hkm67/OSWE-Notes
Exploit template plus helper modules for blind SQLi, reverse shells, web callbacks, and WebSocket interfaces.
Files
exploit.py– Main skeleton of the exploit scriptutils.py– Banner helpers, regex extractor, password/name generators, PS1 encoder, etc.shell_listener.py– TCP reverse shell listenerweb_callback_server.py– Serve payloads + catch callbacks (XSS, XXE, SSRF)sqli_parallel.py– Parallel blind SQLi extractorwebsocket_helper.py– WebSocket response drainer (targets with WS interfaces)
exploit.py is a barebone skeleton: session setup, argument parsing, and an empty exploit chain. Paste in the helpers the target needs from the other files, then fill in the stage functions.
exploit.py – Flags
| Flag | Default | Description |
|---|---|---|
-t / --target | required | Target IP or IP:port |
-l / --lhost | required | Your tun0 IP |
-p / --lport | 4444 | Reverse shell port |
-wp / --wport | 80 | Web callback server port |
-u / --username | – | Provide a known username to skip enumeration/registration |
-P / --password | – | Provide a known password to skip brute-forcing |
-f / --file | – | File path to read (for targets with LFI or XXE) |
--shell | off | Trigger reverse shell stage |
--proxy | off | Route all traffic through Burp (127.0.0.1:8080) |
-u and -P exist because some stages are slow. Brute-forcing a token can take a few minutes. Once you have the credentials, pass them directly and skip to the stage you’re actually working on.
Helpers
utils.py
Console output:generate_password() always satisfies strict validation policies. It avoids shell-breaking characters (quotes, backslashes) so you can safely embed it in payloads.
Regex extraction – pull values out of HTML responses:
re.DOTALL, so it works on values that span multiple lines.
PowerShell encoder – avoids quoting issues when injecting PS1 through a webshell:
-EncodedCommand expects UTF-16LE base64. Encoding it in Python ensures the command arrives intact regardless of how it’s passed through the delivery mechanism.
shell_listener.py
Pastestart_listener() into your script, run it in a background thread, then trigger the shell:
conn.send(b"\n") inside the function for PowerShell. It kicks the PS1 prompt on connect so you see output immediately.
Reverse shell payloads:
web_callback_server.py
One server that does two things: serves files to the victim and captures whatever the victim sends back. Hardcode your payloads as constants at the top of the script, using.replace() for LHOST/LPORT (full credits to rizemon/exploit-writing-for-oswe for this neat trick!):
EXFIL_DATA[path]. POST callbacks parse JSON or form-encoded bodies into the same dict. CORS headers are set on every response so fetch() in the victim browser works cross-origin.
XSS cookie theft:
HttpOnly, cookie theft won’t work. Go after browser storage, scrape the CSRF token, or force admin actions directly instead.
Steal tokens from storage (JWT / SPA sessions):
sqli_parallel.py
Pasteextract_string_blind() into your script. The only thing you write is one function, is_correct_char(index, char) -> bool, that returns True when char is correct at position index (1-based). Pass it in and the extractor pulls the whole string:
(position, character) combinations are submitted at once. The thread pool caps concurrency at max_workers=30. For a 32-char string over a 62-char charset, that’s ~2000 tasks, done in roughly the time it takes to test a single character sequentially.
Tune max_workers down if you’re hitting rate limits, up if the target handles the load.
websocket_helper.py
For targets that expose a command interface over WebSocket. Pastews_recv_all() into your script:
{"type": "response", "payload": "..."}), filter on the type to skip heartbeats:
requests Cheatsheet
Sending requests:Development Tips
Skip slow stages while iterating – hardcode a known-good cookie and comment out the early steps:--proxy, or as an env var:
Common Patterns
Avoid f-string hell with payloads that contain lots of{} (SSTI):
Decompilation
| Language | Tool | Notes |
|---|---|---|
| Java | JD-GUI | Open .jar → File → Save All Sources → unzip |
| .NET / C# | dnSpy | Open .dll → File → Export to Project |
Database Debugging
PostgreSQL – log all queries in real time: Enable inpostgresql.conf:

