Proof of Concept

Overview

Vulnerability confirmed → Now achieve highest possible exploitation impact and automate it.

PoC Phases

Full Chain Exploitation
         ↓
  Exploit Development
         ↓
 Test on Real Target

Phase 1: Full Chain Exploitation

Goal

Document working exploitation process step-by-step.

What to Document

Element

Description

Initial target location

Entry point URL/endpoint

Client-side payload

First payload sent

Additional payloads

For chained vulnerabilities

Bypasses

WAF, filter, encoding bypasses

Process

1. Start from client-side input
         ↓
2. Document each payload needed
         ↓
3. If chaining vulns, document each step
         ↓
4. If blocked, work on bypass
         ↓
5. Proceed to next step
         ↓
6. Repeat until full exploitation

Chained Vulnerability Example

Step 1: SQLi to bypass authentication
   Payload: admin' OR '1'='1
   Result: Logged in as admin
         ↓
Step 2: File upload as admin
   Payload: shell.php.jpg with PHP content
   Bypass: Double extension
   Result: Shell uploaded
         ↓
Step 3: RCE via uploaded shell
   Location: /uploads/shell.php.jpg
   Payload: ?cmd=whoami
   Result: Command execution

Handling Blocks

Block

Action

WAF blocks payload

Research bypasses, encoding

Filter removes chars

Find alternative chars/encoding

Blind exploitation

Develop OOB or time-based

Rate limiting

Add delays, use multiple sessions

If Full Exploitation Fails

Still report vulnerability
Severity may be reduced
Document what was achieved
Note what prevented full exploitation

Tip: Persist! If you can't achieve full exploitation, someone else will with better bypasses or chained vulns.

Phase 2: Exploit Development

Goal

Write script that automatically reproduces exploitation steps.

Language Selection

Use Case

Language

Reason

Network/Web applications

Python

Cross-platform, good libraries

Client-side (CSRF, etc.)

JavaScript

Only executes in browsers

Web + client-side chain

Python + JavaScript

JS for client, Python for backend

Binary exploitation

Python

Good debugging libraries (pwntools)

OS targeting

Bash/PowerShell

Pre-installed on target OS

Thick client/advanced

Application's language

Reuse code/functions

Python Exploit Structure

#!/usr/bin/env python3
import requests
import sys

class Exploit:
    def __init__(self, target, port):
        self.target = target
        self.port = port
        self.session = requests.Session()
    
    def check_vuln(self):
        """Verify target is vulnerable"""
        pass
    
    def stage1_auth_bypass(self):
        """First stage: bypass authentication"""
        pass
    
    def stage2_upload_shell(self):
        """Second stage: upload web shell"""
        pass
    
    def stage3_rce(self, cmd):
        """Third stage: execute commands"""
        pass
    
    def cleanup(self):
        """Remove traces of exploitation"""
        pass
    
    def run(self):
        """Main exploitation flow"""
        try:
            if not self.check_vuln():
                print("[-] Target not vulnerable")
                return False
            
            self.stage1_auth_bypass()
            self.stage2_upload_shell()
            self.stage3_rce("whoami")
            return True
        except Exception as e:
            print(f"[-] Error: {e}")
            self.cleanup()
            return False
        finally:
            self.cleanup()

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <target> <port>")
        sys.exit(1)
    
    exploit = Exploit(sys.argv[1], int(sys.argv[2]))
    exploit.run()

Key Exploit Features

Feature

Purpose

Error handling

Graceful failure, cleanup on error

Cleanup function

Remove traces

Modular stages

Easy to debug/modify

Verification

Confirm target is vulnerable first

Configurability

Easy to change target

Phase 3: Test on Real Target

Before Testing on Production

Thoroughly tested on test environment
All security mechanisms enabled during tests
Works fully automatically
Safe to run (no data loss/downtime)

Modifications for Production

# Change target details
TARGET = "production.target.com"  # Was: "test.local"
PORT = 443                        # Was: 8080
USE_HTTPS = True                  # Was: False

Safety Requirements

Requirement

Implementation

Revertible

Can undo all changes

Clean traces

Remove created files/accounts

Handle errors

Cleanup even on failure

Non-destructive

Never modify critical data

No downtime

Operations don't crash services

What to Clean Up

Action Taken

Cleanup Required

Created account

Delete account

Modified data

Reset to original

Uploaded files

Delete files

Changed configs

Restore configs

Created DB entries

Remove entries

Error Handling Pattern

def exploit(self):
    created_user = None
    uploaded_file = None
    
    try:
        # Stage 1
        created_user = self.create_user()
        
        # Stage 2
        uploaded_file = self.upload_shell()
        
        # Stage 3
        result = self.execute_command()
        
        return result
        
    except Exception as e:
        print(f"[-] Exploit failed: {e}")
        raise
        
    finally:
        # Always cleanup
        if uploaded_file:
            self.delete_file(uploaded_file)
        if created_user:
            self.delete_user(created_user)

PoC Documentation Template

# Vulnerability: [Name]

## Summary
Brief description of the vulnerability.

## Affected Version
- Application: v1.2.3
- Component: /api/upload

## Prerequisites
- Valid user account
- Network access to target

## Exploitation Steps

### Step 1: Authentication Bypass
Payload: `admin' OR '1'='1`
Endpoint: POST /login

### Step 2: Shell Upload
Payload: [shell.php content]
Bypass: Double extension
Endpoint: POST /upload

### Step 3: RCE
Command: `whoami`
Endpoint: GET /uploads/shell.php.jpg?cmd=whoami

## Proof
[Screenshot or output]

## Remediation
[Recommended fix]

Checklist

Full Chain Exploitation

All steps documented
All payloads recorded
Bypasses identified and tested
Can reproduce manually

Exploit Development

Script automates all steps
Error handling implemented
Cleanup function works
Tested on test environment

Production Testing

Target details configured
Safe to run verified
Cleanup confirmed working
Successful execution documented

PreviousLocal Testing NextPatching & Remediation

Last updated 1 month ago

hashtagOverview

hashtagPoC Phases

hashtagPhase 1: Full Chain Exploitation

hashtagGoal

hashtagWhat to Document

hashtagProcess

hashtagChained Vulnerability Example

hashtagHandling Blocks

hashtagIf Full Exploitation Fails

hashtagPhase 2: Exploit Development

hashtagGoal

hashtagLanguage Selection

hashtagPython Exploit Structure

hashtagKey Exploit Features

hashtagPhase 3: Test on Real Target

hashtagBefore Testing on Production

hashtagModifications for Production

hashtagSafety Requirements

hashtagWhat to Clean Up

hashtagError Handling Pattern

hashtagPoC Documentation Template

hashtagChecklist

hashtagFull Chain Exploitation

hashtagExploit Development

hashtagProduction Testing

Overview

PoC Phases

Phase 1: Full Chain Exploitation

Goal

What to Document

Process

Chained Vulnerability Example

Handling Blocks

If Full Exploitation Fails

Phase 2: Exploit Development

Goal

Language Selection

Python Exploit Structure

Key Exploit Features

Phase 3: Test on Real Target

Before Testing on Production

Modifications for Production

Safety Requirements

What to Clean Up

Error Handling Pattern

PoC Documentation Template

Checklist

Full Chain Exploitation

Exploit Development

Production Testing