If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/w181496/Web-CTF-Cheatsheet shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

WAIT — Slowing — last commit 6mo ago

• Last commit 6mo ago
• 3 active contributors
• ⚠ Slowing — last commit 6mo ago
• ⚠ Small team — 3 contributors active in recent commits
• ⚠ Single-maintainer risk — top contributor 98% of recent commits
• ⚠ No license — legally unclear to depend on
• ⚠ No CI workflows detected
• ⚠ No test directory detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live w181496/Web-CTF-Cheatsheet repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/w181496/Web-CTF-Cheatsheet.

What it runs against: a local clone of w181496/Web-CTF-Cheatsheet — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in w181496/Web-CTF-Cheatsheet | Confirms the artifact applies here, not a fork | | 2 | Default branch master exists | Catches branch renames | | 3 | 5 critical file paths still exist | Catches refactors that moved load-bearing code | | 4 | Last commit ≤ 224 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of w181496/Web-CTF-Cheatsheet. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/w181496/Web-CTF-Cheatsheet.git
#   cd Web-CTF-Cheatsheet
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of w181496/Web-CTF-Cheatsheet and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "w181496/Web-CTF-Cheatsheet(\\.git)?\\b" \\
  && ok "origin remote is w181496/Web-CTF-Cheatsheet" \\
  || miss "origin remote is not w181496/Web-CTF-Cheatsheet (artifact may be from a fork)"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \\
  && ok "default branch master exists" \\
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "README.md" \\
  && ok "README.md" \\
  || miss "missing critical file: README.md"
test -f "scripts/backdoor/shell.php" \\
  && ok "scripts/backdoor/shell.php" \\
  || miss "missing critical file: scripts/backdoor/shell.php"
test -f "scripts/sqlinj/mysql_union.rb" \\
  && ok "scripts/sqlinj/mysql_union.rb" \\
  || miss "missing critical file: scripts/sqlinj/mysql_union.rb"
test -f "scripts/xss/payload" \\
  && ok "scripts/xss/payload" \\
  || miss "missing critical file: scripts/xss/payload"
test -f "scripts/backdoor/uploader.php" \\
  && ok "scripts/backdoor/uploader.php" \\
  || miss "missing critical file: scripts/backdoor/uploader.php"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 224 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~194d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/w181496/Web-CTF-Cheatsheet"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

Web-CTF-Cheatsheet is a curated reference guide of exploitation techniques and payload scripts for web-based Capture-The-Flag competitions. It covers vulnerability classes (SQL injection, XSS, SSRF, XXE, deserialization) with ready-to-use PHP, Ruby, and Python scripts stored in /scripts/ organized by attack type (backdoor/, sqlinj/, xss/, etc.), plus detailed markdown documentation of bypass techniques, weak type exploits, and command injection methods. Flat reference structure: /scripts/ contains subdirectories by attack vector (backdoor/, sqlinj/, xss/, windows/, others/); each holds language-specific implementations (PHP shell variants in backdoor/shell.php, Ruby MSSQL enumeration in sqlinj/mssql_table.rb, Python utilities in others/). README.md is the primary documentation with inline code examples and hyperlinked table of contents to sections.

CTF competitors and security researchers participating in web exploitation challenges who need quick reference payloads and techniques. Also useful for developers learning about web vulnerability patterns and defensive techniques.

This is a reference/educational resource, not production software—it's a cheatsheet repository without tests, CI/CD pipelines, or versioning. The codebase shows active curation (multiple script variants, organized categories) but maturity assessment doesn't apply in traditional terms. It appears actively maintained as a knowledge base rather than a continuously-deployed application.

No deployment or runtime risk—this is purely reference material. The risk is educational: payloads are real exploitation code meant for authorized testing only. No external dependencies to audit. Main concern is legal/ethical: users must have proper authorization before using these techniques. Single maintainer (w181496) means knowledge consolidation relies on one person.

No commit history or PR data visible in provided repo snapshot. Repository appears to be a static reference guide rather than actively developed software. Updates likely occur as new CTF techniques emerge, but current activity level cannot be determined from file structure alone.

Clone and browse:

git clone https://github.com/w181496/Web-CTF-Cheatsheet.git
cd Web-CTF-Cheatsheet
cat README.md

No installation or dependencies required—this is a reference repository. View scripts directly: cat scripts/backdoor/shell.php or cat scripts/sqlinj/mysql_union.rb.

Daily commands: No 'run' in traditional sense. Copy/adapt scripts as needed:

• Webshells: Upload scripts/backdoor/shell.php to target; invoke via ?cmd=id
• SQL injection: Use scripts/sqlinj/mysql_union.rb as reference or template
• Download tools: Execute scripts/windows/download.ps1 on target system
• Reverse shells: Consult README reverse-shell section, adapt to environment Scripts are meant to be studied and customized, not executed as-is from this repo.

• README.md — Primary documentation covering all CTF techniques, payloads, and exploitation methods across web vulnerability categories—essential orientation for any contributor.
• scripts/backdoor/shell.php — Core PHP webshell template that forms the foundation for backdoor techniques and payload delivery examples.
• scripts/sqlinj/mysql_union.rb — Representative SQL injection exploitation script demonstrating the union-based attack methodology central to the sqlinj module.
• scripts/xss/payload — XSS payload collection file—critical reference for understanding client-side exploitation patterns documented in the cheatsheet.
• scripts/backdoor/uploader.php — File upload handler demonstrating vulnerable upload mechanics that bypass security controls, key to understanding upload exploitation.
• scripts/others/secret_key_base_decrypt.rb — Ruby-based cryptographic bypass example illustrating Rails framework-specific vulnerabilities and decryption techniques.

• Backdoor Scripts (PHP, ASP, ASP.NET) — Establish persistent or temporary remote code execution access on compromised servers
  • Failure mode: Payload blocked by WAF, file upload restrictions, or shell execution disabled
• SQL Injection Exploits (Ruby, database-specific SQL dialects) — Automate database query manipulation to extract data or execute commands depending on database type
  • Failure mode: Query blocked by input validation, comment syntax disabled, or error-based exfiltration prevented
• XSS Payloads (JavaScript, HTML event handlers) — Execute JavaScript in victim browsers to steal credentials, perform actions, or redirect users
  • Failure mode: Payload filtered by Content Security Policy, XSS filters, or sanitization libraries
• Download/Staging Utilities (Batch, PowerShell, VBS, Python) — Facilitate payload download and execution on target systems during post-exploitation phase
  • Failure mode: Network restrictions, code signing requirements, or antivirus detection
• Cryptography & Utility Tools (Python, Ruby) — Decrypt session keys, analyze SSL/TLS, and manipulate network identifiers for targeted exploitation
  • Failure mode: Key rotation, certificate pinning, or updated encryption algorithms

• CTF Player → README.md — Reads technique reference and selects appropriate attack vector
• CTF Player → scripts/ — Retrieves and adapts exploit or payload script for target application
• scripts/ → Target Web Application — Deploys crafted payload, injection, or command through HTTP/network
• Target Web Application → scripts/ (webshell/backdoor) — Executes payload and returns results or establishes reverse shell
• scripts/ (webshell/backdoor) → CTF Player — Returns command output, file contents, or flag data

Add a new SQL injection technique for a database

1. Create a new Ruby script in scripts/sqlinj/ following the naming convention {database}_{technique}.rb (scripts/sqlinj/)
2. Implement the exploit leveraging database-specific syntax and error messages, matching the structure of existing scripts like mysql_union.rb (scripts/sqlinj/mysql_union.rb)
3. Document the technique in README.md under the appropriate database section with usage examples (README.md)

Add a new webshell or backdoor payload

1. Create a new file in scripts/backdoor/ named after the target technology (e.g., shell.jsp for Java) (scripts/backdoor/)
2. Implement the payload with command execution capabilities, referencing patterns from shell.php and shell.aspx (scripts/backdoor/shell.php)
3. Add documentation to README.md under the Webshell section with compatibility notes and usage instructions (README.md)

Add an XSS payload or bypass technique

1. Add the new payload to scripts/xss/payload file with clear categorization (e.g., comment header for payload type) (scripts/xss/payload)
2. Document the bypass technique and its use cases in README.md under the XSS/CSTI section (README.md)

Add utility scripts for new platforms or techniques

1. Create script in appropriate subdirectory (scripts/windows/ for Windows, scripts/others/ for platform-agnostic tools) (scripts/others/)
2. Follow naming conventions and include clear usage comments at the top of the script (scripts/others/IP.py)
3. Reference the utility in README.md with example usage and platform compatibility (README.md)

• Ruby scripts for SQL injection — Ruby provides concise syntax for automating database interactions and payload generation with built-in string manipulation
• PHP for webshells and backdoors — PHP is the most prevalent server-side language in vulnerable CTF targets and legacy web applications
• Windows-specific scripts (batch, PowerShell, VBS) — Targets Windows systems where native tools and obfuscation techniques are critical for evasion
• Python for utilities and network tools — Cross-platform scripting for infrastructure testing and specialized network operations

• Repository structure organized by attack vector (sqlinj, xss, backdoor) rather than by target technology

  • Why: Allows CTF players to quickly locate techniques by vulnerability class rather than target language/framework
  • Consequence: Multiple implementations of similar concepts across directories; less language-centric organization

• Markdown README as primary documentation instead of structured code comments or API docs

  • Why: Cheatsheet format prioritizes human-readability and quick reference over code maintainability
  • Consequence: Documentation and scripts can drift; no single source of truth for implementation details

• Standalone, copy-paste-ready scripts without shared utilities or framework

  • Why: Maximizes portability and reduces dependencies during time-constrained CTF competitions
  • Consequence: Code duplication across scripts; harder to maintain consistent patterns

• Does not provide a framework or library for automation—payloads are meant for manual deployment
• Does not include defense mechanisms or security hardening—purely offensive tooling
• Does not cover non-web attack vectors (binary exploitation, cryptography theory)
• Does not provide real-time CTF platform integration or scoring automation

No hidden gotchas—this is a static reference repo. Traps are in the content not the structure: (1) Payloads assume different target environments (PHP 5.x vs 7.x syntax, MySQL vs MSSQL dialects)—adapt before use. (2) XSS payloads in /scripts/xss/payload are context-dependent (reflected vs stored, WAF filters vary). (3) Windows scripts (.bat, .vbs, .ps1) require appropriate execution policies and may trigger antivirus. (4) No version pinning—old techniques may not work against patched systems. (5) Legal risk: all content is for authorized testing only; unauthorized access is illegal.

• SQL Injection—Union-based vs Time-based vs Error-based — Repo dedicates separate scripts to mysql_union.rb and mysql_time.rb because technique choice depends on whether you can see query results (union) or only infer via timing (blind). Understanding these distinctions is critical for adapting payloads.
• PHP Type Juggling / Weak Type Comparison — README explicitly covers 'PHP Weak Type'—PHP's loose typing allows == comparisons to bypass auth (e.g., '0' == 'anything' is true). Central to many PHP CTF exploits.
• Server-Side Template Injection (SSTI) — Dedicated README section covering Jinja2, Twig, Thymeleaf, Freemarker, etc. SSTI is a high-value web vulnerability where template syntax reaches code execution; each framework has unique payload syntax.
• Open Basedir / Disable_functions Bypass (PHP Sandbox Escape) — README explicitly documents 'Bypass open_basedir' and 'Bypass disable_functions' because many production PHP servers have these restrictions; knowing how to escape them is CTF-critical knowledge.
• Insecure Deserialization (PHP, Python, Ruby, Java, .NET) — Repo dedicates large README section to serialization exploits across 5 languages because unsafe unserialize() calls are common CTF targets and each language has different gadget chains (PHP ObjectInjection, Python Pickle, Ruby YAML).
• Command Injection—Space/Keyword Bypass & IFS/$IFS Variables — README covers 'Bypass Space' and 'Bypass Keyword' because simple command injection filters block obvious shells; alternatives like ${IFS} (Internal Field Separator), <() redirection, and 'command' concatenation are essential CTF techniques.
• SSRF (Server-Side Request Forgery) & Metadata Service Exploitation — README SSRF section covers bypassing 127.0.0.1 blocks, local exploit (redis/memcached), remote exploit, and cloud metadata (AWS 169.254.169.254)—critical for cloud CTFs and internal network pivoting.

• swisskyrepo/PayloadsAllTheThings — Larger, more actively-maintained payload reference covering same vulnerability classes with polyglot examples and automated tools; direct competitor/complement to this repo.
• SecWiki/sec-wiki — Chinese security wiki with similar CTF technique documentation; overlapping coverage of web vulnerabilities with different organization and language.
• HackTricks/hacktricks — Comprehensive security reference with sections on web exploitation, deserialization, SSTI; serves same educational purpose with broader scope (also covers system/network hacking).
• OwasCheatsheetseries/cheatsheetseries — Official OWASP defensive reference—complements this offensive cheatsheet by showing how to prevent the vulnerabilities documented here.
• rapid7/metasploit-framework — Industry-standard penetration testing framework with modules for many vulnerabilities referenced in this repo; users will want automated exploitation wrappers around these payloads.

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add organized payload directory with example payloads for each XSS vector

The scripts/xss/payload file exists but is likely a single file. XSS attacks have many variations (reflected, stored, DOM-based, filter bypasses). This should be expanded into a structured directory with categorized payload examples, similar to how scripts/sqlinj/ has multiple database-specific files. This would make the cheatsheet significantly more practical for CTF participants.

• [ ] Create scripts/xss/ subdirectories: reflected/, stored/, dom/, filters_bypass/
• [ ] Add payload examples for each category (e.g., scripts/xss/filters_bypass/tag_bypass.txt, scripts/xss/filters_bypass/attribute_bypass.txt)
• [ ] Update README.md table of contents to link to specific XSS payload types instead of generic 'payload'
• [ ] Add brief comments in payload files explaining when each payload is useful in CTF scenarios

Create scripts/deserialization/ directory with language-specific exploitation examples

The README mentions PHP Serialize, Python Pickle, Ruby Deserialization, and Java Serialization in the table of contents, but the scripts/ directory has no corresponding deserialization folder. The backdoor and sqlinj folders show the repo uses language-specific organization. Adding a scripts/deserialization/ directory with proof-of-concept exploits for each serialization type would fill this gap.

• [ ] Create scripts/deserialization/ directory with: php_serialize.php, python_pickle.py, ruby_deserialize.rb, java_serialization.java
• [ ] Each file should contain minimal working gadget chain examples or object manipulation code
• [ ] Add comments referencing common gadget libraries (ysoserial for Java, etc.)
• [ ] Update README.md to link to these specific files under the Serialization section

Add scripts/lfi/ directory with LFI exploitation techniques and wrapper examples

The README has an LFI section in the table of contents but there is no corresponding scripts/lfi/ directory in the file structure. Given that the repo has organized directories for other vulnerability types (sqlinj, xss, backdoor), an LFI directory with PHP wrapper exploitation, log poisoning, and filter bypass techniques would be consistent and valuable for CTF participants.

• [ ] Create scripts/lfi/ directory with: php_wrappers.txt, log_poisoning.php, filter_bypass.txt, zip_traversal.php
• [ ] Include examples of data://, php://, expect://, input:// wrapper usage with working payloads
• [ ] Add a file demonstrating null byte injection for older PHP versions and path traversal sequences
• [ ] Update README.md LFI section to reference these specific technique files

• Add test cases / documentation for each SQL injection script: Currently scripts/sqlinj/ contains only exploitation code. Create a scripts/sqlinj/EXAMPLES.md with real vulnerable query examples and expected output for mysql_union.rb, mysql_time.rb, mssql_column.rb—helps users understand when/how to apply each.
• Expand XSS payload documentation: scripts/xss/payload exists but is not documented in README. Add 'XSS Payloads' subsection to README with categorization (DOM-based, reflected, stored) and context-specific examples (HTML entity encoding, JS context, attribute context).
• Create Python equivalents for Ruby SQL injection tools: Repo has Ruby enumeration scripts (mssql_table.rb, mysql_union.rb) but no Python versions. Port 2-3 of these to scripts/sqlinj/ as .py files to increase accessibility for Python-preferred users.

• Critical · Webshell and Backdoor Scripts — scripts/backdoor/. The repository contains multiple webshell and backdoor scripts (shell.php, shell.asp, shell.aspx, uploader.php, etc.) designed for unauthorized access. These are intentionally malicious files that could be used to compromise systems if deployed. Fix: These files should only exist in isolated, controlled environments for educational purposes. Never deploy these to production systems. Use version control to restrict access and add clear warnings in documentation about their malicious nature.
• Critical · PHP JPEG Shell and Polyglot Exploit — scripts/backdoor/php-jpeg-shell.php. The php-jpeg-shell.php file demonstrates techniques to hide PHP code in image files, potentially bypassing file upload restrictions. This can lead to arbitrary code execution. Fix: Implement strict file type validation on uploads using both MIME type and magic bytes verification. Disable script execution in upload directories via web server configuration.
• Critical · Mail/Shellshock Bypass Script — scripts/backdoor/bypass_mail_shellshock.php. bypass_mail_shellshock.php contains techniques to exploit Shellshock vulnerabilities through mail functions, allowing arbitrary command execution. Fix: Ensure all system software is patched. Disable dangerous functions like mail() and passthru() if not needed. Use parameterized APIs instead of shell execution.
• High · SQL Injection Educational Scripts — scripts/sqlinj/. The scripts/sqlinj/ directory contains multiple SQL injection exploitation scripts targeting various databases (MySQL, MSSQL, SQLite). These demonstrate vulnerable patterns and attack vectors. Fix: Use parameterized queries and prepared statements exclusively. Never concatenate user input into SQL queries. Implement ORM frameworks that handle escaping automatically.
• High · Command Injection Bypass Techniques — scripts/ (various command injection examples). The repository documents methods to bypass command injection protections and filters. This includes space bypass and keyword obfuscation techniques that could be used to craft sophisticated attacks. Fix: Avoid executing system commands with user input. Use safe APIs for intended operations. If command execution is necessary, use parameterized execution with allowlisted arguments.
• High · XSS Payload Collection — scripts/xss/payload. The scripts/xss/payload file contains XSS payloads that could be used to demonstrate or execute cross-site scripting attacks. Fix: Implement Content Security Policy headers, use template engines with auto-escaping, and validate/sanitize all user input. Never use dangerouslySetInnerHTML in frontend frameworks.
• High · No Dependency Management File — Repository root. No package.json, Gemfile, requirements.txt, or similar dependency files are present. This makes it impossible to verify if outdated or vulnerable dependencies are being used. Fix: Maintain proper dependency management files. Regularly scan dependencies with tools like npm audit, bundler-audit, or OWASP Dependency-Check.
• Medium · Unencrypted Credential Decryption Script — scripts/others/secret_key_base_decrypt.rb. The secret_key_base_decrypt.rb script demonstrates how to decrypt Rails secret keys, which could lead to session hijacking if keys are exposed. Fix: Never expose secret keys or base credentials. Use secure key management systems (AWS KMS, HashiCorp Vault). Rotate keys regularly and monitor for exposure.
• Medium · Serialization Attack Vectors — README.md (Serialization section). The repository documents deserialization vulnerabilities in PHP, Python, Ruby, and Java. These could lead to remote code execution if untrusted data is deserialized. Fix: Never deserialize untrusted data. Use safe serialization formats like JSON. If serialization is needed, implement integrity checks with HMAC signatures.
• Medium · Local File Inclusion (LFI) Techniques — README.md. The repository includes documentation and potentially exploits for LFI vulnerabilities that can lead to sensitive file disclosure. Fix: undefined

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.