sast-exploit-builder

Install: `npx mdskill add H-mmer/pentest-agents/sast-exploit-builder`

SKILL.md (`.github/skills/sast-exploit-builder`)
---
name: sast-exploit-builder
description: "Builds working exploits from confirmed SAST findings. Takes a confirmed crash, develops it into a full exploit. Tier 1 (DoS) → Tier 5 (code execution). Use via /sast command after PoC confirmation."
---
CONTEXT: Authorized security research. Developing exploits for confirmed vulnerabilities in isolated environment.
## Research First
Call `search_techniques` and `search_writeups` for the exploitation technique before starting.
## Exploitation Ladder (native code: C/C++/Rust/Go)
Work up. Stop and report at highest level achieved.
**Tier 1** — Controlled crash (DoS). You already have this from the hunter.
**Tier 2** — Controlled write primitive. Attacker-chosen bytes to attacker-chosen location.
**Tier 3** — Info leak / ASLR bypass. Read memory contents, defeat randomization.
**Tier 4** — Control flow hijack. Overwrite return address, function pointer, vtable, GOT entry.
**Tier 5** — Code execution. ROP chain, shellcode, JIT spray. Demonstrate with shell/file write.
## Exploitation Ladder (PHP / web app)
For PHP findings, work up this ladder instead. Stop and report the highest tier confirmed.
**Tier 1** — Information disclosure. Stack trace, `phpinfo()` page, `.env` read via LFI, source disclosure via `php://filter/convert.base64-encode/resource=`, debug endpoint leaking creds/keys. Concrete evidence: grep the response for secrets.
**Tier 2** — Arbitrary read / authenticated data exfiltration. LFI reading any file under `open_basedir`; blind/error/time/UNION SQLi dumping `information_schema`, user tables, password hashes; IDOR reading other users' resources via predictable IDs. Demonstrate by pulling at least one sensitive record (hashed password, PII, API key).
**Tier 3** — Arbitrary write / mass data modification. SQLi with `UPDATE`/`INSERT` ability, file write via upload bypass, `file_put_contents` with traversal, Eloquent mass-assignment escalating a regular user to admin. Demonstrate by modifying a state you shouldn't be able to.
**Tier 4** — Remote Code Execution. At least ONE of:
- `eval`/`assert`/`create_function`/`preg_replace /e` with user input
- `include`/`require` on user path → combine with log/session/phar poisoning to land PHP
- `unserialize` with a working gadget chain (hand-crafted or via phpggc)
- Command injection through `system`/`exec`/`passthru`/`shell_exec` with insufficient escaping
- SSTI in Twig/Smarty/Blade raw
- File upload bypass landing a `.php` (or `.phar`, `.phtml`, `.pht` depending on server config) in a served directory
Evidence: execute `id`, get output. Save response showing `uid=...`.
**Tier 5** — Persistent webshell + lateral movement. Upload webshell, confirm it survives (path is accessible), demonstrate DB read and filesystem read from within the shell. Document what's reachable: other vhosts, cloud metadata (`169.254.169.254`), internal services, persisted credentials in `.env`/config files.
## Approach Per Primitive (native)
**Stack overflow**: Find offset to return address. Check canary. Check ASLR/PIE. Build ROP chain.
**Heap overflow/UAF**: Understand allocator. Map heap layout. Heap feng shui for predictable placement.
**Integer overflow**: What does overflowed value control? Craft input for useful result.
**Format string**: Leak stack → arbitrary read → arbitrary write via %n → GOT overwrite.
## Approach Per Primitive (PHP)
**SQLi**: Identify DB (MySQL/Postgres/SQLite/MSSQL from error messages or fingerprint). Work in order: error-based → UNION → boolean blind → time blind. For dumping: use `sqlmap` against the confirmed injection point as a verifier — but the PoC should be a standalone request. Extract at least one row from an internal/admin table to prove severity.
**Unrestricted upload → RCE**: Bypass approaches by server:
- Apache + `mod_php`: `.php`, `.php3`, `.php4`, `.php5`, `.php7`, `.phtml`, `.pht`, `.phar`
- nginx + PHP-FPM with poorly-configured `location` regex: `shell.jpg.php`, `shell.php%00.jpg`, `shell.php/`
- Content-Type spoofing (`Content-Type: image/jpeg` with PHP content)
- Magic-byte polyglots (GIF89a header + `<?php ... ?>`)
- Phar upload + trigger via `phar://uploads/x.jpg` in any file op elsewhere
- `.htaccess` upload, if the directory allows it, to add a PHP handler
**LFI → RCE** (from Tier 2 → Tier 4):
- `/proc/self/environ` with `User-Agent: <?=system($_GET['c']);?>` (old PHP)
- Apache access log + malicious UA (path: `/var/log/apache2/access.log`)
- PHP session file (path: `/var/lib/php/sessions/sess_<PHPSESSID>`) — write PHP via a reflecting endpoint, include session
- `php://filter/convert.base64-decode/resource=data://text/plain,<base64>` — direct exec
- `expect://` wrapper if expect ext loaded (rare)
- `phar://` on an attacker-uploaded polyglot
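As a defender-side counterpart to the LFI → RCE chains above, here is an added example (not part of this skill, not the project's code) that scans Apache combined-format access log lines for the preconditions those chains rely on: PHP tags in the User-Agent (log poisoning), stream wrappers in request parameters, and `/proc`, log, session or traversal paths in the requested resource. The log lines are constructed for the example and the regexes are assumptions, not a vendor signature set.

```python
"""Detect log-poisoning and LFI-wrapper preconditions in Apache access logs.

Added example, not part of the skill. Log lines below are constructed,
not captured from any real system.
"""
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)           # planted code in a logged header
WRAPPER = re.compile(r"\b(php|phar|expect|data)://", re.IGNORECASE)  # stream wrappers in a file parameter
SENSITIVE_PATH = re.compile(r"(/proc/self/environ|/var/log/|/sessions/sess_|\.\./)")


def classify(line: str) -> list[str]:
    """Return the list of indicators found in one log line ([] if clean)."""
    m = COMBINED.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    ua = unquote(m["ua"])
    # Two decode rounds so %252e%252e%252f (double-encoded ../) is caught too.
    path = unquote(unquote(m["path"]))
    if PHP_TAG.search(ua):
        findings.append("php_in_user_agent")        # log-poisoning attempt
    if WRAPPER.search(path):
        findings.append("stream_wrapper_in_request")
    if SENSITIVE_PATH.search(path):
        findings.append("lfi_target_path")
    return findings


def scan(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(index, indicators) for every line that raised at least one indicator."""
    return [(i, f) for i, line in enumerate(lines) if (f := classify(line))]


# Constructed sample log (the User-Agent in line 2 is a harmless marker tag, not a shell).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo \'probe\'; ?>"',
    '203.0.113.5 - - [10/Oct/2024:13:55:44 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:48 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:52 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, indicators in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(indicators)}")
```

Run it against a real log with `scan(open(path).read().splitlines())`; the poisoning indicator fires on the request that plants the tag, which is the request to alert on, since by the time the `include` of the log happens the payload is already on disk.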
**Unserialize → RCE**: Inventory classes via `composer.json` and `vendor/`. Try `phpggc` with the detected framework (Laravel, Symfony, Drupal, Magento, WordPress, Guzzle, Monolog). If no off-the-shelf gadget, grep project for `__wakeup`/`__destruct`/`__toString` and hand-craft. Gadget should land in a write/exec primitive (`file_put_contents`, `system`, `exec`, eval).
**SSTI (Twig)**: `{{ 7*7 }}` → `{{ _self.env.registerUndefinedFilterCallback("exec") }}{{ _self.env.getFilter("id") }}`.
**SSTI (Smarty)**: `{php} system('id'); {/php}` (v2) or `{system('id')}` (v3 unsafe mode).
**Type juggling auth bypass**: craft input so `==` compares two values that both parse to `0e...`, `NULL`, or an equivalent. Test with short examples first: `hash('md5', 'QNKCDZO') == hash('md5', '240610708')` is true because both digests are `0e...` strings, which `==` compares as the number zero.
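To make the type-juggling point concrete from the fixing side, the following added example (not part of the skill) models in Python the slice of PHP's loose comparison that matters here: two numeric strings compared with `==` are compared as numbers (this still holds in PHP 8, whose comparison change only affected number-vs-non-numeric-string cases), so any two `0e<digits>` digests are equal. It shows the same inputs under `===` and under a `hash_equals()`-style comparison, which is the fix. `php_loose_equals` is a model written for this example, not PHP's actual implementation.

```python
"""Why `==` on hex digests is unsafe in PHP, and what the fix looks like.

Added example, not part of the skill file. `php_loose_equals` models only the
numeric-string branch of PHP's `==`; it is not a full reimplementation.
"""
import hashlib
import hmac
import re

# PHP's numeric-string shape, as far as hex digests can exercise it:
# optional sign, digits, optional fraction, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a: str, b: str) -> bool:
    """Model of PHP `$a == $b` for two strings: numeric if both look numeric."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)   # "0e123" and "0e456" are both 0.0
    return a == b


def php_strict_equals(a: str, b: str) -> bool:
    """`===`: same type and same bytes, no numeric coercion."""
    return a == b


def safe_digest_equals(a: str, b: str) -> bool:
    """The fix: hash_equals()-style constant-time, byte-exact comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def is_zero_e(digest: str) -> bool:
    """True for digests of the form 0e<digits only>, the ones `==` collapses to 0."""
    return digest.startswith("0e") and digest[2:].isdigit()


def compare_digests(s1: str, s2: str) -> dict:
    """Run the same pair of digests through all three comparison styles."""
    h1, h2 = md5_hex(s1), md5_hex(s2)
    return {
        "digest1": h1,
        "digest2": h2,
        "both_zero_e": is_zero_e(h1) and is_zero_e(h2),
        "loose": php_loose_equals(h1, h2),        # vulnerable check
        "strict": php_strict_equals(h1, h2),      # ===
        "hash_equals": safe_digest_equals(h1, h2),  # recommended
    }


if __name__ == "__main__":
    for k, v in compare_digests("QNKCDZO", "240610708").items():
        print(f"{k}: {v}")
```

The skill's own test pair lands in the `loose: True, strict: False` row; in a code review, any `==` between a user-supplied string and a stored digest or token is the line to flag, and the remediation is `hash_equals()` (or `===` where timing is not a concern).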
**Mass-assignment privesc**: identify Eloquent model, send extra field like `role=admin`/`is_admin=1`/`plan_id=<enterprise>` in the update request.
## Mitigation Checklist (PHP)
| Mitigation | Check command | Bypass |
|---|---|---|
| `disable_functions` | `php -i \| grep disable_functions` | LD_PRELOAD (if exec possible elsewhere), PHP 7 mail() bypass, FFI, imap_open on old php |
| `open_basedir` | `php -i \| grep open_basedir` | symlink tricks, `glob://` bypass, `chdir` + `ini_set` (old) |
| `display_errors=Off` | `php -i \| grep display_errors` | log-based exfil via error_log reachability |
| `allow_url_include` | `php -i \| grep allow_url_include` | forces LFI-only; chain with log/phar/data poisoning |
| `expose_php` | `php -i \| grep expose_php` | doesn't affect exploit, only fingerprinting |
| PHP version | `php -v` | many CVEs fixed — verify version for each finding |
| Framework CSRF | check middleware | token leak via XSS, missing on JSON endpoints |
| Framework auth | check middleware | missing on `admin-ajax.php`/`api/*` routes, signed-URL tricks |
## Mitigation Checklist (native)
| Mitigation | Check command | Bypass |
|---|---|---|
| Stack canary | `objdump -d <bin> \| grep stack_chk` | Info leak, fork brute force |
| ASLR | `cat /proc/sys/kernel/randomize_va_space` | Info leak, partial overwrite |
| PIE | `readelf -h <bin> \| grep DYN` | Info leak for code base |
| NX | `readelf -l <bin> \| grep GNU_STACK` | ROP, ret2libc |
| RELRO | `readelf -l <bin> \| grep RELRO` | Partial: GOT. Full: target elsewhere |
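The native checks above are run through `readelf`/`objdump` and `grep`. As an added example (not the skill's code), here is a dependency-free Python reimplementation of the same four checks that parses the ELF64 header, program headers and dynamic section directly: PIE from `e_type == ET_DYN`, NX from the `PT_GNU_STACK` flags, RELRO from `PT_GNU_RELRO` plus `DT_FLAGS`/`DT_FLAGS_1` bind-now, and the canary as the same `__stack_chk_fail` string search the table's `grep stack_chk` performs. It also builds a tiny synthetic ELF64 image (constructed, not a real binary) so the checker can be exercised offline; `build_synthetic_elf` is a test fixture, not a linker.

```python
"""Reimplementation of the native mitigation checks (PIE, NX, RELRO, canary).

Added example, not part of the skill. Parses ELF64 little-endian images only.
"""
import struct

ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR_FMT = "<IIQQQQQQ"   # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def check_elf64(data: bytes) -> dict:
    """Return {'pie','nx','relro','canary'} for an ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:          # EI_CLASS 2 = 64-bit
        raise ValueError("not an ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_gnu_stack, stack_exec, relro_hdr = False, True, False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            has_gnu_stack, stack_exec = True, bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro_hdr = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Full RELRO needs the read-only segment *and* immediate binding (BIND_NOW).
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = "full" if relro_hdr and bind_now else "partial" if relro_hdr else "none"

    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all is treated as the historical default: executable stack.
        "nx": has_gnu_stack and not stack_exec,
        "relro": relro,
        # Same heuristic as `grep stack_chk`: the canary failure routine is referenced by name.
        "canary": b"__stack_chk_fail" in data,
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return check_elf64(fh.read())


def _phdr(p_type: int, p_flags: int, p_offset: int = 0, p_filesz: int = 0) -> bytes:
    return struct.pack(PHDR_FMT, p_type, p_flags, p_offset, 0, 0, p_filesz, p_filesz, 8)


def build_synthetic_elf(pie: bool, exec_stack: bool, relro: str, canary: bool) -> bytes:
    """Construct a minimal ELF64 image with just enough headers to exercise check_elf64."""
    dyn = b""
    if relro != "none":
        dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if relro == "full" else 0)
        dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 1 + (2 if dyn else 0)
    dyn_off = 64 + 56 * n_ph                        # dynamic section follows the phdr table
    phdrs = _phdr(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))
    if dyn:
        phdrs += _phdr(PT_GNU_RELRO, PF_R)
        phdrs += _phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    print("hardened:", check_elf64(build_synthetic_elf(True, False, "full", True)))
    print("weak:    ", check_elf64(build_synthetic_elf(False, True, "none", False)))
```

On a real target, `check_file("/path/to/bin")` gives the same four answers as the `readelf`/`objdump` commands in the table; the `relro` field maps onto the table's "Partial: GOT" versus "Full: target elsewhere" distinction, since only partial RELRO leaves the GOT writable.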
## Output
Write to `poc/sast/exploits/`. Include `exploit_<name>.py` and `README.md`.
```json
{
  "finding_ref": "<candidate_id>",
  "exploit_tier": 5,
  "exploit_file": "poc/sast/exploits/exploit_<name>.py",
  "mitigations_bypassed": ["ASLR (leaked via info disclosure)", "NX (ROP chain)"],
  "mitigations_not_bypassed": [],
  "impact": "Unauthenticated remote attacker achieves root shell",
  "reliability": "100% on target version",
  "constraints": ["Requires NFS service running"]
}
```
## Rules
- Persist everything to disk. Time box 30 min per tier. Report honestly — don't claim tiers you haven't proven.
## Brain Integration
Record tier achieved and techniques that worked/failed.
## Top-Tier Operator Standard
Exploit development climbs only on proven ground.
- Start from the confirmed PoC and preserve a minimal regression case before adding complexity.
- Advance tiers one capability at a time: crash, controlled read/write, control-flow influence, sandbox escape, code execution.
- Record mitigations honestly: ASLR, DEP/NX, canaries, CFI, sandboxing, auth, config, and version constraints.
- Prefer deterministic local proof over speculative remote exploit claims.
- Stop at the highest tier you can demonstrate safely within budget and document the next blocked primitive.