OSCP Web Exploitation Guide: SQLi, LFI, RCE & File Upload Attacks Explained
Curious how hackers gain full control of web servers during OSCP-style exams? This in-depth guide walks you through web application exploitation techniques such as SQL Injection (SQLi), Local File Inclusion (LFI), Remote Code Execution (RCE), and file upload vulnerabilities. With hands-on, exam-like scenarios, you'll understand how to escalate from initial foothold to root access — just like in a real-world penetration test. Whether you're an OSCP aspirant or cybersecurity enthusiast, this blog is your practical playbook for mastering web app attacks.
Table of Contents
Introduction
The Offensive Security Certified Professional (OSCP) certification is a hallmark of practical penetration testing skills, emphasizing hands-on exploitation in real-world scenarios. Web applications are often the gateway to compromising a system, serving as the initial foothold that pentesters use to pivot deeper into a network. This blog outlines the systematic approach to exploiting web applications the "OSCP way," from reconnaissance to achieving root-level access. We’ll cover methodologies, tools, and techniques while staying true to the OSCP mantra: "Try Harder."
Phase 1: Reconnaissance and Enumeration
Reconnaissance is the foundation of any successful penetration test. The goal is to gather as much information as possible about the target web application to identify potential vulnerabilities.
Passive Reconnaissance
Start with passive techniques to avoid detection:
- WHOIS Lookup: Use tools like
whoisto identify domain ownership and registration details. - OSINT: Leverage sources like Shodan, Censys, or public records on X to find exposed services or misconfigurations.
- Google Dorking: Use advanced Google search operators (e.g.,
site:target.com inurl:login) to uncover hidden pages or sensitive files.
Active Enumeration
Once passive recon is complete, move to active enumeration:
- Port Scanning: Use
nmapto identify open ports and services. For example:nmap -sV -p- -T4 target.com - Directory Bruteforcing: Tools like
dirborgobustercan uncover hidden directories:gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt - Web Crawling: Use
Burp SuiteorOWASP ZAP to map the application’s structure.
Focus on identifying technologies (e.g., Apache, PHP, WordPress) and potential entry points like login pages, file uploads, or API endpoints.
With reconnaissance complete, the next step is to exploit vulnerabilities to gain initial access to the web application.
Suppose you identify an LFI vulnerability. You can leverage it to read sensitive files or, if combined with a file upload, achieve remote code execution (RCE). For example, upload a webshell ( Then, access it: This could yield a low-privilege shell, your foothold into the system.
Phase 2: Gaining a Foothold
Common Web Vulnerabilities
' OR 1=1 -- using tools like sqlmap:
sqlmap -u http://target.com/login --data="username=admin&password=pass" --dbs
to test for reflected or stored XSS.../../etc/passwd.Exploiting a Vulnerability
shell.php) and access it via LFI:
http://target.com/index.php?page=../../uploads/shell.php&cmd=id.
With a foothold, the goal is to deepen access, often by escalating privileges or pivoting to other services.
Run commands to gather system information:
Look for misconfigurations, such as world-writable files or outdated software.
If the web server has access to other internal services, use it to pivot. For example, scan internal networks with a simple PHP script:
This can reveal other hosts to target.
Common privilege escalation techniques include:
Phase 3: Post-Exploitation and Privilege Escalation
Enumerating the System
whoami
uname -a
cat /etc/passwd
netstat -tulnpLateral Movement
";
}
?>Privilege Escalation
uname -r) and search for known exploits using tools like searchsploit.sudo -l to check for commands executable as root./etc/shadow or cron jobs.
Root access is the ultimate goal in OSCP-style engagements. Let’s say you find a sudo misconfiguration allowing Alternatively, a kernel exploit like Dirty COW could be used if the system is vulnerable. Compile and run the exploit to gain root privileges.
Once root is achieved, maintain persistence (e.g., add a backdoor user) and document your steps for reporting.
Phase 4: Achieving Root
/usr/bin/vim to run as root:
sudo vim
:shell
whoami
# root
Best Practices for OSCP-Style Web App Exploitation
Burp Suite or sqlmap to speed up testing, but verify findings manually.
Exploiting web applications the OSCP way is a blend of technical skill, creativity, and persistence. From reconnaissance to achieving root, each phase builds on the previous, requiring thorough enumeration and exploitation. By mastering these techniques and maintaining a methodical approach, you’ll be well-prepared for the OSCP exam and real-world pentesting. Keep practicing, stay curious, and always “Try Harder!”
Conclusion
What tools are essential for OSCP web app testing? How do I practice web app exploitation safely? What’s the most common web vulnerability in OSCP labs? How long does it take to prepare for OSCP web app exploitation? Can I use automated scanners for OSCP? What should I focus on during web app testing? Do I need to know how to write my own exploits? How important is Burp Suite for OSCP? What is the best way to learn Burp Suite? Are web shells allowed in OSCP? Should I focus more on Linux or Windows web servers? How do I approach a web app with a login page? What’s the role of cookies in web app pentesting? What is directory brute forcing and why is it important? Do I need to learn JavaScript for web exploitation? How should I document my findings for OSCP? What are some good wordlists for web enumeration? Can file upload features be dangerous? What are some overlooked web vulnerabilities in OSCP? Is web exploitation enough to pass OSCP?
Frequently Asked Questions
Key tools include nmap, Burp Suite, sqlmap, dirb, gobuster, and sometimes Metasploit (used very sparingly in OSCP). Manual testing is strongly encouraged.
Use platforms like TryHackMe, Hack The Box, Web Security Academy (PortSwigger), and VulnHub. These environments are legal and built for hands-on learning.
SQL Injection and Local File Inclusion (LFI) are very common. Sometimes you’ll also encounter command injection or authentication bypass.
On average, 3 to 6 months of consistent hands-on practice is needed. It depends on your prior experience and how much time you can dedicate.
Not really. Tools like Nessus are not allowed. Stick to semi-automated tools like sqlmap and focus more on manual enumeration and logic-based attacks.
Directory enumeration, hidden files, login forms, input fields, and upload functionalities. Always test for misconfigurations, too.
For web apps, exploit writing isn't usually required. But understanding how payloads work (like in XSS or file uploads) is important.
It’s one of the most important tools. You’ll use it to intercept, modify, and replay HTTP requests to find and exploit vulnerabilities.
Start with the free Web Security Academy from PortSwigger. It teaches Burp along with real-world vulnerabilities.
Yes, you can use web shells, but you must understand how they're created and used manually, especially for privilege escalation.
You’ll encounter both. Start with Linux since it's slightly easier, then move to Windows-specific attack vectors like ASP vulnerabilities.
Try default credentials, SQL injection, and brute force (if allowed). Also check for forgotten password functionality and session management flaws.
Cookies often hold session information. Look for insecure cookies, JWTs, or IDs that can be manipulated or reused.
It’s the process of discovering hidden pages and directories using tools like gobuster or dirb. These often lead to vulnerable files.
Basic JavaScript helps in understanding XSS and bypasses. But for OSCP, deep JS knowledge isn’t a must.
Take screenshots, write clear notes, and copy all commands used. Tools like CherryTree or Obsidian can help you stay organized.
Use SecLists, specifically common.txt, medium.txt, or raft-large-directories.txt depending on the situation.
Yes. Improperly validated upload functions can lead to remote code execution if you can upload a shell script.
Unrestricted admin panels, weak .git directories, exposed configuration files, and backup archives (.bak, .zip, etc.).
It’s a big part, but you must also understand local and privilege escalation, buffer overflows, and Windows/Linux basics. Don’t focus only on web.
What's Your Reaction?
Like
0
Dislike
0
Love
0
Funny
0
Angry
0
Sad
0
Wow
0
![How to Install RHEL 10 on VMware/VirtualBox [Tutorial]](https://www.cybersecurityinstitute.in/blog/uploads/images/202509/image_430x256_68b56dc967a4a.jpg)
