ssti-freemarker
OfficialExploit Java Server-Side Template Injection.
Authorblacklanternsecurity
Version1.0.0
Installs0
System Documentation
What problem does it solve?
This Skill helps penetration testers identify and exploit Server-Side Template Injection (SSTI) vulnerabilities in Java applications, specifically targeting engines like Freemarker, Velocity, and SpEL, to achieve code execution or file access.
Core Features & Use Cases
- Engine Identification: Differentiates between various Java template engines (Freemarker, Velocity, Thymeleaf, Pebble, SpEL, Groovy) using error messages and syntax variations.
- Remote Code Execution (RCE): Provides payloads for achieving RCE through direct class execution, file reading, and sandbox bypass techniques.
- Use Case: When a web application displays user-generated content within a Freemarker template, this Skill can be used to inject malicious code that executes on the server, potentially leading to a full compromise.
Quick Start
Use the ssti-freemarker skill to attempt to execute the 'id' command on the target server.
Dependency Matrix
Required Modules
None requiredComponents
references
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: ssti-freemarker Download link: https://github.com/blacklanternsecurity/red-run/archive/main.zip#ssti-freemarker Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 223,000+ vetted skills library on demand.