ssti-jinja2
OfficialExploit Jinja2/Python SSTI vulnerabilities.
Authorblacklanternsecurity
Version1.0.0
Installs0
System Documentation
What problem does it solve?
This Skill helps penetration testers identify and exploit Server-Side Template Injection (SSTI) vulnerabilities in Python applications using Jinja2, Mako, Tornado, or Django templates.
Core Features & Use Cases
- Engine Identification: Differentiates between Jinja2, Mako, Tornado, and Django template engines.
- Information Extraction: Extracts configuration details, context variables, and file contents.
- Remote Code Execution (RCE): Achieves RCE through various payload techniques, including context-free and MRO chains.
- Filter Bypass: Provides methods to bypass common input filters like underscore, dot, and bracket restrictions.
- Blind SSTI: Handles scenarios where direct output is not visible using error-based, boolean-based, time-based, and OOB techniques.
- Use Case: A penetration tester encounters a web application that appears vulnerable to SSTI. They use this Skill to confirm the template engine, extract sensitive configuration data like the SECRET_KEY, and ultimately achieve remote code execution on the server.
Quick Start
Use the ssti-jinja2 skill to attempt remote code execution by exploiting a Jinja2 SSTI vulnerability on the target URL.
Dependency Matrix
Required Modules
None requiredComponents
scriptsreferences
💻 Claude Code Installation
Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.
Please help me install this Skill: Name: ssti-jinja2 Download link: https://github.com/blacklanternsecurity/red-run/archive/main.zip#ssti-jinja2 Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
Agent Skills Search Helper
Install a tiny helper to your Agent, search and equip skill from 223,000+ vetted skills library on demand.