ssti-twig

Official

Exploit Twig/PHP template injection.

Author: blacklanternsecurity
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

This Skill helps penetration testers identify and exploit Server-Side Template Injection (SSTI) vulnerabilities in PHP applications utilizing Twig or similar templating engines, aiming to achieve code execution.

Core Features & Use Cases

  • Engine Identification: Differentiates between Twig, Smarty, Blade, and Latte engines.
  • Vulnerability Assessment: Provides payloads to confirm template expression evaluation and identify engine versions.
  • Remote Code Execution (RCE): Offers various RCE payloads tailored to different Twig versions and bypass techniques.
  • Use Case: When a web application renders the input {{7*7}} as 49, this Skill can be used to confirm that the engine is Twig and then attempt to execute commands like id on the server.

Quick Start

Use the ssti-twig skill to attempt to execute the 'id' command on the target.

Dependency Matrix

Required Modules

None required

Components

scripts, references

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: ssti-twig
Download link: https://github.com/blacklanternsecurity/red-run/archive/main.zip#ssti-twig

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.