geoserver-exploit

Audit result: Fail

Audited by Gen Agent Trust Hub on Apr 22, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides step-by-step instructions and working Python code to exploit Remote Code Execution vulnerabilities in GeoServer, specifically CVE-2024-36401 (XPath RCE) and CVE-2022-24816 (Jiffle script injection). Either exploit lets an attacker run arbitrary Java code and operating-system commands on the target GeoServer instance.
  • [COMMAND_EXECUTION]: The skill bundles a complete Python reverse-shell handler (geoserver_cve_2024_36401_rshell.py) that opens a network listener via socket.bind and runs an interactive command loop (interactive_shell) to control compromised hosts remotely. It also instructs the agent to run the exploitation scripts locally through os.system or the subprocess module.
  • [DATA_EXFILTRATION]: The skill documents and automates exploitation of an XML External Entity (XXE) vulnerability (CVE-2025-58360), a SQL injection (CVE-2023-25157), and a Server-Side Request Forgery (CVE-2021-40822) to pull sensitive data out of the target. Evidence includes payloads that read /etc/passwd, extract the PostgreSQL server version from error messages, and probe internal network addresses and cloud metadata services (AWS, GCP, Azure).
  • [CREDENTIALS_UNSAFE]: The skill explicitly targets GeoServer's security configuration, naming the user credential store (/opt/geoserver_data/security/usergroup/default/users.xml) as a file to exfiltrate. It also tells the agent to try the default administrative credentials (admin/geoserver) for initial reconnaissance and access.
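As an added triage aid, not part of this audit and not code from the audited skill: a small Python classifier that tags request records with the indicator classes the findings above describe (default admin/geoserver Basic-auth header, /etc/passwd and external-entity reads, cloud metadata probes, references to the users.xml credential store, Jiffle and XPath-RCE markers). The request records are constructed samples; the `classify` and `scan` functions, the metadata endpoints (169.254.169.254 for AWS/Azure IMDS, metadata.google.internal for GCP) and the `java.lang.Runtime`/`jiffle` markers are the editor's assumptions drawn from public advisories, not payloads reproduced from the skill, so treat them as a starting point for a WAF or proxy rule, not as a complete signature set.

```python
import base64
import re
from urllib.parse import unquote_plus

# Indicator patterns. The credential-store path, /etc/passwd reads and the
# default admin account come from the audit findings; the metadata endpoints
# are the well-known AWS/Azure and GCP IMDS addresses; XPATH_RCE and
# JIFFLE_SCRIPT are ASSUMPTIONS based on public advisory descriptions of
# CVE-2024-36401 and CVE-2022-24816 and will produce false positives on
# legitimate traffic that happens to mention those words.
INDICATORS = {
    "XXE_FILE_READ": re.compile(r"<!ENTITY[^>]*SYSTEM|/etc/passwd|file://", re.I),
    "SSRF_METADATA": re.compile(r"169\.254\.169\.254|metadata\.google\.internal", re.I),
    "CREDENTIAL_STORE": re.compile(r"security/usergroup/default/users\.xml", re.I),
    "XPATH_RCE": re.compile(r"java\.lang\.Runtime|getRuntime\(\)", re.I),  # assumption
    "JIFFLE_SCRIPT": re.compile(r"\bjiffle\b", re.I),                      # assumption, coarse
}

# Basic-auth token for the default GeoServer admin account named in the audit.
DEFAULT_BASIC = base64.b64encode(b"admin:geoserver").decode()


def classify(req):
    """Return the sorted list of indicator tags that match one request record.

    A record is a dict with optional keys: path, query, body, headers.
    Header lookup is case-sensitive here; normalise header names upstream
    if your proxy does not already do so.
    """
    tags = set()
    auth = req.get("headers", {}).get("Authorization", "")
    if auth.strip() == f"Basic {DEFAULT_BASIC}":
        tags.add("DEFAULT_CREDS")
    # Percent-decode path and query so URL-encoded payloads are inspected too;
    # the body is taken as-is (XML payloads arrive unencoded).
    haystack = "\n".join([
        unquote_plus(req.get("path", "")),
        unquote_plus(req.get("query", "")),
        req.get("body", ""),
    ])
    for tag, pattern in INDICATORS.items():
        if pattern.search(haystack):
            tags.add(tag)
    return sorted(tags)


def scan(requests):
    """Return [(index, tags)] for every request that matched at least one indicator."""
    hits = []
    for i, req in enumerate(requests):
        tags = classify(req)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed sample requests (not captured traffic) exercising each class.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/geoserver/web/", "query": "", "body": "",
     "headers": {"Authorization": "Basic " + DEFAULT_BASIC}},
    {"method": "POST", "path": "/geoserver/wfs", "query": "",
     "body": '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><a>&xxe;</a>',
     "headers": {}},
    {"method": "GET", "path": "/geoserver/wms",
     "query": "SERVICE=WMS&REQUEST=GetMap&sld=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F",
     "body": "", "headers": {}},
    {"method": "GET", "path": "/geoserver/wms",
     "query": "SERVICE=WMS&REQUEST=GetCapabilities", "body": "", "headers": {}},
]

if __name__ == "__main__":
    for index, tags in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {', '.join(tags)}")
```

The benign GetCapabilities request in the sample set is there deliberately: a rule set like this is only useful if it stays quiet on ordinary OGC traffic, so keep a handful of known-good requests beside the indicators when tuning it.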
Recommendations
  • The automated analysis detected serious security threats in this skill.
Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 22, 2026, 10:08 AM