This playbook walks you through exploiting XSLT injection when you control the stylesheet input to a server-side transform. It starts with processor fingerprinting (Xalan, Saxon, libxslt, MSXML), then maps out the escalation paths: XXE via DTD entities, file reads through document(), EXSLT write primitives for arbitrary file creation, and platform-specific RCE surfaces in PHP (php:function with system calls), Java (Runtime.exec via extension namespaces), and .NET (msxsl:script blocks). The coverage is thorough and includes working payloads for each vector. Use this when you see parameters like stylesheet, transform, or template in XML processing endpoints. Most modern setups disable the nastiest features, so you'll often end up pivoting to document() SSRF or read-only XXE rather than full RCE, but the skill covers both scenarios.
npx skills add https://github.com/yaklang/hack-skills --skill xslt-injection
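
For the receiving side of the vectors listed above, the following added example (not part of the playbook or its repository) audits a stylesheet before it reaches the processor and reports which of those constructs it contains. The function name `audit_stylesheet`, the finding labels and the sample input are assumptions made for this illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL = "{http://www.w3.org/1999/XSL/Transform}"
# Namespaces that bind a stylesheet to host code. Labels are this example's own.
CODE_NS = {
    "http://php.net/xsl": "php-function-bridge",
    "urn:schemas-microsoft-com:xslt": "msxsl-extension",
    "http://xml.apache.org/xalan/java": "java-extension",
}
# Elements that pull in other resources, write files or embed script.
RISKY_ELEMENTS = {
    XSL + "include": "external-stylesheet",
    XSL + "import": "external-stylesheet",
    XSL + "result-document": "file-write",
    "{http://exslt.org/common}document": "file-write",
    "{urn:schemas-microsoft-com:xslt}script": "script-block",
}
# Functions behind file reads, SSRF and processor fingerprinting.
RISKY_CALLS = re.compile(r"\b(document|unparsed-text|system-property)\s*\(")
# Constructed sample input: loads a second document by name.
SAMPLE = (b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
          b'<xsl:template match="/"><xsl:copy-of select="document(\'placeholder.xml\')"/>'
          b'</xsl:template></xsl:stylesheet>')


def audit_stylesheet(data: bytes) -> list:
    """Return sorted finding labels for one untrusted stylesheet."""
    # Refuse DTDs before parsing so no entity is ever expanded.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["dtd-declaration"]
    findings = set()
    try:
        for event, item in ET.iterparse(io.BytesIO(data), events=("start-ns", "start")):
            if event == "start-ns":  # item is (prefix, namespace URI)
                if item[1].startswith("java:"):
                    findings.add("java-extension")
                elif item[1] in CODE_NS:
                    findings.add(CODE_NS[item[1]])
                continue
            if item.tag in RISKY_ELEMENTS:
                findings.add(RISKY_ELEMENTS[item.tag])
            for value in item.attrib.values():
                findings.update("call:" + m.group(1) for m in RISKY_CALLS.finditer(value))
    except ET.ParseError:
        findings.add("not-well-formed")
    return sorted(findings)
```

This is a pre-filter for review and logging. It does not replace disabling extension functions, DTD loading and external resource resolution in the processor itself.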