CD Title

# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations) {% hint style="success" %} Learn & practice AWS Hacking:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

{% endhint %} ## Basic Information XSLT는 XML 문서를 다양한 형식으로 변환하는 데 사용되는 기술입니다. 버전 1, 2, 3이 있으며, 버전 1이 가장 일반적으로 사용됩니다. 변환 과정은 서버 또는 브라우저 내에서 실행될 수 있습니다. 가장 자주 사용되는 프레임워크는 다음과 같습니다: - **Gnome의 Libxslt**, - **Apache의 Xalan**, - **Saxonica의 Saxon**. XSLT와 관련된 취약점을 악용하기 위해서는 xsl 태그가 서버 측에 저장되어야 하며, 그 콘텐츠에 접근해야 합니다. 이러한 취약점의 예시는 다음 출처에 문서화되어 있습니다: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/). ## Example - Tutorial ```bash sudo apt-get install default-jdk sudo apt-get install libsaxonb-java libsaxon-java ``` {% code title="xml.xml" %} ```xml CD Title The artist Da Company 10000 1760 ``` {% endcode %} {% code title="xsl.xsl" %} ```xml

The Super title

Title	artist

``` {% endcode %} 실행: ```xml saxonb-xslt -xsl:xsl.xsl xml.xml Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl: Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor

The Super title

Title	artist
CD Title	The artist

``` ### 지문 {% code title="detection.xsl" %} ```xml Version:
Vendor:
Vendor URL:
Product Name:
Product Version:
Is Schema Aware ?:
Supports Serialization:
Supports Backwards Compatibility:
``` {% endcode %} 그리고 실행하십시오 ```xml $saxonb-xslt -xsl:detection.xsl xml.xml Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl: Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor

XSLT identification

Version:2.0
Vendor:SAXON 9.1.0.8 from Saxonica
Vendor URL:http://www.saxonica.com/
``` ### 로컬 파일 읽기 {% code title="read.xsl" %} ```xml

``` {% endcode %} ```xml $ saxonb-xslt -xsl:read.xsl xml.xml Warning: at xsl:stylesheet on line 1 column 111 of read.xsl: Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin ``` ### SSRF ```xml ``` ### Versions 사용된 XSLT 버전에 따라 더 많거나 적은 기능이 있을 수 있습니다: * [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/) * [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/) * [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/) ## Fingerprint 이 파일을 업로드하고 정보를 가져옵니다. ```xml Version:
Vendor:
Vendor URL:
Product Name:
Product Version:
Is Schema Aware ?:
Supports Serialization:
Supports Backwards Compatibility:
``` ## SSRF ```xml ``` ## 자바스크립트 주입 ```xml ``` ## 디렉토리 목록 (PHP) ### **Opendir + readdir** ```xml

- - - - - - - - -

``` ### **Assert (var\_dump + scandir + false)** ```xml

``` ## 파일 읽기 ### **내부 - PHP** ```xml

``` ### **내부 - XXE** ```xml ]> &ext_file; ``` ### **HTTP를 통한** ```xml

``` ```xml ]> &passwd; ``` ### **내부 (PHP-함수)** ```xml

``` ```xml

``` ### 포트 스캔 ```xml

``` ## 파일에 쓰기 ### XSLT 2.0 ```xml

Write Local File

``` ### **Xalan-J 확장** ```xml Write Local File ``` 다른 방법으로 PDF에 파일 쓰기 ## 외부 XSL 포함 ```xml ``` ```xml ``` ## 코드 실행 ### **php:function** ```xml

``` ```xml

``` Execute code using other frameworks in the PDF ### **더 많은 언어들** **이 페이지에서는 다른 언어에서의 RCE 예제를 찾을 수 있습니다:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)** ## **클래스에서 PHP 정적 함수에 접근하기** 다음 함수는 클래스 XSL의 정적 메서드 `stringToUrl`을 호출합니다: ```xml

``` (Example from [http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls](http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls)) ## More Payloads * Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection) * Check [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) ## **Brute-Force Detection List** {% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %} ## **References** * [XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT\_SSRF.pdf)\\ * [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)\\ * [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) {% hint style="success" %} Learn & practice AWS Hacking:

[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)

\ Learn & practice GCP Hacking:

[**HackTricks Training GCP Red Team Expert (GRTE)**

](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

{% endhint %}