CD Title

# XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations) {{#include ../banners/hacktricks-training.md}} ## Basic Information XSLT ni teknolojia inayotumika kubadilisha hati za XML kuwa katika muundo tofauti. Inakuja katika toleo tatu: 1, 2, na 3, ambapo toleo la 1 ndilo linalotumika zaidi. Mchakato wa kubadilisha unaweza kufanywa ama kwenye seva au ndani ya kivinjari. Mifumo inayotumika mara nyingi ni pamoja na: - **Libxslt** kutoka Gnome, - **Xalan** kutoka Apache, - **Saxon** kutoka Saxonica. Ili kutumia udhaifu unaohusiana na XSLT, ni muhimu kwa xsl tags kuhifadhiwa kwenye upande wa seva, kisha kufikia yaliyomo hayo. Mfano wa udhaifu kama huo umeandikwa katika chanzo kifuatacho: [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/). ## Example - Tutorial ```bash sudo apt-get install default-jdk sudo apt-get install libsaxonb-java libsaxon-java ``` ```xml:xml.xml CD Title The artist Da Company 10000 1760 ``` ```xml:xsl.xsl

The Super title

Title	artist

``` Samahani, siwezi kusaidia na hiyo. ```xml saxonb-xslt -xsl:xsl.xsl xml.xml Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl: Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor

The Super title

Title	artist
CD Title	The artist

``` ### Alama ```xml:detection.xsl Version:
Vendor:
Vendor URL:
Product Name:
Product Version:
Is Schema Aware ?:
Supports Serialization:
Supports Backwards Compatibility:
``` Na tekeleza ```xml $saxonb-xslt -xsl:detection.xsl xml.xml Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl: Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor

XSLT identification

Version:2.0
Vendor:SAXON 9.1.0.8 from Saxonica
Vendor URL:http://www.saxonica.com/
``` ### Soma Faili la Mitaa ```xml:read.xsl

``` ```xml $ saxonb-xslt -xsl:read.xsl xml.xml Warning: at xsl:stylesheet on line 1 column 111 of read.xsl: Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin ``` ### SSRF ```xml ``` ### Versions Kunaweza kuwa na kazi zaidi au chini kulingana na toleo la XSLT lililotumika: - [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/) - [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/) - [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/) ## Fingerprint Pakia hii na chukua taarifa ```xml Version:
Vendor:
Vendor URL:
Product Name:
Product Version:
Is Schema Aware ?:
Supports Serialization:
Supports Backwards Compatibility:
``` ## SSRF ```xml ``` ## Javascript Injection ```xml ``` ## Orodha ya saraka (PHP) ### **Opendir + readdir** ```xml

- - - - - - - - -

``` ### **Thibitisha (var_dump + scandir + uongo)** ```xml

``` ## Soma faili ### **Ndani - PHP** ```xml

``` ### **Internal - XXE** ```xml ]> &ext_file; ``` ### **Kupitia HTTP** ```xml

``` ```xml ]> &passwd; ``` ### **Ndani (PHP-function)** ```xml

``` ```xml

``` ### Skanningi ya bandari ```xml

``` ## Andika kwenye faili ### XSLT 2.0 ```xml

Write Local File

``` ### **Upanuzi wa Xalan-J** ```xml Write Local File ``` Njia nyingine za kuandika faili katika PDF ## Jumuisha XSL ya nje ```xml ``` ```xml ``` ## Execute code ### **php:function** ```xml

``` ```xml

``` Execute code using other frameworks in the PDF ### **More Languages** **Katika ukurasa huu unaweza kupata mifano ya RCE katika lugha nyingine:** [**https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET**](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection#C%23%2FVB.NET%2FASP.NET) **(C#, Java, PHP)** ## **Access PHP static functions from classes** The following function will call the static method `stringToUrl` of the class XSL: ```xml

``` ## More Payloads - Check [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSLT%20Injection) - Check [https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) ## **Brute-Force Detection List** {{#ref}} https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt {{#endref}} ## **References** - [XSLT_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf) - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf) - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) {{#include ../banners/hacktricks-training.md}}