Engine_XalanJ - XSLT Hacking Encyclopedia

= Introduction =

[[Xalan-J>>http://xml.apache.org/xalan-j/||rel="__blank" title="Xalan-J Home Page"]] is a Java based XSLT engine by the Apache Project.

6

7

= Supported version =

1.0

= Command line =

$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl

14

15

__Note__ : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH

16

17

= Identification strings =

18

19

|=xsl:vendor-url|http:~/~/xml.apache.org/xalan-j

20

|=xsl:vendor|Apache Software Foundation

|=xsl:version|1.0

= Special features =

* Java properties disclosure

26

* Java environment disclosure

27

* Java code execution

28

* OS command execution

* File creation

* JDBC connectivity

= Java properties disclosure =

33

34

The xsl:system-property() standard function can be called with non standard arguments, mapped to Java properties. In this example, the name of the Java properties is stored in a separate XML file ([[properties.xml>>attach:properties.xml]]). The XSLT code will, for each property, display its name and its value.

35

36

|=Namespace|=Function|=PoC|=Sample output

37

|http:~/~/www.w3.org/1999/XSL/Transform|system-property()|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]]

38

39

= Java environment disclosure =

40

41

The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]) will display some information about the execution context (including available packages, paths, versions, ...).

42

43

|=Namespace|=Extension function|=PoC|=Sample output

44

|http:~/~/xml.apache.org/xalan|checkEnvironment()|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]]

45

46

= Java code execution =

47

48

== Basic Java calls ==

49

50

The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.

51

52

|=Namespace|=Extension function|=PoC|=Sample output

53

|http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date:

54

Wed Jan 11 22:45:07 CET 2012

55

56

== Executing arbitrary classes ==

57

58

-- It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( --

59

60

61

TODO : javapayload => loading arbitrary byte code (aka classes) via reflection

62

$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 - - JSh

63

List supported payloads !

64

Check supported versions of Xalan !

65

66

67

= OS command execution =

68

69

Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class.

70

71

== Command without output ==

72

73

The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-)

74

75

|=Namespace|=Extension functions|=PoC

76

|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]

77

78

__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].

== Reading stdout ==

As the output have an unknown number of lines, we must use a __loop__ construct like "while" ... which is not available in XSLT. This limitation is due to the functional programming paradigm but can be circumvented using templates and recursion. This way, we can also __update__ some variables, but the syntax is awful and error prone.

83

84

It's far more efficient to 1) write loops using non-standard elements like <loop:while> and <loop:update> 2) convert them in stylesheets using only templates and recursion. This conversion can be done with a tool like the [[XSLT Loop Compiler>>http://www2.informatik.hu-berlin.de/~~obecker/XSLT/loop-compiler/||rel="__blank"]] (which is itself in XSLT).

85

86

The following PoC will fetch some commands from a XML file, execute them (with bash or cmd.exe depending on the detected OS), read the standard output and display it. The file with a "lxsl" extension uses the non-standard <loop:*> elements and is far more readable than the "xsl" one.

87

88

|=Using non standards elements|=Using recursion and templates|=Commands to execute|=Output

89

|[[xalanj-reading-stdout.lxsl>>attach:xalanj-reading-stdout.lxsl]]|[[xalanj-reading-stdout.xsl>>attach:xalanj-reading-stdout.xsl]]|[[unix_commands.xml>>attach:unix_commands.xml]]|[[xalanj-reading-stdout.txt>>attach:xalanj-reading-stdout.txt]]

90

91

It is of course possible to include commands for multiples OS in one file and to execute only the relevant ones.

= File creation =

The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.

96

97

|=Namespace|=Extension element|=Parameter|=PoC

98

|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]

99

100

= JDBC connectivity =

101

102

It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.

103

104

== Simple connection ==

105

106

The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result.

107

108

|=Namespace|=Extension function|=PoC

109

|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]

110

111

== Credentials brute-forcing ==

112

113

The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).

114

115

116

Here's the output when launched from the CLI :

117

118

##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null

119

Username : [root] / Password : [] :

120

Username : [root] / Password : [uberpasswd] :

121

Username : [root] / Password : [cnam] : OK !!

122

Username : [pma] / Password : [pma] : ##

= Anti XEE =

DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();

127

builderFactory.setExpandEntityReferences(false); <<<<==[Here]==<<<<

128

DocumentBuilder builder = builderFactory.newDocumentBuilder();

129

DOMSource xmlSource = new DOMSource(builder.parse(new ByteArrayInputStream(myXmlString.getBytes(~)~)~));

130

131

132

By default (cf. Xalan-j [[documentation>>http://xml.apache.org/xalan-j/apidocs/javax/xml/parsers/DocumentBuilderFactory.html#setExpandEntityReferences(boolean)]]), this value is set to True.

Wiki source code of Engine_XalanJ

Welcome

Recently Modified

author	version	line-number	content
		1	{{toc/}}
		2
		3	= Introduction =
		4
		5	[[Xalan-J>>http://xml.apache.org/xalan-j/\|\|rel="__blank" title="Xalan-J Home Page"]] is a Java based XSLT engine by the Apache Project.
		6
		7	= Supported version =
		8
		9	1.0
		10
		11	= Command line =
		12
		13	$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl
		14
		15	__Note__ : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH
		16
		17	= Identification strings =
		18
		19	\|=xsl:vendor-url\|http:~/~/xml.apache.org/xalan-j
		20	\|=xsl:vendor\|Apache Software Foundation
		21	\|=xsl:version\|1.0
		22
		23	= Special features =
		24
		25	* Java properties disclosure
		26	* Java environment disclosure
		27	* Java code execution
		28	* OS command execution
		29	* File creation
		30	* JDBC connectivity
		31
		32	= Java properties disclosure =
		33
		34	The xsl:system-property() standard function can be called with non standard arguments, mapped to Java properties. In this example, the name of the Java properties is stored in a separate XML file ([[properties.xml>>attach:properties.xml]]). The XSLT code will, for each property, display its name and its value.
		35
		36	\|=Namespace\|=Function\|=PoC\|=Sample output
		37	\|http:~/~/www.w3.org/1999/XSL/Transform\|system-property()\|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]\|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]]
		38
		39	= Java environment disclosure =
		40
		41	The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064\|\|rel="__blank"]]) will display some information about the execution context (including available packages, paths, versions, ...).
		42
		43	\|=Namespace\|=Extension function\|=PoC\|=Sample output
		44	\|http:~/~/xml.apache.org/xalan\|checkEnvironment()\|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]\|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]]
		45
		46	= Java code execution =
		47
		48	== Basic Java calls ==
		49
		50	The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.
		51
		52	\|=Namespace\|=Extension function\|=PoC\|=Sample output
		53	\|http:~/~/xml.apache.org/xalan/java/java.util.Date\|new()\|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]\|Current date:
		54	Wed Jan 11 22:45:07 CET 2012
		55
		56	== Executing arbitrary classes ==
		57
		58	-- It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( --
		59
		60	{{warning}}
		61	TODO : javapayload => loading arbitrary byte code (aka classes) via reflection
		62	$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 - - JSh
		63	List supported payloads !
		64	Check supported versions of Xalan !
		65	{{/warning}}
		66
		67	= OS command execution =
		68
		69	Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class.
		70
		71	== Command without output ==
		72
		73	The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-)
		74
		75	\|=Namespace\|=Extension functions\|=PoC
		76	\|http:~/~/xml.apache.org/xalan/java\|split(), getRuntime(), exec() and toString()\|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]
		77
		78	__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])\|\|rel="__blank"]].
		79
		80	== Reading stdout ==
		81
		82	As the output have an unknown number of lines, we must use a __loop__ construct like "while" ... which is not available in XSLT. This limitation is due to the functional programming paradigm but can be circumvented using templates and recursion. This way, we can also __update__ some variables, but the syntax is awful and error prone.
		83
		84	It's far more efficient to 1) write loops using non-standard elements like <loop:while> and <loop:update> 2) convert them in stylesheets using only templates and recursion. This conversion can be done with a tool like the [[XSLT Loop Compiler>>http://www2.informatik.hu-berlin.de/~~obecker/XSLT/loop-compiler/\|\|rel="__blank"]] (which is itself in XSLT).
		85
		86	The following PoC will fetch some commands from a XML file, execute them (with bash or cmd.exe depending on the detected OS), read the standard output and display it. The file with a "lxsl" extension uses the non-standard <loop:*> elements and is far more readable than the "xsl" one.
		87
		88	\|=Using non standards elements\|=Using recursion and templates\|=Commands to execute\|=Output
		89	\|[[xalanj-reading-stdout.lxsl>>attach:xalanj-reading-stdout.lxsl]]\|[[xalanj-reading-stdout.xsl>>attach:xalanj-reading-stdout.xsl]]\|[[unix_commands.xml>>attach:unix_commands.xml]]\|[[xalanj-reading-stdout.txt>>attach:xalanj-reading-stdout.txt]]
		90
		91	It is of course possible to include commands for multiples OS in one file and to execute only the relevant ones.
		92
		93	= File creation =
		94
		95	The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
		96
		97	\|=Namespace\|=Extension element\|=Parameter\|=PoC
		98	\|http:~/~/xml.apache.org/xalan/redirect\|write\|file\|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]
		99
		100	= JDBC connectivity =
		101
		102	It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.
		103
		104	== Simple connection ==
		105
		106	The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result.
		107
		108	\|=Namespace\|=Extension function\|=PoC
		109	\|org.apache.xalan.lib.sql.XConnection\|new(), query() and close()\|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]
		110
		111	== Credentials brute-forcing ==
		112
		113	The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).
		114
		115
		116	Here's the output when launched from the CLI :
		117
		118	##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null
		119	Username : [root] / Password : [] :
		120	Username : [root] / Password : [uberpasswd] :
		121	Username : [root] / Password : [cnam] : OK !!
		122	Username : [pma] / Password : [pma] : ##
		123
		124	= Anti XEE =
		125
		126	DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
		127	builderFactory.setExpandEntityReferences(false); <<<<==[Here]==<<<<
		128	DocumentBuilder builder = builderFactory.newDocumentBuilder();
		129	DOMSource xmlSource = new DOMSource(builder.parse(new ByteArrayInputStream(myXmlString.getBytes(~)~)~));
		130
		131
		132	By default (cf. Xalan-j [[documentation>>http://xml.apache.org/xalan-j/apidocs/javax/xml/parsers/DocumentBuilderFactory.html#setExpandEntityReferences(boolean)]]), this value is set to True.

Wiki source code of Engine_XalanJ

Welcome

Recently Modified

Tag Cloud