Changes for page Engine_XalanJ

Summary

• Page properties (1 modified, 0 added, 0 removed)
• Attachments (0 modified, 1 added, 0 removed)
  • xalanj-write.xsl

Details

Page properties

Content

...	...	@@ -52,11 +52,23 @@
52	52
53	53	Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class. The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-)
54	54
	55	+|=Namespace|=Extension functions|=PoC
	56	+|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]
55	55
56		-__Note__ : as arrays are not a native type in XSLT, we create one via split() before passing it as an argument to exec(String[] cmdarray).
	58	+__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].
57	57
	60	+== File creation ==
58	58
	62	+The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
59	59
60		-xx
	64	+|=Namespace|=Extension element|=Parameter|=PoC
	65	+|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]
61	61
62		-yy
	67	+== JDBC connectivity ==
	68	+
	69	+It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.
	70	+
	71	+|=Namespace|=Extension function|=PoC
	72	+|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]
	73	+
	74	+The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result. The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] one will read some tuples (JDBC driver, database URL, username, passsword) in a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).

xalanj-write.xsl

Author

...	...	@@ -1,0 +1,1 @@
	1	+xwiki:XWiki.NicolasGregoire

Size

...	...	@@ -1,0 +1,1 @@
	1	+373 bytes

Content

...	...	@@ -1,0 +1,13 @@
	1	+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	2	+ xmlns:redir="http://xml.apache.org/xalan/redirect"
	3	+ extension-element-prefixes="redir"
	4	+ version='1.0'>
	5	+
	6	+ <xsl:template match="/">
	7	+ <redir:write file="/tmp/created_by_xalanj_write" method="text">
	8	+ <xsl:text>Just a PoC</xsl:text>
	9	+ </redir:write>
	10	+ </xsl:template>
	11	+
	12	+</xsl:stylesheet>
	13	+