Changes for page Engine_XalanJ

Last modified by Nicolas Gregoire on 2012/01/31 17:35

From version 76.1
edited by Nicolas Gregoire
on 2012/01/17 12:02
Change comment: There is no comment for this version
To version 70.1
edited by Nicolas Gregoire
on 2012/01/14 17:47
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -45,8 +45,6 @@
45 45  
46 46  = Java code execution =
47 47  
48 -== Basic Java calls ==
49 -
50 50  The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.
51 51  
52 52  |=Namespace|=Extension function|=PoC|=Sample output
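Review bot: the subheading `== Basic Java calls ==` is removed, but the paragraph that followed it still opens with "The attached code will display the current date", which relied on that heading for its framing; with the heading gone, the sentence should say up front what the java.util.Date call is for (a minimal check that extension-function calls reach Java at all) before the `|=Namespace|=Extension function|=PoC|=Sample output` table, so the flattened section still reads in order.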
... ... @@ -53,17 +53,6 @@
53 53  |http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date:
54 54  Wed Jan 11 22:45:07 CET 2012
55 55  
56 -== Executing arbitrary classes ==
57 -
58 --- It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( --
59 -
60 -{{warning}}
61 -TODO : javapayload => loading arbitrary byte code (aka classes) via reflection
62 -$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 - - JSh
63 -List supported payloads !
64 -Check supported versions of Xalan !
65 -{{/warning}}
66 -
67 67  = OS command execution =
68 68  
69 69  Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class.
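Review bot: the `-- ... --` strike-through around the "pure Java reverse-shell" sentence is dropped here, and the same sentence reappears unstruck as its own section in the last hunk; if the strike-through was the author's retraction of the "we can't create threads" claim, restoring it as a plain statement reverses that retraction, and the version comment ("There is no comment for this version") gives no hint which reading is current. The `{{warning}}` block's open items ("List supported payloads !", "Check supported versions of Xalan !") are also deleted rather than resolved; the version-coverage item in particular deserves a home elsewhere on the page, since the only evidence recorded is a single sample run (Wed Jan 11 22:45:07 CET 2012) with no Xalan-J version stated.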
... ... @@ -90,6 +90,10 @@
90 90  
91 91  It is of course possible to include commands for multiples OS in one file and to execute only the relevant ones.
92 92  
80 += A pure Java reverse-shell =
81 +
82 +It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-(
83 +
93 93  = File creation =
94 94  
95 95  The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
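Review bot: the new `= A pure Java reverse-shell =` heading is top-level, yet its whole body is one hedged sentence ("It is afaik not possible ... as we can't create threads :-("), and it lands between `= OS command execution =` and `= File creation =`, where every neighbouring section documents something that works. As a statement of a limitation it belongs as a note at the end of `= Java code execution =`, and it should record what was tried and on which Xalan-J version, since "afaik" leaves the reader nothing to verify; it should also make clear that the limitation concerns the pure-Java variant only, because the java.lang.Runtime section immediately above already covers command execution on the engine side.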