Skip to Content

Changes for page Engine_XalanJ

Last modified by Nicolas Gregoire on 2012/01/31 17:35
From version Icon 79.1 Icon
edited by Nicolas Gregoire
on 2012/01/31 18:34
Change comment: There is no comment for this version
To version Icon 68.1 Icon
edited by Nicolas Gregoire
on 2012/01/12 23:12
Change comment: There is no comment for this version

Summary

Details

Icon Page properties
Content
... ... @@ -1,26 +5,23 @@
1 -{{toc/}}
2 -
3 -= Introduction =
4 -
5 5  [[Xalan-J>>http://xml.apache.org/xalan-j/||rel="__blank" title="Xalan-J Home Page"]] is a Java based XSLT engine by the Apache Project.
6 6  
7 -= Supported version =
8 8  
4 +== Supported version ==
5 +
9 9  1.0
10 10  
11 -= Command line =
8 +== Command line ==
12 12  
13 13  $> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl
14 14  
15 15  __Note__ : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH
16 16  
17 -= Identification strings =
14 +== Identification strings ==
18 18  
19 19  |=xsl:vendor-url|http:~/~/xml.apache.org/xalan-j
20 20  |=xsl:vendor|Apache Software Foundation
21 21  |=xsl:version|1.0
22 22  
23 -= Special features =
20 +== Special features ==
24 24  
25 25  * Java properties disclosure
26 26  * Java environment disclosure
... ... @@ -29,7 +29,7 @@
29 29  * File creation
30 30  * JDBC connectivity
31 31  
32 -= Java properties disclosure =
29 +== Java properties disclosure ==
33 33  
34 34  The xsl:system-property() standard function can be called with non standard arguments, mapped to Java properties. In this example, the name of the Java properties is stored in a separate XML file ([[properties.xml>>attach:properties.xml]]). The XSLT code will, for each property, display its name and its value.
35 35  
... ... @@ -36,7 +36,7 @@
36 36  |=Namespace|=Function|=PoC|=Sample output
37 37  |http:~/~/www.w3.org/1999/XSL/Transform|system-property()|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]]
38 38  
39 -= Java environment disclosure =
36 +== Java environment disclosure ==
40 40  
41 41  The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]) will display some information about the execution context (including available packages, paths, versions, ...).
42 42  
... ... @@ -43,10 +43,8 @@
43 43  |=Namespace|=Extension function|=PoC|=Sample output
44 44  |http:~/~/xml.apache.org/xalan|checkEnvironment()|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]]
45 45  
46 -= Java code execution =
43 +== Java code execution ==
47 47  
48 -== Basic Java calls ==
49 -
50 50  The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.
51 51  
52 52  |=Namespace|=Extension function|=PoC|=Sample output
... ... @@ -53,22 +53,11 @@
53 53  |http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date:
54 54  Wed Jan 11 22:45:07 CET 2012
55 55  
56 -== Executing arbitrary classes ==
51 +== OS command execution ==
57 57  
58 --- It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-( --
59 -
60 -{{warning}}
61 -TODO : javapayload => loading arbitrary byte code (aka classes) via reflection
62 -$> java javapayload.builder.Builder Template XalanJ.xsl bind-jsh-4444.xsl BindTCP 127.0.0.1 4444 - - JSh
63 -List supported payloads !
64 -Check supported versions of Xalan !
65 -{{/warning}}
66 -
67 -= OS command execution =
68 -
69 69  Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class.
70 70  
71 -== Command without output ==
55 +=== Command without output ===
72 72  
73 73  The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-)
74 74  
... ... @@ -77,7 +77,7 @@
77 77  
78 78  __Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].
79 79  
80 -== Reading stdout ==
64 +=== Reading stdout ===
81 81  
82 82  As the output have an unknown number of lines, we must use a __loop__ construct like "while" ... which is not available in XSLT. This limitation is due to the functional programming paradigm but can be circumvented using templates and recursion. This way, we can also __update__ some variables, but the syntax is awful and error prone.
83 83  
... ... @@ -90,18 +90,22 @@
90 90  
91 91  It is of course possible to include commands for multiples OS in one file and to execute only the relevant ones.
92 92  
93 -= File creation =
77 +=== A pure Java reverse-shell ===
94 94  
79 +It is afaik not possible to get a pure Java reverse-shell, as we can't create threads :-(
80 +
81 +== File creation ==
82 +
95 95  The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.
96 96  
97 97  |=Namespace|=Extension element|=Parameter|=PoC
98 98  |http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]
99 99  
100 -= JDBC connectivity =
88 +== JDBC connectivity ==
101 101  
102 102  It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.
103 103  
104 -== Simple connection ==
92 +=== Simple connection ===
105 105  
106 106  The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result.
107 107  
... ... @@ -108,7 +108,7 @@
108 108  |=Namespace|=Extension function|=PoC
109 109  |org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]
110 110  
111 -== Credentials brute-forcing ==
99 +=== Credentials brute-forcing ===
112 112  
113 113  The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).
114 114  
... ... @@ -120,12 +120,3 @@
120 120  Username : [root] / Password : [uberpasswd] :
121 121  Username : [root] / Password : [cnam] : OK !!
122 122  Username : [pma] / Password : [pma] : ##
123 -
124 -= Anti XEE =
125 -
126 -DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
127 -builderFactory.setExpandEntityReferences(false); <<<<==[Here]==<<<<
128 -DocumentBuilder builder = builderFactory.newDocumentBuilder();
129 -DOMSource xmlSource = new DOMSource(builder.parse(new ByteArrayInputStream(myXmlString.getBytes(~)~)~));
130 -
131 -By default (cf. Xalan-j [[documentation>>http://xml.apache.org/xalan-j/apidocs/javax/xml/parsers/DocumentBuilderFactory.html#setExpandEntityReferences(boolean)]]), this value is set to True.