Wiki source code of Engine_XalanJ

Version 61.1 by Nicolas Gregoire on 2012/01/12 22:11

[[Xalan-J>>http://xml.apache.org/xalan-j/||rel="__blank" title="Xalan-J Home Page"]] is a Java-based XSLT engine from the Apache Project.


== Supported version ==

1.0

== Command line ==

$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl

__Note__: xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH

== Identification strings ==

|=xsl:vendor-url|http:~/~/xml.apache.org/xalan-j
|=xsl:vendor|Apache Software Foundation
|=xsl:version|1.0

== Special features ==

* Java properties disclosure
* Java environment disclosure
* Java code execution
* OS command execution
* File creation
* JDBC connectivity

== Java properties disclosure ==

The standard system-property() function accepts non-standard argument names, which Xalan-J maps to Java system properties. In this example, the names of the Java properties are stored in a separate XML file ([[properties.xml>>attach:properties.xml]]); for each property, the XSLT code displays its name and its value.

|=Namespace|=Function|=PoC|=Sample output
|http:~/~/www.w3.org/1999/XSL/Transform|system-property()|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]]

== Java environment disclosure ==

The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]) displays information about the execution context, including available packages, paths and versions.

|=Namespace|=Extension function|=PoC|=Sample output
|http:~/~/xml.apache.org/xalan|checkEnvironment()|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]]

== Java code execution ==

The attached code displays the current date using a newly created java.util.Date object, which is enough to demonstrate Java code execution.

|=Namespace|=Extension function|=PoC|=Sample output
|http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date: Wed Jan 11 22:45:07 CET 2012

== OS command execution ==

Once Java code execution is possible, executing arbitrary OS commands through the java.lang.Runtime class is trivial. The attached PoC does not read the output of the executed command (loops are hard in XSLT), but that is not a problem if a reverse shell has already been started, is it? ;-)

|=Namespace|=Extension functions|=PoC
|http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]]

__Note__: as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]].

== File creation ==

The "write" extension element allows files to be created on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten.

|=Namespace|=Extension element|=Parameter|=PoC
|http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]]

== JDBC connectivity ==

XSLT can be used to connect to any database for which a JDBC driver is installed on the engine side. The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using hard-coded credentials, executes a query and displays the result.

|=Namespace|=Extension function|=PoC
|org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]]

=== Brute-force ===

The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file reads tuples (JDBC driver, database URL, username, password) from an XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and tries to log in with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).

Here is the output when launched from the CLI:

##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null
Username : [root] / Password : [] :
Username : [root] / Password : [uberpasswd] :
Username : [root] / Password : [cnam] : OK !!
Username : [pma] / Password : [pma] : ##
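A defender-side counterpart to the extension mechanisms catalogued above (the xalan/java namespaces, redirect:write and XConnection), added here as an example and not part of the original page: it enables JAXP secure processing, under which Xalan-J refuses to invoke extension functions and extension elements, and, as defence in depth, rejects an untrusted stylesheet that declares any namespace outside an allowlist. The class name XalanHardening and the allowlist contents are assumptions; extend the allowlist with the namespaces your own stylesheets legitimately use.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XalanHardening {

    // Namespaces an untrusted stylesheet may declare (assumed list). Everything else is refused:
    // Xalan also accepts xalan://Class and bare class names as namespaces, so allowlist, not denylist.
    static final Set<String> ALLOWED_NAMESPACES = Set.of(
        "http://www.w3.org/1999/XSL/Transform", "http://www.w3.org/1999/xhtml");

    // Primary control: with JAXP secure processing enabled, Xalan-J refuses extension
    // functions and extension elements (java:, redirect:write, sql:) at transform time.
    static TransformerFactory hardenedFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return tf;
    }

    // Secondary control: inspect the stylesheet before it reaches the engine.
    // Returns the first namespace URI outside the allowlist, or null if none is declared.
    static String firstDisallowedNamespace(String xslt) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        NodeList all = dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xslt))).getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {        // every element, root included
            NamedNodeMap attrs = all.item(i).getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Node a = attrs.item(j);  // non-namespace-aware DOM keeps xmlns:* as plain attributes
                if (a.getNodeName().startsWith("xmlns") && !ALLOWED_NAMESPACES.contains(a.getNodeValue()))
                    return a.getNodeValue();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // constructed sample using the namespace pattern of the Java code execution PoC above
        String sample = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
                      + " xmlns:date=\"http://xml.apache.org/xalan/java/java.util.Date\"/>";
        System.out.println("disallowed namespace: " + firstDisallowedNamespace(sample));
        hardenedFactory();
    }
}
```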