Engine_XalanJ

Version 64.1 by Nicolas Gregoire on 2012/01/12 22:35

Xalan-J is a Java based XSLT engine by the Apache Project.

Supported version

1.0

Command line

$> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl

Note : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH

Identification strings

xsl:vendor-urlhttp://xml.apache.org/xalan-j
xsl:vendorApache Software Foundation
xsl:version1.0

Special features

  • Java properties disclosure
  • Java environment disclosure
  • Java code execution
  • OS command execution
  • File creation
  • JDBC connectivity

Java properties disclosure

The xsl:system-property() standard function can be called with non standard arguments, mapped to Java properties. In this example, the name of the Java properties is stored in a separate XML file (properties.xml). The XSLT code will, for each property, display its name and its value.

NamespaceFunctionPoCSample output
http://www.w3.org/1999/XSL/Transformsystem-property()xalanj-java-properties.xslxalanj-java-properties-output.txt

Java environment disclosure

The checkEnvironment() extension function (documented here) will display some information about the execution context (including available packages, paths, versions, ...).

NamespaceExtension functionPoCSample output
http://xml.apache.org/xalancheckEnvironment()xalanj-checkenv.xslxalanj-checkenv-output.txt

Java code execution

The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution.

NamespaceExtension functionPoCSample output
http://xml.apache.org/xalan/java/java.util.Datenew()xalanj-java-date.xslCurrent date:
Wed Jan 11 22:45:07 CET 2012

OS command execution

Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class.

Command without output

The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-)

NamespaceExtension functionsPoC
http://xml.apache.org/xalan/javasplit(), getRuntime(), exec() and toString()xalanj-reverse-bash.xsl

Note : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to exec(String[] cmdarray).

Reading stdout

As the output have an unknown number of lines, we must use a loop construct like "while" ... which is not available in XSLT. This limitation is due to the functional programming paradigm but can be circumvented using templates and recursion. This way, we can also update some variables (yeah !), but the syntax is awful and error prone. It's far better to directly write loops using non standard constructs and then convert them in templates + recursion using a dedicated tool like the XSLT Loop Compiler.

File creation

The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten. 

NamespaceExtension elementParameterPoC
http://xml.apache.org/xalan/redirectwritefilexalanj-write.xsl

JDBC connectivity

It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver.

Simple connection

The xalanj-jdbc-query.xsl PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result.

NamespaceExtension functionPoC
org.apache.xalan.lib.sql.XConnectionnew(), query() and close()xalanj-jdbc-query.xsl

Credentials brute-forcing

The xalanj-jdbc-bruteforce.xsl file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file (xalanj-jdbc-bruteforce.xml) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-).

Here's the output when launched from the CLI :

$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null
Username : [root] / Password : [] :
Username : [root] / Password : [uberpasswd] :
Username : [root] / Password : [cnam] : OK !!
Username : [pma] / Password : [pma] :