Wiki source code of Engine_XalanJ
Version 61.1 by Nicolas Gregoire on 2012/01/12 22:11
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | [[Xalan-J>>http://xml.apache.org/xalan-j/||rel="__blank" title="Xalan-J Home Page"]] is a Java based XSLT engine by the Apache Project. | ||
| 2 | |||
| 3 | |||
| 4 | == Supported version == | ||
| 5 | |||
| 6 | 1.0 | ||
| 7 | |||
| 8 | == Command line == | ||
| 9 | |||
| 10 | $> java org.apache.xalan.xslt.Process -in foo.xml -xsl foo.xsl | ||
| 11 | |||
| 12 | __Note__ : xml-apis.jar, xercesImpl.jar and xalan*.jar must be in the $CLASSPATH | ||
| 13 | |||
| 14 | == Identification strings == | ||
| 15 | |||
| 16 | |=xsl:vendor-url|http:~/~/xml.apache.org/xalan-j | ||
| 17 | |=xsl:vendor|Apache Software Foundation | ||
| 18 | |=xsl:version|1.0 | ||
| 19 | |||
| 20 | == Special features == | ||
| 21 | |||
| 22 | * Java properties disclosure | ||
| 23 | * Java environment disclosure | ||
| 24 | * Java code execution | ||
| 25 | * OS command execution | ||
| 26 | * File creation | ||
| 27 | * JDBC connectivity | ||
| 28 | |||
| 29 | == Java properties disclosure == | ||
| 30 | |||
| 31 | The xsl:system-property() standard function can be called with non standard arguments, mapped to Java properties. In this example, the name of the Java properties is stored in a separate XML file ([[properties.xml>>attach:properties.xml]]). The XSLT code will, for each property, display its name and its value. | ||
| 32 | |||
| 33 | |=Namespace|=Function|=PoC|=Sample output | ||
| 34 | |http:~/~/www.w3.org/1999/XSL/Transform|system-property()|[[xalanj-java-properties.xsl>>attach:xalanj-java-properties.xsl]]|[[xalanj-java-properties-output.txt>>attach:xalanj-java-properties-output.txt]] | ||
| 35 | |||
| 36 | == Java environment disclosure == | ||
| 37 | |||
| 38 | The checkEnvironment() extension function (documented [[here>>http://xml.apache.org/xalan-j/faq.html#faq-N10064||rel="__blank"]]) will display some information about the execution context (including available packages, paths, versions, ...). | ||
| 39 | |||
| 40 | |=Namespace|=Extension function|=PoC|=Sample output | ||
| 41 | |http:~/~/xml.apache.org/xalan|checkEnvironment()|[[xalanj-checkenv.xsl>>attach:xalanj-checkenv.xsl]]|[[xalanj-checkenv-output.txt>>attach:xalanj-checkenv-output.txt]] | ||
| 42 | |||
| 43 | == Java code execution == | ||
| 44 | |||
| 45 | The attached code will display the current date using a newly created "java.util.Date" object. This should be enough to demonstrate Java code execution. | ||
| 46 | |||
| 47 | |=Namespace|=Extension function|=PoC|=Sample output | ||
| 48 | |http:~/~/xml.apache.org/xalan/java/java.util.Date|new()|[[xalanj-java-date.xsl>>attach:xalanj-java-date.xsl]]|Current date: | ||
| 49 | Wed Jan 11 22:45:07 CET 2012 | ||
| 50 | |||
| 51 | == OS command execution == | ||
| 52 | |||
| 53 | Once Java code execution is possible, it is trivial to execute arbitrary OS commands using the java.lang.Runtime class. The attached PoC will not read the output of the executed command (because loops are hard in XSLT). But this is not a problem if a reverse-shell have already been started, isn't it ;-) | ||
| 54 | |||
| 55 | |=Namespace|=Extension functions|=PoC | ||
| 56 | |http:~/~/xml.apache.org/xalan/java|split(), getRuntime(), exec() and toString()|[[xalanj-reverse-bash.xsl>>attach:xalanj-reverse-bash.xsl]] | ||
| 57 | |||
| 58 | __Note__ : as arrays are not a native type in XSLT, we create one in Java via split() before passing it as an argument to [[exec(String[] cmdarray)>>http://docs.oracle.com/javase/1.4.2/docs/api/java/lang/Runtime.html#exec(java.lang.String[])||rel="__blank"]]. | ||
| 59 | |||
| 60 | == File creation == | ||
| 61 | |||
| 62 | The "write" extension element allows to create files on the engine side. The content written to the file must be valid UTF-8 (so plain ASCII works too). Existing files can be overwritten. | ||
| 63 | |||
| 64 | |=Namespace|=Extension element|=Parameter|=PoC | ||
| 65 | |http:~/~/xml.apache.org/xalan/redirect|write|file|[[xalanj-write.xsl>>attach:xalanj-write.xsl]] | ||
| 66 | |||
| 67 | == JDBC connectivity == | ||
| 68 | |||
| 69 | It is possible to use XSLT to connect to any database having a corresponding installed JDBC driver. The [[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] PoC simply connects to a local MySQL database using some hard-coded credentials, executes a query and displays the result. | ||
| 70 | |||
| 71 | |=Namespace|=Extension function|=PoC | ||
| 72 | |org.apache.xalan.lib.sql.XConnection|new(), query() and close()|[[xalanj-jdbc-query.xsl>>attach:xalanj-jdbc-query.xsl]] | ||
| 73 | |||
| 74 | === Brute-force === | ||
| 75 | |||
| 76 | The [[xalanj-jdbc-bruteforce.xsl>>attach:xalanj-jdbc-bruteforce.xsl]] file will read some tuples (JDBC driver, database URL, username, passsword) from a XML file ([[xalanj-jdbc-bruteforce.xml>>attach:xalanj-jdbc-bruteforce.xml]]) and try to login with each one, effectively brute-forcing credentials from the engine side (usually on the backend ;-). | ||
| 77 | |||
| 78 | |||
| 79 | Here's the output when launched from the CLI : | ||
| 80 | |||
| 81 | ##$> java org.apache.xalan.xslt.Process -in xalanj-jdbc-bruteforce.xml -xsl xalanj-jdbc-bruteforce.xsl 2> /dev/null | ||
| 82 | Username : [root] / Password : [] : | ||
| 83 | Username : [root] / Password : [uberpasswd] : | ||
| 84 | Username : [root] / Password : [cnam] : OK !! | ||
| 85 | Username : [pma] / Password : [pma] : ## |