Info extracted from HTB Academy
Info
eXtensible Stylesheet Language Transformation (XSLT)ย is a language enabling the transformation of XML documents. For instance, it can select specific nodes from an XML document and change the XML structure.
eXtensible Stylesheet Language Transformation (XSLT)
Since XSLT operates on XML-based data, we will consider the following sample XML document to explore how XSLT operates:
XSLT can be used to define a data format which is subsequently enriched with data from the XML document. XSLT data is structured similarly to XML. However, it contains XSL elements within nodes prefixed with theย xsl
-prefix. The following are some commonly used XSL elements:
<xsl:template>
: This element indicates an XSL template. It can contain aยmatch
ย attribute that contains a path in the XML document that the template applies to<xsl:value-of>
: This element extracts the value of the XML node specified in theยselect
ย attribute<xsl:for-each>
: This element enables looping over all XML nodes specified in theยselect
ย attribute
For instance, a simple XSLT document used to output all fruits contained within the XML document as well as their color, may look like this:
As we can see, the XSLT document contains a singleย <xsl:template>
ย XSL element that is applied to theย <fruits>
ย node in the XML document. The template consists of the static stringย Here are all the fruits:
ย and a loop over allย <fruit>
ย nodes in the XML document. For each of these nodes, the values of theย <name>
ย andย <color>
ย nodes are printed using theย <xsl:value-of>
ย XSL element. Combining the sample XML document with the above XSLT data results in the following output:
Here are all the fruits:
ย ย ย Apple (Red)
ย ย ย Banana (Yellow)
ย ย ย Strawberry (Red)
Here are some additional XSL elements that can be used to narrow down further or customize the data from an XML document:
-
<xsl:sort>
: This element specifies how to sort elements in a for loop in theยselect
ย argument. Additionally, a sort order may be specified in theยorder
ย argument -
<xsl:if>
: This element can be used to test for conditions on a node. The condition is specified in theยtest
ย argument.
For instance, we can use these XSL elements to create a list of all fruits that are of a medium size ordered by their color in descending order:
This results in the following data:
Here are all fruits of medium size ordered by their color:
Banana (Yellow)
Apple (Red)
XSLT can be used to generate arbitrary output strings. For instance, web applications may use it to embed data from XML documents within an HTML response.
Information Disclosure
We can try to infer some basic information about the XSLT processor in use by injecting the following XSLT elements:
The web application provides the following response:
Since the web application interpreted the XSLT elements we provided, this confirms an XSLT injection vulnerability. Furthermore, we can deduce that the web application seems to rely on theย libxslt
ย library and supports XSLT versionย 1.0
.
Local File Inclusion (LFI)
We can try to use multiple different functions to read a local file. Whether a payload will work depends on the XSLT version and the configuration of the XSLT library. For instance, XSLT contains a functionย unparsed-text
ย that can be used to read a local file:
However, it was only introduced in XSLT version 2.0. Thus, our sample web application does not support this function and instead errors out. However, if the XSLT library is configured to support PHP functions, we can call the PHP functionย file_get_contents
ย using the following XSLT element:
Our sample web application is configured to support PHP functions. As such, the local file is displayed in the response:
Remote Code Execution (RCE)
If an XSLT processor supports PHP functions, we can call a PHP function that executes a local system command to obtain RCE. For instance, we can call the PHP functionย system
ย to execute a command: