diff --git a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md index c188b6bb75c..1cb3bd01304 100644 --- a/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md +++ b/src/pentesting-web/xslt-server-side-injection-extensible-stylesheet-language-transformations.md @@ -289,6 +289,26 @@ Upload this and take information ``` +### **`document()` usually expects XML** + +On **libxslt**, `document()` is useful for SSRF and for reading **other XML documents**, but trying to read arbitrary local text files such as `/etc/passwd` will often fail because the referenced resource is parsed as XML. + +- `document('/path/to/file.xml')` may work if the target file is valid XML. +- `document('/etc/passwd')` commonly errors because the file is not XML. + +This is useful when triaging a target: a failed `document('/etc/passwd')` does **not** necessarily mean the XSLT processor is hardened. + +### Parser asymmetry: XML hardened, XSLT still dangerous + +Some applications harden the **input XML** parser but not the **stylesheet** parser. With lxml, options such as `resolve_entities=False`, `no_network=True`, `dtd_validation=False`, and `load_dtd=False` can block classic XXE in the uploaded XML while the XSLT still gets parsed with default settings or extension features enabled. + +That pattern usually means: + +- XXE in the XML document may fail. +- XSLT-specific features such as `system-property()`, `document()`, extension functions, and EXSLT elements may still be reachable. + +So if XXE payloads fail, fingerprint the processor first and then switch to processor-specific XSLT payloads instead of stopping at the XML parser result. + ### **Internal (PHP-function)** ```xml @@ -346,6 +366,32 @@ Upload this and take information ``` +### **libxslt / EXSLT `exsl:document`** + +If the target fingerprints as **libxslt** (`system-property('xsl:vendor')`) and the application lets you upload or store attacker-controlled XSLT, test **EXSLT secondary output**. `exsl:document` can write a new document to an arbitrary path writable by the XSLT process. + +```xml + + + + +0xdf was here! + + + +``` + +Practical workflow: + +- First write a marker into a **web-served path** to confirm the primitive. +- Then write into an **execution sink** already present on the host, such as a cron-polled script directory, a parser auto-reload path, or another scheduled task input. + +If you are generating shell payloads through XML, remember that this is **XML encoding**, not URL encoding. For example, use `&` to generate a literal `&` inside the written file. Writing `%26` will usually persist `%26` literally and break shell redirections. + Other ways to write files in the PDF ## Include external XSL @@ -428,5 +474,9 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/xslt.txt - [XSLT_SSRF](https://feelsec.info/wp-content/uploads/2018/11/XSLT_SSRF.pdf) - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20IO%20Active.pdf) - [http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf](http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Abusing%20XSLT%20for%20practical%20attacks%20-%20Arnaboldi%20-%20Blackhat%202015.pdf) +- [0xdf - HTB Conversor](https://0xdf.gitlab.io/2026/03/21/htb-conversor.html) +- [PayloadsAllTheThings - XSLT Injection](https://swisskyrepo.github.io/PayloadsAllTheThings/XSLT%20Injection/) +- [EXSLT - exsl:document](https://exslt.github.io/exsl/elements/document/index.html) +- [lxml API - XMLParser](https://lxml.de/api/lxml.etree.XMLParser-class.html) {{#include ../banners/hacktricks-training.md}}