The browser also knows how to recognise the tag that defines a table, and CSS can easily tell the browser how to display that table. However, since any tag in XML can be defined by the programmer, an XSL language is required to describe how to display XML documents. This is a web security article, so we only discuss web-related XSL security, and since only XSLT v1 can be called on the web, we only discuss version 1.

XSLT

XSL consists of three parts: XSLT, XPath, and XSL-FO. In the security field, XPath has already been studied by our predecessors (XPath injection), and almost no one cares about the other two. At last year's Black Hat conference, a security firm (IOActive) finally shared its research findings, "Abusing XSLT". XSLT, as its name implies, is used to transform XML into XHTML or other XML documents. When other documents (e.g. XHTML) are generated from XML, the XSL can be referenced from the XML; at the same time, XSL can be embedded into XML to do its work. To consider XSLT security, we have to consider these application scenarios. In this article we analyse vulnerabilities in XSLT implementations from both the client and the server side. To simplify the discussion, we cover these vendors:

Libxslt: provides XSL parsing for Python, PHP, Perl and Ruby back ends, and for Safari, Opera and Chrome.
Transformiix: discussed because Firefox calls it to process external
Microsoft: needs no explanation; Microsoft's own IE must use its own parsing library.

0x01 Attack model

Client/Server: number representation and operational risks

XSL has its own "unique" understanding of mathematics. Let's first discuss how it handles big integers.

Large integers

For example, take an XML document and its stylesheet. In libxslt-based software such as xsltproc, PHP, Perl, Ruby, Python, Safari, Chrome and Opera, the above XML is interpreted as follows (shown here in Chrome). The problem is obvious. IOActive provides the results of their research.
Random numbers

Similarly, some XSL vendors are quite freehand in generating random numbers, and the roughest of them is also the most widely used: libxslt. Because this library does not seed (IV) its random number generator, the random numbers it generates are the same on every run. Let's bring this together with PRG for hi...

Client: Safari SOP bypass

Safari's same-origin policy can also be broken by the XML style language. As mentioned above, Safari has long supported XML-to-XHTML transformation. However, using document() in XSLT, we can read resources from other origins in Safari with the corresponding cookies attached. In this way, user information from other websites can be stolen through the document() -> value-of()/copy-of() chain, and finally the attacker can use JavaScript to send it out. I reproduced the IOActive PoC, but my result differs from IOActive's: in the IOActive report the data is obtained and the bypass succeeds, without doubt. In my local test I got this prompt in the Safari console. No doubt the bypass has been stopped. Whether Apple has fixed the vulnerability or I used the wrong approach, I have put the PoC at the end of the article; you can download it and study it.

Server: arbitrary file reading

An XSLT document is terminated immediately when an execution error occurs; like its sibling XML, it throws an error at the slightest problem. However, the error message can also give attackers some useful information. XSLT provides three mechanisms for reading files:

document(): accesses information in another XML document (also used cross-origin above)
include (xsl:include): merges two stylesheets
import (xsl:import): overrides one stylesheet with another

For example, the following stylesheet A:

```xml
/etc/passwd
```

And stylesheet B:
When B is parsed, it tries to load stylesheet A, while A tries to read the content of /etc/passwd using document(). Obviously this is not an XML document, so it cannot be read. Fortunately for the attacker, the error message outputs the first line of the target file. Although it is only the first line, that line can reveal a lot of sensitive information:

/etc/passwd: Linux root password
/etc/shadow: Linux root password
.htpasswd: Apache password
.pgpass: PostgreSQL password

This time, all three methods (document(), import() and include()) in the four environments xsltproc, PHP, Perl and Ruby are affected (PHP is indeed the best language in the world; it has a share in everything).
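As an added example (not from the original article or from IOActive's research), the following Python script audits an untrusted XSLT 1.0 stylesheet for the three file-reading mechanisms just described before it is handed to a libxslt-based processor, reporting every xsl:import/xsl:include href and every document() call together with whether it points at a local file, the network, or a value computed at run time. The sample stylesheet and its references are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSL_NS = "{http://www.w3.org/1999/XSL/Transform}"
# document(<arg>) inside an XPath expression; nested calls are reported as dynamic
DOC_CALL = re.compile(r"document\s*\(\s*([^)]*?)\s*\)")

# Constructed sample of an untrusted stylesheet (not from the original article)
SAMPLE_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="base.xsl"/>
  <xsl:include href="http://example.org/shared.xsl"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('/etc/passwd')"/>
    <xsl:value-of select="document(@src)/root/secret"/>
  </xsl:template>
</xsl:stylesheet>"""


def classify(ref):
    """Tell how the engine would resolve a reference: local path, network URL or other scheme."""
    scheme = urlsplit(ref).scheme.lower()
    if scheme in ("http", "https"):
        return "network"
    if scheme in ("", "file"):
        return "local-file"
    return "other:" + scheme


def audit_stylesheet(xsl_text):
    """Return (kind, reference, classification) tuples, in document order, for every
    external resource the stylesheet asks the XSLT engine to fetch. kind is 'import',
    'include' or 'document()'; classification adds 'dynamic' for run-time arguments."""
    findings = []
    for el in ET.fromstring(xsl_text).iter():
        if el.tag in (XSL_NS + "import", XSL_NS + "include"):
            href = el.get("href", "")
            findings.append((el.tag[len(XSL_NS):], href, classify(href)))
        # document() may appear in any XPath-bearing attribute
        for attr in ("select", "test", "match"):
            for arg in DOC_CALL.findall(el.get(attr, "")):
                if arg[:1] in ("'", '"'):  # literal URI
                    ref = arg[1:-1]
                    findings.append(("document()", ref, classify(ref)))
                else:  # node-set or expression evaluated at run time
                    findings.append(("document()", arg, "dynamic"))
    return findings
```

Any 'local-file' or 'dynamic' finding is a reason to reject the stylesheet or to run it with the processor's external-resource access disabled.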