XSL Java

This exercise covers the exploitation of a Java application using XSL.

PRO tier | Difficulty: Medium | Time: < 1 hr.

In this challenge, we are going to look at Extensible Stylesheet Language (XSL) and how it can be used to trigger unexpected behaviors in applications that process it, specifically in a Java application. To solve this challenge, you will need to gain command execution. This involves leveraging the xsl:variable element to access the current Runtime, which will allow you to call the method exec with the desired command.

The process starts with uploading an XSL file to transform the given XML. By creating an object from rt:getRuntime(), you obtain the current runtime. Using this runtime object, you can call exec with your command. This method is demonstrated in the video, where the command is replaced with the score command, uploaded, and executed, ultimately solving the challenge.
