XSL Java

This exercise covers the exploitation of a Java application using XSL

Estimated time: < 1 Hr.


In this challenge, we are going to look at Extensible Stylesheet Language (XSL) and how it can be used to trigger unexpected behaviors in applications that process it, specifically in a Java application. To solve this challenge, you will need to gain command execution. This involves using the `xsl:variable` tag to access the current `Runtime`, which will allow you to call the method `exec` with the desired command.

The process starts with uploading an XSL file to transform the given XML. By creating an object from `rt:getRuntime()`, you obtain the current runtime. Using this runtime object, you can call `exec` with your command. This method is demonstrated in the video, where the command is replaced with the score command, uploaded, and executed, ultimately solving the challenge.
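The behaviour described above exists because Xalan and the JDK's built-in XSLTC processor let a stylesheet bind a namespace prefix to an arbitrary Java class and call its static methods. As an added example that is not part of the PentesterLab exercise, the following Java class shows the two controls a defender would put in front of an upload-and-transform feature: a scan that rejects stylesheets declaring a Java extension namespace, and a `TransformerFactory` configured with `FEATURE_SECURE_PROCESSING`, under which the processor refuses extension functions even if a stylesheet slips past the scan. The class name, the `JAVA_EXTENSION_PREFIXES` list and the sample stylesheets are my own constructions, and the code assumes the JDK's XSLTC (or Xalan) as the XSLT engine.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class UntrustedStylesheetGuard {

    // Namespace URI prefixes through which Xalan/XSLTC expose Java classes to a stylesheet.
    // Assumed list: extend it for the processor you actually ship.
    private static final String[] JAVA_EXTENSION_PREFIXES = {
        "http://xml.apache.org/xalan/java",
        "http://xml.apache.org/xslt/java",
        "xalan://"
    };

    // Constructed sample: a stylesheet that only reshapes the input, no extension namespaces.
    static final String BENIGN_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"/doc/name\"/></xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed sample: a stylesheet that binds a prefix to java.lang.Runtime. It calls
    // nothing; the declaration alone is enough to exercise the policy check below.
    static final String EXTENSION_XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\">"
      + "<xsl:output method=\"text\"/>"
      + "<xsl:template match=\"/\">ok</xsl:template>"
      + "</xsl:stylesheet>";

    /** Returns true if any element in the stylesheet declares a Java extension namespace. */
    public static boolean declaresJavaExtension(String xsl) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // The stylesheet is attacker-controlled XML, so forbid DTDs (XXE) while scanning it.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setNamespaceAware(true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xsl)));
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            NamedNodeMap attrs = ((Element) all.item(i)).getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Node a = attrs.item(j);
                String name = a.getNodeName();
                boolean isNsDecl = "xmlns".equals(name) || name.startsWith("xmlns:");
                if (!isNsDecl) continue;
                for (String p : JAVA_EXTENSION_PREFIXES) {
                    if (a.getNodeValue().startsWith(p)) return true;
                }
            }
        }
        return false;
    }

    /** Transforms xml with an untrusted stylesheet under a factory that forbids extensions. */
    public static String transformUntrusted(String xml, String xsl) throws Exception {
        if (declaresJavaExtension(xsl)) {
            throw new IllegalArgumentException("stylesheet declares a Java extension namespace");
        }
        TransformerFactory tf = TransformerFactory.newInstance();
        // Authoritative control: with secure processing on, XSLTC and Xalan reject extension
        // functions and elements at stylesheet compile time, so Runtime is unreachable.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 attributes: keep the stylesheet from fetching external stylesheets or DTDs.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xml = "<doc><name>report</name></doc>"; // constructed sample input
        System.out.println(transformUntrusted(xml, BENIGN_XSL));
        try {
            transformUntrusted(xml, EXTENSION_XSL);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The namespace scan is defence in depth and will not catch every way a processor can be coaxed into loading a class; the feature flag on the factory is the control to rely on, and the scan mainly gives you a clean log line to alert on when someone uploads a stylesheet of the kind this exercise uses.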
