This exercise covers the exploitation of a PHP application using XSL

< 1 Hr.


In this challenge, we are going to explore Extensible Stylesheet Language (XSL) and its potential to trigger unexpected behaviors in PHP applications that use it. XSL is a language used to transform XML documents into other formats such as HTML, XML, or even PDF. By leveraging the syntax `` in your XSL, you can manipulate the document object model to read local files.

The PHP XSL processor also allows the execution of native PHP functions if the developer calls `registerPHPFunctions()` on the `XSLTProcessor()` object, though this feature is disabled by default. In this challenge, you'll focus on using XSL to retrieve local files from the filesystem, such as by using the syntax `document('/etc/passwd')` to get the content of `/etc/passwd`. The task is to create an XSL file that reads the key from `/app/key.txt` and upload it to complete the challenge.
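For the defensive side of the behaviour described above, the following added example (not PentesterLab's code or the challenge application's) runs an untrusted stylesheet through `XSLTProcessor` twice, once with PHP's default security preferences and once with file and network reads forbidden via `setSecurityPrefs()`. The helper name `transformUntrusted`, the canary file and the stylesheet are constructed for illustration, and a Linux-style temp path is assumed.

```php
<?php
// Added example: compare default and hardened XSLTProcessor settings.
// transformUntrusted() is a hypothetical helper, not part of any library.
function transformUntrusted(string $xml, string $xsl, bool $harden): string
{
    $src = new DOMDocument();
    $src->loadXML($xml, LIBXML_NONET);
    $style = new DOMDocument();
    $style->loadXML($xsl, LIBXML_NONET);

    $proc = new XSLTProcessor();
    if ($harden) {
        // The default preferences only forbid writes. Also forbid file
        // and network reads, which is what document() relies on.
        $proc->setSecurityPrefs(
            XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK |
            XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK |
            XSL_SECPREF_CREATE_DIRECTORY
        );
    }
    // registerPHPFunctions() is deliberately never called for untrusted input.
    if (!@$proc->importStylesheet($style)) {
        return '';
    }
    $out = @$proc->transformToXml($src);
    return is_string($out) ? $out : '';
}

// Constructed canary file standing in for a sensitive local file.
$canary = tempnam(sys_get_temp_dir(), 'xsl');
file_put_contents($canary, '<secret>CANARY-1234</secret>');

// Constructed stylesheet that uses document() on the canary path.
$xsl = <<<XSL
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:value-of select="document('$canary')"/>
  </xsl:template>
</xsl:stylesheet>
XSL;

foreach ([false, true] as $harden) {
    $out = transformUntrusted('<doc/>', $xsl, $harden);
    $leaked = strpos($out, 'CANARY-1234') !== false;
    printf("hardened=%s leaked=%s\n", $harden ? 'yes' : 'no', $leaked ? 'yes' : 'no');
}
unlink($canary);
```

The same canary check works as a regression test for any code path that accepts user-supplied stylesheets.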
