XSL PHP

This exercise covers the exploitation of a PHP application using XSL

In this challenge, we are going to explore Extensible Stylesheet Language (XSL) and its potential to trigger unexpected behaviors in PHP applications that use it. XSL is a language used to transform XML documents into other formats such as HTML, XML, or even PDF. By leveraging the syntax `` in your XSL, you can manipulate the document object model to read local files.

The PHP XSL processor also allows the execution of native PHP functions if the developer calls `registerPHPFunctions()` on the `XSLTProcessor()` object, though this feature is disabled by default. In this challenge, you'll focus on using XSL to retrieve local files from the filesystem, such as by using the syntax `document('/etc/passwd')` to get the content of `/etc/passwd`. The task is to create an XSL file that reads the key from `/app/key.txt` and upload it to complete the challenge.
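
On the defending side, an application that accepts uploaded stylesheets can close off both behaviours described above. The PHP below is an added example, not code from the exercise: the function names `rejectIfRisky()` and `hardenedTransform()` are hypothetical, the sample stylesheets are constructed, and it assumes the application uses `DOMDocument` with the `xsl` extension and relies on `XSL_SECPREF_READ_FILE` as documented in the PHP manual (disallows reading files).

```php
<?php
// Added example. rejectIfRisky() and hardenedTransform() are hypothetical names.
const XSL_NS = 'http://www.w3.org/1999/XSL/Transform';
// Tripwire only: flags constructs that make the processor load another resource.
// Enforcement is the setSecurityPrefs() call in hardenedTransform().
function rejectIfRisky(DOMDocument $xsl): void
{
    $xp = new DOMXPath($xsl);
    $xp->registerNamespace('xsl', XSL_NS);
    $hits = [];
    foreach ($xp->query('//xsl:import | //xsl:include') as $el) {
        $hits[] = $el->nodeName . ' href=' . $el->getAttribute('href');
    }
    foreach ($xp->query('//@*') as $attr) {   // select=, test=, attribute value templates
        if (preg_match('/\bdocument\s*\(/', $attr->value)) {
            $hits[] = $attr->ownerElement->nodeName . ' @' . $attr->nodeName . '=' . $attr->value;
        }
    }
    if ($hits) {
        throw new RuntimeException('stylesheet rejected: ' . implode('; ', $hits));
    }
}

function hardenedTransform(string $xslSource, string $xmlSource): string
{
    $xsl = new DOMDocument();
    $xml = new DOMDocument();
    // LIBXML_NONET blocks network fetches during parsing; entity substitution stays off.
    if (!$xsl->loadXML($xslSource, LIBXML_NONET) || !$xml->loadXML($xmlSource, LIBXML_NONET)) {
        throw new RuntimeException('input is not well-formed XML');
    }
    rejectIfRisky($xsl);
    $proc = new XSLTProcessor();
    // registerPHPFunctions() is deliberately never called for untrusted stylesheets.
    // setSecurityPrefs() replaces the whole bitmask: keep the defaults, add the read bits.
    $proc->setSecurityPrefs(XSL_SECPREF_DEFAULT | XSL_SECPREF_READ_FILE | XSL_SECPREF_READ_NETWORK);
    $proc->importStylesheet($xsl);
    return (string) $proc->transformToXml($xml);
}

// Constructed sample input; the document() expression is the one quoted in the text.
$xml  = '<doc><title>hello</title></doc>';
$safe = '<xsl:stylesheet version="1.0" xmlns:xsl="' . XSL_NS . '"><xsl:template match="/">'
      . '<b><xsl:value-of select="doc/title"/></b></xsl:template></xsl:stylesheet>';
$bad  = str_replace('doc/title', "document('/etc/passwd')", $safe);
echo hardenedTransform($safe, $xml), "\n";
try { hardenedTransform($bad, $xml); } catch (RuntimeException $e) { echo $e->getMessage(), "\n"; }
```

The attribute scan is a heuristic that gives a clear rejection message and an audit trail; the security preferences are what stop a `document()` call the scan misses.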
