This exercise covers the exploitation of a PHP application using XSL

2-4 Hrs.
Media Badge


In this challenge, we delve into the intricacies of Extensible Stylesheet Language (XSL) and its potential to trigger unexpected behaviors in applications that utilize them, specifically focusing on a PHP application. The objective is to achieve command execution by exploiting the support for one native PHP function that has been enabled. The challenge involves identifying this function, which allows a single operation that can be leveraged to execute code.

The video walkthrough demonstrates the process of retrieving the source code, identifying the `file_put_contents` function, and crafting a payload to write data into a file. By encoding special characters to avoid breaking the XML syntax, we manage to create a web shell. This shell can then be accessed to run any command, ultimately gaining code execution and solving the challenge.

Want to learn more? Get started with PentesterLab Pro! GO PRO