XPath Injection in bWAPP

Table of Contents

I. XML/XPath Injection (Login Form)

1. Source code analysis

2. Construction bypass


I. XML/XPath Injection (Login Form)

The XPath injection page in bWAPP looks as follows; let us try to log in here.

Entering a single quotation mark as the user name produces an XML parsing error. From this we can see that the login information is looked up by parsing XML with XPath.

Here we will not worry about logging in yet; first let us look at the source code to understand this vulnerability.

1. Source code analysis

The key code is as follows:

1. The program receives the username and password from the front end without any filtering.

2. It then loads a local XML file.

3. It uses XPath to look up the user name and password in the loaded XML file; if a matching node is found, the user is logged in.

After this analysis we know the location of the vulnerability: the program does not filter the data it receives before building the XPath query from it. Based on this, we can construct a bypass and log in directly.

if(isset($_REQUEST["login"]) && isset($_REQUEST["password"]))
{

    $login = $_REQUEST["login"]; 
    $login = xmli($login);    // receive the login user name

    $password = $_REQUEST["password"];
    $password = xmli($password);  // receive the login password

    // Loads the XML file
    $xml = simplexml_load_file("passwords/heroes.xml"); // load the XML data

    // XPath search: the user-supplied values are concatenated straight into the predicate
    $result = $xml->xpath("/heroes/hero[login='" . $login . "' and password='" . $password . "']");   // query the contents with XPath
    if($result)
    {
    ...
    }
}

2. Construction bypass

Bypass the login without knowing the username or password. First take out the query code:

$result = $xml->xpath("/heroes/hero[login='" . $login . "' and password='" . $password . "']");

With the placeholders filled in, it is effectively:

$result = $xml->xpath("/heroes/hero[login='USERNAME' and password='PASSWORD']");

Construct the user name as follows, and enter any password:

test' or '1' or '

After the injected string is inserted, the query becomes:

$xml->xpath("/heroes/hero[login='test' or '1' or '' and password='xxx']");

We need to know that operators have precedence. In XPath, the equality operator = binds tighter than and, and and binds tighter than or, that is, = > and > or. The predicate is therefore evaluated as (login='test') or ('1') or ('' and password='xxx'). login='test' is false and password='xxx' is false, but the non-empty string '1' is true in a boolean context, so the or makes the whole predicate true for every hero node; the trailing '' and password='xxx' is false and changes nothing.

So $result is a non-empty (truthy) array and the login is bypassed.
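As an added example (not bWAPP's own code), the following PHP script reproduces the predicate analysed above against a constructed heroes.xml held inline, and places a hardened lookup beside it. The function names, the sample hero records and the allowlist pattern are assumptions chosen for illustration. The hardened version keeps the XPath expression constant, selects all hero nodes and compares the credentials in PHP, and rejects login names outside a strict character allowlist before touching the data, so the quotes and operators in the payload can never change the structure of the query.

```php
<?php
// Added example, not bWAPP's code: reproduce the injected predicate against a
// constructed heroes.xml, then show a lookup that keeps user input out of XPath.

// Constructed sample data (assumed shape matching /heroes/hero[login=.. and password=..]).
$heroesXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<heroes>
  <hero><login>demo_user</login><password>demo-secret-1</password></hero>
  <hero><login>second_user</login><password>demo-secret-2</password></hero>
</heroes>
XML;

$xml = simplexml_load_string($heroesXml);

// Vulnerable lookup: the same string concatenation as in the post.
// Whatever the user types becomes part of the XPath predicate.
function vulnerableLookup(SimpleXMLElement $xml, string $login, string $password): bool
{
    $query = "/heroes/hero[login='" . $login . "' and password='" . $password . "']";
    echo "XPath evaluated: " . $query . PHP_EOL;
    $result = $xml->xpath($query);   // false on a syntax error, [] on no match
    return !empty($result);
}

// Hardened lookup (assumed design, not bWAPP's): the XPath expression is a
// constant, so input can only ever be compared as data, never parsed as query.
function safeLookup(SimpleXMLElement $xml, string $login, string $password): bool
{
    // Strict allowlist for account names; quotes, brackets and operators never pass.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $login)) {
        return false;
    }
    foreach ($xml->xpath('/heroes/hero') as $hero) {
        // Compare in PHP; hash_equals avoids timing differences on the stored credential.
        if ((string)$hero->login === $login
            && hash_equals((string)$hero->password, $password)) {
            return true;
        }
    }
    return false;
}

// The payload discussed in the post, used as the login name.
$payload = "test' or '1' or '";

var_dump(vulnerableLookup($xml, $payload, 'xxx'));
var_dump(safeLookup($xml, $payload, 'xxx'));
var_dump(safeLookup($xml, 'demo_user', 'demo-secret-1'));
```

Run it with the PHP CLI. The first call succeeds because the injected predicate is true for every hero node, exactly as the precedence analysis above predicts; the second fails because the quote in the payload does not pass the allowlist; the third shows that genuine credentials still authenticate. If an XPath engine must be handed a user-supplied value, rejecting or escaping quote characters is the fallback, but keeping the expression constant is the simpler invariant to audit and to test for.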
Source: blog.csdn.net/qq_44159028/article/details/115101114