Web security test study notes - XPath injection

Basics

XPath is a W3C standard that uses path expressions to select nodes or node sets in an XML document, and it defines more than 100 built-in functions. An XML document contains seven kinds of nodes: element, attribute, text, namespace, processing instruction, comment and document (root) node.

XPath syntax reference: https://www.runoob.com/xpath/xpath-intro.html

Anyone who has written Selenium UI automation has used XPath as well; yes, it is the very same XPath, because an HTML document is itself XML.

 

How it works

The principle is the same as SQL injection: by crafting input, the attacker gets malicious statements executed in order to read or manipulate server data illegitimately (XPath syntax supports and, or, fuzzy matching and so on). The difference is the target: SQL injection attacks a database, while XPath injection attacks an XML document. An XML document has no user authentication or access control of its own, so once XPath injection is possible the entire document can be reached.

 

Exploitation

1. Universal password (user login scenario):

  Assume the XPath query built at login looks like this:

"/heroes/hero[login='" . $login . "' and password='" . $password . "']"

  The injection works as follows:

  Enter 1' or '1'='1 as both username and password; the query becomes:

"/heroes/hero[login='1' or '1'='1' and password='1' or '1'='1']"

2. Arguments passed to a built-in function

"//hero[contains(genre, '$genre')]/movie"

  Injection payload: action')] | //* | //*[(' , which turns the query into:

"//hero[contains(genre, 'action')] | //* | //*[('')]/movie"

  Once //* has been injected into the union, the whole XML document can be retrieved.

3. Blind injection

Guess the number of nodes at the upper level (count(../*) counts the children of the current node's parent): ' or count(../*)=1, corresponding to:

"/heroes/hero[login='1' or count(../*)=1 and password='1' or count(../*)=1 ]"

Guess the parent node's name one character at a time: ' or substring(name(parent::*[position()=1]),1,1)='a, then ' or substring(name(/*[position()=1]),2,1)='o, and so on, corresponding to:

"/heroes/hero[login='1' or substring(name(parent::*[position()=1]),1,1)='a' and password='1' or substring(name(parent::*[position()=1]),1,1)='a']"
"/heroes/hero[login='1' or substring(name(parent::*[position()=1]),2,1)='a' and password='1' or substring(name(parent::*[position()=1]),2,1)='a']"
...

Defenses

1. Add input parameter checks (validate or escape user input before it reaches the query)

2. Parameterized queries (bind user input to XPath variables instead of concatenating it into the expression)
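To make both defenses concrete, here is an added Ruby example (not code from the original post) using the standard-library REXML XPath engine: it builds the login query from the notes once by string interpolation and once with XPath variables, then runs the universal-password payload against a constructed heroes document. The sample document, the helper names and the metacharacter list are assumptions made for this demo.

```ruby
require 'rexml/document'

# Constructed sample document for this demo (not from the original post).
SAMPLE_XML = <<~XML
  <heroes>
    <hero><login>alice</login><password>s3cret</password></hero>
    <hero><login>bob</login><password>hunter2</password></hero>
  </heroes>
XML
DOC = REXML::Document.new(SAMPLE_XML)

# Vulnerable: the predicate is assembled by string interpolation, the same
# pattern as the PHP-style concatenation in the notes, so a quote in the
# input becomes XPath syntax instead of data.
def login_vulnerable(login, password)
  path = "/heroes/hero[login='#{login}' and password='#{password}']"
  REXML::XPath.first(DOC, path)
end

# Parameterized (defense 2): the expression structure is fixed and user input
# is bound to the XPath variables $login and $password, so it is always
# compared as a plain string value and can never change the predicate.
def login_parameterized(login, password)
  path = "/heroes/hero[login=$login and password=$password]"
  REXML::XPath.first(DOC, path, {}, { 'login' => login, 'password' => password })
end

# Input parameter check (defense 1): reject values carrying XPath
# metacharacters before they get anywhere near a query.
XPATH_META = /['"()\[\]\/|*=@$]/
def safe_credential?(value)
  !value.match?(XPATH_META)
end

if __FILE__ == $PROGRAM_NAME
  payload = "1' or '1'='1"
  puts "vulnerable:     #{login_vulnerable(payload, payload) ? 'bypassed' : 'blocked'}"
  puts "parameterized:  #{login_parameterized(payload, payload) ? 'bypassed' : 'blocked'}"
end
```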

 


Origin www.cnblogs.com/sallyzhang/p/12172494.html