Watch your door-attack data store (4)-xpath injection attack

The first thing to declare is that this article is purely an ignorant view of a little developer without foresight and knowledge, and is intended only for reference in Web system security.

1, some superfluous words

XPath injection and SQL injection, very similar in principle
But XPath injects objects primarily to XML, which is relatively more dangerous.

2. Save XML for user information

<?xml version= "1.0" encoding= "Utf-8"?><root><user><ID>1</ID><username>Admin</username><password>123</password></user><user><ID>5</ID><username>Ffm</username><password>1</password></user></root>

3. Matching statement of potential vulnerability

xpath.compile("//root/user[username/text()=‘"                + username + "‘and password/text()=‘" + password  + "‘]");

Similar to this assembled statement, there is a natural possibility of being attacked.

3, implementation of XPath injection Java login Verification source code

 PackageCom.struts2;Importjavax.xml.parsers.*;Importjavax.xml.xpath.*;Importorg.w3c.dom.*;ImportCom.opensymphony.xwork2.ActionSupport;/** * A simple XPath authentication feature for illustrative situations only * * @author Fan Fangming */ Public  class xpathloginaction extends actionsupport {     PublicStringExecute()throwsException {return "Success"; } Public Boolean Getxpathinfo(string username, string password)throwsException {documentbuilderfactory domfactory = documentbuilderfactory.newinstance (); Domfactory.setnamespaceaware (true);        Documentbuilder builder = Domfactory.newdocumentbuilder ();        Xpathfactory factory = Xpathfactory.newinstance ();        XPath XPath = Factory.newxpath (); Document doc = Builder.parse ("D:/ffm83/user.xml"); XPathExpression expr = Xpath.compile ("//root/user[username/text () = '"+ Username +"' and password/text () = '"+ Password +"']");        Object result = Expr.evaluate (doc, Xpathconstants.nodeset); NodeList nodes = (NodeList) result;if(Nodes.getlength () >=1) {System.out.println ("The landing was successful. ");return true; }Else{System.out.println ("User name or password error, Login failed." ");return false; }    } Public Static void Main(string[] args)throwsException {Xpathloginaction XPath =NewXpathloginaction (); Xpath.getxpathinfo ("FFM","1"); }}

5. Operation condition

Xpath.getxpathinfo ("FFM", "1");
Landed successfully.

Xpath.getxpathinfo ("FFM", "2");

User name or password error, Login failed.

6. Simple Analog attack

In the Password field, enter: ' or ' 1 ' = ' 1
Xpath.getxpathinfo ("FFM", "' or ' 1 ' = ' 1");
After running discovery:
Landed successfully.

XPath injection has been successfully performed.

Watch your door-attack data store (4)-xpath injection attack