First, a disclaimer: this article is nothing more than the naive view of an ordinary developer with neither foresight nor real expertise, offered only as a reference on web system security.
1. Some preliminary remarks
XPath injection and SQL injection are very similar in principle, but the target of XPath injection is XML, which makes it comparatively more dangerous: an XPath engine has no notion of access control, so a single expression can reach the whole document.
2. The XML file that stores user information
<?xml version="1.0" encoding="utf-8" ?>
<root>
    <user>
        <id>1</id>
        <username>admin</username>
        <password>123</password>
    </user>
    <user>
        <id>5</id>
        <username>ffm</username>
        <password>1</password>
    </user>
</root>
3. The vulnerable match expression
XPathExpression expr = xpath.compile("//root/user[username/text()='"
        + username + "' and password/text()='" + password + "']");
Any expression assembled by string concatenation like this is inherently open to attack: whatever the user types becomes part of the XPath syntax itself.
4. Java login-verification source code exposed to XPath injection
package com.struts2;

import javax.xml.parsers.*;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import com.opensymphony.xwork2.ActionSupport;

/**
 * A simple XPath authentication routine, for illustration only
 *
 * @author 范芳铭
 */
public class XPathLoginAction extends ActionSupport {
    public String execute() throws Exception {
        return "success";
    }

    // Looks for a user node whose username and password text match the arguments.
    // The credentials are concatenated straight into the XPath expression: this is the injection point.
    public boolean getXPathInfo(String username, String password) throws Exception {
        DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
        domFactory.setNamespaceAware(true);
        DocumentBuilder builder = domFactory.newDocumentBuilder();
        XPathFactory factory = XPathFactory.newInstance();
        XPath xpath = factory.newXPath();
        Document doc = builder.parse("D:/ffm83/user.xml");
        XPathExpression expr = xpath.compile("//root/user[username/text()='"
                + username + "' and password/text()='" + password + "']");
        Object result = expr.evaluate(doc, XPathConstants.NODESET);
        NodeList nodes = (NodeList) result;
        if (nodes.getLength() >= 1) {
            System.out.println("登陆成功。"); // "login succeeded"
            return true;
        } else {
            System.out.println("用户名或者密码错误,登陆失败。"); // "wrong username or password, login failed"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        XPathLoginAction xpath = new XPathLoginAction();
        xpath.getXPathInfo("ffm", "1");
    }
}
5. Running it
xpath.getXPathInfo("ffm", "1");
登陆成功。
xpath.getXPathInfo("ffm", "2");
用户名或者密码错误,登陆失败。
6. A simple simulated attack
Enter the following in the password field: ' or '1'='1
xpath.getXPathInfo("ffm", "' or '1'='1");
After running it, the output is:
登陆成功。
The login check passed, so the XPath injection has succeeded: the assembled predicate becomes username/text()='ffm' and password/text()='' or '1'='1', and because '1'='1' is always true the expression matches every user node, so nodes.getLength() is never zero.
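The same check rewritten so that the credentials are bound as XPath variables through an XPathVariableResolver instead of being concatenated into the expression. This is an added example, not the author's code; the class name SafeXPathLogin, the method checkLogin and the in-memory copy of user.xml (standing in for D:/ffm83/user.xml) are assumptions.

```java
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class SafeXPathLogin {
    // Constructed in-memory copy of the page's user.xml (stands in for D:/ffm83/user.xml).
    private static final String USER_XML =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>"
        + "<root><user><id>1</id><username>admin</username><password>123</password></user>"
        + "<user><id>5</id><username>ffm</username><password>1</password></user></root>";

    // The expression is a constant. Input only ever enters it through $username and $password.
    private static final String QUERY =
        "//root/user[username/text()=$username and password/text()=$password]";

    public static boolean checkLogin(String username, String password) throws Exception {
        DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
        domFactory.setNamespaceAware(true);
        Document doc = domFactory.newDocumentBuilder().parse(
            new ByteArrayInputStream(USER_XML.getBytes(StandardCharsets.UTF_8)));
        Map<String, Object> vars = new HashMap<>();
        vars.put("username", username);
        vars.put("password", password);

        XPath xpath = XPathFactory.newInstance().newXPath();
        // The resolver supplies each variable's value as data; a quote character in the
        // input is compared as part of the string and can no longer terminate the literal.
        xpath.setXPathVariableResolver((QName name) -> vars.get(name.getLocalPart()));

        XPathExpression expr = xpath.compile(QUERY);
        NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
        return nodes.getLength() >= 1;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(checkLogin("ffm", "1"));
        System.out.println(checkLogin("ffm", "2"));
        // The page's payload is now just a password string that matches no user.
        System.out.println(checkLogin("ffm", "' or '1'='1"));
    }
}
```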
Time: 2024-10-27 07:48:20