This repository has been archived by the owner on Aug 7, 2020. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
fbf6847
commit 7ed4c4b
Showing
18 changed files
with
145 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,130 @@ | ||
<?php | ||
/* | ||
XMLmao - A configurable XML/XPath injection testbed | ||
Daniel "unicornFurnace" Crowley | ||
Copyright (C) 2012 Trustwave Holdings, Inc. | ||
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. | ||
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. | ||
You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
*/ | ||
?> | ||
<html> | ||
<head> | ||
<title>XMLmao - XML Injection</title> | ||
</head> | ||
<body> | ||
<center><h1>XMLmao - XML Injection</h1></center><br> | ||
| <a href="xpath.php">XPath Injection</a> || <a href="xmlinjection.php">XML Injection</a> || <a href="challenges.htm">Challenges</a> | | ||
<hr width="40%"> | ||
<hr width="60%"> | ||
<hr width="40%"> | ||
<br> | ||
<form action='xmlinjection.php' name='inject_form' method='get'> | ||
<table><tr><td>Injection String:</td><td><input type='text' name='inject_string'></td></tr> | ||
<tr><td>Injection Location:</td><td> | ||
<select name="location"> | ||
<option value="attribute">Attribute</option> | ||
<option value="value">Node Value</option> | ||
<option value="cdatavalue">CDATA-wrapped Value</option> | ||
</select></td></tr> | ||
<tr><td><b>Input Sanitization:</b></td></tr> | ||
<tr><td>Remove Quotes?</td><td><input type='checkbox' name="quotes_remove"></td></tr> | ||
<tr><td>Remove Spaces?</td><td><input type="checkbox" name="spaces_remove"></td></tr> | ||
<tr><td>Remove Angle Brackets < >?</td><td><input type="checkbox" name="angle_remove"></td></tr> | ||
<tr><td>Remove Square Brackets [ ]?</td><td><input type="checkbox" name="brackets_remove"></td></tr> | ||
<tr><td><b>Output Level:</b></td></tr> | ||
<tr><td>Output Query Results:</td><td><select name="query_results"> | ||
<option value="all">All results</option> | ||
<option value="one">One value</option> | ||
<option value="none">No results</option> | ||
</select></td></tr> | ||
<tr><td>Show XML?</td><td><input type='checkbox' name='show_xml'></td></tr> | ||
<tr><td>Error Verbosity:</td><td><select name="error_level"> | ||
<option value="verbose">Verbose error messages</option> | ||
<option value="generic">Generic error messages</option> | ||
<option value="none">No error messages</option> | ||
</select></td></tr> | ||
</table> | ||
<input type="submit" name="submit" value="Inject!"> | ||
</form> | ||
|
||
<?php | ||
$xmldata = ' | ||
<xmlfile> | ||
<hooray attrib="Inject2"> | ||
<ilovepie>Inject1</ilovepie> | ||
</hooray> | ||
<data> | ||
<![CDATA[Inject3]]> | ||
</data> | ||
</xmlfile> | ||
'; | ||
|
||
if(isset($_REQUEST['submit'])){ | ||
|
||
//sanitization section | ||
if(isset($_REQUEST['quotes_remove']) and $_REQUEST['quotes_remove'] == 'on') $_REQUEST['inject_string'] = str_replace("'", "\'", $_REQUEST['inject_string']); | ||
if(isset($_REQUEST['spaces_remove']) and $_REQUEST['spaces_remove'] == 'on') $_REQUEST['inject_string'] = str_replace(' ', '', $_REQUEST['inject_string']); | ||
if(isset($_REQUEST['brackets_remove']) and $_REQUEST['brackets_remove'] == 'on'){ | ||
$_REQUEST['inject_string'] = str_replace('[', '', $_REQUEST['inject_string']); | ||
$_REQUEST['inject_string'] = str_replace(']', '', $_REQUEST['inject_string']); | ||
} | ||
if(isset($_REQUEST['angle_remove']) and $_REQUEST['angle_remove'] == 'on'){ | ||
$_REQUEST['inject_string'] = str_replace('<', '', $_REQUEST['inject_string']); | ||
$_REQUEST['inject_string'] = str_replace('>', '', $_REQUEST['inject_string']); | ||
} | ||
|
||
switch($_REQUEST['location']){ | ||
case 'attribute': | ||
$displayxml = str_replace('Inject2', '<u>'.$_REQUEST['inject_string'].'</u>', $xmldata); | ||
$xmldata = str_replace('Inject2', $_REQUEST['inject_string'], $xmldata); | ||
break; | ||
case 'value': | ||
$displayxml = str_replace('Inject1', '<u>'.$_REQUEST['inject_string'].'</u>', $xmldata); | ||
$xmldata = str_replace('Inject1', $_REQUEST['inject_string'], $xmldata); | ||
break; | ||
case 'cdatavalue': | ||
$displayxml = str_replace('Inject3', '<u>'.$_REQUEST['inject_string'].'</u>', $xmldata); | ||
$xmldata = str_replace('Inject3', $_REQUEST['inject_string'], $xmldata); | ||
break; | ||
} | ||
|
||
if(isset($_REQUEST['show_xml']) and $_REQUEST['show_xml'] == 'on') echo 'Resulting XML: ' . htmlentities($xmldata) . '<br>'; | ||
|
||
$xml = ''; | ||
|
||
if(isset($_REQUEST['error_level'])){ | ||
switch ($_REQUEST['error_level']){ | ||
case 'generic': | ||
ini_set('display_errors', 0); | ||
$xml = simplexml_load_string($xmldata); | ||
if(!$results) echo "An error occurred." . "\n<br>"; | ||
break; | ||
case 'verbose': | ||
ini_set('display_errors', 1); | ||
$xml = simplexml_load_string($xmldata); | ||
break; | ||
case 'none': | ||
ini_set('display_errors', 0); | ||
$xml = simplexml_load_string($xmldata); | ||
break; | ||
} | ||
} | ||
|
||
switch ($_REQUEST['query_results']){ | ||
case 'all': | ||
foreach ($xml->data as $data){ | ||
echo $data . '<br>'; | ||
} | ||
break; | ||
case 'one': | ||
echo $xml->data[0]; | ||
break; | ||
} | ||
} | ||
?> | ||
</body> | ||
</html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.