From 7ed4c4bd7505236f74f3f99d515174025581fbd9 Mon Sep 17 00:00:00 2001
From: unicornFurnace
Date: Thu, 2 Feb 2012 22:02:47 -0600
Subject: [PATCH] added xml injection
---
CHANGELOG | 7 +
challenges.htm | 14 +-
xmlinjection.php | 130 ++++++++++++++++++
xpath.php | 1 +
.../challenge0.php | 0
.../challenge1.php | 0
.../challenge2.php | 0
.../challenge3.php | 0
.../challenge4.php | 0
.../challenge5.php | 0
.../challenge6.php | 0
.../tutorial0.txt | 0
.../tutorial1.txt | 0
.../tutorial2.txt | 0
.../tutorial3.txt | 0
.../tutorial4.txt | 0
.../tutorial5.txt | 0
.../tutorial6.txt | 0
18 files changed, 145 insertions(+), 7 deletions(-)
create mode 100644 xmlinjection.php
rename {challenges => xpath_challenges}/challenge0.php (100%)
rename {challenges => xpath_challenges}/challenge1.php (100%)
rename {challenges => xpath_challenges}/challenge2.php (100%)
rename {challenges => xpath_challenges}/challenge3.php (100%)
rename {challenges => xpath_challenges}/challenge4.php (100%)
rename {challenges => xpath_challenges}/challenge5.php (100%)
rename {challenges => xpath_challenges}/challenge6.php (100%)
rename {challenges => xpath_challenges}/tutorial0.txt (100%)
rename {challenges => xpath_challenges}/tutorial1.txt (100%)
rename {challenges => xpath_challenges}/tutorial2.txt (100%)
rename {challenges => xpath_challenges}/tutorial3.txt (100%)
rename {challenges => xpath_challenges}/tutorial4.txt (100%)
rename {challenges => xpath_challenges}/tutorial5.txt (100%)
rename {challenges => xpath_challenges}/tutorial6.txt (100%)
diff --git a/CHANGELOG b/CHANGELOG
index ac4ead8..b526471 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,3 +4,10 @@ YAY IT WORKS v0.2 Added tutorials and more challenges Fixed "Love is Blind" challenge so it's possible with current tools and techniques. Still working on new ones to make that configuration possible! ;) +Added index.php file to make it look less ugly when you go to /xmlmao/ + +v0.3 +Probably shouldn't have incremented a minor version last update but this update deserves one +Added XML Injection page +Shifted challenges folder to be xpath_challenges in order to distinguish between xpath challenges and xml injection challenges +Minor interface changes in xpath.php diff --git a/challenges.htm b/challenges.htm index d5c1d21..e4a6f06 100644 --- a/challenges.htm +++ b/challenges.htm @@ -18,12 +18,12 @@


-Challenge 0 - Hello, world!
-Challenge 1 - Retrieve ALL the Nodes!
-Challenge 2 - The Failure of Quote Filters
-Challenge 3 - Looking Through a Keyhole
-Challenge 4 - Love is Blind
-Challenge 5 - Pipe Dream
-Challenge 6 - Up, Up, and Away!
+Challenge 0 - Hello, world!
+Challenge 1 - Retrieve ALL the Nodes!
+Challenge 2 - The Failure of Quote Filters
+Challenge 3 - Looking Through a Keyhole
+Challenge 4 - Love is Blind
+Challenge 5 - Pipe Dream
+Challenge 6 - Up, Up, and Away!
\ No newline at end of file diff --git a/xmlinjection.php b/xmlinjection.php new file mode 100644 index 0000000..8b98890 --- /dev/null +++ b/xmlinjection.php @@ -0,0 +1,130 @@ +. +*/ +?> + + +XMLmao - XML Injection + + +

XMLmao - XML Injection


+| XPath Injection || XML Injection || Challenges | +
+
+
+
+
+ + + + + + + + + + + +
Injection String:
Injection Location: +
Input Sanitization:
Remove Quotes?
Remove Spaces?
Remove Angle Brackets < >?
Remove Square Brackets [ ]?
Output Level:
Output Query Results:
Show XML?
Error Verbosity:
+ +
+ + + + Inject1 + + + + + +'; + +if(isset($_REQUEST['submit'])){ + + //sanitization section + if(isset($_REQUEST['quotes_remove']) and $_REQUEST['quotes_remove'] == 'on') $_REQUEST['inject_string'] = str_replace("'", "\'", $_REQUEST['inject_string']); + if(isset($_REQUEST['spaces_remove']) and $_REQUEST['spaces_remove'] == 'on') $_REQUEST['inject_string'] = str_replace(' ', '', $_REQUEST['inject_string']); + if(isset($_REQUEST['brackets_remove']) and $_REQUEST['brackets_remove'] == 'on'){ + $_REQUEST['inject_string'] = str_replace('[', '', $_REQUEST['inject_string']); + $_REQUEST['inject_string'] = str_replace(']', '', $_REQUEST['inject_string']); + } + if(isset($_REQUEST['angle_remove']) and $_REQUEST['angle_remove'] == 'on'){ + $_REQUEST['inject_string'] = str_replace('<', '', $_REQUEST['inject_string']); + $_REQUEST['inject_string'] = str_replace('>', '', $_REQUEST['inject_string']); + } + + switch($_REQUEST['location']){ + case 'attribute': + $displayxml = str_replace('Inject2', ''.$_REQUEST['inject_string'].'', $xmldata); + $xmldata = str_replace('Inject2', $_REQUEST['inject_string'], $xmldata); + break; + case 'value': + $displayxml = str_replace('Inject1', ''.$_REQUEST['inject_string'].'', $xmldata); + $xmldata = str_replace('Inject1', $_REQUEST['inject_string'], $xmldata); + break; + case 'cdatavalue': + $displayxml = str_replace('Inject3', ''.$_REQUEST['inject_string'].'', $xmldata); + $xmldata = str_replace('Inject3', $_REQUEST['inject_string'], $xmldata); + break; + } + + if(isset($_REQUEST['show_xml']) and $_REQUEST['show_xml'] == 'on') echo 'Resulting XML: ' . htmlentities($xmldata) . '
'; + + $xml = ''; + + if(isset($_REQUEST['error_level'])){ + switch ($_REQUEST['error_level']){ + case 'generic': + ini_set('display_errors', 0); + $xml = simplexml_load_string($xmldata); + if(!$results) echo "An error occurred." . "\n
"; + break; + case 'verbose': + ini_set('display_errors', 1); + $xml = simplexml_load_string($xmldata); + break; + case 'none': + ini_set('display_errors', 0); + $xml = simplexml_load_string($xmldata); + break; + } + } + + switch ($_REQUEST['query_results']){ + case 'all': + foreach ($xml->data as $data){ + echo $data . '
'; + } + break; + case 'one': + echo $xml->data[0]; + break; + } +} +?> + + \ No newline at end of file diff --git a/xpath.php b/xpath.php index 62818a4..2347f8e 100644 --- a/xpath.php +++ b/xpath.php @@ -17,6 +17,7 @@
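Review bot: In the `generic` case of the `error_level` switch, `if(!$results)` tests a variable that is not assigned in the lines visible here, so "An error occurred." would be printed on every request in that mode whether or not parsing failed; the check belongs on the parser's return value, `if($xml === false)`. That return value is also unchecked before the `query_results` switch: when `simplexml_load_string()` returns false, or `error_level` is absent and `$xml` is still `''`, `foreach ($xml->data as $data)` and `$xml->data[0]` run on a non-object, so that switch should sit inside `if($xml instanceof SimpleXMLElement) { ... }`. `$displayxml` is built in each `location` case but not read in the visible lines, so it looks like dead code or an unfinished display path. `echo $data` and `echo $xml->data[0]` write parsed node text without the `htmlentities()` that the "Resulting XML" line applies, so the page reflects markup into HTML as well; if that is not part of the exercise, the same escaping should be applied there.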

XMLmao - XPath Injection


+| XPath Injection || XML Injection || Challenges |


diff --git a/challenges/challenge0.php b/xpath_challenges/challenge0.php
similarity index 100%
rename from challenges/challenge0.php
rename to xpath_challenges/challenge0.php
diff --git a/challenges/challenge1.php b/xpath_challenges/challenge1.php
similarity index 100%
rename from challenges/challenge1.php
rename to xpath_challenges/challenge1.php
diff --git a/challenges/challenge2.php b/xpath_challenges/challenge2.php
similarity index 100%
rename from challenges/challenge2.php
rename to xpath_challenges/challenge2.php
diff --git a/challenges/challenge3.php b/xpath_challenges/challenge3.php
similarity index 100%
rename from challenges/challenge3.php
rename to xpath_challenges/challenge3.php
diff --git a/challenges/challenge4.php b/xpath_challenges/challenge4.php
similarity index 100%
rename from challenges/challenge4.php
rename to xpath_challenges/challenge4.php
diff --git a/challenges/challenge5.php b/xpath_challenges/challenge5.php
similarity index 100%
rename from challenges/challenge5.php
rename to xpath_challenges/challenge5.php
diff --git a/challenges/challenge6.php b/xpath_challenges/challenge6.php
similarity index 100%
rename from challenges/challenge6.php
rename to xpath_challenges/challenge6.php
diff --git a/challenges/tutorial0.txt b/xpath_challenges/tutorial0.txt
similarity index 100%
rename from challenges/tutorial0.txt
rename to xpath_challenges/tutorial0.txt
diff --git a/challenges/tutorial1.txt b/xpath_challenges/tutorial1.txt
similarity index 100%
rename from challenges/tutorial1.txt
rename to xpath_challenges/tutorial1.txt
diff --git a/challenges/tutorial2.txt b/xpath_challenges/tutorial2.txt
similarity index 100%
rename from challenges/tutorial2.txt
rename to xpath_challenges/tutorial2.txt
diff --git a/challenges/tutorial3.txt b/xpath_challenges/tutorial3.txt
similarity index 100%
rename from challenges/tutorial3.txt
rename to xpath_challenges/tutorial3.txt
diff --git a/challenges/tutorial4.txt b/xpath_challenges/tutorial4.txt
similarity index 100%
rename from challenges/tutorial4.txt
rename to xpath_challenges/tutorial4.txt
diff --git a/challenges/tutorial5.txt b/xpath_challenges/tutorial5.txt
similarity index 100%
rename from challenges/tutorial5.txt
rename to xpath_challenges/tutorial5.txt
diff --git a/challenges/tutorial6.txt b/xpath_challenges/tutorial6.txt
similarity index 100%
rename from challenges/tutorial6.txt
rename to xpath_challenges/tutorial6.txt