
What is the basic syntax of XPath injection


This article introduces the basic syntax behind XPath injection as a reference.

First of all, what is XPath? XPath is a language for finding information in XML.

In XPath, there are seven kinds of nodes: element, attribute, text, namespace, processing-instruction, comment, and document (root) nodes. XML documents are parsed as a document tree, and the root of the tree is called the document node or root node.

From the source of this basic XML document, you can see that bookstore is the document node (root node), and book, title, author, year, and price are element nodes. The book node has four child element nodes: title, author, year, and price. The title node has three siblings: author, year, and price. The element node title has an attribute node and a text node: the attribute node is lang with the value en, and the value of the text node is HarryPotter.

There are also some descriptions of xml node relationships (similar to trees in data structures):

Parent: the parent of the book node is bookstore, and the book node is the parent of the title, author, year, and price nodes. Each node can have only one parent.

Child: book is a child of bookstore, and the children of the book node are title, author, year, and price.

Element nodes can have zero, one, or more children.

Siblings: nodes with the same parent, similar to sibling nodes in a tree structure. The siblings of title are author, year, and price. A node can have zero, one, or more siblings.

Ancestors: the parent of a node, the parent's parent, and so on. The ancestors of the title element node are book and bookstore.

Descendants: the children of a node, the children's children, and so on. The descendants of the bookstore document node are book, title, author, year, price, and lang.

Knowing the node relationships of XML is not enough; you also need to know how a document is queried. XPath uses path expressions to select nodes or node sets in the XML document. Nodes are selected by following a path or steps.

The most useful path expressions are listed below:

nodename: select all child nodes of this node

/: select from the root node

//: select nodes in the document that match the selection, starting from the current node, regardless of their location

.: select the current node

..: select the parent node of the current node

@: select attributes

Let's use the XPath query syntax directly from JS.

First write an HTML file template for the XPath call (the calling code is written in JS), and then prepare an XML file to query.

The source code of the JS template is as follows:

https://www.runoob.com/try/try.php?filename=try_xpath_select_cdnodes

Go through the JS code in this HTML file piece by piece (the file contains only JS code).

This is an asynchronous call function in JS. The important code is on lines 15 and 17. The dname parameter passed to the function is the path of the XML file, and line 17 returns the resulting XML document.

Looking at line 20, the xml variable receives the XML document returned by the loadXMLDOC function. The path variable on line 21 holds the XPath query. The first if statement checks whether the browser is IE6 or earlier; if it is, it retrieves the array of nodes matched by the query and then outputs the values in the array to the page.

The second if statement handles browsers other than IE6 and earlier. The process is the same, but the syntax is slightly different: these browsers run the query through the evaluate function, whose format is basically fixed. Now practice the syntax covered above.

To replace the query syntax, you only need to change the value of path.

First list the syntax for the query:

Note: if the path starts with a forward slash (/), the path always represents the absolute path to an element!

bookstore: select all the child nodes of the bookstore element.

/bookstore: select the root element bookstore.

bookstore/book: select all book elements that are children of bookstore.

//book: select all book child elements, regardless of their location in the document.

bookstore//book: select all book elements that are descendants of the bookstore element, no matter where they are under bookstore.

//@lang: select all attributes named lang.

However, these individual queries alone often cannot produce the desired result; they need to be combined with other query syntax. Here are some constructs to combine them with:

Predicates (written in square brackets, to get more precise query results):

/bookstore/book[1]: select the first book element that is a child of bookstore.

/bookstore/book[last()]: select the last book element that is a child of bookstore.

/bookstore/book[last()-1]: select the penultimate book element that is a child of bookstore.

/bookstore/book[price>35.00]: select all book elements of the bookstore element whose price element has a value greater than 35.00.

/bookstore/book[price>35.00]/title: select all title elements of the book elements in the bookstore element whose price element has a value greater than 35.00.

Select unknown nodes:

*: matches any element node.

@*: matches any attribute node.

node(): matches any type of node.

For example:

/bookstore/*: select all the children of the bookstore element.

//*: select all elements in the document.

//title[@*]: select all title elements that have attributes.

Select several paths:

//book/title | //book/price: select all title and price elements of the book element.

//title | //price: select all title and price elements in the document.

/bookstore/book/title | //price: select all title elements that belong to the book element of the bookstore element, and all price elements in the document.

Look at a few examples of queries:

Query the title value of the second book: /bookstore/book[1]/title

Query the title values of all book elements: /bookstore/book//title

Query the values of all title elements with a lang attribute: /bookstore/book//title[@lang]
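The path and predicate expressions listed above can be checked offline against a small bookstore document. The following is an added example, not code from the article: the XML is constructed for illustration, and it uses Python's xml.etree.ElementTree, which implements only a subset of XPath, so the select helper that rewrites absolute paths and the Python-side price comparison are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample document; the article's own XML listing is not reproduced here.
BOOKSTORE_XML = """
<bookstore>
  <book><title lang="en">HarryPotter</title><author>A</author>
        <year>2005</year><price>29.99</price></book>
  <book><title lang="en">Learning XML</title><author>B</author>
        <year>2003</year><price>39.95</price></book>
  <book><title>XQuery Kick Start</title><author>C</author>
        <year>2004</year><price>49.99</price></book>
</bookstore>
"""
ROOT = ET.fromstring(BOOKSTORE_XML)


def select(expr, root=ROOT):
    """Evaluate an absolute expression from the article against the root element.

    ElementTree only accepts paths relative to an element, so "/bookstore/..."
    and "//..." are rewritten to start at the root element with ".".
    """
    prefix = "/" + root.tag
    if expr.startswith("//"):
        rel = "." + expr
    elif expr == prefix or expr.startswith(prefix + "/"):
        rel = "." + expr[len(prefix):]
    else:
        raise ValueError("expected an absolute path under " + prefix)
    return root.findall(rel)


def texts(expr):
    """Text values of the nodes selected by expr, in document order."""
    return [node.text for node in select(expr)]


def titles_priced_above(limit):
    """Equivalent of /bookstore/book[price>limit]/title. The comparison runs in
    Python because ElementTree's XPath subset has no numeric comparison."""
    return [book.findtext("title") for book in select("/bookstore/book")
            if float(book.findtext("price")) > limit]


if __name__ == "__main__":
    for expr in ("/bookstore/book[1]/title", "/bookstore/book[last()]/title",
                 "/bookstore/book[last()-1]/title", "/bookstore/book//title[@lang]"):
        print(expr, "->", texts(expr))
    print("price > 35.00 ->", titles_priced_above(35.00))
```
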
