I am trying to execute an xpath injection in golang, I am at the point where I can extract data through the injection from the first user in the xml file ‘ or position()=1]/*[2]|/a[‘. However from the second user on the injection fails. Any idea why this could be the case?
Note this is the package I am using for xml parsing: “github.com/antchfx/xmlquery”
The go function:
func getTaskHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS, HEAD")
w.Header().Set("Content-Type", "application/json")
if r.Method != http.MethodPost {
http.Error(w, `{"message": "Method not allowed"}`, http.StatusMethodNotAllowed)
return
}
var req struct {
Name string `json:"name"`
}
err := json.NewDecoder(r.Body).Decode(&req)
if err != nil {
http.Error(w, `{"message": "Invalid request payload"}`, http.StatusBadRequest)
return
}
xmlFile, err := os.Open("tasks.xml")
if err != nil {
http.Error(w, `{"message": "Could not open XML file"}`, http.StatusInternalServerError)
return
}
defer xmlFile.Close()
doc, err := xmlquery.Parse(xmlFile)
if err != nil {
http.Error(w, `{"message": "Could not parse XML file"}`, http.StatusInternalServerError)
return
}
expression := fmt.Sprintf("//users/user[name='%s']/task", req.Name)
fmt.Println("XPath Query:", expression)
taskNode := xmlquery.FindOne(doc, expression)
if taskNode == nil {
http.Error(w, `{"message": "Task not found"}`, http.StatusNotFound)
return
}
task := taskNode.InnerText()
response := map[string]string{"task": task}
json.NewEncoder(w).Encode(response)
}
My xml file for reference:
<?xml version="1.0" encoding="UTF-8"?>
<users>
<user>
<name>Engineer</name>
<task>Build a Sentry Gun</task>
<time>Wednesday 14:00</time>
<skill>Playing the banjo</skill>
<note>Boring to play</note>
</user>
<user>
<name>Scout</name>
<task>Bashing chucklenuts</task>
<time>Monday 8:00</time>
<skill>Baseball</skill>
<note>3 fast 5 you</note>
</user>
<user>
<name>Soldier</name>
<task>Rocket Jump</task>
<time>All day everyday</time>
<skill>Leading</skill>
<note>Doesn't like his teammates</note>
</user>
<user>
<name>Pyro</name>
<task>Spy Check</task>
<time>Friday 10:00</time>
<skill>Burning things</skill>
<note>Sees everything as sunshine and rainbows</note>
</user>
<user>
<name>Demoman</name>
<task>Plant Sticky Bombs</task>
<time>Tuesday all day</time>
<skill>Aiming with one eye</skill>
<note>Has 36 jobs</note>
</user>
<user>
<name>Heavy</name>
<task>Provide Suppressive Fire</task>
<time>Sunday 5:00</time>
<skill>Carrying a heavy gun</skill>
<note>Likes to eat sandwiches</note>
</user>
<user>
<name>Medic</name>
<task>Heal Teammates</task>
<time>When someone is injured</time>
<skill>Ubercharging people</skill>
<note>Sealed a dove into Heavy</note>
</user>
<user>
<name>Sniper</name>
<task>Eliminate High-Value Targets</task>
<time>24/7/365</time>
<skill>Skilled machete user</skill>
<note>Pissjars</note>
</user>
<user>
<name>Spy</name>
<task>Infiltrate Enemy Lines</task>
<time>Thursday 18:00</time>
<skill>Disguising himself as enemies</skill>
<note>Slept with Scout's mom</note>
</user>
<user>
<name>Administrator</name>
<task>Updating the game state</task>
<time>When the battle is happening</time>
<skill>Being a skilled commentator</skill>
<note>Has a magical voice</note>
</user>
</users>
For the first node it correctly sends back the task of the soldier, however everyother user the taskNode is nil and returns the Task not found message
New contributor
Erstuuj is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.