GitHub Repository: projectdiscovery/nuclei
Path: blob/dev/integration_tests/fuzz/fuzz-body-xml-sqli.yaml
id: xml-body-error-sqli

info:
  name: fuzzing error sqli payloads in xml body
  author: pdteam
  severity: info
  description: |
    This template attempts to find SQL injection vulnerabilities by fuzzing http body of xml type.
    This is achieved by performing [ruleType](example: postfix) on value of xml key
    Note: this is example template, and payloads/matchers need to be modified appropriately.

http:
  - pre-condition:
      - type: dsl
        dsl:
          - method != "GET"
          - method != "HEAD"
          - contains(content_type, "application/xml")
          - contains(path, "/user") # for scope of integration test
        condition: and

    payloads:
      injection:
        - "'"
        - "\""
        - ";"

    fuzzing:
      - part: body
        type: postfix
        mode: single
        fuzz:
          - '{{injection}}'

    stop-at-first-match: true
    matchers:
      - type: word
        words:
          - "unrecognized token:"
          - "null"
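
An added illustration (not code from the nuclei project) of what `type: postfix` with `mode: single` does to an XML body, and of how the template's word matcher evaluates a response. It is a simplified Python model that assumes only leaf element text is fuzzed; the sample body and responses are constructed.

```python
import xml.etree.ElementTree as ET

# Payloads copied from the template's `payloads.injection` list.
INJECTION = ["'", '"', ";"]
# Words from the template's word matcher (nuclei word matchers default to OR).
MATCH_WORDS = ["unrecognized token:", "null"]


def postfix_single(body: str, payloads=INJECTION):
    """Yield (leaf_tag, payload, mutated_body): one leaf value changed per request."""
    n_nodes = len(list(ET.fromstring(body).iter()))
    for idx in range(n_nodes):
        for payload in payloads:
            root = ET.fromstring(body)          # fresh copy, so only one value differs
            node = list(root.iter())[idx]
            if len(node) or not (node.text or "").strip():
                continue                        # skip containers and empty leaves
            node.text = node.text + payload     # "postfix": append, keep original value
            yield node.tag, payload, ET.tostring(root, encoding="unicode")


def word_match(response_body: str, words=MATCH_WORDS) -> bool:
    """True if any matcher word occurs in the response body."""
    return any(w in response_body for w in words)


# Constructed sample request body and responses (not from the nuclei test suite).
SAMPLE_BODY = "<user><id>1</id><name>alice</name></user>"
SQLITE_ERROR = 'SQL logic error: unrecognized token: "\'" (1)'
BENIGN_JSON = '{"id": 1, "nickname": null}'

if __name__ == "__main__":
    for tag, payload, mutated in postfix_single(SAMPLE_BODY):
        print(f"{tag:5} {payload!r:4} {mutated}")
    print(word_match(SQLITE_ERROR), word_match(BENIGN_JSON))
```

The second sample response shows why the template's note about adjusting matchers matters: the bare word `null` also matches an ordinary JSON response.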