XPath injection = possible XXE via document(). If you manage to escape from the XPath context to the XSLT one, that could be even more interesting (possible RCE)
Tried document() but heavily firewalled (only DNS OOB). Tried escaping the context the XSLT tag but can't get it to work, don't think it's possible here. Also can't get basic things to work, i.e. system-property('xsl:vendor'), so I haven't been able to do much, only blind SSRF so far.


Does this issue arise when we apply some condition with a greater-than or less-than sign (like 5>6) ...
We fingerprinted the behaviour for valid syntax (in this case, invalid was 200 OK, valid was 302 redirect), so we could use pretty much any conditional operators and test the truthiness of our equation, yeah.
