View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0000581||Kali Linux||[All Projects] New Tool Requests||public||2013-09-14 17:16||2018-01-29 15:19|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Target Version||Fixed in Version|
|Description||XCat is a tool for exploiting blind XPath injection flaws. While XPath injection flaws are not common they do turn up from time to time and XCat can be extremely helpful in exploring them.|
Its useful in a pentest because it's "SQLMap for xpath flaws", allowing you to:
* Read arbitrary files on the filesystem (in any format, with some limitations)
* Make the server send portions of the document to XCat via HTTP, dramatically increasing retrieval times
* Retrieve the whole document being queried using standard blind injection techniques
Its also very lightweight and only has one dependency (Python-twisted). I wrote this tool as a companion to a blackhat paper I authored a year or so ago, and I figure that it might as well be included because there isn't much else that does what xcat does.
To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will for us):
- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool?
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [How to install] - How do you compile it?
- [How to use] - What are some basic commands/functions to demonstrate it?