Skip to main content

           XPATH INJECTION TUTORIAL

Path is a language that has been designed and developed to operate on data that is described with XML. The XPath injection allows an attacker to inject XPath elements in a query that uses this language. Some of the possible goals are to bypass authentication or access information in an unauthorized manner.

We are gonna learn using simple example. Download code from here & put it in your local server directory.(Code is created by SOu Gat





Sample XML Document which we gonna use:-

<Employees> 
<!-- Employees Database --> 
  <Employee ID="1"> 
    <FirstName>Johnny</FirstName> 
    <LastName>Bravo</LastName> 
    <UserName>jbravo</UserName> 
    <Password>test123</Password> 
    <Type>Admin</Type> 
  </Employee> 
  <Employee ID="2"> 
    <FirstName>Mark</FirstName> 
    <LastName>Brown</LastName> 
    <UserName>mbrown</UserName> 
    <Password>demopass</Password> 
    <Type>User</Type> 
  </Employee> 
  <Employee ID="3"> 
    <FirstName>William</FirstName> 
    <LastName>Gates</LastName> 
    <UserName>wgates</UserName> 
    <Password>MSRocks!</Password> 
    <Type>User</Type> 
  </Employee> 
  <Employee ID="4"> 
    <FirstName>Chris</FirstName> 
    <LastName>Dawes</LastName> 
    <UserName>cdawes</UserName> 
    <Password>letmein</Password> 
    <Type>User</Type> 
  </Employee> 
</Employees> 



Bypass Authentication :

Browse to the login.php page; here we can see simple login form.


If the application does not properly filter such input, the tester will be able to inject XPath code and interfere with the query result. For instance, the tester could input the following values:
Username: ' or '1' = '1Password:  ' or '1' = '1




Looks quite familiar, doesn't it? Using these parameters, the query becomes:
string(//Employee[uname/text()='' or '1' = '1' and passwd/text()='' or '1' = '1']/account/text())
As in a common SQL Injection attack, we have created a query that is always evaluated as true, which means that the application will authenticate the user even if a username or a password have not been provided.


Blind X-Path Injection:
If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack whose goal is to reconstruct the whole data structure.

Browse to the search.php page. Enter any number, When you provide number it will display FIRST NAME related to their ID.



Enter ' or '1' = '1 in search , & you will get all FirstName regardless of any ID(Number).


In blind Xpath injection we have to provide special crafted query to application, if query is true we will get result otherwise we will not get any result.Till now We don`t know about any parent or child node of XML document.

Guessing Of Parent Node:

Supply following query to application & observe result.

' or substring(name(parent::*[position()=1]),1,1)='a

Nothing append , we don`t get FirstName of users.It means first letter of parent node is not "a". Now supply following query

' or substring(name(parent::*[position()=1]),1,1)='E



You get result, It means first letter of parent node is "E"
To guess second letter of parent node supply following query
' or substring(name(parent::*[position()=1]),2,1)='m
Following the same procedure, we can extract the full name of the parent node, which was found to be 'Employee'.

We can also get child node. Browse to the xpath.php page & enter following query.
//Employee[position()=3]/child::node()[position()=4]/text()

You got output from parent node Employee id 3 & child node whose position is 2.



To get whole document put following query.
 //Employee 


It`s just concept how to retrieve data from XML document using XPATH injection.XPath contains two useful functions that can help you automate the preceding attack and quickly iterate through all nodes and data in the XML document:


>>    count() returns the number of child nodes of a given element, which can be used to determine the range of position() values to iterate over.
>> string-length() returns the length of a supplied string, which can be used to determine the range of substring() values to iterate over.
I used recon-ng xpath bruteforcer for xpath injection attack & we will get back end XML file.


Useful Links & Blind XPATH injection Tools:-


https://www.owasp.org/index.php/XPATH_Injection
https://www.owasp.org/index.php/Blind_XPath_Injection
XPATH BLIND EXPLORER:-  http://code.google.com/p/xpath-blind-explorer/downloads/list
XCAT:-  https://github.com/orf/xcat



Don't Forget to SUBSCRIBE Youtube Channel :Youtube Channel


Comments

Post a Comment

Popular posts from this blog

      HAVIJ Adv. SQL Injection Tool 1.17 Cracked ➝Havij PRO (SQL Injection) : is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands. The distinctive power of Havij that differentiates it from similar tools lies in its unique methods of injection. The success rate of attack on vulnerable targets using Havij is above 95%. The user friendly GUI (Graphical User Interface) of Havij and its automated configuration and heuristic detections make it easy to use for everyone even amateurs. Havij PRO Supported Databases W...
1 comment
Read more
CREDIT CARD DORKS This is some of the Latest Carding dorks. If you are new here, then take a look at the next (first) post. inurl:".php?cat="+intext:"Paypal"+site:UK inurl:".php?cat="+intext:"/Buy Now/"+site:.net inurl:".php?cid="+intext:"online+betting" inurl:".php?id=" intext:"View cart" inurl:".php?id=" intext:"Buy Now" inurl:".php?id=" intext:"add to cart" inurl:".php?id=" intext:"shopping" inurl:".php?id=" intext:"boutique" inurl:".php?id=" intext:"/store/" inurl:".php?id=" intext:"/shop/" inurl:".php?id=" intext:"toys" inurl:".php?cid=" inurl:".php?cid=" intext:"shopping" inurl:".php?cid=" intext:"add to cart" inurl:".php?cid=" intext:"Buy Now" inurl:".php?cid=" intext:...
Post a Comment
Read more

Google Tricks, Tips And Hacks 2017 (Best 36+)

Google Tricks, Tips And Hacks 2017 (Best 36+) Google has rather become the face of the internet. While it was just a search engine back in the day, Google has grown a lot. This is because Google owns popular services like gmail, YouTube and also the most popular mobile OS which is Android. Therefore, anyone cannot use the internet without Google.                                                                                                                                                                                         ...
4 comments
Read more