XPATH Injection w/ extractvalue()

Similar to SQL Injection, XPath Injection is yet another method we can use to get the same type of results. XPATH injection can occur when a website uses client-supplied information to construct an XPath query to get XML data. The theory and practice are the same as for SQL injection: poor sanitization makes it possible to determine how the XML data is structured or, if lucky, to fully access data that we would not normally have access to (just like in SQLi examples). I personally don't typically resort to even testing this type of injection unless all other methods fail, but I feel it must be covered so you can have a truly full arsenal available to you (and it falls in line with my other SQLi tutorials and write-ups). I will do my best to run through an example using the EXTRACTVALUE() method to show you how it works, so try to keep up, and as always I hope you enjoy and find this useful…

OK, so when to use it? Let us assume we have found a site that appears to be vulnerable based on our usual quick tests, but when we try to inject using ORDER BY no errors are generated. We double-check using the string injection method to make sure that is not the problem, but still get no results. Time to give up? Never; let us now see whether we might be able to use XPATH injection.





We will start with a quick check to confirm versioning to ensure this method can be used, as it only works on MySQL version >=5.1 (best with errors present). The first check for version and user looks like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--
RESULT: 'Xpath syntax error: version info:user info'



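OK, so now we have confirmation that this method will work, as the error message clearly shows. extractvalue() expects a valid XPath expression as its second argument; the concatenated string starts with a colon (0x3a), which is not valid XPath, so MySQL echoes the whole string back inside the 'XPATH syntax error' message. We now have the version and current user info. Next we move on to checking the table info, like this: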

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 0,1)))--
RESULT: 'Xpath syntax error: <Table Name Found at address used in LIMIT statement>'




This is my biggest problem with XPATH Injection: it gets tricky here. You will need to use the LIMIT clause to step through your results and keep track of all of the table names found. This can be very time consuming, but it is key that you use your brain to pick up on any relationships that become obvious as you are sorting through tables, while also keeping an eye out for juicy tables that may warrant further investigation in future steps. I suggest first sorting them to find the lower and upper limits so you know what type of range you are working with (some sites will have only a few and others will have thousands in total – see example below).





Once you have determined the table info, you will need to follow similar steps to pull the column details. It works much the same way as for tables and looks like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,column_name) from information_schema.columns limit 0,1)))--
RESULT: 'Xpath syntax error: <column name found at address used in LIMIT statement>'


This is just as time consuming as pulling the table names and is a bit tricky, as it becomes very hard to tell which columns link to which tables, or which database for that matter. For this reason it is key to use your brain power to make some logical determinations about what you find. This means you can use your brain to deduce that you have found a table named mysql_auth_users and columns idx, username, and password. It would not be a great stretch to assume these might go together. I tend to use a bit of trial and error on this last part but have found if you just think about it for a minute you can usually make the necessary connections to extract what you want. That being said, extraction of data works exactly the same as it does for simple SQLi. You choose the columns you want, indicate what table to pull from, and parse the results from the error given. It looks like this:

COMMAND: http://site.com/index.php?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,idx,0x3a,username,0x3a,password) from mysql_auth_usr)))--
RESULT: Xpath syntax error: ':1:admin:password1'
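
A detection-side view of the requests walked through above, as an added example that is not part of the original write-up: it decodes request URLs, flags calls to extractvalue()/updatexml(), labels the stage, and counts the distinct LIMIT offsets each client has walked. The (client, URL) log format, the names classify and summarize, the three-offset threshold and the sample addresses are assumptions made for this sketch.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

XML_FUNC = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
SCHEMA = re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)
LIMIT = re.compile(r"\blimit\s+(\d+)\s*,\s*\d+", re.I)
SELECT = re.compile(r"\bselect\b", re.I)

def classify(url):
    """Return None for a clean request, else (stage, LIMIT offset or None)."""
    query = unquote_plus(urlsplit(url).query)  # decode %20 and + first
    if not XML_FUNC.search(query):
        return None
    schema, limit = SCHEMA.search(query), LIMIT.search(query)
    if schema:
        stage = "schema-enum:" + schema.group(1).lower()
    elif SELECT.search(query):
        stage = "data-extraction"
    else:
        stage = "fingerprint"
    return stage, int(limit.group(1)) if limit else None

def summarize(log, min_offsets=3):
    """Per client: stages seen, LIMIT offsets walked, enumeration verdict."""
    seen = defaultdict(lambda: {"stages": set(), "offsets": set()})
    for client, url in log:
        hit = classify(url)
        if hit:
            seen[client]["stages"].add(hit[0])
            if hit[1] is not None:
                seen[client]["offsets"].add(hit[1])
    return {c: dict(e, enumerating=len(e["offsets"]) >= min_offsets)
            for c, e in seen.items()}

# Constructed sample log of (client, request URL) pairs; not real traffic.
PROBE = "/index.php?id=1+and+extractvalue(rand(),concat(0x3a,({})))--"
TABLES = "select+concat(0x3a,table_name)+from+information_schema.tables+limit+{},1"
SAMPLE_LOG = [
    ("203.0.113.7", "/index.php?id=1%20and%20extractvalue(rand(),concat(0x3a,version(),0x3a,user()))--"),
    *[("203.0.113.7", PROBE.format(TABLES.format(n))) for n in range(3)],
    ("203.0.113.7", PROBE.format("select+concat(0x3a,idx,0x3a,username,0x3a,password)+from+mysql_auth_usr")),
    ("198.51.100.4", "/index.php?id=42"),
    ("198.51.100.9", "/search.php?q=how+to+extract+value+from+xml"),
]

if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_LOG).items():
        print(client, sorted(entry["stages"]), sorted(entry["offsets"]), entry["enumerating"])
```

Because the technique depends on the database error reaching the page, the same review should confirm that the application binds id as a parameter and returns a generic error page instead of the MySQL message.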


Now you have successfully injected and extracted the data using XPATH injection! Now go pat yourself on the back for learning a new method and enjoy a well-deserved break ;) There are other XPATH queries that can be used but this is the one I have found the best results with. You can also use updatexml(). I will continue to add to this as I investigate this technique more, but this concludes my write-up on XPATH injection using the EXTRACTVALUE() method for now. I hope you have found this interesting and educational and, as always, until next time, enjoy!