
XPath Injection Tutorial to Hack Websites Database


Every day we hear reports of websites being hacked, and typically we think that the hacker who succeeded must be incredibly smart. Usually, the opposite is true. Most hackers who deface websites are novices who perform these shameful acts for popularity. Web designers focus on designing their websites, and hackers focus on exploits.
XPath Injection Tutorial by HaCkeROne

Note: This article is for educational purposes only. Be a part of a constructive society.
Let's start with the basics. In order to follow along, you must have a basic knowledge of HTML and XML. If you're not familiar with either of these, I advise you to go to w3schools and have a quick review of these concepts.



What is XPath?
XPath is the syntax for addressing parts of an XML document. It uses path expressions to navigate the XML document and comes with standard predefined functions for string values, numeric values, date and time comparison, sequence and node manipulation.
Nowadays many webmasters use XML documents to store sensitive data and use XPath to navigate the data inside those XML documents. The main advantage of using XML documents, in their view, is that they are so complex that they are almost unreadable for humans. But we know that where complexity exists, there is a way for hackers to play their part. Without further ado, our tutorial on XPath injection.
What is XPath Injection?
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. It can be used directly by an application to query an XML document, as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document.
In XPath injection, we try to inject data into an application so that it executes user-controlled XPath queries. When successfully injected, this vulnerability may allow an attacker to bypass an entire authentication system or access information without proper authorization.
Let's learn how XPath works with the help of examples. In the example below we have a sample XML database file:
<?xml version="1.0" encoding="ISO-8859-1"?>
<HackingLoops_database>
<hackingloops_user>
<username>Hackingloops</username>
<password>testing123</password>
<account>Administrator</account>
</hackingloops_user>
<hackingloops_user>
<username>Lokesh</username>
<password>test1234</password>
<account>Subscriber</account>
</hackingloops_user>
<hackingloops_user>
<username>Destructive</username>
<password>mind123</password>
<account>Subscriber</account>
</hackingloops_user>
</HackingLoops_database>
The above code shows the basic format for how the XML file is used to store sensitive information.
Now if we want to retrieve the information about an administrator from the above XML file, we have to write an XPath query like the one below:
string(//hackingloops_user[username/text()='Hackingloops' and password/text()='testing123']/account/text())
The above XPath query is what the webmaster has embedded into his code in order to access the XML database document.
Now if the web designer has not properly filtered the user input, then the hacker will be able to inject XPath code into the website and hence interfere with the query result. Here is an example of the XPath query that results when a hacker attacks the XML file database:
string(//hackingloops_user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text())
Did you notice what I injected in place of the username and password?
Note: Below is how webmasters typically use XML and XPath in their website code. This is how it will actually look:
<?php
// Vulnerable example: the raw POST values are concatenated straight into the XPath query.
// 'Hackingloops' and 'testing123' are the names of the login form fields in this example.
$login = simplexml_load_file("HackingLoops_database.xml");
$result = $login->xpath("//hackingloops_user[username/text()='" . $_POST['Hackingloops'] . "' and password/text()='" . $_POST['testing123'] . "']/account/text()");
?>
Doesn’t that look similar to SQL injection?
Yes, it is, because the basic concept behind XPath and SQL injection is the same: both are possible only when the web designer has not properly handled the user input in his code (meaning the use of dynamic queries is not handled correctly). In my previous article about website hacking, I shared a 10-step guide to stop SQL injection in websites.
Now, XPath injection also has two types. The above technique is called Blind XPath injection and the other one is called Advanced XPath injection. Below is a sample Blind XPath injection username and password:
Username: ' or '1' = '1
Password: ' or '1' = '1
Now let me explain what the above username signifies, as most of you might not know. The above username or password will result in a query whose condition is always true, which means that the website will authenticate the user even if a valid username or password has not been provided. Isn't that interesting? It's these types of mistakes by web designers that make a hacker's job easy, but if they know about this exploit, they can easily protect against it.
Note: Information shown on this blog is for educational purposes only.
