Xpath: detecting and exploiting error-based injection security

by do son · Published April 10, 2017 · Updated November 4, 2024

What is XPath?

XPath Injection

Similar to SQL injection, XPath injection occurs when the site uses the information entered by the user to construct the request for XML data. An attacker sends specially constructed information to the site to explore how the XML used by the site is constructed, and even to obtain data that is not available in the normal way. When XML data is used for account authentication, an attacker can also elevate his privileges. By querying XML with XPath, XPath is a simple, descriptive declaration that allows an XML request to determine the location of some information in XML. (Perhaps equivalent to a path query). Similar to SQL, when looking for the information you can specify specific attributes and characteristics to match the information. When you use xml for your website, you typically accept some form of string request to confirm the location of the content and display the content on the page. This input must be reviewed to ensure that does not return the wrong data. XPath is a standard language, its syntax is generally independent, which means that attacks against it can be automated, in this respect with the SQL injection is no different (sqlmap).

More info, please read my articles here.

Xpath is a python open source Sql injector that automates the process of detecting and exploiting error-based injection security flaws. At the moment, DBMS supported by XPath is mysql. Please note that this project is an early state. As such, you might find bugs, flaws or malfunction. Use it at your own risk!.

Installation

git clone https://github.com/r0oth3x49/Xpath.git

Usage

xpath tool v2.0 - Automated Xpath Sql Injection

Author: Nasir khan (r0ot h3x49)

Usage: xpath.py [options]

Options:

  -h, --help           Show basic help message and exit

  --version            Show program's version number and exit

  Target:

    At least one of these options has to be provided to define the target(s)    

    -u URL, --url=URL  Target URL (e.g. "http://www.site.com/vuln.php?id=1")

  Request:

    These options can be used to specify how to connect to the target URL

    --data=DATA        Data string to be sent through POST

    --tor              Use Tor anonymity network

    --new-id           Request for new identity to Tor anonymity network

    --timeout=TIMEOUT  Seconds to wait before timeout connection (default 30)

  Techniques:

    These options can be used to tweak testing of specific SQL injection techniques

    --technique=TECH   SQL injection techniques to use  (default 'X')

                       error-based (DOUBLE/BIGINT) Injection (--technique=D)

                       error-based   (Geometric)   Injection (--technique=G)

                       error-based     (FLOOR)     Injection (--technique=E)

  Enumeration:

    These options can be used to enumerate the back-end database

    managment system information, structure and data contained in the tables.

    -b, --banner       Retrieve DBMS banner

    --current-user     Retrieve DBMS current user

    --current-db       Retrieve DBMS current database

    --hostname         Retrieve DBMS server hostname

    --dbs              Enumerate DBMS databases

    --tables           Enumerate DBMS database tables

    --columns          Enumerate DBMS database table columns

    --dump             Dump DBMS database table entries

    -D DB              DBMS database to enumerate

    -T TBL             DBMS database tables(s) to enumerate

    -C COL             DBMS database table column(s) to enumerate

  Example:

    xpath.py -u http://www.test.com/index.php?id=1 --dbs

    xpath.py -u http://www.test.com/ --data "index.php?id=1" --dbs