Hack Websites Database Using Xpath Injection

Everyday many website gets hacked by hackers but most of the hackers are hacking those website just for popularity nothing else. Today i am writing this tutorial on XPath Injection, in which i will explain you,How Hackers Hack Website Using XPath Injection.In a typical Web Application architecture, all data is stored on a Database server. This Database server store data in various formats like an LDAP, XML or RDBMS database. The application queries the server and accesses the information based on the user input.

Normally attackers try to extract more information than allowed by manipulating or using the query with specially crafted inputs.Here, in this tutorial we’ll be discussing XPATH Injection techniques to extract data from XML databases.

Before we go deeper into XPATH injection lets take a brief look at what XML and XPath.

What is XML?

XML stands for Extensible Markup Language and was designed or used to describe data. It provide platform for programmers to create their own customized tags to store data on database server. An XML document is mostly similar to an RDBMS Database except for the way data is stored in them. In case of a normal database, data is stored in a table rows and columns and in XML the data is stored in nodes in a tree form.

What is XPath?

XPath is a query language used to select data from XML data sources. It is increasingly common for webapplications to use XML data files on the back-end, using XPath to perform queries much the same way SQL would be used against a relational database.
XPath injection, much like SQL injection, exists when a malicious user can insert arbitrary XPath code into form fields and URL query parameters in order to inject this code directly into the XPath query evaluation engine. Doing so would allow a malicious user to bypass authentication (if an XML-based authentication system is used) or to access restricted data from the XML data source.

Lets learn with the help of examples that will show how XPath works, Let’s assume that our database is represented by the following XML file:

<?xml version=”1.0″ encoding=”ISO-8859-1″?>

The above code show how username,password and user account details stored in XML file.

Following XPath query is used to returns the account whose username is “Ashtricks” and the password is “123” : ,

string(//user[username/text()=’gandalf’ and password/text()=’!c3′]/account/text())

If the application developer does not properly filter user input, the tester or hacker will be easily able to inject XPath code and interfere with the query result. For instance, the hacker or tester could input thefollowing values:

Username: ‘ or ‘1’ = ‘1
Password: ‘ or ‘1’ = ‘1

Using these above parameters, the query becomes:

string(//user[username/text()=” or ‘1’ = ‘1’ and password/text()=” or ‘1’ = ‘1’]/account/text())

As in most of the common SQL Injection attack, we have created a query that always evaluates to true, which means that the application will authenticate the user even if a username or a password have not been provided.

And as in a common SQL Injection attack, with XPath injection, the first step is to insert a single quote (‘) in the field to be tested, introducing a syntax error in the query, and to check whether the application returns an error message.

If there is no knowledge about the XML data internal details and if the application does not provide useful error messages that help us reconstruct its internal logic, it is possible to perform a Blind XPath Injection attack(i will explain that in next tutorials), whose goal is to reconstruct the whole data structure. The technique is similar to inference based SQL Injection, as the approach is to inject code that creates a query that returns one bit of information.

This Information is for Educational Purpose. If you use this Information to harm any Substance or Community personally and got caught, Then we are not responsible. Hack to learn not learn to hack.

Taken Form i-Hacker



Comments (11)

  1. Klevis April 13, 2012
  2. Waleed Waseem Khan July 9, 2012
    • ashish July 9, 2012
  3. Waleed Waseem July 9, 2012
  4. Waleed Waseem July 9, 2012
  5. Argent Code Banks September 23, 2012
  6. Argent Code Banks September 23, 2012
  7. Is-haq Habib Ali September 23, 2012
  8. Is-haq Habib Ali September 23, 2012
  9. Ajitabh Rawat September 24, 2012

Leave a Reply