as always it has been a while since I posted something. Some things never change…..
Anyways, I was privileged to speak at yet another Black Hat. This time i was a 2nd speaker and along with Tom Forbes we presented a talk on Hacking XPATH 2.0. One question which everyone wants to know, how many times have we found it in the wild? I have seen may be around 7-8 XPath injections in real life pentests and hence I agree this is not very common. XPath 2.0 was only introduced in 2010 and its still in stage of getting implemented in various technology.
Anyways, so if you happen to find a XPATH Injection, you can dump out the entire XML database from the back-end just as you would dump data in a blind sql injection. Further, if the back-end application supports XPath v2 then you can do lot more like extract data quickly over Out-of-bound channels such as DNS, HTTP etc. You can read not just the current XML document but any xml document on the system. You can do some internal network scanning etc. We then showed XQuery injection. Xquery is a superset of XPATH and supports more features like declaring variable, creating function etc. SO, if you have a XQuery injection, then you can insert what we called as “One Query To Get Them All”. This is basically one hiuge dumper script which recursively dump data to attacker’s HTTP or DNS server and with just one request you can dump any xml file on vulnerable server/app.
The paper and the slides can be found here:
Further, Tom wrote a tool to automate this which can be found here:
There were some very interesting talks. I liked Shreeraj’s talk on HTML5. One of the main points he made was that as browsers support html5, you need to worry about it even when your website does not run HTML5. I need to validate this statement, but my understanding is that he was saying with HTML5 you can pretty much issue cross domain XML HTTP request.
Of-course, I attended David Litchfield’s talk on Database goodies. He started by explaining the Lateral SQL Injection in oracle. He said that there are SYS owned objects within Oracle database and these can be exploited to do privilege escalation. Its worth noting that you need the CREATE PUBLIC SYNONYM privilege to exploit this and I am not sure how easily you can get this. He then talked about “giving 20/20 vision to a blind sql injection”. He showed a blind sql injection where app was not returning any data from back-end database and the app was passing the input to a vulnerable stored procedure. He then showed that you can declare a variable and store the output of arbitrary SQL into the variable and then print the variable with htp.print. Again, I am not 100% convinced whether *all* blind sqli can be tricked into doing this.
That’s it for now, hope to write another blog some time soon.