Blind XPath Injection
2014-04-08 11:28
Description
XPath is a query language that describes how to locate specific elements (including attributes, processing instructions, etc.) in an XML document. Since it is a query language, XPath is somewhat similar to Structured Query Language (SQL); however, XPath differs in that it can be used to reference almost any part of an XML document without access control restrictions. In SQL, a "user" (a term that has no meaning in the XPath/XML context) may be restricted to certain databases, tables, columns, or queries. Using an XPath Injection attack, an attacker is able to modify the XPath query to perform an action of their choosing.
Blind XPath Injection attacks can be used to extract data from an application that embeds user-supplied data in an unsafe way. When input is not properly sanitized, an attacker can supply valid XPath code that is executed. This type of attack is used in situations where the attacker has no knowledge of the structure of the XML document, or where error messages are suppressed, and is only able to pull one piece of information at a time by asking true/false questions (booleanized queries), much like Blind SQL Injection.
For more information, please see the article on regular XPATH Injection.
Risk Factors
TBD
Examples
The attacker may mount a successful attack using two methods: Boolenization and XML Crawling. In both, the attacker appends additional XPath expressions at the point of injection, in place of the value the application expected there.
Boolenization
Using the "Boolenization" method the attacker may find out whether a given XPath expression is True or False. Let's assume that the aim of the attacker is to log in to an account in a web application. A successful login would return "True" and a failed login attempt would return "False". Each query targets only a small piece of information: a single character or number. When the attacker focuses on a string, they may reveal it in its entirety by checking every single character against the class/range of characters this string belongs to.
Using the string-length(S) function, where S is a string, the attacker may find out the length of that string. With an appropriate number of iterations of the substring(S,N,1) function, where S is the same string, N is the start position, and 1 is the number of characters to take starting at position N, the attacker is able to enumerate the whole string one character at a time.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<data>
  <user>
    <login>admin</login>
    <password>test</password>
    <realname>SuperUser</realname>
  </user>
  <user>
    <login>rezos</login>
    <password>rezos123</password>
    <realname>Simple User</realname>
  </user>
</data>
Function:
string-length(//user[position()=1]/child::node()[position()=2]) returns the length of the second string of the first user (8),
substring((//user[position()=1]/child::node()[position()=2]),1,1) returns the first character of this user's password ('r').
XML Crawling
To get to know the XML document structure the attacker may use:
count(expression)
count(//user/child::node())
This will return the number of nodes (in this case 2).
string-length(string)
string-length(//user[position()=1]/child::node()[position()=2])=6
Using this query the attacker will find out if the second string (password) of the first node (user 'admin') consists of 6 characters.
substring(string, number, number)
substring((//user[position()=1]/child::node()[position()=2]),1,1)="a"
This query will confirm (True) or deny (False) that the first character of the user ('admin') password is an "a" character.
If the log in form would look like this:
C#:
String FindUser;
FindUser = "//user[login/text()='" + Request("Username") + "' and password/text()='" + Request("Password") + "']";
then the attacker should inject the following code:
Username: ' or substring((//user[position()=1]/child::node()[position()=2]),1,1)="a" or ''='
The XPath syntax may remind you of common SQL Injection attacks, but the attacker must consider that this language has no way of commenting out the rest of the expression. To work around this limitation the attacker uses OR expressions to neutralize the remaining parts of the predicate, which would otherwise disrupt the attack.
Because of Boolenization the number of queries, even within a small XML document, may be very high (thousands, hundreds of thousands and more). That is why this attack is not conducted manually. Knowing a few basic XPath functions, the attacker is able to write, in a short time, an application which will rebuild the structure of the document and fill it with data by itself.
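The following is an added example, not code from the OWASP article or from any project it references. It contrasts the article's vulnerable query construction with a hardened version and adds a simple detection check, using only the Python standard library. Assumptions: credentials for the hypothetical application are limited to an allow-list of safe characters; the lookup runs on ElementTree's XPath subset (which uses [child='text'] predicates rather than text()); and the access-log line format is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document: the same two users the article's example uses.
USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<data>
  <user><login>admin</login><password>test</password><realname>SuperUser</realname></user>
  <user><login>rezos</login><password>rezos123</password><realname>Simple User</realname></user>
</data>"""

# The article's injection payload, used here only as test input for the checks below.
PAYLOAD = "' or substring((//user[position()=1]/child::node()[position()=2]),1,1)=\"a\" or ''='"


def build_query_vulnerable(username, password):
    """Mirror of the article's C# snippet: raw concatenation, so input becomes XPath syntax."""
    return ("//user[login/text()='" + username +
            "' and password/text()='" + password + "']")


# Defence 1: allow-list (assumption for this hypothetical application).
# The character class contains no quotes, parentheses or other XPath metacharacters.
CREDENTIAL_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def is_allowed(value):
    return CREDENTIAL_RE.match(value) is not None


def xpath_literal(value):
    """Defence 2: quote a string as an XPath 1.0 literal so it can never break out.
    XPath 1.0 has no escape sequence inside a literal, so a value containing both
    quote kinds is split on ' and rejoined with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in parts) + ")"


def build_query_hardened(username, password):
    """Reject anything outside the allow-list, then quote what remains.
    Written for ElementTree's XPath subset ([child='text'] predicates, no text())
    because that is the engine the lookup below runs on."""
    for value in (username, password):
        if not is_allowed(value):
            raise ValueError("credential contains characters outside the allow-list")
    return ".//user[login=%s][password=%s]" % (xpath_literal(username), xpath_literal(password))


def find_user(xml_text, username, password):
    """Run the hardened query and return the matched realname, or None."""
    root = ET.fromstring(xml_text)
    hits = root.findall(build_query_hardened(username, password))
    return hits[0].findtext("realname") if hits else None


# Detection: a quote followed by a boolean operator, or an XPath function call,
# is a strong indicator in a field that should only ever hold a plain credential.
SUSPICIOUS_RE = re.compile(
    r"""['"]\s*(or|and)\b|\b(substring|string-length|count|position|name)\s*\(""",
    re.IGNORECASE,
)


def is_suspicious(value):
    return SUSPICIOUS_RE.search(value) is not None


# Constructed access-log lines; format (assumed): <timestamp> <client ip> username=<value>
SAMPLE_LOG = [
    "2014-04-08T11:28:01 10.0.0.5 username=admin",
    "2014-04-08T11:28:07 10.0.0.9 username=" + PAYLOAD,
    "2014-04-08T11:28:12 10.0.0.7 username=jane.doe@example.com",
]


def scan_request_log(lines):
    """Return the username values that look like XPath injection attempts."""
    flagged = []
    for line in lines:
        _, _, value = line.partition("username=")
        if value and is_suspicious(value):
            flagged.append(value)
    return flagged


if __name__ == "__main__":
    print(build_query_vulnerable(PAYLOAD, "x"))   # the predicate has been rewritten by the input
    print(find_user(USERS_XML, "admin", "test"))  # SuperUser
    print(scan_request_log(SAMPLE_LOG))           # only the payload line is flagged
```

The allow-list is the primary control; the literal quoting is defence in depth for applications whose credentials legitimately contain quotes, and on engines with parameterized XPath (variable binding) that mechanism should be preferred over any string building.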
Related Threat Agents
TBD
Related Attacks
Blind_SQL_Injection
XPATH_Injection
Related Vulnerabilities
Injection_problem
Related Controls
Category:Input Validation
References
http://dl.packetstormsecurity.net/papers/bypass/Blind_XPath_Injection_20040518.pdf - by Amit Klein (much more detailed; in my opinion the best source about Blind XPath Injection).
http://www.ibm.com/developerworks/xml/library/x-xpathinjection/index.html
http://projects.webappsec.org/w/page/13247005/XPath%20Injection