search

⚠️Error Based Injection using Extractvalue

hashtag
Error-based SQL Injection using SQLmap:

sqlmap -u "http://example.com/vulnerable.php?id=1" --technique E --dump

hashtag
-------------------------------------------------------------

hashtag
Use this Method when Union Select Not Output

hashtag
-------------------------------------------------------------

hashtag
we are just using one of the XPATH function which is Extractvalue() to generate error and get the output.

The &qout;ExtractValue&qout; function in MySQL runs an XPath query against a string representing XML data. The function takes input in the following form:

ExtractValue('xmldatahere', 'xpathqueryhere')

If the XPath query is syntactically incorrect, we are presented with an error message:

XPATH syntax error: 'xpathqueryhere'

hashtag
Some times Different queries and web application behaviour makes is difficult to inject some injections and a web application may be just checking the input validity and not showing any output from the database. So as per the conditions we may have to use different Injection to get our way into the database.

hashtag
-------------------------------------------------------------

hashtag
what condition should i use this injection?

hashtag
As per my experience most of the times the condition where we start injecting with a single qoute, double quote etc we get the error, well and good. We now comment out the query and start searching for the number of columns. huh we got the columns also using order by. Let us assume there were 5 columns.

hashtag
Now when we inject Union Based injection, what the F..?? we cant see any output there. Earlier when we used to inject we gets an output which tells us the vulnerable column to inject. So this is the condition when you can depend on XPATH injection.

hashtag
-------------------------------------------------------------

hashtag
okay let us Start from the same condition we discussed above.5 columns found tried following Injection but no output.

hashtag
As you can see the double quote over there..that means this time we are injecting into a string type query where the query is like. Query:

hashtag
So let us continue our injection using XPATH injection.

hashtag
Getting the Current Database :

hashtag
as we got the Database let us continue

hashtag
-------------------------------------------------------------

hashtag
Getting tables in current Database:

hashtag
-------------------------------------------------------------

As you can see i used limit as we cannot extract long data which limits upto 32 characters. So i prefer :P to go one by one increasing the row to get the output. well if you want to dump the database go for any tool or manual proxy else create your own script to get the data dumped for you which I prefer to be the best option.

hashtag
So Now lets assume we got the following tables using the above Query:

  • Posts

  • Assets

  • Banner

  • Links

  • Users

hashtag
Let us continue and try to get the columns:

hashtag
-------------------------------------------------------------

hashtag
Let Us say we got the 3 Columns:

  • id

  • username

  • password

hashtag
Let us Dump the data from them, but before that lets count the number of Columns. Counting the number of columns:

hashtag
You can use the same trick to count the tables or columns also. So now let us continue dumping the data

hashtag
-------------------------------------------------------------

PreviousInsert Query InjectionNextErrpr Based Other Payloads

Last updated