In this writing you will learn about XPath injections and I will try to be as clear as possible.

What is an xpath injection?

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

https://portswigger.net/kb/issues/00100600_xpath-injection

Las vulnerabilidades de inyección…

En este escrito aprenderás acerca de inyecciones Xpath e intentaré ser lo mas claro posible.

Qué es una inyección xpath?

XPath injection vulnerabilities arise when user-controllable data is incorporated into XPath queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Depending on the purpose for which the vulnerable query is being used, an attacker may be able to exploit an XPath injection flaw to read sensitive application data or interfere with application logic.

https://portswigger.net/kb/issues/00100600_xpath-injection

Las vulnerabilidades de inyección XPath surgen cuando los…

En esta ocasión me gustaría relatar paso a paso otra de las inyecciones que mas me han gustado

Se trata de un sitio que me llegó de parte de un colega para testear juntos!

El parametro en donde se hace el ataque sirve para mostrar un documento en PDF y es exactamente con esto que nos guiamos para descubrir cuantas columnas vamos a tener para esta inyección!

Empezamos!

Primero tenemos el link

site/ejemplo/parametro=25527

Con esto estamos viendo que el sitio web funciona correctamente!.. …

On this occasion I would like to relate step by step another of the injections that I liked the most.

This is a site that came to me from a colleague to test together!

The parameter where the attack is made is used to display a PDF document and it is exactly with this that we guide ourselves to discover how many columns we are going to have for this injection!
We started!

First we have the link

site/ejemplo/parametro=25527

With this we are seeing that the website works correctly! .. but as happens in most sites vulnerable to sql injection…

What is dorking?

Google hacking or Dorking is nothing more than a way of looking for things a little more specialized, by the name “Google Hacking” you can give the impression that it is only used in google, but that is not correct. Dorking is nothing more than an advanced search where we use operators that function as a filter to direct the search directly to where we want, we also use symbols to search for exact words or phrases. This will help us to search almost any search engine that we find on the internet.

Importance

Knowing a little about “Dorking” helps us…

In this writing I will leave some tips for sql injections, where I will try to explain only specific points.

First we will talk about how to find a vulnerable page thanks to google hacking.

Dorks

En este escrito dejaré algunos tips para inyecciones sql, en donde trataré de explicar solamente puntos específicos.

Primero hablaremos de como encontrar una página vulnerable gracias a google hacking.

Dorks

In this writing I would like to show you a somewhat peculiar case with which I came across testing a website.

This is an sql injection where I could bypass the “mod_security” waf.
When I start the sql injection test I realize that the website is using that waf.

We get the error when using a simple:

site/ejemplo?parameter=-1+union+selec+1,2,3,4,5,6,7+--+

Now, I’m not going to lie to you, just by encoding the payload with comments, I was able to bypass the waf filter.

site/ejemplo?parameter=-1+/*!50000union*/+/*!50000selec*/+1,2,3,4,5,6,7+--+