1
00:00:00,850 --> 00:00:08,410
OK, let's discuss a new vulnerability called XML or XPath injection.

2
00:00:09,240 --> 00:00:13,800
And to demonstrate this, I want you to navigate to your bWAPP application.

3
00:00:14,920 --> 00:00:24,790
Under here, I want to scroll a little bit down and find this right here, as it says, XML/XPath

4
00:00:24,790 --> 00:00:29,620
injection. Let's click on this one first, which is Search.

5
00:00:30,130 --> 00:00:36,170
So let's click on that, click on Hack, and it will load this application right here.

6
00:00:36,820 --> 00:00:41,410
Now, this vulnerability is kind of similar to SQL injection.

7
00:00:42,040 --> 00:00:46,990
The input that we send could be processed and filtered through XPath.

8
00:00:47,890 --> 00:00:53,020
Now, since we don't really have any input right here that we can type in, we can assume that this

9
00:00:53,020 --> 00:01:00,880
button is our input, so we can select the movie genre: action, horror and science fiction.

10
00:01:01,390 --> 00:01:07,600
If we go with science fiction and we click Search, it will output all the science fiction movies.

11
00:01:08,890 --> 00:01:09,220
OK.

12
00:01:10,100 --> 00:01:13,940
Now, let's try intercepting this request with Burp.

13
00:01:14,510 --> 00:01:15,710
Let's go right here.

14
00:01:16,040 --> 00:01:19,580
Let's turn on the intercept and let's click on Search.

15
00:01:20,520 --> 00:01:28,410
So we can see our parameters are getting sent through this link: we get genre to be action, and action

16
00:01:28,410 --> 00:01:29,160
equals search.

17
00:01:30,170 --> 00:01:34,160
Now, let's try a simple injection.

18
00:01:34,490 --> 00:01:40,220
Let's try to see whether we can get an error by specifying a single quote, the same way that we did with

19
00:01:40,220 --> 00:01:41,410
our SQL injection.

20
00:01:41,510 --> 00:01:43,700
So let's type action, single quote.

21
00:01:44,060 --> 00:01:46,570
And let's forward this packet.
22
00:01:47,240 --> 00:01:48,260
Let's go back here.

23
00:01:48,530 --> 00:01:50,870
And we do get some error.

24
00:01:50,990 --> 00:01:52,790
We get a warning: SimpleXMLElement

25
00:01:52,790 --> 00:01:55,610
xpath(): Invalid expression.

26
00:01:56,650 --> 00:02:04,120
Now, there is one thing that this application can do: we can check whether it requires the entire name

27
00:02:04,390 --> 00:02:11,920
of the genre, which is action, or can it determine which genre it is with just the first few letters from

28
00:02:11,920 --> 00:02:12,290
the name.

29
00:02:12,370 --> 00:02:18,140
For example, if we type act, it can determine that we want the action genre.

30
00:02:18,670 --> 00:02:22,060
Let's give it a try by intercepting the request once again.

31
00:02:22,570 --> 00:02:29,770
And instead of sending action, let's delete the last three letters and just leave it as act.

32
00:02:30,370 --> 00:02:38,860
If we forward this and go back, it does actually load the action movies, so it can determine that we meant

33
00:02:38,860 --> 00:02:45,900
to search for action movies just by looking at the first three letters that we specified from the genre

34
00:02:45,910 --> 00:02:46,180
name.

35
00:02:47,060 --> 00:02:52,850
Now, why do we check for this? Well, if we still get results like that, this could mean that the

36
00:02:52,850 --> 00:03:00,650
application uses a function called contains, and that function looks something like this. Let me just

37
00:03:00,650 --> 00:03:02,600
nano example.

38
00:03:05,480 --> 00:03:09,380
This is the function that our application could possibly use.

39
00:03:10,310 --> 00:03:15,620
And since we're testing this as a black box, we won't be looking at the source code, but we can assume

40
00:03:15,620 --> 00:03:19,280
that the code of the application could look something like this.

41
00:03:20,070 --> 00:03:22,700
Open square bracket, contains.
42
00:03:25,790 --> 00:03:34,250
Open normal bracket, genre, comma, and then quote, dollar sign and something like genre_input;

43
00:03:34,340 --> 00:03:39,770
it doesn't have to be called like this, but let's just assume that the application could have code

44
00:03:39,770 --> 00:03:40,900
that looks something like this.

45
00:03:41,780 --> 00:03:48,140
So if the genre input is contained in the name, then it will just load that.

46
00:03:50,040 --> 00:03:56,880
So let's also use this contains function ourselves to try to get everything outputted that the application

47
00:03:56,880 --> 00:04:01,020
offers, and to do that we need to craft our payload.

48
00:04:01,830 --> 00:04:08,550
Since we assume that the application could potentially use a function like this, we need to escape it

49
00:04:08,550 --> 00:04:15,630
first, and we're going to escape it by closing off our brackets first and our single quote in our input.

50
00:04:16,170 --> 00:04:17,550
So we start like this.

51
00:04:20,589 --> 00:04:27,360
These are our first two characters, and then we must use this syntax, which is slash and then star sign,

52
00:04:27,520 --> 00:04:33,180
then pipe, since we're piping another command, then slash, slash and again star sign.

53
00:04:33,190 --> 00:04:39,880
And now we use our own contains function, which we can access by opening a square bracket and then contains.

54
00:04:40,690 --> 00:04:51,460
Then let's open a normal bracket and specify one, comma, one inside of single quotes, and the last

55
00:04:51,460 --> 00:04:56,190
single quote we're not specifying, due to the same reasons as in the SQL injection.

56
00:04:56,200 --> 00:05:02,050
It's probably already specified inside of the application at the end of our genre input.
57
00:05:03,140 --> 00:05:10,220
So what we did right here is we pretty much closed off this code in the application by specifying these

58
00:05:10,220 --> 00:05:19,670
three signs, then we added our own contains function, and the leftover signs that we closed off in

59
00:05:19,670 --> 00:05:23,450
the application code are getting added at the end right here.

60
00:05:23,480 --> 00:05:25,670
Therefore, we don't need to type it in twice.

61
00:05:26,550 --> 00:05:27,840
If we copy this code.

62
00:05:30,480 --> 00:05:39,480
And we go and intercept our request once again, instead of typing action, we can delete this and

63
00:05:39,480 --> 00:05:43,530
specify our code, which is this one right here.

64
00:05:43,980 --> 00:05:46,950
If we forward this, go back to the application.

65
00:05:48,490 --> 00:05:52,060
Here it is, we get all the output right here.

66
00:05:52,940 --> 00:05:59,600
You can see the entire database dumped, even though it's not a database, but we do get all of the movies

67
00:05:59,600 --> 00:06:06,890
that are in this application just by exploiting the contains function and the unfiltered input through

68
00:06:06,890 --> 00:06:08,430
this genre tab.

69
00:06:09,140 --> 00:06:15,320
Also, in the next video, we're going to check another example of XPath injection that we have up, which

70
00:06:15,320 --> 00:06:18,360
will be really, really similar to SQL injection.

71
00:06:18,920 --> 00:06:21,830
Thank you for watching and I'll see you in the next lecture.
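The query shape the lecture reconstructs from the black-box probes (a `contains(genre, '$genre_input')` predicate with the request parameter pasted in), replayed against the four inputs used in the video, as an added PHP/SimpleXML example that is not part of the lecture and not bWAPP's own source. The movie XML, the element names, the exact XPath string and the `searchVulnerable`/`searchHardened` function names are assumptions made for illustration; the real application may be written differently.

```php
<?php
// Added example, not bWAPP's own source: a minimal PHP/SimpleXML stand-in for the
// movie search, built the way the lecture assumes the application builds it.
// The XML below, the element names and the exact query shape are assumptions.
$moviesXml = <<<'XML'
<movies>
  <movie><title>Blade Runner</title><genre>science fiction</genre></movie>
  <movie><title>Die Hard</title><genre>action</genre></movie>
  <movie><title>The Thing</title><genre>horror</genre></movie>
</movies>
XML;

$doc = simplexml_load_string($moviesXml);

// VULNERABLE: the genre parameter is pasted straight into the predicate,
// i.e. the [contains(genre, '$genre_input')] pattern reconstructed in the video.
function searchVulnerable(SimpleXMLElement $doc, string $genre): array
{
    $xpath  = "//movie[contains(genre, '" . $genre . "')]/title";
    $result = $doc->xpath($xpath);
    // An unbalanced quote makes libxml reject the expression: xpath() returns
    // false and PHP emits "Warning: SimpleXMLElement::xpath(): Invalid expression",
    // the same warning the single-quote probe produced in the lecture.
    if ($result === false) {
        return ['error' => 'Invalid expression', 'xpath' => $xpath];
    }
    return array_map('strval', $result);
}

// HARDENED: XPath 1.0 has no string-escaping mechanism, so rather than trying to
// sanitise quotes the fixed version accepts only values from a fixed allowlist
// and compares the genre exactly instead of with contains().
const ALLOWED_GENRES = ['action', 'horror', 'science fiction'];

function searchHardened(SimpleXMLElement $doc, string $genre): array
{
    if (!in_array($genre, ALLOWED_GENRES, true)) {
        return ['error' => 'unknown genre'];
    }
    return array_map('strval', $doc->xpath("//movie[genre='" . $genre . "']/title"));
}

// The four requests sent in the lecture, replayed against both versions.
// With the last payload the vulnerable expression becomes
//   //movie[contains(genre, '')]/* | //*[contains('1','1')]/title
// contains(genre, '') is true for every movie, so every child of every movie
// (title and genre alike) comes back: the whole file is dumped.
$probes = [
    'action'                      => 'normal search',
    "action'"                     => 'single-quote probe (breaks the expression)',
    'act'                         => 'prefix only: contains() still matches "action"',
    "')]/* | //*[contains('1','1" => 'dump-everything payload',
];

foreach ($probes as $input => $description) {
    echo "--- {$description}\n";
    echo 'vulnerable: ' . json_encode(searchVulnerable($doc, $input)) . "\n";
    echo 'hardened:   ' . json_encode(searchHardened($doc, $input)) . "\n";
}
```

Run it with the PHP CLI (for instance `php xpath_demo.php`, a file name chosen here) and compare the two columns: the hardened version returns nothing for `act` and refuses both the quote probe and the union payload, because neither string is on the allowlist. If an application genuinely has to accept free text in an XPath 1.0 literal, the usual alternative is to build the literal with `concat()` so that embedded quotes are split across separately quoted pieces, but a closed allowlist is the simpler and safer choice whenever the set of legitimate values is known, as it is for a genre dropdown.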