
    XPath Injection Tutorial to Hack Websites Database

    Every day we hear reports of websites being hacked, and typically we assume that the hacker who succeeded must be incredibly smart. Usually the opposite is true. Most hackers who deface websites are novices who perform these shameful acts for popularity. Web designers focus on designing their websites, and hackers focus on exploits.
    Note: This article is for Educational Purposes only. Be a part of a constructive society.
    Let's start with the basics. To follow along, you must have a basic knowledge of HTML and XML. If you're not familiar with either of these, I advise you to go to w3schools and have a quick review of these concepts.
    XPath Injection Tutorial by HackingLoops
    What is XPath?
    XPath is basically the syntax for addressing parts of an XML document. It uses path expressions to navigate the document and provides standard predefined functions for string values, numeric values, date and time comparison, and sequence and node manipulation.
    Nowadays many webmasters use XML documents to store sensitive data and use XPath to navigate the data inside those documents. The main advantage of using XML documents is that they are so complex that they are almost unreadable for humans. But where complexity exists, there is a way for hackers to play their part. Without further ado, here is our tutorial on XPath injection.
    What is xPath Injection?
    XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. It can be used directly by an application to query an XML document, as part of a larger operation such as applying an XSLT transformation to an XML document, or applying an XQuery to an XML document.
    In XPath injection, we try to inject data into an application so that it executes user-controlled XPath queries. When successfully injected, this vulnerability may allow an attacker to bypass the entire authentication system or to access information without proper authorization.
    Let's learn how XPath works with the help of examples. In the example below we have a sample XML database file:
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <HackingLoops_database>
      <hackingloops_user>
        <username>Hackingloops</username>
        <password>testing123</password>
        <account>Administrator</account>
      </hackingloops_user>
      <hackingloops_user>
        <username>Lokesh</username>
        <password>test1234</password>
        <account>Subscriber</account>
      </hackingloops_user>
      <hackingloops_user>
        <username>Destructive</username>
        <password>mind123</password>
        <account>Subscriber</account>
      </hackingloops_user>
    </HackingLoops_database>
    The above code shows the basic format for how the XML file is used to store sensitive information.
    Now if we want to retrieve the information about an administrator from the above XML file, we have to write an XPath query like the one below:
    string(//hackingloops_user[username/text()='Hackingloops' and password/text()='testing123']/account/text())
    The above XPath query is what the webmaster has embedded in his code in order to access the XML database document.
    Now if the web designer has not properly filtered the user input, the hacker will be able to inject XPath code into the query and so interfere with its result. Here is an example of the XPath query that a hacker will use to attack the XML database:
    string(//hackingloops_user[username/text()='' or '1' = '1' and password/text()='' or '1' = '1']/account/text())
    Did you notice what I injected in place of the username and password?
    Note: Below is how webmasters typically use XML and XPath in their website code. This is how it actually looks:
    <?php
    // Load the XML "database" and query it with XPath.
    $login = simplexml_load_file("HackingLoops_database.xml");
    // The raw POST values are concatenated straight into the query string;
    // that is exactly what makes this code vulnerable to XPath injection.
    $result = $login->xpath("//hackingloops_user[username/text()='" . $_POST['username'] . "' and password/text()='" . $_POST['password'] . "']/account/text()");
    ?>
    Doesn't that look similar to SQL injection?
    Yes, it does, because the basic concept behind XPath and SQL injection is the same: both are possible only when the web designer has not properly handled the user input in his code (meaning that dynamic queries are not built safely). In my previous article about website hacking, I shared a 10-step guide to stop SQL injection in websites.
    XPath injection also has two types. The above technique is called Blind XPath injection and the other is called Advanced XPath Injection. Below is a sample Blind XPath injection username and password:
    Username: ' or '1' = '1
    Password: ' or '1' = '1
    Now let me explain what the above username signifies, as most of you might not know. The above username or password results in a query whose condition is always true, which means that the website will authenticate the user even though no valid username or password has been provided. Isn't that interesting? It's these types of mistakes by web designers that make a hacker's job easy, but if they know about this exploit, they can easily protect themselves.
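Added example, not code from the article: the vulnerable lookup above beside a hardened one, written in Ruby with the standard-library REXML XPath engine standing in for the article's PHP SimpleXML. The XML is a constructed copy of the sample database, and the function names (vulnerable_login, safe_login, secure_compare) are my own.

```ruby
require 'rexml/document'

# Constructed sample database, the same shape as the article's XML file.
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <HackingLoops_database>
    <hackingloops_user>
      <username>Hackingloops</username>
      <password>testing123</password>
      <account>Administrator</account>
    </hackingloops_user>
    <hackingloops_user>
      <username>Lokesh</username>
      <password>test1234</password>
      <account>Subscriber</account>
    </hackingloops_user>
  </HackingLoops_database>
XML

def load_db
  REXML::Document.new(SAMPLE_XML)
end

# Vulnerable lookup: mirrors the article's PHP, gluing raw input into the
# XPath predicate. Returns the account type on a match, nil otherwise.
def vulnerable_login(db, user, pass)
  query = "//hackingloops_user[username/text()='#{user}'" \
          " and password/text()='#{pass}']/account"
  node = REXML::XPath.first(db, query)
  node && node.text
end

# Constant-time comparison so the password check does not leak how many
# leading characters matched through timing differences.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened lookup: user input never shapes the XPath expression. The
# username must match a strict whitelist, the record is selected by
# comparing values in code, and the password is compared in constant time.
# (A real system would store a password hash, not the clear text the
# article's XML uses.)
def safe_login(db, user, pass)
  return nil unless user.is_a?(String) && user.match?(/\A[A-Za-z0-9_]{1,32}\z/)
  REXML::XPath.each(db, '//hackingloops_user') do |u|
    next unless u.elements['username'].text == user
    stored = u.elements['password'].text.to_s
    return secure_compare(stored, pass.to_s) ? u.elements['account'].text : nil
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  db = load_db
  payload = "' or '1'='1"   # the article's Blind XPath injection value
  puts vulnerable_login(db, payload, payload).inspect   # "Administrator"
  puts safe_login(db, payload, payload).inspect         # nil
end
```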
     

    Gmail SMS Verification Loophole Exposed by 

    Hello friends, so the first day of the new year has come to an end and we are all safe (some rumors circulated that the world would be destroyed in 2012).  is dedicating 2012 to online web security, i.e. exposing loopholes and fixing them, or escalating them to webmasters to fix.
    Gmail is the world's most famous free email service, and a prominent part of the Google brand. Google is always quick to fix loopholes; for example, when I exposed the GX cookie loophole, where hackers could take over a user's Gmail account from its cookies, Google provided a temporary solution just 4 business days after I exposed it, and fixed it completely after a month. So friends, let me tell you about the new bug, so that Google will hopefully fix it as soon as possible.
    Gmail Mobile Verification Loopholes
    This is not just one loophole, but two big ones that I have discovered in Gmail's SMS verification and password reset process.
    1. Mobile number as an optional field
    My knowledge of security norms leads me to conclude that Google should make mobile phone verification mandatory, at least at the time a new account is created. These would be the benefits:
    a. Tracing a user would be easier: hackers use anonymous or fake Gmail accounts to receive keylogger logs and to send fake emails to users. If we have the mobile number of the Gmail account user, we can trace him in a matter of seconds.
    b. The mobile number and its location should be validated against Google Maps and the IP address used to register the account: Hackingloops suggests this because, as a hacker, I always try to create a spoof account in which almost every detail is wrong. For complete traceability, the account should be validated geographically. This is not a difficult task for a coder.
    This loophole is a minor one in its category, but it will prove its worth when a hacker tries to hack something serious using an anonymous Gmail account. If Google realizes these things early, they can surely keep track of malicious users and monitor their day-to-day activity. Unfortunately, as I said before, until I publicly expose these hacks, Google will not fix them.
    2. Forgot Password SMS verification code message
    This is an extremely dangerous loophole and can be heavily exploited using social engineering. A few days ago, a client informed me that his Gmail account had been hacked. He told me that he is aware of the techniques, like keystroke logging or phishing, that hackers use to hack email accounts. Below is the conversation between the Hackingloops client (who works in a software firm) and myself:
    Client: My Gmail account has been hacked.
    Me (Lokesh): Have you gotten any emails?
    Client: Yes, I get a lot of emails on a daily basis.
    Me: I mean any suspicious or unsolicited emails, or lottery prize emails.
    Client: Yes, lots of emails like that, but I never open any, and I haven't opened any links from my email.
    Me: Okay. It's nice that you are aware of those scams. Maybe you installed a new application or software on your PC or got your hands on a hack tool.
    Client: No, I haven't installed anything in the last few weeks.
    Me: Okay. Did you sign up for a new website?
    Client: Yes, I signed up on one website yesterday and after that I became unable to log in to my account. But I don't use the same password there that I use for my Gmail.
    Me: Okay, how did you find this site? Did you find it in a browser or did someone refer you?
    Client: Yeah, a person with an email ID like earnunlimitedmoney@gmail.com told me about that site. But today that site is also down.
    Me: What was the website's name?
    Client: Something like "make money by displaying ads on your website."
    Me: Okay. Do you know the person with the email "earnmoneyunlimited@gmail.com"? Is he a friend of yours?
    Client: No, I just got his Gtalk invitation a day back. But I have talked with him personally and he told me I would get 50% of his Google AdSense revenue for every article that I wrote on his website.
    Me: Okay, did he ask for anything special, like a registration or mobile verification code or anything similar?
    Client: Yes, he told me that I would get a verification code from Google on my mobile phone, and that I needed to provide him the code so that he could attach it to my Google AdSense account.
    Me: Can you forward me that message?
    The message that he received said "Your Google Verification code is 516826." Take a second to think about what the message might have been.
    Did you guess? It's the Google verification code that you get when you select the FORGOT PASSWORD option and then enter your mobile number to receive the password reset code.
    This is an incredibly dangerous loophole; anybody can be fooled by this trick.
    If any Gmail or Google employee is reading, please ask your boss to raise a change request for this.
    To make the situation even worse: at this point the hacker had reset my client's password, and he was even smarter than I thought; he changed all of the recovery options, even the mobile number. My client had no chance to get his credentials back. But luckily, my client told me about the scenario and he got his account back, along with an apology from the hacker…after I hacked the hacker's system using his IP address, which I got through ReadNotify. I will explain that procedure some other day, because it's unethical to hack someone…
    Let's concentrate on the loopholes; now consider my point:
    Don't you think the password reset message should say something like "Your password reset code is ___"? I had never thought such a scenario could happen. Anybody can exploit this loophole. Google team, please correct these bugs. It won't cost you much, but the ramifications are steep for an email user who has blind faith in you.
    Some suggestions by HackingLoops:
    1. For Gmail Password Reset:
    The message can be something like:
    "Dear Gmail User (Name),
    Your Gmail password reset verification code is 123456"
    or
    "Dear user,
    You have requested a password reset for your Google account (email). Your verification code is 123456"
    Both of these are less than 100 characters and can easily be configured in Google's SMS module.
    2. If Google doesn't want to change much of their functionality, then they can use something like:
    "Dear user (name),
    You have requested a password reset verification code for account (email). Your code is 123456"
    Friends, I think you have all recognized these loopholes. Google stays on top of publicly announced loopholes, so let's see how quickly they fix this one.
    Stay connected with SPARK HACKING TOOL and keep getting the latest security updates and tricks.
    Hello friends, in yesterday's tutorial I explained the basics of port scanning; today I will teach you the different types of port scanning, how to analyze them, their drawbacks, etc. Let's start with a brief overview of yesterday's tutorial.
    In simple words, port scanning is a series of attempts by a hacker or network administrator to examine which ports on a network host are open, closed or filtered, by attempting to connect to a range of ports and then gathering information from the responding open ports to detect which applications or services are associated with or running on those ports. Port scanning is accomplished by running a port scanner against the host to scan the 0 to 65536 potentially available ports on the computer.
    Now you will all be wondering why on earth I am explaining different types of scans when we can simply do a normal port scan using any port scanning tool like NMAP or Free Port Scanner. Friends, I am explaining this because each port scan technique gathers different information, and the scenario is different for each type. First of all we need to choose which port scanning technique we are going to use to scan the victim. Most elite hackers opt for the Stealth scan, as it runs in the background without the knowledge of the user. So let's focus on the different scanning techniques.


    Different types of port scanning techniques:

    1. Open Scan – Also known as a vanilla scan. In this type of scan the hacker tries to connect to all the ports of the victim. This scan uses a normal TCP connection to determine port availability and relies on the TCP 3-way handshake that every other TCP application on a network uses. Because of this, the technique has the drawback that it can be easily detected and blocked.
    How does an open scan work?
    When the port is open, the client sends a SYN flag, the server replies with a SYN+ACK flag, which the client acknowledges with an ACK flag. Once the handshake is complete, the client terminates the connection. This confirms an open port. When the port is closed or "not listening", the server responds with an RST+ACK flag, which the client acknowledges with an RST flag, and then the connection is closed.
    The disadvantage of this scan technique is that the attacker cannot spoof his identity, as spoofing would require sending a correct sequence number as well as setting the appropriate return flags to set up the data connection. Moreover, most stateful IDS and firewalls detect and log this scan, exposing both the attempt and the attacker's IP. The advantage is a fast, accurate scan that requires no additional privileges.
    2. Half Open Scan – A half open scan is similar to the open or vanilla scan. The only difference is that it does not establish a complete connection with the host, so it becomes a little harder for the victim's firewall to detect, but it is still detectable, as for receiving ICMP echoes a connection has to be established between your PC and the victim.
    How does a half open scan work?
    In a half-open scan, a complete TCP connection is not established. Instead, as soon as the server acknowledges with a SYN+ACK response, the client tears down the connection by sending an RST flag. This way, the attacker detects an open port without establishing a full connection.
    However, some good IDS and firewalls like ZoneAlarm can detect a SYN packet from the void and prevent a half open scan. Besides, this scan requires the attacker to craft a custom IP packet, which in turn requires access to SOCK_RAW (getprotobyname('raw') under most systems) or /dev/bpf (Berkeley packet filter), /dev/nit (Sun network interface tap). This requires admin privileges.
    3. Strobe Scan – In a strobe scan, hackers scan only a selected number of ports (usually under 20); the rest of the process is similar to an open scan. The only difference is that it is a lightweight scan where hackers scan specific ports on the host and analyze the results. A strobe does a narrower scan, only looking for those services the attacker knows how to exploit. Almost 90% of crackers use this technique, as it is the fastest and accurate.
    Drawback: A limited scan may not produce the expected results, but it is very fast. Free Port Scanner works on the strobe scan technique only; it only scans the internet and web application service ports.
    4. Stealth Scan – In this type of scanning technique, scanning is done in a stealthy manner, which aims to prevent the "request for connection" from being logged.
    Initially half open scans were considered stealthy; however, as IDS software evolved, these scans were easily logged. Now, stealth scan refers to the type of scan where packets are flagged with a particular flag other than SYN, or a combination of flags, no flags set, or all flags set, appearing as normal traffic, using fragmented packets, or avoiding filtering devices by any other means. All these techniques resort to inverse mapping to determine open ports.
    Different types of stealth scans:
    • SYN|ACK Scan
      The client sends a SYN+ACK flag to the target. For a closed port, the server will reply with an RST, while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection. This scan may generate a certain amount of false positives. For instance, packets dropped by filtering devices, network traffic, timeouts etc. can give a wrong inference of an open port while the port may or may not be open. However, this is a fast scan that avoids the three-way handshake.
    • FIN Scan
      Similar to the SYN|ACK scan, except that a FIN flag is sent to the target. Closed ports are required to reply to the probe packet with an RST, while open ports must ignore the packet in question. This scan attempts to exploit vulnerabilities in BSD code. Since many OSes are based on or derived from BSD, this was a scan that could return good results. However, most OSes applied patches to correct the problem; still, there remains a possibility that the attacker may come across one where these patches have not been applied.
    • ACK Scan
      This scan takes advantage of the IP routing function to deduce the state of the port from the TTL value. This is based on the fact that IP is a routing function; therefore the TTL value will be decremented by one by each interface the IP packet passes through.
    • NULL Scan
      In a NULL scan, the packet is sent without any flags set. This takes advantage of RFC 793, as the RFC does not specify how the system should respond. Most UNIX and UNIX-related systems respond with an RST (if the port is open) to close the connection. However, Microsoft's implementation does not abide by this standard and reacts differently to such a scan. An attacker can use this to differentiate between a Windows machine and others by correlating with other scan results. For example, if an -sF, -sX or -sN scan shows all ports are closed, but a SYN (-sS) scan shows ports are open, the attacker can infer that he is scanning a Windows machine. This is not an exclusive property though, as this behavior is also shown by Cisco, BSDI, HP/UX, MVS and IRIX. Also note that the reserved bits (RES1, RES2) do not affect the result of any scan. Therefore this scan will work only with UNIX and related systems.
    • Xmas Scan
      In an Xmas scan, all flags are set. All the available flags in the TCP header are set (ACK, FIN, RST, SYN, URG, PSH) to give the scan an ornamental look. This scan will work on UNIX and related systems and causes the kernel to drop the packet if the receiving port is open.
    5. FTP Bounce Scan – The ability to hide their tracks is an important task for hackers, and in port scanning this is achieved using the FTP bounce scan technique.
    FTP bounce scanning takes advantage of a vulnerability in the FTP protocol itself. This scan takes advantage of FTP servers with read/write access. The advantage of this scan can be both anonymity and accessibility. Suppose the target network allows FTP data transfers only from its recognized partners. An attacker might discover a business partner who has an FTP service running with a world-writable directory that any anonymous user can drop files into and read them back from. It could even be the ISP hosting services on its FTP server. The attacker, who has an FTP server able to run in passive mode, logs in anonymously to the legitimate server and issues instructions for scanning or accessing the target server through a series of FTP commands. He may choose to make this into a batch file and execute it from the legitimate server to avoid detection.
    If a connection is established as a means of active data transfer processing (DTP), the client knows a port is open, with 150 and 226 responses issued by the server. If the transfer fails, a 425 error will be generated with a refused build data message. The PASV listener connection can be opened on any machine that grants file write access to the attacker and used to bounce the scan for anonymity. It does not even have to be an FTP server; any utility that will listen on a known TCP port and read raw data from it into a file will do.
    Often these scans are executed as batch files padded with junk so that the TCP windows are full and the connection stays alive long enough for the attacker to execute these commands. Fingerprinting the OS helps determine the TCP window size and allows the attacker to pad these commands accordingly for further access.
    This scan is hard to trace, permits access to the local network and evades firewalls. However, most FTP servers have patched this vulnerability by adopting countermeasures such as preventing third-party connections and disallowing listing of restricted ports. Another measure adopted has been to restrict write access.
    6. Fragmented Packet Scans – FPS is an attempt to bypass rules in some routers. This approach evolved from the need to avoid false positives arising in other scans due to packet filtering devices. For any transmission, a minimally allowable fragmented TCP header must contain a destination and source port in the first packet (8 octets, 64 bits) and the initialized flags in the next, which allows the remote host to reassemble the packet upon receipt through an internet protocol module that identifies the fragments by the equivalent values of the source, destination, protocol and identification fields.
    The scan works by splitting the TCP header into small fragments and transmitting them over the network. However, there is a possibility that IP reassembly on the server side may produce unpredictable and abnormal results, such as fragmentation of the data in the IP header. Some hosts may be incapable of parsing and reassembling the fragmented packets, which may cause crashes, reboots or even network device monitoring dumps.
    Some firewalls may have rulesets that block IP fragmentation queues in the kernel (like the CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), though this is not widely implemented due to the adverse effect on performance. Since several intrusion detection systems use signature-based mechanisms to identify scanning attempts based on the IP and/or TCP header, fragmentation is often able to evade this type of packet filtering and detection. There is a high possibility of causing network problems on the target network.
    7. UDP Scan – As the name suggests, it is a one-way scan, as UDP is a fire-and-go protocol. Port scanning usually means scanning for TCP ports, which are connection-oriented and therefore give good feedback to the attacker. UDP responds in a different manner. In order to find UDP ports, the attacker generally sends empty UDP datagrams. If the port is listening, the service should send back an error message or ignore the incoming datagram. If the port is closed, then most operating systems send back an "ICMP Port Unreachable" message. Thus, you can find out if a port is NOT open, and by exclusion determine which ports are open. Neither UDP packets nor ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also implement retransmission of packets that appear to be lost (or you will get a bunch of false positives).
    Also, this scanning technique is slow because it has to compensate for machines that implement the suggestions of RFC 1812 and limit the ICMP error message rate. For example, a kernel may limit destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded.
    Some people think UDP scanning is pointless; not so. Sometimes, for example, rpcbind can be found hiding on an undocumented UDP port somewhere above 32770. So it doesn't matter that port 111 is blocked by the firewall. But can you find which of the more than 30,000 high ports it is listening on? With a UDP scanner you can.
    The disadvantage to the attacker is that UDP is a connectionless protocol and, unlike TCP, does not retransmit packets if they are lost or dropped on the network. Moreover, it is easily detected and unreliable (false positives). The Linux kernel limits ICMP error message rates, with destination unreachable set to 80 per 4 seconds, thereafter implementing a 1/4 second penalty if the count is exceeded. This makes the scan slow; moreover, the scan requires root access. However, it avoids TCP-based IDS and can scan non-TCP ports.
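The flag-based TCP probes described above (SYN, SYN|ACK, FIN, NULL, Xmas, ACK) each leave a distinctive signature in connection logs that a defender can pick out. As an added example that is not part of the original article, here is a small Ruby classifier that groups constructed flow records (RFC 5737 documentation addresses, a line format of my own) by source and reports sources that touch many distinct ports or that send flag combinations no legitimate client ever sends; the function names are mine.

```ruby
require 'set'

# Constructed flow records, one probe per line:
# "<src_ip>:<src_port> -> <dst_ip>:<dst_port> flags=<letters>" where the
# letters are F(IN) S(YN) R(ST) P(SH) A(CK) U(RG) and "-" means no flag set.
SAMPLE_LOG = <<~LOG
  203.0.113.5:40001 -> 198.51.100.7:21 flags=S
  203.0.113.5:40002 -> 198.51.100.7:22 flags=S
  203.0.113.5:40003 -> 198.51.100.7:23 flags=S
  203.0.113.5:40004 -> 198.51.100.7:25 flags=S
  203.0.113.5:40005 -> 198.51.100.7:80 flags=S
  203.0.113.5:40006 -> 198.51.100.7:443 flags=S
  203.0.113.9:51000 -> 198.51.100.7:22 flags=-
  203.0.113.9:51001 -> 198.51.100.7:80 flags=-
  192.0.2.44:55123 -> 198.51.100.7:443 flags=S
  192.0.2.44:55123 -> 198.51.100.7:443 flags=A
  192.0.2.44:55123 -> 198.51.100.7:443 flags=PA
LOG

ALL_FLAGS = Set['F', 'S', 'R', 'P', 'A', 'U'].freeze

# Map a probe's flag set onto the scan families the article describes.
def probe_type(flags)
  set = flags.chars.reject { |c| c == '-' }.to_set
  return 'NULL'    if set.empty?            # no flag set (NULL scan)
  return 'Xmas'    if set == ALL_FLAGS      # every flag set (Xmas scan)
  return 'FIN'     if set == Set['F']       # lone FIN (FIN scan)
  return 'SYN|ACK' if set == Set['S', 'A']  # SYN+ACK "from the void"
  return 'SYN'     if set == Set['S']       # connection attempt or SYN scan
  return 'ACK'     if set == Set['A']       # bare ACK: ACK scan or normal traffic
  'other'
end

LINE_RE = /\A(\S+):(\d+) -> (\S+):(\d+) flags=(\S+)\z/

# Returns nil for lines that do not match the record format.
def parse_line(line)
  m = LINE_RE.match(line.strip) or return nil
  { src: m[1], dst: m[3], dport: m[4].to_i, type: probe_type(m[5]) }
end

# Flag sets a legitimate client never sends are suspicious on their own;
# SYN and ACK only become suspicious when one source touches many ports.
NEVER_LEGIT = %w[NULL FIN Xmas SYN|ACK].freeze

# One alert per (source, probe type) that crosses its threshold, as
# { src:, type:, ports: <number of distinct destination ports> }.
def detect_scans(log, port_threshold: 5)
  seen = Hash.new { |h, src| h[src] = Hash.new { |hh, t| hh[t] = Set.new } }
  log.each_line do |line|
    rec = parse_line(line) or next
    seen[rec[:src]][rec[:type]] << rec[:dport]
  end
  alerts = []
  seen.each do |src, by_type|
    by_type.each do |type, ports|
      limit = NEVER_LEGIT.include?(type) ? 1 : port_threshold
      alerts << { src: src, type: type, ports: ports.size } if ports.size >= limit
    end
  end
  alerts.sort_by { |a| [a[:src], a[:type]] }
end

if __FILE__ == $PROGRAM_NAME
  detect_scans(SAMPLE_LOG).each do |a|
    puts "#{a[:src]}: #{a[:type]} probes against #{a[:ports]} distinct port(s)"
  end
end
```

The ordinary client 192.0.2.44 completing a handshake on one port produces no alert, while the six-port SYN sweep and the two NULL probes do.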
    Some more advanced techniques:
    1. SCTP Scan: SCTP is a relatively new alternative to the TCP and UDP protocols, combining most characteristics of TCP and UDP and also adding new features like multi-homing and multi-streaming. It is mostly used for SS7/SIGTRAN-related services but has the potential to be used for other applications as well. SCTP INIT scan is the SCTP equivalent of a TCP SYN scan. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. Like SYN scan, INIT scan is relatively unobtrusive and stealthy, since it never completes SCTP associations. It also allows clear, reliable differentiation between the open, closed, and filtered states.
    2. SCTP COOKIE ECHO scan: This is a more advanced SCTP scan. It takes advantage of the fact that SCTP implementations should silently drop packets containing COOKIE ECHO chunks on open ports, but send an ABORT if the port is closed. The advantage of this scan type is that it is not as obvious a port scan as an INIT scan. Also, there may be non-stateful firewall rulesets blocking INIT chunks but not COOKIE ECHO chunks. Don't be fooled into thinking that this will make a port scan invisible; a good IDS will be able to detect SCTP COOKIE ECHO scans too. The downside is that SCTP COOKIE ECHO scans cannot differentiate between open and filtered ports, leaving you with the state open|filtered in both cases.
    That's all for today friends; I hope you will now all be able to understand how scanning actually works, and you might have chosen your favorite technique.
    Note my point: lots of features don't matter; what matters is accuracy and smart results. This statement may make you think about changing your scan method.
    I know this is a rather advanced article, and you must all have lots of questions and queries regarding each scan. Go ahead and ask in the form of comments. I will try to clear up all your queries.
