sQuo Posted September 23, 2012 Share Posted September 23, 2012 xcat Automate XPath injection attacks XCat is a command line program that aides in the exploitation of XPath injection vulnerabilities. It boasts a wide range of features and can utilize the more advanced features of the XPath 2.0 specification (pattern matching, unicode normilization and even http requests) or gracefully degrade to using XPath 1.0 if they are not available. XCat is built to exploit boolean XPath injections (Where only one bit of data can be extracted in one request) and it requires you to manually identifiy the exploit first, this does not do that for you. Features Exploits both GET and POST attacks Extracts all nodes, comments, attributes and data from the entire XML document Small and lightweight (only dependency is Twisted) Parallel requests XPath 2.0 supported (with graceful degrading to 1.0) Regex pattern matching to reduce character search space Unicode normalization Advanced data postback through HTTP (see below) Arbitrarily read XML files on the servers file system via the doc() function (see below) Arbitrarily read text files on the servers file system via crafted SYSTEM entities Examples If you run a windows machine you can install IronPython and start the example application (example_application/ironpython_site.py). The simplest command you can run on this site is: This is the hidden content, please Sign In or Sign Up You have to specify a condition keyword or HTTP status code (true, false, error), an argument for the attack to be appended to and a HTTP method to use. The --autopwn flag will make xcat automatically detect more exotic features (xpath version, quote character and various out of bound attacks). Usage usage: xcat.py [-h] [--method {GET,POST}] [--arg POST_ARGUMENT] [--true TRUE_KEYWORD | --false FALSE_KEYWORD | --error ERROR_KEYWORD] [--true-code TRUE_CODE | --false-code FAIL_CODE | --error-code ERROR_CODE] [--autopwn] [--schema-only] [--quotecharacter QUOTE_CHARACTER] [--executequery EXECUTEQUERY] [--max_search SEARCH_LIMIT] [--timeout TIMEOUT] [--stepsize STEP_SIZE] [--normalize {NFD,NFC,NFDK,NFKC}] [--xversion {1,2,auto}] [--lowercase] [--regex] [--connectback CONNECTBACK] [--notfoundstring NOTFOUNDCHAR] [--fileshell] [--getcwd] [--useragent USER_AGENT] [--timeit] [--ignorecomments] [--codepointstart CODEPOINTSTART] URL This is the hidden content, please Sign In or Sign Up Link to comment Share on other sites More sharing options...
Recommended Posts