MariaDB ExtractValue Injection

Context

The aim of this article is to teach practitioners how to exploit the ExtractValue function in MariaDB for error-based SQL injection. This technique is particularly useful for extracting sensitive information from a database by leveraging the errors generated during XML data processing. It is assumed that the reader has knowledge of XML structures, SQL query execution, and database error handling.

Theory

ExtractValue Function in MariaDB

The ExtractValue function in MariaDB is primarily intended to retrieve values from XML data. It takes an XML document as its first argument and an XPath expression as its second argument, returning the value that matches the XPath. However, when the XPath expression is syntactically invalid, MariaDB raises an XPATH syntax error whose message quotes the offending expression. By building that expression out of the results of a subquery, an attacker turns the error message itself into a data channel and reads query results straight out of it.

Error-Based SQL Injection

Error-based SQL injection is a technique that capitalizes on the detailed error messages provided by a database when an invalid query is executed. This method allows attackers to infer information about the database schema, such as table names, column names, and even data, by causing errors intentionally:

  • The attacker crafts an SQL query designed to generate an error.
  • The error message generated by the database can contain snippets of sensitive data.
  • By iterating and modifying the queries, more complex information can be deciphered.

XML Injection and Extraction Abuse

XML Injection is the concept of inserting or manipulating XML data processed by an application. In the case of MariaDB, attackers exploit this technique through the ExtractValue function by constructing queries that lead to the disclosure of concealed information:

  • Malicious XPath expressions are injected into the ExtractValue function.
  • The resulting errors from improper XML document parsing divulge data about the database's internal structure.

Practice

MariaDB ExtractValue Injection

Step-by-Step Guide:

  • Extract the Current Database Name

    Trigger an error to reveal the name of the current database. The 0x7e prefix ('~') is not valid XPath, so the function fails and the resulting XPATH syntax error echoes the concatenated value:

    SELECT ExtractValue(1, CONCAT(0x7e, (SELECT database())));
    
  • Extract the Current Database User

    Use the same technique to extract the current database user:

    SELECT ExtractValue(1, CONCAT(0x7e, (SELECT user())));
    
  • Extract Table Names from the Database Schema

    Retrieve the names of tables from the database by causing error messages with injected queries:

    SELECT ExtractValue(1, CONCAT(0x7e, (SELECT table_name FROM information_schema.tables LIMIT 1)));
    
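From the defender's side, the three payloads above share a fingerprint: an XML function (ExtractValue or UpdateXML) whose XPath argument is built with CONCAT from an invalid marker and a subquery. The following Python detector, an added example that is not part of the original article, scans constructed MariaDB general-log style lines for that fingerprint while leaving a legitimate ExtractValue call with a real XPath path alone; the log lines, function names and reason labels are all invented here.

```python
import re
from typing import Dict, List, Optional

# Constructed MariaDB general-log style lines (invented for this example).
SAMPLE_LOG: List[str] = [
    "240510 12:00:01 12 Query SELECT name FROM products WHERE id = 7",
    "240510 12:00:02 12 Query SELECT name FROM products WHERE id = 7 AND "
    "ExtractValue(1, CONCAT(0x7e, (SELECT database())))",
    "240510 12:00:03 13 Query SELECT name FROM products WHERE id = 7 AND "
    "UpdateXML(1, CONCAT(0x7e, (SELECT user())), 1)",
    "240510 12:00:04 14 Query SELECT ExtractValue(doc, '/order/customer/name') "
    "FROM orders WHERE id = 42",
    "240510 12:00:05 15 Query SELECT name FROM products WHERE id = 7 and "
    "extractvalue(1,concat(0x7e,(select table_name from information_schema.tables limit 1)))",
]

# The XML functions whose error messages echo their XPath argument.
XML_FUNC = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)
# XPath argument built with CONCAT from a character that is never valid XPath.
INVALID_MARKER = re.compile(r"concat\s*\(\s*(0x7e|'~'|\"~\")", re.IGNORECASE)
# XPath argument that embeds a subquery result.
SUBSELECT = re.compile(r"\(\s*select\b", re.IGNORECASE)
# Catalogue enumeration inside the same statement.
SCHEMA_PROBE = re.compile(r"\binformation_schema\.", re.IGNORECASE)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None when it looks benign."""
    func = XML_FUNC.search(line)
    if not func:
        return None                       # no XML function in the statement
    reasons = []
    if INVALID_MARKER.search(line):
        reasons.append("invalid-xpath-marker")
    if SUBSELECT.search(line):
        reasons.append("subquery-in-xpath")
    if SCHEMA_PROBE.search(line):
        reasons.append("information_schema")
    if not reasons:
        return None                       # ordinary XML extraction with a literal path
    return {"function": func.group(1).lower(), "reasons": reasons, "query": line}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over a log and keep only the flagged statements."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["function"], finding["reasons"])
```

The statement text only reaches a log when the general query log is enabled or the application logs its own queries; the same patterns can be applied to a web access log where the injected parameter is visible.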

Outcome

Using the ExtractValue technique, sensitive information from a MariaDB database can be accessed through the manipulation of error messages. This method allows attackers to gain insights into database schemas and user information without direct access to them.

Tools

  • sqlmap
  • Burp Suite
