Starting on the name of My god "Allah" the most beneficent the most merciful
This is the second part of the basics of XPATH Injection. In this tutorial we will learn the basic queries of XPATH.
Headings in this Document:
Selecting Nodes In XPATH
The Basic XPATH Expressions
Predicates In XPATH
Selecting Unknown Paths
Selecting Several Paths
Introduction to Injection in XPATH Query
Again we will take some reference from W3s; once we understand the basic queries, we will learn how to inject into them.
The XML Example Document
We will use the following XML document in the examples below.
<?xml version="1.0" encoding="UTF-8"?>
<bookstore>
  <book>
    <title lang="eng">Harry Potter</title>
    <price>76.99</price>
  </book>
  <book>
    <title lang="eng">Learning XML</title>
    <price>22.95</price>
  </book>
  <book>
    <title lang="eng">Learning XPATH</title>
    <price>30.20</price>
  </book>
  <book>
    <title lang="eng">Learning Secrets of Injections</title>
    <price>50.99</price>
  </book>
  <book>
    <title lang="eng">Learning Programming</title>
    <price>53.45</price>
  </book>
</bookstore>
Selecting Nodes
XPath uses path expressions to select nodes in an XML document. The node is selected by following a path or steps. The most useful path expressions are listed below:
Expression | Description |
---|---|
nodename | Selects all nodes with the name "nodename" |
/ | Selects from the root node |
// | Selects nodes in the document from the current node that match the selection no matter where they are |
. | Selects the current node |
.. | Selects the parent of the current node |
@ | Selects attributes |
Some Basic XPATH Expressions
In the table below we have listed some path expressions and the result of the expressions:
Path Expression | Result |
---|---|
bookstore | Selects all nodes with the name "bookstore" |
/bookstore | Selects the root element bookstore. Note: if the path starts with a slash ( / ) it always represents an absolute path to an element! |
bookstore/book | Selects all book elements that are children of bookstore |
//book | Selects all book elements no matter where they are in the document |
bookstore//book | Selects all book elements that are descendants of the bookstore element, no matter where they are under the bookstore element |
//@lang | Selects all attributes that are named lang |
Predicates
Predicates are used to find a specific node or a node that contains a specific value.
Predicates are always embedded in square brackets.
In the table below we have listed some path expressions with predicates and the result of the expressions:
Path Expression | Result |
---|---|
/bookstore/book[1] | Selects the first book element that is the child of the bookstore element |
/bookstore/book[last()] | Selects the last book element that is the child of the bookstore element |
/bookstore/book[last()-1] | Selects all the book elements except the last one that are children of the bookstore element |
/bookstore/book[position()<3] | Selects the first two book elements that are children of the bookstore element |
//title[@lang] | Selects all the title elements that have an attribute named lang |
//title[@lang='eng'] | Selects all the title elements that have an attribute named lang with a value of 'eng' |
/bookstore/book[price>35.00] | Selects all the book elements of the bookstore element that have a price element with a value greater than 35.00 |
/bookstore/book[price>35.00]/title | Selects all the title elements of the book elements of the bookstore element that have a price element with a value greater than 35.00 |
Selecting Unknown Nodes
XPath wildcards can be used to select unknown XML elements.
Wildcard | Description |
---|---|
* | Matches any element node |
@* | Matches any attribute node |
node() | Matches any node of any kind |
In the table below we have listed some path expressions and the result of the expressions:
Path Expression | Result |
---|---|
/bookstore/* | Selects all the child nodes of the bookstore element |
//* | Selects all elements in the document |
//title[@*] | Selects all title elements which have any attribute |
Selecting Several Paths
By using the | operator in an XPath expression you can select several paths.
In the table below we have listed some path expressions and the result of the expressions:
Path Expression | Result |
---|---|
//book/title \| //book/price | Selects all the title AND price elements of all book elements |
//title \| //price | Selects all the title AND price elements in the document |
/bookstore/book/title \| //price | Selects all the title elements of the book element of the bookstore element AND all the price elements in the document |
Introduction to Injection in XPATH Query
Now that you have read the above, let us take as an example a page that takes a name as input and shows the phone number of that user if the user exists in the XML file. When injecting, we know that a string value is enclosed in either single quotes or double quotes. We can check which one by using " or ""=" for the double-quote check and ' or ''=' for the single-quote check; whichever works tells us which quote is used internally in the query. Now let us assume a simple query:
/root/parent/something[username='our_input_here']/user
So the user is extracted after the condition gets the username as input. We know that if we make the condition true using ' or ''=' we will be able to see the first user's details. But we then want to enumerate the users one by one. As we know, the position() function chooses each node one by one, so we can use it to enumerate each user in turn. Here we go:
/root/parent/something[username='' or position()=1 or '']/user
/root/parent/something[username='' or position()=2 or '']/user
/root/parent/something[username='' or position()=3 or '']/user
/root/parent/something[username='' or position()=4 or '']/user
/root/parent/something[username='' or position()=5 or '']/user
This is how we can enumerate each user one by one.
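The difference between pasting input into the query and keeping it a single string operand, shown as an added example that is not part of the original tutorial. The XML data and function names are constructed for illustration; the query path and the `' or position()=1 or '` input are the page's. Python's standard-library ElementTree does not evaluate `or` or `position()`, so the vulnerable query is shown only as the string a full XPath 1.0 engine would receive.

```python
import xml.etree.ElementTree as ET

# Constructed sample data laid out to match the page's assumed query path.
USERS_XML = """<root><parent>
  <something><username>alice</username><user>555-0101</user></something>
  <something><username>bob</username><user>555-0102</user></something>
  <something><username>o'neil</username><user>555-0103</user></something>
</parent></root>"""

def build_query_vulnerable(name):
    # The input lands inside the quoted literal, so a quote character in it
    # closes the literal and the remainder is parsed as XPath syntax.
    return "/root/parent/something[username='" + name + "']/user"

def xpath_literal(value):
    """Render value as a single XPath 1.0 string expression.

    XPath 1.0 has no escape character inside string literals, so pick the
    quote the value does not contain, or join the pieces with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = ["'" + part + "'" for part in value.split("'")]
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def build_query_hardened(name):
    # The whole input stays one string operand of the '=' comparison.
    return "/root/parent/something[username=" + xpath_literal(name) + "]/user"

def lookup(name, xml_text=USERS_XML):
    # Alternative that keeps input out of the expression entirely: walk the
    # nodes with a fixed path and compare the text in Python.
    root = ET.fromstring(xml_text)
    return [node.findtext("user") for node in root.iterfind("parent/something")
            if node.findtext("username") == name]

if __name__ == "__main__":
    payload = "' or position()=1 or '"   # input taken from the page's example
    print(build_query_vulnerable(payload))
    print(build_query_hardened(payload))
    print(lookup("bob"), lookup("o'neil"), lookup(payload))
```

Where the XPath engine supports variable binding, passing the name as a bound variable achieves the same separation without building a literal by hand.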
I hope you learnt the basics of XPATH and XPATH injection. In the next tutorial I will explain XPATH injection in more detail, along with some much better ways of injecting into XPATH queries.