This whitepaper details some novel methods of exploiting blind XPath 2.0 injection flaws that can be used to retrieve the whole document being queried (and others on the filesystem) without needing a large number of requests. It also covers exploiting some common XML databases.
bb958f4f5dc663b2b29dda1a486d1e5c6aaa2c1a738838917678623686d2a543