X marks the spot
- 1.The challenge says this is an
XPATHinjection. We can try the standard payload
blah' or 1=1 or 'a'='afrom OWASP and see if we can sign in. This results in a message saying
You're on the right path., so it looks like our query succeeded. However, we did not get redirected to an application so this looks like a "blind
- 3.Essentially, when the
You're on the right path.message is shown, we know our query returned a true value and otherwise our query was false. We can modify the query using
orto join the login query with a special query and then tell
XPATHto ignore the rest of the login query.
- 4.By using
' or string-length(//user[position()=3]/pass)=4 or ''='we can check if the length of the
passfield of the 3rd
userelement in document is 4. I guessed that the password field would be called
passbecause that is the name of the form element in the website's HTML. The
position()=3was manually checked by scanning each position starting at 1. If the name of the field is unknown, a query such as the following could be used instead:
' or string-length(//user[position()=1]/child::node()[position()=1])=4 or ''='. We can bruteforce the
4in this case and determine the length of the 3rd user's password.
- 5.Once we know the length of the password/flag, we can use
' or substring(//user[position()=3]/pass,<position>,1)="<character>" or ''='where
<position>is the position in the string and
<character>is the character we are checking. We loop though all the possible characters at position
You're on the right path.message is shown. When that loop is complete, we will know the first letter of the password/flag. We can continue doing this for each character of the password/flag until we reach the length we found in the previous step.
- 6.The solve script executes the above scripts to determine the flag character by character. Depending on your internet connection (how fast you can send requests to the server), the script may take a few minutes (≈4 minutes maximum) to run.