Confused | Defend the Web

softowl8
11 years ago

0

Hi

I am struggling with this one, I hope someone can help me :)

I have read the previous thread, and from my very inexperienced perspective I am grasping the concept of LDAP and I have been browsing the links.

My confusion is around how to alter the code… how/where are you guys writing/ altering the code. I have been trying the URL ldap://hackthis.co.uk which comes up with a search box of some kind. I have the feeling that this is not right though :/

Any other clues on how to think about this one (other than “like a programmer” - because im not :‘( …)

jayssj11
11 years ago

0

LDAP injection is not required .

JAYSSJ11- “I’d rather be hated for who I am, than loved for who I am not.”

[deleted user]
10 years ago

0

It’s not using SQL but it looks like SQL. I hope this help ^^

*********** [ADIGA]
10 years ago

0

XML Can be used just as sql.

I Hate Signatures.

[deleted user]
10 years ago

0

softowl8,

This below URL will help a lot.

https://www.owasp.org/index.php/XPATH_Injection

Vu Nhat Anh [vunhatanh]
10 years ago

0

Finally completed this level for 18 attemps :x, just make the xpath query return true with ‘Sandra Murphy’ :D

[IAmDevil]
10 years ago

0

Congrats man !!!
Hope you learn a lot more here !!

- @IAmDevil
Its good to be back! :D

softowl8
10 years ago

0

well done vna220792 im still attempting away :)

Vu Nhat Anh [vunhatanh]
10 years ago

0

Initially, you may feel stuck. When you successfull inject the true condition, you will see an other error alert. instead of “Invalid details”. :)

LoNeWollF!! [ram.vinoth.71]
10 years ago

0

Any other clues to complete this level.. i am confused.. :) thank u guyz :)

[deleted user]
10 years ago

0

All you need is the hint for the syntax and the link posted by tlotr, it’s not very hard ;)

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

Attempts: 21 Duration: 38 days
I had hard time to solve this level :| . Just a note for anyone struggling with it:

XPath query is case-sensitive.

![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)

TaaRt
10 years ago

0

Combined the second thing vna said and tlotr’s link, with zero experience (but some basic understanding) in sql injection it’s possible to solve it

“I dislike people who quote themselves” - TaaRt

Reply has been removed

Susan S [Trinity]
10 years ago

0

I just don’t believe that I was missing three characters in the solution what an idiot I was over thinking things and getting stuck in the same rut over and over again thanks to tlotr, freewind1012 and ADIGA patience, help and direction I eventually completed this level.

I wish I could explain more on here about the small part of the solution I was missing out in my injection but I mustn’t give it away and spoil it for others. Thank you guys once again, tlotr, freewind1012 and ADIGA for taking the time and not telling me to piss off as I must have been driving you guys mad, and for putting me on the right direction to solve this level. Thank you!! :)

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

@Trinity: You’re welcome. In fact I welcome all people who have patient / persistent attitude in solving problem.

![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)

Susan S [Trinity]
10 years ago

0

Well my friend freewind1012, you most certainly had patience with me. :)

[deleted user]
10 years ago

0

Trinity: You are most welcome :)

Reply has been removed

Susan S [Trinity]
10 years ago

0

Thanks again tlotr! Gonna go and do a little more on my website, later! :)