Intermediate 6 help

Sandra Murphy

xxxx [TheShadowman]
10 years ago | edited 10 years ago

0

So I am completely stumped by this one.
I’ve done reading on XML and XML injection and think I understand the concept of it.

So far I've been injecting `Sandra' or 1=1 or 'a'='a` and this brings up a different error.
I've tried many different variations of this and managed to bring up the different error, but I can't seem to pass the level.
Could anyone suggest any articles to read or help me out with where I'm going wrong?

Any help would be appreciated.

-Shadowman

54 replies, 24 voices, 1,001 views
Cyan Wind [freewind1012]
10 years ago | edited 9 years ago

4

XPath injection requires a bit of knowledge about the XML schema and how XPath queries work. Or I should say: like the column name in SQLi, the element name in XPath injection is important as well.

Why are you going wrong? Because you focus on logical operators and forget the importance of the element name(s), maybe. :p

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

8

This PHP example should be a bit of help for this level:
```
<?php
/* Preparation stuff */
$doc = new DOMDocument;
$doc->preserveWhiteSpace = false;
$file = file_get_contents("users.xml"); // users.xml contains users' data
$doc->loadXML($file);
/* End Preparation stuff */

/* XPath query */
$xpath = new DOMXPath($doc);

$username = "place_your_username_here";
$password = "place_your_password_here";
// The two inputs are concatenated straight into the predicate.
$query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";

$users = $xpath->query($query);
/* End XPath query */

/* Print */
foreach ($users as $user) {
    foreach ($user->childNodes as $node) {
        echo $node->nodeName . " - " . $node->nodeValue . "\n";
    }
}
/* End Print */
```

users.xml
```
<?xml version="1.0"?>
<users>
    <user>
        <username>admin</username>
        <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
        <realname>Harry Potter</realname>
    </user>
    <user>
        <username>user</username>
        <password>202cb962ac59075b964b07152d234b70</password>
        <realname>Gandalf</realname>
    </user>
</users>
```
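As an added example (not code from the thread or from freewind1012), here is the same lookup beside a hardened version that encodes each input as an XPath string literal; `$xml` is a constructed copy of the users.xml above, and `findUserUnsafe`, `xpathLiteral` and `findUserSafe` are names chosen here. For the `' or 1=1 or 'a'='a` payload quoted in this thread the unsafe lookup matches every user in the file, the hardened one matches none, and it still matches the second user when given that user's real credentials.

```php
<?php
// Added example, not code from the thread: the lookup from the snippet above
// beside a hardened version. $xml is a constructed copy of the users.xml above.
$xml = <<<XML
<?xml version="1.0"?>
<users>
  <user><username>admin</username><password>5f4dcc3b5aa765d61d8327deb882cf99</password><realname>Harry Potter</realname></user>
  <user><username>user</username><password>202cb962ac59075b964b07152d234b70</password><realname>Gandalf</realname></user>
</users>
XML;

$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;
$doc->loadXML($xml);
$xpath = new DOMXPath($doc);

// Vulnerable: the user-controlled strings are spliced straight into the
// predicate, so a quote in the input closes the literal and the rest of the
// input is evaluated as XPath (or / and / =) against every <user> element.
function findUserUnsafe(DOMXPath $xpath, $username, $password) {
    $query = "//user[username/text() = '" . $username
           . "' and password/text() = '" . $password . "']";
    return $xpath->query($query);
}

// Hardened: encode each input as an XPath 1.0 string literal. XPath 1.0 has no
// escape character, so a value containing a single quote is wrapped in double
// quotes, and one containing both kinds is assembled with concat(). The input
// can then never terminate the literal, whatever it contains.
function xpathLiteral($value) {
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = array_map(function ($p) { return "'" . $p . "'"; }, explode("'", $value));
    return 'concat(' . implode(', "\'", ', $parts) . ')';
}

function findUserSafe(DOMXPath $xpath, $username, $password) {
    $query = "//user[username/text() = " . xpathLiteral($username)
           . " and password/text() = " . xpathLiteral($password) . "]";
    return $xpath->query($query);
}

// The payload quoted throughout this thread, sent in both fields: the unsafe
// query matches every user, the hardened one matches none.
$payload = "' or 1=1 or 'a'='a";
printf("unsafe: %d user(s) matched\n", findUserUnsafe($xpath, $payload, $payload)->length);
printf("safe:   %d user(s) matched\n", findUserSafe($xpath, $payload, $payload)->length);
printf("safe, real credentials: %d user(s) matched\n",
       findUserSafe($xpath, 'user', '202cb962ac59075b964b07152d234b70')->length);
```

Because `and` binds tighter than `or` in XPath, the unsafe predicate degenerates to a chain of `or` terms in which `1=1` is always true, which is why the first user in the file is returned regardless of the credentials supplied.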

xxxx [TheShadowman]
10 years ago | edited 10 years ago

0

So from what I’ve been looking at for your example I would have to inject something along the lines of

```
string(//users[user/text()='' or '1' = '1' and password/text()='' or '1' = '1']/realname/text())
```

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

Yes. And don’t forget to be creative to login as Sandra Murphy. ;)

[IAmDevil]
10 years ago

1

@TheShadowman you're very close to the real injection!! Just work on the injection you posted first!! And the usual "don't overthink it."

xxxx [TheShadowman]
10 years ago

0

Ok, thanks to both Freewind and IAmDevil, I’ll keep working on it :D

crawle
10 years ago

0

Thanks freewind for the assist. I was able to finish the level after having viewed the code. However, I must admit that it took me 63 attempts to figure out what the solution was. Rather embarrassing but still, relieved to have finished it.

This particular level helped me sharpen my concepts regarding sql injection. Now that I read the hint again, I realized that the hint is a BIG giveaway. Anyway, thanks for an awesome challenge. Love this site. :)

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

Try to apply a bit of logic when injecting. Your code is nonsense.

Fe@r-!5 [fear-15]
10 years ago

0

OK, I know I have to inject something like this: `Sandra' or 1=1 or 'a'='a`, but I have been trying this and it's of no use.


0

Of course it is no use because it is wrong.

Fe@r-!5 [fear-15]
10 years ago

0

OK, but just tell me, am I on the right path? I know I have to use the real name, but where?

[IAmDevil]
10 years ago

0

Yes, you have the right username, and you have to put it in the injection now!!

Wallace-
10 years ago | edited 10 years ago

0

If the injection =

[spoiler]' or 1=1 or 'a'='a[/spoiler]

and

[spoiler]her real name = Sandra Murphy[/spoiler]

then how would you combine the two in order to create a logical injection?

(Admin/Mod sidenote: I think I have hidden the answer well enough in my hint in this post, but if this gives too much away, please delete this post, and apologies.)

Credit goes to roun512 for explaining it this way to me, which then eventually helped point me in a more logical direction. I did not come up with this way of hinting at it, so don't thank me if this helps; thank roun512. :)

Mystery [kapuccino]
10 years ago

0

@fear-15: You may want to learn SQL injection first.

Fe@r-!5 [fear-15]
10 years ago

0

Thank you guys, I will take up your advice.

[deleted user]
10 years ago

0

One point to all you potential hackers out there: Read what it says carefully: This login screen is trying something a bit different and is NOT using SQL. Try and login as the user whose real name is ‘Sandra Murphy’. Take your time over it and even though it is not using SQL reading up on SQL will help you to understand what you have to do and also help to pass the level. Good luck. :)

midnightclub2
10 years ago

0

Guys, I would just like to share some hints, if possible :)

The thing is that you know you don't have 'username' and 'password', but you know the 'realname'. Can you write up a logical sequence such that if 'realname' is TRUE, the entire code still returns TRUE, even though 'username' and 'password' both return FALSE?

That is a f**king big hint, isn't it :D :D

[IAmDevil]
10 years ago | edited 10 years ago

0

Hmm… I think making the injection script is the hard part where everyone gets confused.
Well, if someone really reads the hint carefully, then he will surely get it in one go.
The hint there by @Wallace- is just more than enough!

Wibben
10 years ago

0

Everyone knows how to do a regular SQL injection, and it's almost the same for XPath, but combining the realname within the injection is what stumps a lot of people.

Don't try to add to the end of the injection; change a part of the original injection itself to encompass the information you already know.

Abhi
10 years ago | edited 10 years ago

1

I think this has been told, but just let me make it clear again!! In SQL injection we inject something like:

username: `blah' OR 1=1 OR 'a'='a`
and password: `blah`

Now, we have to use all the info that is given to us to make a logical injection for the level.
One more thing: though SQL injection is very similar to XPath injection, an SQL query is different from an XPath query.
Keep this in mind and go for it!! Good luck :)

[deleted user]
10 years ago | edited 10 years ago

0

Now I think everyone should be able to complete this level based on the explanation provided by @Abhi_hacker

[IAmDevil]
10 years ago

0

How many of y'all think @Abhi_hacker's hint was too much?
I vote to delete it!

midnightclub2
10 years ago

0

It's the combination of hints that is giving away too much :D :D

Abhi
10 years ago | edited 10 years ago

0

Should I delete it?? I have tried to be as limited as possible, but if you say so, I can delete it or edit it!!
Only those who have read about SQL injection and XPath queries can interpret the hint, whereas for others (newbies) it's still quite concealed……. But just tell me if you want me to remove it!! :)

[deleted user]
10 years ago | edited 10 years ago

0

Hey Abhi_hacker, that is too close, mate. You have given too close a hint; it is more like the answer. Please either alter your post or remove it. It's more or less the same as shadowman's spoiler. Okay mate?? :)

Abhi
10 years ago | edited 10 years ago

0

OK… I'll just change it right away. No problem!!
Re: I have edited the post and removed the hint that was disclosing the answer…… all that is left is a bit related to SQL (I think they should get at least that much) and some general instructions regarding the level!!
Hope this doesn't cause any further problems. :)

[deleted user]
10 years ago

0

Yes mate no problem. Not all down to you as there are others just as much to blame in giving too much away for the level. Thanks for your action. :)

[IAmDevil]
10 years ago

0

Ha, it's a lot better now. Only the spoiler was a bit too much. But it looks good now! :D

? [bolofecal]
9 years ago | edited 9 years ago

0

I’ve used this site: http://www.xpathtester.com/xpath

In this case:

```
<?xml version="1.0" encoding="UTF-8"?>
<users>
    <user>
        <username>admin</username>
        <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
        <realname>Harry Potter</realname>
    </user>
    <user>
        <username>user</username>
        <password>202cb962ac59075b964b07152d234b70</password>
        <realname>Gandalf</realname>
    </user>
    <user>
        <username>sandramurphyuser</username>
        <password>hardpass</password>
        <realname>Sandra Murphy</realname>
    </user>
</users>
```

when I submit:

```
string(//user[realname='Sandra Murphy']/username/text())
```
returns: sandramurphyuser
and
```
string(//user[realname='Sandra Murphy']/password/text())
```
returns: hardpass

Am I on the right track? Do I need to send the first in the login field and the second in the password field?

Mugi [Mugiwara27]
9 years ago

0

Xpath injection = Sql + xpath query
There you just use xpath query

? [bolofecal]
9 years ago | edited 9 years ago

0

Based on this:

```
$query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";
```

I tried this:

```
user: ' OR //user[realname/text() = 'Sandra Murphy']/username/text() OR ''='
pass: ' OR //user[realname/text() = 'Sandra Murphy']/password/text() OR ''='
```

```
$query = "//user[username/text() = '' OR //user[realname/text() = 'Sandra Murphy']/username/text() OR ''='' and password/text() = '' OR //user[realname/text() = 'Sandra Murphy']/password/text() OR ''='']";
```

But it doesn't work. I will study XPath harder…

Nighttshad3
9 years ago

1

Expanding on what @Wallace- said:
If we were doing an SQL injection we would use the following:

[Spoiler]' or 1=1 or 'a'='a[/Spoiler]
And we need to trick it into using the real name and forgetting the username and password. And we know that…
[Spoiler]her realname='Sandra Murphy'[/Spoiler]

How could you insert her real name into the injection to make it = true for just her real name?

If you don't overthink it and keep trying things, you'll get it eventually.

? [bolofecal]
9 years ago

0

```
$query = "//user[username/text() = ' ' or 1=1 or 'a'='a' and password/text() = ' ' or 1=1 or 'a'='a']";
```

true and true, it works, but it connects as the first user? (not 'Sandra Murphy')

The users' data are stored like this:

```
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="users">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="user">
          <xs:complexType>
            <xs:sequence>
              <xs:element type="xs:string" name="login">userlogin</xs:element>
              <xs:element type="xs:string" name="password">hardpassword</xs:element>
              <xs:element type="xs:string" name="realname">Sandra Murphy</xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```

or like this:

```
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="users">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="user">
          <xs:complexType>
            <xs:sequence>
              <xs:element type="xs:string" name="userlogin"/>
              <xs:element type="xs:string" name="hardpassword"/>
              <xs:element type="xs:string" name="Sandra Murphy"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```

dloser
9 years ago

0

Perhaps you should study even harder… For example, learn how to distinguish XML from XML schemas. You already posted a usable XML example and a site to check your queries. This should be more than enough to figure out how to solve the challenge.

[deleted user]
9 years ago

0

So as I have understood, for username I need to use this code `$query = "//user[username/text() = ' ' or 1=1 or 'a'='a'` and for password this `password/text() = ' ' or 1=1 or 'a'='a']";` but it must connect as the Sandra Murphy user?

? [bolofecal]
9 years ago

0

If you put "$query" in the field, your syntax is wrong. Your query has nothing specified about Sandra Murphy, so the server will not guess it.

[deleted user]
9 years ago

0

So based on this:

```
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="users">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="user">
          <xs:complexType>
            <xs:sequence>
              <xs:element type="xs:string" name="login"/>
              <xs:element type="xs:string" name="password"/>
              <xs:element type="xs:string" name="realname"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```

I tried, instead of "$query", to put "login":

```
login = "//user[username/text() = ' ' or 1=1 or 'a'='a'
```

but this is also not the correct answer, so… Please give a hint.

? [bolofecal]
9 years ago | edited 9 years ago

0

@freewind1012 posted a good example:

```
<?php
/* Preparation stuff */
$doc = new DOMDocument;
$doc->preserveWhiteSpace = false;
$file = file_get_contents("users.xml"); // users.xml contains users' data
$doc->loadXML($file);
/* End Preparation stuff */

/* XPath query */
$xpath = new DOMXPath($doc);

$username = "place_your_username_here";
$password = "place_your_password_here";
// The two inputs are concatenated straight into the predicate.
$query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";

$users = $xpath->query($query);
/* End XPath query */

/* Print */
foreach ($users as $user) {
    foreach ($user->childNodes as $node) {
        echo $node->nodeName . " - " . $node->nodeValue . "\n";
    }
}
/* End Print */
```

Your input will be inserted into $username and $password, and this will be replaced in the query. And about the code that you posted now:

[quote=dloser]Perhaps you should study even harder… For example, learn how to distinguish XML from XML schemas. You already posted a usable XML example and a site to check your queries. This should be more than enough to figure out how to solve the challenge.[/quote]

[deleted user]
9 years ago

0

So for username: `$username = "//user[username/text() = ' ' or 1=1 or 'a'='a'` and for password: `password/text() = ' ' or 1=1 or 'a'='a']";` but it needs to login as "Sandra Murphy"……?

Mugi [Mugiwara27]
9 years ago

0

Try and login as the user whose real name is ‘Sandra Murphy’.

Here you are using username.
Do you think you have to use it ?

dino84
9 years ago

0

I'm racking my brains looking everywhere, but I can't manage this level. A little nudge please, thanks.

p4p1 [lexostras]
9 years ago

0

@dino84 Hi dino84, have you done some research on XPath injections, and have you properly understood the Boolean algorithm? Understanding those two things is what made me pass this level. Next time, try to write your forum messages in English.
PS: [quote=HackThis.co.uk]This is an English only forum, please refrain from posting in other languages. We are working on adapting the site for your language. [/quote]

Translation for English speakers:

Hi dino84, did you do some research on XPath injections and have you understood the Boolean algorithm? Understanding those 2 things helped me to finish this level.

? [bolofecal]
9 years ago

0

Right and the code of @freewind1012 here is another help.

Mugi [Mugiwara27]
9 years ago

0

@dino84 What about reading the whole forum about this level?

longlequy
8 years ago | edited 8 years ago

0

Giveaway

Use this to test your XPath query, because you must use an XPath query.
Simplest: hack all users 1 by 1; google position()=

pulthack
7 years ago

0

Took me a while to get this right..

Indeed, all the hints are already on this forum. For further hints, I think you could think along the lines of how you could achieve an all-true condition in SQL injection, where you could insert a comment to bypass the checks. It works for XPath; just that, in this case, the big hint with the real user name is already given.

erraticSheep
7 years ago | edited 7 years ago

0

Am I anywhere near? My trial is along the lines of:

```
//elementA/elementAA[elementAAA[text()='whatWeKnow']]/elementAAB
```

Yes or no question; there are many things I could be missing based on the forum, so I just wanted to be more oriented.

Mugi [Mugiwara27]
7 years ago

0

You're way too far; read the threads, you'll learn almost step by step how it works :)

erraticSheep
7 years ago

0

I wasn't talking about the injection itself, but the XPath. It probably is different because it is an XML schema instead of just XML, so I wanted to know if it worked the same, as for the XPath.

I have studied some things, and I am probably missing out, but what keeps getting me confused is the `1 = 1 or 'a' = 'a'`. It seems like something obvious to do for everybody, but why do you need to do it? I haven't found a single piece of information that tells me what the `1=1` is for. Is it just to make a statement immediately true?
As you can easily notice, I know nothing about SQLi, so do not use that as an example. (Unless you are recommending me to learn SQLi first.)

Mugi [Mugiwara27]
7 years ago

0

I sent you a PM ;)

Everything I sent you as PM has already been said in previous threads :)

heningto
6 years ago | edited 6 years ago

0

Crap, I'm sorry! Thought I was in the solution thread….

dloser
6 years ago

0

@heningto: I hate to tell you, but your absolute first post is absolutely in the wrong place. Please remove the spoiler from the level board and post it in the solutions board.

krzivn
6 years ago

0

Gotta say, freewind1012 had the perfect tip on this.

I’d give karma, but still too n00b on the site.

Darwin [DIDIx13]
6 years ago

0

@freewind1012 was one of the greatest users of the website so sad that we haven’t seen him since 2014 :(
