Dashboard Articles Playground Discussions More
Follow

Xpath syntax

Sandra Murphy

KUP1D
10 years ago | edited 10 years ago

0

Hello,

I have learned a lot about xpath syntax and xml but I am still going in circles.
I have tried lots of ways of making the realname return true. (I’ve read all the threads).

first input: users/user/realname[text()=‘SandraMurphy’
second input: bleh'
]

Where am I going wrong ? Thanks for any insight.

11replies
6voices
302views
KUP1D
10 years ago

0

I don’t know how to use the spoiler tags can someone help out ?

Fireshard
10 years ago

0

spoilers are in [ ] not in < > :P please edit your post

Wish I could help you more but I don’t remember much about the level.

 

Don’t post answers on the forums!

Search other forums before making new threads called “help” !

Click me for an interesting post on the forum!

[deleted user]
10 years ago | edited 10 years ago

0

@KUP1D : The basic XPATH injection >> <!- <!- <!- <!- blah' or 1=1 or ‘a’=‘a -!> -!> -!> -!>

You can read about it more over here. Also check the other threads that are out there. There are a lot of useful information on those thread which will help you complete this level.

XPATH Injection

Mugi [Mugiwara27]
10 years ago

0

Tlotr : That is not a Xpath injection but Sql I think

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1

Mugi [Mugiwara27]
10 years ago | edited 10 years ago

0

What you have to do :

<!-
<!-
<!-
<!-
<!-
<!-
You have to put an Xpath query in that sql Injection :
<!-
bah' or 1=1 or ‘a’=‘a

-!>
-!>
-!>
-!>
-!>
-!>
-!>

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1

KUP1D
10 years ago

0

thanks guys. fixed the spoiler. I know about basic sql, that’s not helping me too much. Does anyone know what is wrong with my injection above ? thanks

Cyan Wind [freewind1012]
10 years ago | edited 10 years ago

0

What happened to the spoiler tag? Testing…

Testing…

Edit: I see what you guys did there.

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
[deleted user]
10 years ago

1

@Mugiwara27 : That is what it shows on the website which I have mentioned in the above post which is of XPATH Injection. Those are not my words, I am just the messenger. :p

Cyan Wind [freewind1012]
10 years ago

0

@KUP1D: You have to learn about logical operators. Don’t tell me that people can easily access to database without “tricking” the system.

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
Mugi [Mugiwara27]
10 years ago

0

Read other thread, there are a lot of hints :)

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’‘ at line 1

[IAmDevil]
10 years ago

0

Other threads are just enough to complete this level! What are the problems here? It just requires programing logic. The hint plays a very important part! :)

 

- @IAmDevil
Its good to be back! :D

You must be logged in to reply to this discussion. Login
1 of 12

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss