Dashboard Articles Playground Discussions More
Follow

Error With Request

Sandra Murphy

moneyrule001
9 years ago

0

Hi,

I read many links given by the smart people’s like you and also did many more stuffs regarding xpath injection, xml etc.

But the problem is, I got again and again the same warning i.e “Error With Request”. I’m partially right that it is some what correct but now the question arises where to put realname.

I tried realname in Username textbox but still don’t get correct answer. Can Anyone help me regarding this is highly appreciable

10replies
6voices
260views
[deleted user]
9 years ago

0

Here you go XPATH INJECTION

Abhi
9 years ago

0

You don’t have to put the real name in Username field. You gotta make a Xpath Query. Check out the link given by @tlotr !!

 

“ENJOY LEARNING AS YOU HACK !! ”
Image

[IAmDevil]
9 years ago

0

Haha yeah! A Query is needed here. The other threads are helpful check those out. A pointer - its more like SQLi but not completely like that.

 

- @IAmDevil
Its good to be back! :D

moneyrule001
9 years ago

0

Yes I read the link given by the tlotr, but the example given there is only for username and password not the third element.
I just confused in the third component given as “Sandra Murphy”. How to use this…

Cyan Wind [freewind1012]
9 years ago | edited 9 years ago

0

[quote=moneyrule001]the example given there is only for username and password not the third element[/quote]
Then just add the third element into your query. Be confident! You have already known the XML Schema of this level, right?

 
![Image](https://www.hackthis.co.uk/user/userbar.png?user=freewind1012%20//%20Navigator)
moneyrule001
9 years ago | edited 9 years ago

0

I know the xml schema….. ok I tell you what I wrote in Username. Please suggest me where I m wrong

jjj' or 1=1 and name(//users/user)=‘Sandra Murphy

[deleted user]
9 years ago

0

@moneyrule001 : Why are you using 1=1. It is only used when you don’t know any username but over here you know a username a.k.a realname. Try to change your query and eventually you will get it. Hope this hint helps you in completing the level.

moneyrule001
9 years ago | edited 9 years ago

0

sdsa' And realname/text()=‘Sandra Murphy

SFisher
9 years ago

0

Cool but you have to put it in the level, not here. Also try to use the [ spoiler] [ /spoiler] tag (without spaces).

 

Sorry if that sounded stupid.
All your karamas are belong to us.

Reply has been removed
[IAmDevil]
9 years ago

0

Well check out the hint! See what variables are used there. That will help!

 

- @IAmDevil
Its good to be back! :D

You must be logged in to reply to this discussion. Login
1 of 11

This site only uses cookies that are essential for the functionality of this website. Cookies are not used for tracking or marketing purposes.

By using our site, you acknowledge that you have read and understand our Privacy Policy, and Terms of Service.

Dismiss