I’m trying to get the flag for the Xpath Blind Exploitation topic in the Injection Attacks module and I simply can’t figure it out. I was able to figure out the XML schema and the number of nodes, as well as the names of the fields and their lengths. Then I wrote a Python script to automate the process of getting those fields and was able to find all of the values of those fields. However, none of them have the usual flag format, and when I try HTB{value}, where value is one of the fields I found during the data exfiltration step, the flag doesn’t work. The value even has the same number of characters a usual flag has (32 characters)!! I’m stuck. Any help would be very appreciated.
any luck?
If there is anybody struggling with this, I made a script which completes this. If you would like the full script, DM me; in this section I will only provide the functions which I used.
Firstly,
You will of course need to connect to the URL (what a shock!). The payload that you want is something like this:
invalid' or (predicate) and '1'='1
This will create the actual data, and then we can filter for the success phrase “Message successfully sent!”
Secondly,
We will need an oracle function (or not, this is how I did it); this will determine whether the XPath expression is true or false. It takes a predicate and passes it to another function (this will be the iterative process) to build the payload over and over again. It then sends the HTTP POST request and returns True if the response contains the correct message and False otherwise.
Thirdly,
I implemented a binary search to find the length of a string in the XML. Instead of going through lengths like 1, 2, 3, etc., I just ran a query like >25, then tried >40 or <25; this makes it much faster and much more targeted.
Fourthly,
We want to extract the actual string character by character; this can look like `leak_string(expr: str) -> int`
Fifthly,
We will now need to iteratively move up positions:
`count(path/[1])=1, count(path/[2])=1`
Lastly,
Extract this
Hope this helps someone and feel free to DM if you would like the script