Based on the challenge name, you can see that we will use Blind XPath Injection to solve this problem. You can read more about Blind XPath Injection here.
Firstly, the injection point is in the Members section.
The injection point is the userid parameter. You can check this by entering or, or the union operator (|): an error will occur. We can use this as an oracle to check whether our conditional expression is true or not and achieve our goal. If our injected expression is true, the page will not display any error. If not, we will see the error screen. We will use this for blind XPath injection.
Now we know where to inject. I will use it to check John's password length, because he is the administrator.
After checking his password length with my exploit code (I will show it at the end of this writeup), I see that John's password length is 14. But after brute-forcing John's password, its length is actually 13 and I don't know why @@
Now that we know the password length is 13, we can brute-force the password. But when you use the substring function with single or double quotes, you will see that they are filtered.
You can extract any character from the above table with the substring function, so no quotes are needed. The XML behind this table has four tags (I think so :D): <username> for the Username row, <email> for the Email row, <account> for the Account Type row, and a hidden <password> tag for the password. For example, use a = substring(//user[userid=2]/account,1,1) to obtain the character a, because the account type of the user with userid=2 is administrator, and the first character of that string is a.
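The following is an added example, not the author's exploit code: it shows why the userid parameter is injectable and two ways the application should have been written, using Ruby's REXML against a constructed copy of the members document (the XML, the user names and the placeholder passwords are assumptions).

```ruby
require 'rexml/document'

# Constructed sample of the Members document the writeup describes:
# each <user> has username, email, account and a hidden password.
MEMBERS_XML = <<~XML
  <users>
    <user><userid>1</userid><username>alice</username>
          <email>alice@example.test</email><account>user</account>
          <password>placeholder-1</password></user>
    <user><userid>2</userid><username>john</username>
          <email>john@example.test</email><account>administrator</account>
          <password>placeholder-2</password></user>
  </users>
XML
DOC = REXML::Document.new(MEMBERS_XML)

# Vulnerable: userid is concatenated into the query, so whatever the
# client sends becomes part of the predicate (the "or" check from the
# writeup turns a single lookup into a match on every user).
def account_types_unsafe(userid)
  REXML::XPath.match(DOC, "//user[userid=#{userid}]/account").map(&:text)
end

class InvalidUserId < StandardError; end

# Hardened 1: allowlist validation. userid is a number, so anything that
# is not a positive integer is rejected before a query is ever built.
def account_types_validated(userid)
  unless userid.to_s.match?(/\A[1-9][0-9]*\z/)
    raise InvalidUserId, "userid must be a positive integer"
  end
  REXML::XPath.match(DOC, "//user[userid=#{Integer(userid)}]/account").map(&:text)
end

# Hardened 2: bind the value as an XPath variable ($id). The engine
# treats it as data, never as XPath syntax, so "2 or 1=1" simply fails
# to match any userid instead of widening the predicate.
def account_types_bound(userid)
  REXML::XPath.match(DOC, "//user[userid=$id]/account", {},
                     { "id" => userid.to_s }).map(&:text)
end
```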
This is my code to exploit this challenge; it's on my GitHub. Sorry for the inconvenience, but I still haven't figured out how to upload my code to Blogger.
Anyway, the flag (password) is ueiJ4a65@1.oS