webPromedium

Lab 334 — DocuNest — XPath Injection in Knowledge Base Search

hackadvisor

Task: Flask knowledge base with XML-backed search; /search?q= is vulnerable to XPath injection, but @visible attribute filtering in both XPath and app code prevents direct display of hidden articles. Solution: Blind boolean-based XPath injection using union query oracle to enumerate XML structure, locate hidden article 19 containing the flag, and extract it character-by-character via substring().

$ ls tags/ techniques/

flask access_control_bypass xml honeypot_flag boolean_oracle knowledge_base xpath_injection blind_xpath union_xpath case_sensitive_search

honeypot_flag_identificationblind_boolean_xpath_injectionxpath_union_query_oraclexml_structure_enumeration_via_blind_injectioncharacter_by_character_substring_extractionxpath_count_enumerationxpath_attribute_brute_force

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]DocuNest— hackadvisor
[web][Pro]Lab 328 — DataNest — NoSQL Operator Injection in Authentication— hackadvisor
[web][Pro]Knowledge Base— miptctf
[web][Pro]Dosie X (Dossier X)— hackerlab
[web][Pro]Lab 335 — LeadForge — XPath Injection in XML-Based CRM— hackadvisor