[web][Pro][medium]
Lab 335 — LeadForge — XPath Injection in XML-Based CRM
hackadvisor
Task: A CRM platform backed by an XML file-based data store exposes a contact search feature that interpolates user input directly into XPath expressions. Decoy flags in the HTML mislead scanners.
Solution: XPath injection via the search endpoint. Union-based injection enumerates the XML structure, then boolean-based blind extraction with a substring() oracle recovers the flag from the /crm/secret/flag node character by character.
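The interpolation flaw described in the task, next to a hardened query builder, as an added example that is not code from the lab or the writeup. The element names (`contact`, `name`) and all function names are assumptions, and the sample inputs are constructed.

```javascript
// Added example; contact/name and every function name here are hypothetical.

// Vulnerable pattern: input is pasted inside a quoted XPath literal, so a
// quote character in the input ends the literal early and whatever follows
// is parsed as part of the expression.
function buildQueryUnsafe(term) {
  return "//contact[contains(name, '" + term + "')]";
}

// XPath 1.0 has no escape character inside string literals. Pick the quote
// style the value does not contain; if it contains both, split on ' and
// rejoin the pieces with concat().
function xpathLiteral(value) {
  const s = String(value);
  if (!s.includes("'")) return "'" + s + "'";
  if (!s.includes('"')) return '"' + s + '"';
  const parts = s.split("'").map((p) => "'" + p + "'");
  return "concat(" + parts.join(", \"'\", ") + ")";
}

// Hardened builder: the input can only ever become a string value.
// The type check matters in Express, where ?q[]=x arrives as an array.
function buildQuerySafe(term) {
  if (typeof term !== "string") {
    throw new TypeError("search term must be a string");
  }
  return "//contact[contains(name, " + xpathLiteral(term) + ")]";
}

// Review/test helper: replace every string literal with "?". Any input text
// that survives in the result was parsed outside a literal.
function skeleton(expr) {
  return expr.replace(/'[^']*'|"[^"]*"/g, "?");
}

// Constructed sample inputs: ordinary names that happen to contain quotes.
for (const term of ["Ann", "O'Brien", "a'b\"c"]) {
  console.log(skeleton(buildQueryUnsafe(term)), "|", skeleton(buildQuerySafe(term)));
}
```

Where the XPath library in use supports variable binding, passing the term as a variable avoids building literals at all.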
$ ls tags/ techniques/
tags/: nodejs nginx express xml boolean_based crm xpath_injection blind_extraction file_based_datastore anti_bot_decoy
techniques/: xpath_injection boolean_based_blind_extraction union_based_xpath xml_structure_enumeration substring_extraction
$ grep --similar
Similar writeups
- [web][Pro] Lab 373 — PipelineIQ — Django ORM Filter Injection — hackadvisor
- [web][Pro] Lab 86 — DealForge — SQL Injection via Backslash Escape Bypass of Quote-Doubling in H2 — hackadvisor
- [web][Pro] Lab 116 — InsightForge — IDOR via Undocumented Internal API — hackadvisor
- [web][Pro] Lab 330 — AuthVault — Blind LDAP Injection in Directory Lookup — hackadvisor
- [web][Pro] Lab 329 — PipelineIQ — NoSQL Injection Authentication Bypass — hackadvisor