Xpath

Dojo #4

Obfuscated code

The admin loves to use obfuscated queries, but you want to prove to him that security through obscurity is not fail-proof.

We know that a valid serial number is in the form 0000-0000-0000-0000.

There are 7 valid serials for this XPath query.

BRUTEFORCE IS NOT ALLOWED

Goal

  • Find the 7 $serial values that output Access granted!
  • Submit your writeup report to the program, including details on how you reversed the code.

Hints

Hint #1

If you want to write an automatic solver, you can look at the Z3 project from Microsoft.

https://github.com/Z3Prover/z3
