Xpath

Going up

by YesWeHack
drag_indicator
info
drag_indicator
inputs
drag_indicator
inspect

Time to read some data

Here we have a query that allow to fetch any information about the address of an user.

Try with username = admin

and node set to one of [city, street, number, country, postalcode]

Goal: leak the admin password

Hints

Hint #1
expand_more

The password is not in the address node, maybe you can access the parent node.

Hint #2
expand_more

You can select the parent node with ..

Solution

Read the solution
expand_more

$user = admin $node = ../password

Explanation

You are able to go up in the node tree by using .. and then go down again and fetch the password.

drag_indicator
waf
INPUT
OUTPUT
drag_indicator
code
drag_indicator
result