You forgot something

[quote=Intermediate Level 6]This login screen is trying something a bit different and is not using SQL.[/quote]

hum i didn’t forget it but maybe misconception of this point

the request isn’t something like this

$xpath = “//user[username=‘” . $GET['username’] . “‘ and password=’” . $GET[‘password’] . “‘]”;[/Spoiler]

so if i had my line the new xpath is :

[Spoiler]$xpath = “//user[username=‘” . $GET['username’] . ‘ or realname='Sandra Murphy’ or 1=1 “‘ and password=’” . $GET[‘password’] . “‘]”;

This @freewind1012 code may helps https://www.hackthis.co.uk/forum/level-discussion/intermediate-levels/intermediate-level-6/3696-intermediate-6-help I suggest you simulate in your own host if you can not complete.

Hi,

First thanks for your help, I read the post and try some different thing

now i try to put that into the username

‘or '1’=‘1’ or realname/text()=‘Sandra Murphy

and something random in the password .

that didn’t work.

is my reflection totally wrong ? I try with the code from freewind2012 with some modification :

$query = "//user[username/text() = '" . $username . "' and realname/text() = '" . $realname . "' and password/text() = '" . $password . "']";

$username = "'or '1'='1' or '1'='1"; $password = "'or realname/text()='cool";

like this it works