tl;dr

• Leak admin’s hash using wildcard target origin in postMessage or by calculating sha256('').
• Create an XSS payload to read /api/flag and send it to attacker server.

First of all, a big shoutout to the challenge author. All the challenges in this set are available here.

## Analysis

Going through the challenge source, we can see that two JavaScript files are imported.

1
2

    <script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script>
    <script src="js/main.js"></script>

arg-1.4.js is a popular library for parsing URL parameters. And main.js has the following content.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

let data = {
    small: "Hi, there!",
    big: "Hello, world!"
}

const vuln = document.querySelector("#vuln");
let queryStrings = window.location.search;
let params = new URLSearchParams(queryStrings);

let vulnParams = () => {
    let fragments = Arg.parse(location.hash.substr(1));
    if(data[params.get("type")] !== undefined) vuln.innerHTML = "<h2>"+data[params.get("type")]+"</h2";
    else vuln.innerHTML = "<h2>This region seems like something you need to look at.</h2>";
}

window.onhashchange = () => {
    vulnParams();
}

vulnParams();

We can see that main.js uses Arg library to parse location.hash and uses URLSearchParams to parse query strings.

tl;dr

• Make a GET request to /gettoken%3fcreditcard=mmm&promocode=FREEWAF to get the token.
• Using the token make another request with {"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"} to get the flag.

# Intro

Hello everyone, it’s been over a month I have shared something on my blog. I was busy with academic stuff and CTFs. But finally, I have decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit, however, let this be a motivation to all who haven’t yet found their first bug.

I found the bug on a jewelry website. They did not have any vulnerability disclosure programs, but I was lucky enough to get a positive response from them. It was on a fine evening, after all the “hustle and bustle” of online classes ended, I was scrolling through my Instagram feed and I noticed an advertisement for a jewelry website.

tl;dr

• Rename table and exploit SQL Injection to get the flag.

# Challenge Description

Who let the blacklists out?

# Source Code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

<?php
require('database.php');

$user = $_GET['user'];
$pass = $_GET['pass'];

if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass))
{
    highlight_file(__FILE__);
    exit;
}

$mysql = get_db();
$mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'");

do
{
    if ($result = $mysql->store_result())
    {
        if ($row = $result->fetch_assoc())
        {
            echo json_encode($row) . '<br/>';
        }
        $result->free();
    }
}
while ($mysql->next_result());

$mysql->close();

# Analysis

• Parameters user and pass are directly fed into the query and might cause SQL Injection.
• The filters applied for the parameters are not strong enough.
• Multiple queries can be executed at a time since multi_query function is used.
• Inserting single quotes are not allowed.

# Solution

1. Inserting \ as value for user parameter causes a part of the query to be treated as a string, and the pass parameter can be used for SQL Injection. The query becomes