First of all, a big shoutout to the challenge author. All the challenges in this set are available here.
## Analysis

Going through the challenge source, we can see that two JavaScript files are imported.

```html
<script src="https://raw.githack.com/stretchr/arg.js/master/dist/arg-1.4.js"></script>
<script src="js/main.js"></script>
```

arg-1.4.js is a popular library for parsing URL parameters. And main.js has the following content.

```javascript
let data = { small: "Hi, there!
```
tl;dr
- Make a GET request to `/gettoken%3fcreditcard=mmm&promocode=FREEWAF` to get the token.
- Using the token, make another request with `{"name":"' union select flag, 1, 1, 1 from flag -- -", "name":"x"}` to get the flag.
# Intro

Hello everyone, it’s been over a month since I shared something on my blog. I was busy with academic stuff and CTFs. But finally, I have decided to take some time to write a post on my first bug bounty. The bug was small and easy to exploit; however, let this be a motivation to all who haven’t yet found their first bug.
I found the bug on a jewelry website.
tl;dr
Rename table and exploit SQL Injection to get the flag.

# Challenge Description

Who let the blacklists out?

# Source Code

```php
<?php
require('database.php');

$user = $_GET['user'];
$pass = $_GET['pass'];

if (!isset($user) || !isset($pass) || preg_match_all('/(select|union|where|\(|\.|\')/i', $user.$pass)) {
    highlight_file(__FILE__);
    exit;
}

$mysql = get_db();
$mysql->multi_query("SELECT * FROM `users` WHERE `username` = '${user}' AND `password` = '${pass}'");

do {
    if ($result = $mysql->store_result()) {
        if ($row = $result->fetch_assoc()) {
            echo json_encode($row) .
```
tl;dr
- Unintended Solution: Cookie Path Restriction bypass using pop-up windows + JS Sandbox Escape
- Intended Solution: Service Workers + JS Sandbox Escape