Day 2: Toy Management

Challenge description:
The evil elves have changed the admin access to Santa's Toy Management Portal.
Can you get the access back and save the Christmas?

Source code review

It's always great to have a peek at the source code. There are a lot of files, but what stands out is that the programmer made some odd decisions on how to perform SQL queries...

database.js

```javascript
async listToys(approved = 1) {
    return new Promise(async (resolve, reject) => {
        // Parameterised query: the value travels separately from the SQL text
        let stmt = `SELECT * FROM toylist WHERE approved = ?`;
        this.connection.query(stmt, [approved], (err, result) => {
            if (err)
                reject(err)
            try {
                resolve(JSON.parse(JSON.stringify(result)))
            }
            catch (e) {
                reject(e)
            }
        })
    });
}

async loginUser(user, pass) {
    return new Promise(async (resolve, reject) => {
        // User-controlled strings are interpolated straight into the SQL text
        let stmt = `SELECT username FROM users WHERE username = '${user}' and password = '${pass}'`;
        this.connection.query(stmt, (err, result) => {
            if (err)
                reject(err)
            try {
                resolve(JSON.parse(JSON.stringify(result)))
            }
            catch (e) {
                reject(e)
            }
        })
    });
}
```

Somehow the safer prepared statement with a ? placeholder is used for the ordinary toy listing, but the login query is built by interpolating the username and password straight into the SQL string...

SQLi

Thus, the simple payload admin'-- - as the username leads us to the flag: the quote closes the username literal and the comment marker drops the rest of the WHERE clause, including the password check.
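To make the difference between the two query styles concrete, here is an added example that is not part of the challenge's code: the interpolated login query from database.js beside a parameterised version, both run through a stub `connection` object that records the statement it would hand to the driver (the stub, the helper names and the sample credentials are constructed for this illustration; the `query(sql, values, callback)` shape follows the Node.js mysql driver used in the challenge).

```javascript
// Builds the login statement the way loginUser() in database.js does:
// user input is interpolated into the SQL text itself.
function vulnerableLoginQuery(user, pass) {
  return {
    sql: `SELECT username FROM users WHERE username = '${user}' and password = '${pass}'`,
    params: [],
  };
}

// Hardened form, mirroring what listToys() already does: placeholders in the
// SQL, values passed separately so the driver never treats them as SQL.
function safeLoginQuery(user, pass) {
  return {
    sql: 'SELECT username FROM users WHERE username = ? and password = ?',
    params: [user, pass],
  };
}

// Stub standing in for this.connection: records every (sql, params) pair
// instead of talking to MySQL, so the example runs offline.
function makeRecordingConnection() {
  const calls = [];
  return {
    calls,
    query(sql, params, cb) {
      if (typeof params === 'function') { cb = params; params = []; }
      calls.push({ sql, params });
      cb(null, []); // no rows; we only care about what reached the driver
    },
  };
}

// Same promise wrapper as the challenge, with the query builder injected.
function loginUser(connection, buildQuery, user, pass) {
  return new Promise((resolve, reject) => {
    const { sql, params } = buildQuery(user, pass);
    connection.query(sql, params, (err, result) => {
      if (err) return reject(err);
      resolve(result);
    });
  });
}

// Defender-side sanity check over the statement that reaches the driver:
// after removing a trailing "--" comment, is the password comparison still
// part of the WHERE clause, or did input cut it off?
function passwordCheckIntact(sql) {
  const withoutComment = sql.replace(/--.*$/m, '');
  return /password = /.test(withoutComment);
}

// Constructed sample input: the username payload from this writeup plus an
// arbitrary password.
const SAMPLE_USER = "admin'-- -";
const SAMPLE_PASS = 'anything';

// Runs both variants and returns what each one would send to MySQL.
async function demo() {
  const vulnerable = makeRecordingConnection();
  const safe = makeRecordingConnection();
  await loginUser(vulnerable, vulnerableLoginQuery, SAMPLE_USER, SAMPLE_PASS);
  await loginUser(safe, safeLoginQuery, SAMPLE_USER, SAMPLE_PASS);
  return { vulnerable: vulnerable.calls[0], safe: safe.calls[0] };
}

demo().then((result) => {
  console.log('interpolated :', result.vulnerable.sql);
  console.log('parameterised:', result.safe.sql, result.safe.params);
});
```

Running it shows the interpolated statement ending at `username = 'admin'` with the password comparison commented away, while the parameterised statement is byte-for-byte the developer's constant and the payload sits inert in the parameter array.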

[Screenshot: admin dashboard]

Flag

HTB{1nj3cti0n_1s_in3v1t4bl3}