Someone just recently making a new website, find the full name of the author.
Please solve it in locally first!
BOT: http://152.42.183.87:8182/
Submit the Flag With This Format: CJ{[a-z0-9\\s]}
Here’s a breakdown of how to approach this challenge by chaining multiple vulnerabilities together to retrieve the flag stored in the full_name of the admin user.
The first vulnerability here is an ORM oracle. You can exploit this to leak specific columns, particularly the full_name column from the users table.
Vulnerable Code:
public static function applyFilters(Builder $query, array $params, int $user_id): Builder
{
    foreach ($params as $key => $value) {
        if (strpos($key, '.') !== false) {
            $relations = explode('.', $key);
            if (count($relations) === 2) {
                list($relation, $field) = $relations;
                $query->whereHas($relation, function ($q) use ($field, $value, $user_id) {
                    $q->where($field, 'LIKE', '%' . $value . '%');
                });
            }
        } else {
            $query->where($key, 'LIKE', '%' . $value . '%');
        }
    }
    $query->where('user_id', '=', $user_id);
    return $query;
}
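For contrast, here is a hardened version of applyFilters as an added example (not code from the challenge or this write-up): filter keys are checked against an allow-list of columns and relation.column pairs, so a user-supplied key can no longer reach users.full_name, and LIKE wildcards in values are escaped. The Builder import is Laravel's; the allow-listed column and relation names are assumed placeholders.

```php
<?php
// Added example (not from the original write-up): a hardened applyFilters.
// Assumes Laravel's Eloquent Builder; the allow-listed column and relation
// names are hypothetical placeholders for the application's real schema.
use Illuminate\Database\Eloquent\Builder;
final class SafeFilters
{
    // Top-level columns that callers may filter on (hypothetical names).
    private const ALLOWED_COLUMNS = ['title', 'artist'];
    // relation => columns that callers may filter on. Sensitive columns such as
    // users.full_name are absent, so they cannot be probed through LIKE.
    private const ALLOWED_RELATIONS = [
        'album' => ['name'],
    ];
    public static function applyFilters(Builder $query, array $params, int $user_id): Builder
    {
        foreach ($params as $key => $value) {
            // Array values (?title[]=x) are never valid filter strings.
            if (!is_string($key) || !is_string($value)) {
                continue;
            }
            $like = '%' . self::escapeLike($value) . '%';
            if (str_contains($key, '.')) {
                $parts = explode('.', $key);
                if (count($parts) !== 2) {
                    continue;
                }
                [$relation, $field] = $parts;
                // Reject any relation or column that is not explicitly allow-listed.
                if (!in_array($field, self::ALLOWED_RELATIONS[$relation] ?? [], true)) {
                    continue;
                }
                $query->whereHas($relation, function (Builder $q) use ($field, $like) {
                    $q->where($field, 'LIKE', $like);
                });
            } elseif (in_array($key, self::ALLOWED_COLUMNS, true)) {
                $query->where($key, 'LIKE', $like);
            }
        }
        return $query->where('user_id', '=', $user_id);
    }
    // Escape LIKE metacharacters so user input is matched literally.
    private static function escapeLike(string $value): string
    {
        return addcslashes($value, '%_\\');
    }
}
```

Unknown keys are dropped rather than passed through, which is the behaviour that closes the oracle: the only way to influence the query is through the names the application itself declared.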
The second vulnerability is an XSS issue, caused by an exploitable username field in search.html.
Vulnerable Code:
...snip...
$(function () {
var owner = "{{username}}";
var playerTrack = $("#player-track"),
...snip...
A limitation here is that the username field has a maximum length of 64 characters, so any XSS payload needs to be concise. Using jQuery’s $.globalEval can help shorten the payload further and work around the Content Security Policy (CSP) unsafe-eval restriction.
CSP restrictions might prevent certain scripts from running, but $.globalEval can be used to bypass this, as it uses a different approach to execute a string as a script. Perhaps the implementation will look like this: