Wait; pay extra for premium?!

Description

Our shop has a nice product page feature where you can take a look through all the different Flags. Sadly the product page is not listing the shiny fl4g, which is only available for premium customers. You can buy a premium subscription for 1 Bitcoin or you can try to make the shop also list the whole flag database for non-premium customers. ;)

You can reach our shop at: https://sfl.cs.tu-dortmund.de:10004/

Solution

This solution was done with the Firefox web browser.

The webshop has a page that lists all the items. On this page you can filter the items via a dropdown menu.

[Image: webshop item page with filter dropdown]

There is an option for "premium flags", but it cannot be selected. Let's take a look at the page with the browser's developer tools; in particular we want to know how the filter works. Open the developer tools and switch to the Network tab.

Once you select an item from the dropdown and click the search button, the page performs a POST request to the /items/ endpoint.

[Image: Firefox Network tab showing the POST request]

Inspecting the POST request, we can see that the selected dropdown value is submitted as JSON under the key "search-string". Maybe this value is used to search for our flag in the database? Right-click the request and choose Edit and Resend. Change the body of the request to {"search-string":"'austria flag' or 1=1"} and send it. If the server pastes this value into its SQL query unchanged, the trailing or 1=1 makes the WHERE clause true for every row, so the query returns the whole table, premium items included.

[Image: edited JSON body in the Edit and Resend view]

The response now contains an additional item named "ctf fl4g SkrF5UMtqxI1JVEA".

[Image: results page with the extra flag]

The image of this item contains the flag needed to solve the challenge. The link to the image is shown if you switch the response view to raw mode.

[Image: pirate flag with the flag text]
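To make the injection concrete, here is an added example (not code from the challenge or its authors) that models a plausible /items/ handler in Python with an in-memory SQLite table. The table rows, the column names and the shape of the query are assumptions; the real backend is not visible in the writeup. The payload from the writeup is run against a string-concatenating handler and against a parameterized one, so you can see why the first leaks the premium row and the second does not.

```python
import json
import sqlite3

# Constructed sample rows standing in for the shop's flag table; the real
# schema and data are not visible in the writeup.
FLAGS = [
    ("austria flag", "/img/austria.png", 0),
    ("pirate flag", "/img/pirate.png", 0),
    ("ctf fl4g", "/img/fl4g.png", 1),   # the premium-only row
]

# The request body used in the writeup, built the same way a browser would send it.
PAYLOAD = json.dumps({"search-string": "'austria flag' or 1=1"})


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flags (name TEXT, image TEXT, premium INTEGER)")
    db.executemany("INSERT INTO flags VALUES (?, ?, ?)", FLAGS)
    return db


def search_vulnerable(body, db=None):
    """Assumed shape of the /items/ handler: the submitted search string is
    pasted straight into the WHERE clause. Under that assumption a legitimate
    dropdown value arrives already quoted ('austria flag'), and anything the
    client appends becomes part of the SQL."""
    if db is None:
        db = make_db()
    term = json.loads(body)["search-string"]
    # premium = 0 is checked first; AND binds tighter than OR, so an injected
    # "or 1=1" turns the clause into (premium = 0 AND name = ...) OR 1=1,
    # which is true for every row and discards the premium restriction.
    query = f"SELECT name, image FROM flags WHERE premium = 0 AND name = {term}"
    return [name for name, _image in db.execute(query)]


def search_safe(body, db=None):
    """Hardened handler: the search string is bound as a parameter, so it can
    only ever be compared against the name column, never executed as SQL.
    The client sends the bare value (austria flag), without quotes."""
    if db is None:
        db = make_db()
    term = json.loads(body)["search-string"]
    query = "SELECT name, image FROM flags WHERE premium = 0 AND name = ?"
    return [name for name, _image in db.execute(query, (term,))]


if __name__ == "__main__":
    print("vulnerable:", search_vulnerable(PAYLOAD))   # all three rows, fl4g included
    print("safe:      ", search_safe(PAYLOAD))         # [] - no flag has that name
```

Run the file directly to see both results. Note that the assumed handler checks premium = 0 before the name comparison; that ordering is what lets or 1=1 lift the premium restriction, because AND binds tighter than OR. A handler that appended AND premium = 0 after the name comparison would still hide the premium row from this particular payload, so if a plain or 1=1 does not change the result, the query structure, not the presence of an injection, is the first thing to question.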