Tags: web sqlinjection
Rating:
# game-leaderboard (web - 174 points)
## Context
The application shows a leaderboard, and the source code leaks an API endpoint that can be called with each user ID to get that user's information. If the user ID belongs to the winner, the flag is shown.
## Vulnerabilities
- SQL injection
- broken authorization
## Exploitation
In order to get the user information we need to find out the `profile_id` of the first user, which is not printed on the leaderboard but is requested from the database. The query is vulnerable to SQL injection after the clause `WHERE score >` because there is no sanitization before the query is executed. I used the following query to leak the `profile_id` and print it after the players (I used Burp to intercept the request because client-side checks do not allow letter insertion): `1 UNION select 1,profile_id,1 FROM leaderboard where score>42--` (URL encoded)
The last step is to call the endpoint `user/:profile_id` and get the flag :)
Flag: `tjctf{h3llo_w1nn3r_0r_4re_y0u?}`
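As an added illustration (not code from the challenge or its authors), a minimal Python/sqlite3 model of the two bugs: the leaderboard query built by string concatenation next to a parameterized version that rejects the payload above, and a `user/:profile_id` handler that checks ownership. The schema, column names and sample rows are constructed assumptions chosen to match the three-column UNION in the payload.

```python
import sqlite3

# Writeup payload, URL-decoded (the string quoted in the exploitation section).
WRITEUP_PAYLOAD = "1 UNION select 1,profile_id,1 FROM leaderboard where score>42--"


def build_db():
    # Constructed sample data; the real schema is unknown, so the column set is
    # an assumption matching the three-column UNION in the payload.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE leaderboard (position INTEGER, username TEXT, "
               "score INTEGER, profile_id TEXT)")
    db.executemany("INSERT INTO leaderboard VALUES (?, ?, ?, ?)", [
        (1, "winner", 99, "pid-w1nn3r"),
        (2, "alice", 50, "pid-alice"),
        (3, "bob", 10, "pid-bob"),
    ])
    return db


def leaderboard_vulnerable(db, min_score):
    # The request value is pasted straight into the WHERE clause, so a UNION
    # can pull profile_id (never meant to be shown) into the username column.
    sql = f"SELECT position, username, score FROM leaderboard WHERE score > {min_score}"
    return db.execute(sql).fetchall()


def leaderboard_safe(db, min_score):
    # Validate on the server (client-side checks are bypassed with a proxy):
    # coerce to int, which raises ValueError on the payload, and bind the value
    # so it can never change the shape of the query.
    score = int(min_score)
    sql = "SELECT position, username, score FROM leaderboard WHERE score > ?"
    return db.execute(sql, (score,)).fetchall()


def user_profile(db, profile_id, session_profile_id):
    # Authorization fix for user/:profile_id: knowing or guessing an id is not
    # enough; the record is returned only to the authenticated owner.
    if profile_id != session_profile_id:
        raise PermissionError("profile belongs to another user")
    sql = "SELECT username, score FROM leaderboard WHERE profile_id = ?"
    return db.execute(sql, (profile_id,)).fetchone()
```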