The website was a normal Expense Tracker site with a Login and a Sign-Up page. Based on the challenge description and name, it was clear that the challenge was mostly about SQL Injection. So, first I decided to see how the website works and what functionality it offers.
After signing up with a dummy account, I was logged in and redirected to the dashboard page. There were two more pages: Expenses and Logout.
On the Expenses page, we can add expenses to be tracked and even generate a report of them.
On clicking on “GENERATE REPORT”, we get a message saying:
Report generation requested successfully! Check your inbox after 10 seconds!!!
On the Inbox page, we can see that a CSV file is ready to be downloaded.
Now, I spent a lot of time searching for where the SQLi vulnerability would be present. My first page to test was obviously the Expenses Page. After trying SQLi payloads in all possible parameters (Description, Amount and Date), I came to the conclusion that the Expenses Page is not vulnerable to SQLi.
SQLi can also be found in the Login and Sign-Up pages of a website. So, this time I made more dummy accounts with SQLi payloads in them. Still, there was no hint of an SQL Injection vulnerability.
I had tested almost all functions except Generate Report and finally decided to give it a go. I assumed that the website would use either my username or my email as the identifier to fetch my expense records from the database.
So, I made a fake account with credentials:
username: dum’
email: [email protected]
Password: Anything
After logging in, I went to the Expenses page and clicked on Generate Report. On checking the inbox, we find that the Report Generation failed.
So, we have finally found the vulnerable endpoint and now we need to just exploit it.
I assumed that the backend SQL query is somewhat similar to the following:
SELECT id, amount, category, description, date
FROM expenses
WHERE username = '<username>'; -- SQLi vulnerable: the stored username is inserted into the query unescaped
The challenge most likely wanted us to perform UNION-based SQL Injection. Using UNION-based queries, we can get the output of multiple tables together. For this, the first step is to find the number of columns returned by the current query.
Payloads:
' ORDER BY 1--
' ORDER BY 2--
' ORDER BY 3--
' ORDER BY 4--
... (keep increasing the number until an error occurs)
// E.g. if the error occurs at "' ORDER BY 4--", then the query returns 3 columns
To execute this, I had to logout and make accounts with username having these payloads.
On using the payload ' ORDER BY 4--, we get an error. This means that the query returns 3 columns from that table.
Now that I had the number of columns, the next step was to get the names of the tables present. In SQLite, the schema metadata (including every table name) is stored in the sqlite_master table.
' UNION SELECT name,NULL,NULL FROM sqlite_master WHERE type='table'--
On making a new account with this payload as the username, we get a successful generate report response.
On downloading the CSV file, we see that we now have the names of all the tables.
From the list of tables, one entry stood out:
aDNyM19uMF9mMTRn : h3r3_n0_f14g (Base64-encoded string)
This looked suspicious to me, and I decided to dump the data in that table this time.
Payload:
' UNION SELECT *,NULL FROM aDNyM19uMF9mMTRn--
On making another account with the above payload as the username and generating the report again, we get a successful generate report response.
On downloading the CSV file, we finally get the flag.
Flag: picoCTF{s3c0nd_0rd3r_1t_1s_4611c226}
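To show why the injection is "second order" and how it is fixed, here is an added example (my own code, not the challenge's source): a constructed SQLite schema with a parameterized sign-up step and two versions of the report query, one that concatenates the stored username and one that binds it as a parameter. The table layout and the report_for_all_users background job are assumptions that mirror the query guessed above.

```python
import sqlite3

# Constructed schema and rows (assumptions, not the challenge's real database).
# Sign-up stores the username unchanged; the report job later builds a query
# from that stored value, which is what makes the injection second-order.
SCHEMA = """
CREATE TABLE users (username TEXT, email TEXT);
CREATE TABLE expenses (username TEXT, id INTEGER, amount REAL, category TEXT);
INSERT INTO expenses VALUES ('alice', 1, 12.5, 'food');
INSERT INTO expenses VALUES ('alice', 2, 40.0, 'travel');
"""

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def sign_up(conn, username, email):
    # Sign-up is parameterized, so it is not where the bug is:
    # the payload is stored as a plain string, quote and all.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, email))

def report_unsafe(conn, username):
    # Vulnerable pattern: the stored username is concatenated into the
    # report query, so a quote inside it changes the query's structure.
    sql = ("SELECT id, amount, category FROM expenses "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()

def report_safe(conn, username):
    # Fixed pattern: a bound parameter keeps the username as data.
    sql = "SELECT id, amount, category FROM expenses WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def report_for_all_users(conn, report_fn):
    # Simulates the background report job: run the report for every stored
    # user and collect either the rows or the error message it produced.
    results = {}
    for (username,) in conn.execute("SELECT username FROM users"):
        try:
            results[username] = report_fn(conn, username)
        except sqlite3.OperationalError as exc:
            results[username] = "error: " + str(exc)
    return results

if __name__ == "__main__":
    conn = new_db()
    sign_up(conn, "alice", "alice@example.test")
    sign_up(conn, "dum'", "dum@example.test")  # the writeup's first probe
    print(report_for_all_users(conn, report_unsafe))
    print(report_for_all_users(conn, report_safe))
```

With the concatenated query the stored username dum' turns into a syntax error (the "Report Generation failed" seen in the inbox), while the parameterized query simply returns no rows for it; the same holds for the UNION payloads above, which the safe version treats as an ordinary, non-matching username.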
Let’s Connect:
Linkedin: Vedant Pillai | LinkedIn
Github: Codewith-Vedant (Vedant Pillai)