Challenge Type: Web Exploitation | Difficulty: Medium | Category: CTF
Overview
This challenge featured a custom web application with a user profile management system. The vulnerability chain combined an Insecure Direct Object Reference (IDOR) to leak admin user IDs, followed by a union-based SQL injection to exfiltrate credentials and gain admin access.
Step 1 — Reconnaissance
The application allowed viewing any user profile at /profile?id=X. Incrementing the ID parameter revealed different user profiles — including one with role: admin at ID 1. This is an IDOR — no authorisation check prevents accessing other profiles.
Step 2 — SQL Injection Discovery
The search functionality at /search?q= was injectable. Testing with a single quote ' returned a database error. Confirming with:
q=test' OR '1'='1
This returned every user, confirming a string-context SQL injection.
Step 3 — Union-Based Extraction
q=test' UNION SELECT 1,username,password,4 FROM users-- -
This returned the admin credentials directly in the search response; the password was stored as a raw MD5 hash, which was cracked offline with hashcat (mode 0 is raw MD5):
hashcat -m 0 -a 0 hash.txt rockyou.txt
Remediation
- Implement authorisation checks on every object reference (IDOR fix)
- Use parameterised queries / prepared statements to prevent SQLi
- Hash passwords with bcrypt/argon2 — not MD5
- Implement rate limiting and WAF rules for search endpoints
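As an added example (not code from the writeup or from the challenge application), the first two remediation items applied in Python with sqlite3: the string-concatenated search query beside its parameterised replacement, and a profile lookup that enforces an ownership/role check and never returns the password column. The table schema and the hash values are constructed placeholders; the two payloads are the ones quoted in the writeup, used only to show that the parameterised query treats them as literal text.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the challenge's users table (not its real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?)", [
        (1, "admin", "admin@example.test", "HASH_admin_placeholder", "admin"),
        (2, "alice", "alice@example.test", "HASH_alice_placeholder", "user"),
    ])
    return db


def search_vulnerable(db, q):
    # String concatenation: q is spliced into the SQL text, so a quote in q rewrites the query.
    sql = f"SELECT id, username, email, role FROM users WHERE username = '{q}'"
    return db.execute(sql).fetchall()


def search_safe(db, q):
    # Parameterised query: the driver binds q as a value; quotes, OR and UNION stay literal text.
    sql = "SELECT id, username, email, role FROM users WHERE username = ?"
    return db.execute(sql, (q,)).fetchall()


def view_profile(db, requester_id, target_id):
    """IDOR fix: a profile is returned only to its owner or to an admin, never with the password column."""
    row = db.execute("SELECT role FROM users WHERE id = ?", (requester_id,)).fetchone()
    if row is None or (requester_id != target_id and row[0] != "admin"):
        return None
    prof = db.execute("SELECT id, username, role FROM users WHERE id = ?", (target_id,)).fetchone()
    return dict(zip(("id", "username", "role"), prof)) if prof else None


# The two payloads from the writeup, kept here to contrast the two query styles.
TAUTOLOGY = "test' OR '1'='1"
UNION = "test' UNION SELECT 1,username,password,4 FROM users-- -"

if __name__ == "__main__":
    db = make_db()
    print(len(search_vulnerable(db, TAUTOLOGY)), "rows leaked by the concatenated query")  # 2
    print(search_safe(db, TAUTOLOGY), "rows from the parameterised query")  # []
    print(view_profile(db, 2, 1), "<- alice requesting the admin profile is refused")  # None
```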