Published on: February 6, 2025
2 min read · Posted by Baba is Dead
Baba does a form every single day, but needs other people to help him fill in forms for him! So, he created a simple website to spread forms to everyone! NOTE: ADMIN_CREDS have been set in
The challenge involved a "Formhub" website in which users could log in and post their own forms. An admin bot visits a form when its report button is clicked.
The presence of an admin bot hints at either CSRF or XSS.
This challenge involves both XSS and SQL injection vulnerabilities, which can be exploited as follows:
The following code snippet is vulnerable to SQL injection:
cursor.executescript(f"INSERT INTO forms (formName, formLink, creatorId, formDescription) VALUES ('{formName}', '{formLink}', '{userId}', '{formDescription}')")
Because executescript() runs every statement in the string and the values are interpolated without escaping, a crafted formDescription can terminate the string literal and append further statements. For example, setting formDescription to '; {SQL} -- allows arbitrary SQL execution.
The welcome page contains a vulnerability that can be exploited for XSS:
{{username | safe}}
The |safe filter marks the username as trusted, so it is rendered without escaping and any HTML it contains is interpreted by the browser. If the admin user's username is changed to an XSS payload via the SQL injection, the XSS fires when the admin visits the /welcome page.
The report endpoint applies a simple filter to the submitted URL:
if "forms" not in url:
    url = url + "/forms"
Because this is a plain substring check, a URL such as /welcome?forms passes it unchanged while still sending the admin bot to the welcome page, where the XSS payload executes. To exfiltrate cookies or other sensitive information via the XSS payload, you can use a webhook (e.g., RequestBin) to capture the data.
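As an added illustration (not code from the challenge or the write-up), the snippet below places the vulnerable executescript() insert next to a parameterised version, models the effect of the |safe filter against default autoescaping, and replaces the substring URL check with one that inspects the parsed path. The users table schema and the users/forms contents are assumptions constructed for the demo; the description string is constructed to match the "'; {SQL} --" shape described above.

```python
import sqlite3
from html import escape
from urllib.parse import urlsplit

def make_db():
    # Constructed in-memory schema: the "forms" table from the write-up plus a
    # minimal "users" table (assumed; the page does not show its schema).
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE forms (formName TEXT, formLink TEXT, creatorId TEXT, formDescription TEXT);
        INSERT INTO users (id, username) VALUES (1, 'admin'), (2, 'baba');
    """)
    return db

def insert_form_vulnerable(db, form_name, form_link, user_id, description):
    # As on the page: an f-string passed to executescript(), which runs every
    # statement in the string, so a quote plus ';' in a field appends a query.
    db.cursor().executescript(
        f"INSERT INTO forms (formName, formLink, creatorId, formDescription) "
        f"VALUES ('{form_name}', '{form_link}', '{user_id}', '{description}')"
    )
    db.commit()

def insert_form_fixed(db, form_name, form_link, user_id, description):
    # execute() prepares one statement and binds the values as parameters, so
    # the description is stored verbatim no matter what characters it holds.
    db.execute(
        "INSERT INTO forms (formName, formLink, creatorId, formDescription) "
        "VALUES (?, ?, ?, ?)",
        (form_name, form_link, user_id, description),
    )
    db.commit()

def admin_username(db):
    return db.execute("SELECT username FROM users WHERE id = 1").fetchone()[0]

def render_welcome(username, safe_filter=False):
    # Models the template: '| safe' inserts the raw string, while Jinja
    # autoescaping (on by default in Flask .html templates) neutralises markup.
    return "<h1>Welcome " + (username if safe_filter else escape(username)) + "</h1>"

def report_url_allowed(url):
    # Replacement for the substring check: decide on the parsed path only,
    # so a query string such as '?forms' cannot satisfy the test.
    path = urlsplit(url).path
    return path == "/forms" or path.startswith("/forms/")

# Constructed input shaped like the write-up's "'; {SQL} --" description.
INJECTED = "x'); UPDATE users SET username = '<b>injected</b>' WHERE id = 1; --"
```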
Surprised there was only 1 solve on this. I figured I made this too easy for a medium challenge. Making this challenge was fun tho :P