A login page shows up when we try to access the website.
It also came with source code, so let's review it first.
In database.sql, we can see that the flag is stored as a toy name.
In routes/index.js, you can see what happens when we send a request to /api/toylists. It first checks our username. If it equals admin, then approved is changed to 0 and listToys() is called with that approved value. But if our username is not equal to admin, then listToys() is called with the default approved value, which is 1.
The listToys function is defined in database.js. It runs a SQL query that selects all columns where the approved value matches the parameter passed in from routes/index.js above.
So we need to log in to the admin account, because the flag's approved value is 0. We can do this with SQL injection, since the user's input is passed directly into the queries.
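Why a login query built by concatenation is injectable, and what the parameterized form changes, as an added example that is not code from the challenge. The users table, its column names, and all function names here are assumptions, and the sample inputs are constructed.

```javascript
// Added example. Table/column names (users, username, password) are assumed,
// not taken from the challenge source.

// Vulnerable pattern: user input is concatenated into the SQL text itself.
function loginQueryConcat(username, password) {
  return {
    sql: "SELECT username FROM users WHERE username = '" + username +
         "' AND password = '" + password + "'",
    values: [],
  };
}

// Hardened pattern: the SQL text is constant and input travels as bound values.
function loginQueryParam(username, password) {
  return {
    sql: "SELECT username FROM users WHERE username = ? AND password = ?",
    values: [username, password],
  };
}

// Reduce a statement to its skeleton: every complete '...' literal becomes ?.
function skeleton(sql) {
  return sql.replace(/'(?:[^'\\]|\\.|'')*'/g, "?").replace(/\s+/g, " ").trim();
}

// True if the supplied input changes the statement's structure compared with
// a plain baseline login, i.e. the input was parsed as SQL rather than as data.
function inputAltersStructure(build, username, password) {
  const baseline = skeleton(build("alice", "secret").sql);
  return skeleton(build(username, password).sql) !== baseline;
}

// Constructed input: an ordinary name that happens to contain a quote.
const sample = "o'neil";
console.log("concat altered:", inputAltersStructure(loginQueryConcat, sample, "pw"));
console.log("param altered: ", inputAltersStructure(loginQueryParam, sample, "pw"));
```

With bound parameters the statement text never depends on the input, so a quote in the username stays data.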
You can log in as admin with this payload