https://s3-us-west-2.amazonaws.com/secure.notion-static.com/4d0ef329-850d-49bc-9c92-3e91cbbbbd02/Untitled.png

Actually, I had not heard of ORM before this challenge.

Solution

  1. Look through app.js

    It can be seen that the username is "admin" and the query made to the database is as shown below.

    "SELECT * FROM users WHERE username='" + req.body.username + "' AND password='" + req.body.password + "'"
    

    Both req.body.username and req.body.password are concatenated straight into the query string, so this looks like a standard SQL injection: break out of the single-quoted string literal and bypass the password check.

    We can send in the username as such:

    admin' OR 1=1--

    The single quote is a meta-character: a special character that changes how the characters after it are interpreted. Here it "closes" the string literal that the application opened for the username, so everything we write after it is parsed as SQL rather than as data.

    1=1 is a tautology that always evaluates to TRUE. The two dashes are also a meta-character: they start a comment that runs to the end of the line, so the rest of the original query (the closing quote and the password check) is ignored, and it no longer matters whether that remainder is syntactically valid. One caveat: in MySQL the -- marker must be followed by whitespace to count as a comment, so the payload would need a trailing space (admin' OR 1=1-- ) or the # comment character instead; in SQLite and PostgreSQL the bare -- works as written.

    Query that the database receives:

    SELECT * FROM users WHERE username='admin' OR 1=1--' AND password='<any random password>'
    

    As seen above, the WHERE clause is true for every row (username='admin' OR 1=1), so the query returns all users, and everything after the two dashes, including the password check, is commented out. The application then treats the non-empty result as a successful login; since admin is the first row, a more precise payload such as admin'-- would also work and would match only the admin account.

  2. Perform the SQL injection.

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/1848fe89-cafe-416e-980b-b8e58f1f3a6c/Untitled.png

    Note: The password field can be left empty, since the password check is commented out either way.

    https://s3-us-west-2.amazonaws.com/secure.notion-static.com/aa6abd0e-3705-492b-bd97-bde999a9a66f/1.png

    We have successfully performed the SQL injection and the flag is displayed.

    Flag: flag{sqli_overused_again_0b4f6}
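To make the bypass concrete, the following is an added Python reconstruction of the login check (it is not the challenge's app.js, which is Node; the table name, column names and the credentials in it are assumed for illustration). It runs the same concatenated query from step 1 against an in-memory SQLite database, shows that the payload from step 2 logs in as admin without a password, and puts the parameterized query that fixes the bug next to it.

```python
import sqlite3


def build_db():
    """Constructed sample database: a users table with two made-up accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cret-admin-pw"), ("guest", "guest")],  # assumed credentials
    )
    conn.commit()
    return conn


def render_query(username, password):
    """The query exactly as app.js builds it: user input glued into the SQL text."""
    return (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Mirrors the challenge: returns the username of the first matching row, or None.

    Because the input becomes part of the SQL, a username such as
    admin' OR 1=1--  closes the string literal, adds a tautology and comments
    out the password check, so the query matches every row.
    """
    row = conn.execute(render_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened version: bound parameters keep the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    payload = "admin' OR 1=1--"
    print(render_query(payload, ""))
    print("vulnerable:", vulnerable_login(db, payload, ""))   # admin
    print("precise   :", vulnerable_login(db, "admin'--", ""))  # admin
    print("safe      :", safe_login(db, payload, ""))         # None
```

The rendered query shows why the closing quote from the original string does no harm: it lands after the `--` and is part of the comment. The parameterized version sends the same payload as a plain string value, so the database looks for a user literally named `admin' OR 1=1--` and finds nothing.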