Web on Zero's Blog /tags/web/ Recent content in Web on Zero's Blog Hugo en-us Tue, 24 Feb 2026 12:58:00 +0700 0x4 - Learn CTF: Web Exploitation /posts/0x4-learn-ctf-web-exploitation/ Tue, 24 Feb 2026 12:58:00 +0700 /posts/0x4-learn-ctf-web-exploitation/ <h2 id="table-of-contents">Table of Contents</h2> <ul> <li><a href="#no-sql-injection-picoctf">No SQL Injection (picoCTF)</a></li> <li><a href="#startup-company-picoctf">Startup Company (picoCTF)</a></li> </ul> <hr> <h2 id="no-sql-injection-picoctf">No SQL Injection (picoCTF)</h2> <h3 id="summary">Summary</h3> <ul> <li><strong>Category:</strong> Web / NoSQL Injection</li> <li><strong>Challenge:</strong> <code>No SQL Injection</code></li> <li><strong>Target:</strong> <code>http://atlas.picoctf.net:54182/</code></li> <li><strong>Goal:</strong> bypass login and recover flag token.</li> </ul> <h3 id="source-analysis">Source analysis</h3> <p>From <code>server.js</code>, login handler parses user input like this:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-js" data-lang="js"><span style="display:flex;"><span><span style="color:#a6e22e">email</span><span style="color:#f92672">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">email</span>.<span style="color:#a6e22e">startsWith</span>(<span style="color:#e6db74">&#34;{&#34;</span>) <span style="color:#f92672">&amp;&amp;</span> <span style="color:#a6e22e">email</span>.<span style="color:#a6e22e">endsWith</span>(<span style="color:#e6db74">&#34;}&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">?</span> <span style="color:#a6e22e">JSON</span>.<span style="color:#a6e22e">parse</span>(<span style="color:#a6e22e">email</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">:</span> <span style="color:#a6e22e">email</span>, </span></span><span style="display:flex;"><span><span style="color:#a6e22e">password</span><span style="color:#f92672">:</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">password</span>.<span style="color:#a6e22e">startsWith</span>(<span style="color:#e6db74">&#34;{&#34;</span>) <span style="color:#f92672">&amp;&amp;</span> <span style="color:#a6e22e">password</span>.<span style="color:#a6e22e">endsWith</span>(<span style="color:#e6db74">&#34;}&#34;</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">?</span> <span style="color:#a6e22e">JSON</span>.<span style="color:#a6e22e">parse</span>(<span style="color:#a6e22e">password</span>) </span></span><span style="display:flex;"><span> <span style="color:#f92672">:</span> <span style="color:#a6e22e">password</span>, </span></span></code></pre></div><p>Then it performs:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-js" data-lang="js"><span style="display:flex;"><span><span style="color:#a6e22e">User</span>.<span style="color:#a6e22e">findOne</span>({ <span style="color:#a6e22e">email</span><span style="color:#f92672">:</span> <span style="color:#f92672">&lt;</span><span style="color:#a6e22e">parsed</span><span style="color:#f92672">&gt;</span>, <span style="color:#a6e22e">password</span><span style="color:#f92672">:</span> <span style="color:#f92672">&lt;</span><span style="color:#a6e22e">parsed</span><span style="color:#f92672">&gt;</span> }) </span></span></code></pre></div><p>So if we send JSON object strings, they become Mongo operators instead of plain strings.</p>