Flag Shop

hackerlab

Task: Flask shop with balance system and user-created products. Solution: Negative price injection (-99) bypasses character limit validation, increasing buyer balance instead of decreasing it. Multi-account abuse to accumulate funds and buy the flag.

flask input_validation business_logic negative_price

negative_price_injectioninteger_manipulationmulti_account_abuse

$ ls tags/ techniques/

flask input_validation business_logic negative_price

negative_price_injectioninteger_manipulationmulti_account_abuse

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 193 — ShopNova — Price Manipulation in Checkout API— hackadvisor
[web][Pro]Магазин (Gadget Shop)— hl_hacker
[web][Pro]Lab 61 — OrderNova — Negative Quantity Price Manipulation— hackadvisor
[web][Pro]156 - Сломанный магазин (Broken Shop)— duckerz
[pwn][Pro]HackerLab: Simple BOF - Я хочу купить этот флаг!!!— hackerlab