webProeasy

MetricFlow

hackadvisor

Task: Business analytics platform with Report Builder that passes metric alias names directly into Django ORM annotate() calls, placing them in double-quoted SQL identifiers. Solution: Inject double quote in alias to break out of identifier context, add subquery to SELECT clause to enumerate sqlite_master and extract flag from admin_secrets table.

$ ls tags/ techniques/

sqlite sql_injection nodejs django express blind_sqli boolean_based decoy_flag analytics orm_injection event_filter annotation_injection report_builder

binary_search_extractionsqlite_schema_enumerationboolean_based_blind_sqlidecoy_flag_avoidanceevent_filter_injectiondjango_orm_annotation_alias_injectionsubquery_injection_via_alias_breakout

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]MetricFlow— hackadvisor
[web][Pro]MetricFlow — DOM XSS via Prototype Pollution Gadget— hackadvisor
[web][Pro]Lab 168 — MetricFlow — Insecure Deserialization via Dashboard Import— hackadvisor
[web][Pro]Lab 3 — DeskFlow — SQL Injection in Ticket View— hackadvisor
[web][Pro]Lab 112 — MetricFlow — IDOR in Usage Analytics API— hackadvisor