Webverselabs Ciphered Cart Challenge File Upload
Scenario:
NovaStore is a direct-to-consumer skincare brand out of Portland that did roughly $14M in 2024 and got publicly embarrassed by a credential leak the year before. The remediation work was assigned by ticket count rather than risk, and the promo-code endpoint — owned by a junior who joined two weeks before the hardening sprint — got the smallest checkbox: a throttle in front of the form and a note that “the rest can wait for Q2.” Q2 came and went.
Solution:
When enumerating the application, we find 2 parameters being used. The first one is category:
I tried multiple SQLi payloads on this parameter but it appears to be well secured. I even used sqlmap but nothing came out of it.
The second parameter I found was the one used to fetch products:
Same thing: I tried multiple SQLi payloads and used sqlmap, but didn’t get anything out of it.
If we check our Burp history, when we click on cart, we make a POST request to /cart.php.
I used sqlmap again to inject inside this POST request but got nothing.
Now let’s try and make a purchase. First we see the coupon field:
If we enter anything, it gets sent as a POST request to the /apply_promo endpoint:
Now let’s try and use sqlmap to inject inside this request.
Perfect, the code parameter is indeed vulnerable. Now let’s dump the databases, then the tables, and get our flag.
Since it is time-based, it might take a bit too long to get the flag. That’s all for this challenge :)
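Added example, not part of the original write-up or the challenge's code: a minimal sketch of why the throttle from the scenario does not fix the `code` parameter, with the string-built query beside a bound-parameter version. The table name, promo-code format and function names are assumptions, and SQLite stands in for the unknown backend, so the constructed input uses a boolean condition rather than a delay; the root cause is the same.

```python
import re
import sqlite3

def make_db():
    # Constructed schema and data; the real NovaStore tables are not shown on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE promo_codes (code TEXT PRIMARY KEY, percent_off INTEGER)")
    conn.execute("INSERT INTO promo_codes VALUES ('GLOW10', 10)")
    return conn

def apply_promo_vulnerable(conn, code):
    # Request data is spliced into the SQL text, so a quote in `code` changes
    # the structure of the statement. Rate limiting slows this down but does
    # not change how the query is built.
    sql = "SELECT percent_off FROM promo_codes WHERE code = '" + code + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

PROMO_FORMAT = re.compile(r"[A-Z0-9]{4,16}")  # assumed promo-code format

def apply_promo_hardened(conn, code, validate=True):
    # Defense in depth: reject values that cannot be a promo code at all.
    if validate and not PROMO_FORMAT.fullmatch(code):
        return None
    # The actual fix: bind the value as a parameter so the driver always
    # treats it as data, never as part of the SQL statement.
    row = conn.execute(
        "SELECT percent_off FROM promo_codes WHERE code = ?", (code,)
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    constructed = "x' OR '1'='1"  # constructed test input
    print("vulnerable:", apply_promo_vulnerable(db, constructed))
    print("hardened:  ", apply_promo_hardened(db, constructed))
    print("bound only:", apply_promo_hardened(db, constructed, validate=False))
```

The `validate=False` call shows that parameter binding alone already neutralises the input; the format check only reduces what reaches the database.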