LeakyPipe
Driftbed's review page is more talkative than the team realised when they shipped it. Six years of silence haven't quieted it down.
The Scenario
Driftbed's review feature was the first dynamic page on the site —
they shipped it in 2019 with a Flask debug flag still flipped on,
"just for the launch, just for one week." The launch was a success,
the team moved to the next feature, and the failure surface they'd
meant to clean up before going wide became permanent. The platform
admin configuration shares the same backing store, because that's how
the 2019 deployment was wired and no one has wanted to touch it.
Challenge Intel
Synopsis
Driftbed's review search returns full Python tracebacks on SQL errors. Coerce the admin token into the error string via SQLite's json_extract bad-path message.
What It Is
Driftbed is a D2C mattress brand. The /reviews endpoint accepts a date filter via URL parameter and renders a list of customer reviews. SQL errors are rendered straight to the page along with the full Python traceback and the original SQL query — a relic of the launch when debug=True was supposed to be temporary. The lesson is visible error-based extraction. SQLite doesn't have a built-in extract-via-error function like Postgres or MySQL, but json_extract validates its path argument and raises an error of the form "bad JSON path: '<value>'" — the offending text appears verbatim in the message. Feed it a sub-SELECT against internal_config and the admin token drops into the rendered traceback.
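The error-echo behaviour described above and the corresponding fix, as an added example (not Driftbed's code and not part of the original challenge). It shows that SQLite repeats an invalid json_extract path in its error text, then contrasts a handler that renders errors with one that binds the parameter and keeps error detail server-side. The reviews schema, function names and sample values are constructed assumptions.

```python
import re
import sqlite3

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
GENERIC_ERROR = "Something went wrong. Please try again."

def make_db():
    # Constructed schema and row; table and column names are assumptions.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE reviews (created TEXT, body TEXT);
        INSERT INTO reviews VALUES ('2024-03-01', 'Slept well');
    """)
    return conn

def path_error_text(conn, path):
    """Return SQLite's error text for a json_extract path (value is bound, not injected)."""
    try:
        conn.execute("SELECT json_extract('{}', ?)", (path,)).fetchall()
    except sqlite3.Error as exc:
        return str(exc)  # the invalid path appears verbatim in this message
    return ""

def reviews_debug(conn, since):
    """Launch-style handler: concatenated SQL, error text and query sent to the page."""
    sql = "SELECT body FROM reviews WHERE created >= '" + since + "'"
    try:
        return [r[0] for r in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"{type(exc).__name__}: {exc}\nSQL: {sql}"

def reviews_hardened(conn, since, log):
    """Validate the date, bind it as a parameter, log error detail server-side only."""
    if not DATE_RE.fullmatch(since):
        return "Invalid date filter."
    try:
        rows = conn.execute("SELECT body FROM reviews WHERE created >= ?", (since,))
        return [r[0] for r in rows]
    except sqlite3.Error as exc:
        log.append(repr(exc))  # never rendered to the client
        return GENERIC_ERROR
```

Turning off debug mode alone only hides the traceback; binding the parameter is what removes the injection point.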
Who It's For
Players who've practiced blind extraction and want a faster in-band error-based extraction technique.
Skills You'll Practice
- Reading Python tracebacks for SQL injection signals
- SQLite json_extract bad-path error abuse
- Forcing target data into error strings
- Sub-SELECT inside a SQL function argument
What You'll Gain
- Error-based SQLi technique that doesn't need page-content parsing
- Comfort with SQLite-specific error patterns