Tradesman
Stylus Hi-Fi's seller dashboard login was wired up alongside the rest of the platform in 2017. The login query is still the original implementation.
The Scenario
Stylus Hi-Fi is a vintage record marketplace based in Portland — sellers list their inventory, buyers search by Goldmine grade, the platform takes 8%. The public marketplace went through three frontend rewrites since 2017. The seller dashboard hasn't. Login still goes through the original query.
Challenge Intel
Synopsis
Bypass Stylus Hi-Fi's seller login via classic SQL injection and read an internal admin note containing a rotating integration key.
What It Is
Stylus Hi-Fi is a Discogs-style vintage record marketplace. The seller dashboard sits behind a username/password login at /seller/login. The login handler builds the auth query by string-concatenating the handle and the password into a single SELECT statement. The first seller in the database (the platform's internal admin account) has elevated permissions that expose an admin-notes page. This is the canonical SQL-injection-for-login-bypass exercise, framed against a marketplace seller portal with a real public surface, real listings, and a real internal admin area.
Who It's For
Players moving past the WHERE-clause warm-up who want to practice the auth-bypass pattern on a marketplace UI.
Skills You'll Practice
- Recognizing string-concatenated SQL in authentication handlers
- Using comment-out / OR-true tricks to bypass password checks
- Identifying privileged accounts by row order in databases
- Reading authenticated UI for the post-auth target
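The string-concatenated login query from "What It Is" and the comment-out / OR-true bypass named in the skills list, shown as an added example (not the challenge's own code): a vulnerable handler beside its parameterized fix, with a regression check a maintainer could keep. The schema, seller rows and admin-first row order are constructed here to mirror the challenge description; real deployments would also store password hashes rather than plaintext.

```python
import sqlite3

# Constructed sample data (hypothetical, not Stylus Hi-Fi's real database).
# Row order matters: the first seller is the platform's internal admin,
# exactly the situation the challenge describes.
SEED_ROWS = [
    (1, "stylus_admin", "PLACEHOLDER-ADMIN-PASSWORD", 1),
    (2, "vinylvic", "crate-digger-42", 0),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sellers (id INTEGER PRIMARY KEY, handle TEXT, "
        "password TEXT, is_admin INTEGER)"
    )
    db.executemany("INSERT INTO sellers VALUES (?, ?, ?, ?)", SEED_ROWS)
    return db

def login_concat(db, handle, password):
    # The 2017-style handler: input is spliced into the SQL text, so a quote
    # or a comment marker in the handle changes what the statement means.
    sql = ("SELECT id, handle, is_admin FROM sellers WHERE handle = '"
           + handle + "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()  # first matching row wins

def login_param(db, handle, password):
    # Hardened form: bound parameters keep the input as data, never as SQL.
    sql = ("SELECT id, handle, is_admin FROM sellers "
           "WHERE handle = ? AND password = ?")
    return db.execute(sql, (handle, password)).fetchone()

def regression_check():
    """Run both handlers on a handle shaped like the comment-out / OR-true
    trick. Returns (vulnerable_result, hardened_result): the concatenated
    query collapses to a tautology and hands back the first row (the admin),
    while the parameterized query treats the same text as a literal handle."""
    db = make_db()
    tautology_handle = "' OR 1=1 --"
    return (login_concat(db, tautology_handle, ""),
            login_param(db, tautology_handle, ""))

if __name__ == "__main__":
    vulnerable, hardened = regression_check()
    print("concatenated query returned:", vulnerable)
    print("parameterized query returned:", hardened)
```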
What You'll Gain
- End-to-end SQLi login bypass against a real-shaped marketplace
- Habit of looking at row order / sort order for first-row implications