Rating:
**Challenge Description**:
We are given a CVE search website that claims to implement a database without SQL. The search box posts to `/search` and returns matching CVEs.
**Analysis**:
The `query` parameter is injected directly into a JavaScript regex literal (`/<query>/i`) and evaluated server-side. Any `/` in the input breaks out of the regex and lets us inject arbitrary JS into the filter expression. This leads to NoSQL injection with code execution in the query context.
We can turn this into a Boolean oracle by forcing an exception only when a condition is true:
```
a/&&((COND)?(()=>{throw 1})():1)&&/a
```
If the response contains **"There was a database error."**, the condition evaluated to `true`.
Using the oracle we discover:
1. The real CVE id field is `obj.cveId`.
2. There is a special record with `obj.cveId === "CVE-1337-1337"`.
3. Hidden fields like `obj.vendor` and `obj.product` exist for that record.
4. The flag is stored in `obj.product`.
We then extract the flag with a binary search over `charCodeAt(i)` for each character. A standalone solver script is in `web/cve_db/solve.py`.
**Exploit Strategy**:
1. Confirm oracle works with `COND=true/false`.
2. Target the specific record: `obj.cveId==="CVE-1337-1337"`.
3. Extract `obj.product` character-by-character using `charCodeAt` and a binary search on ASCII.
**Solver**:
`web/cve_db/solve.py`
**Flag**:
`ENO{This_1s_A_Tru3_S1mpl3_Ch4llenge_T0_Solv3_Congr4tz}`
