[DreamHack] Find The Lost Flag Write-up
2025. 1. 6. 17:43ㆍ보안/웹
728x90
이런 화면이 나온다. 데이터베이스라고 나와있는 걸 보니 SQL Injection 문제인 것 같다.
코드를 보면
from flask import Flask, request, render_template_string
import sqlite3
app = Flask(__name__)
def init_db():
conn = sqlite3.connect('challenge.db')
c = conn.cursor()
c.execute('''CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, secret TEXT)''')
c.execute("INSERT OR IGNORE INTO users (id, username, password, secret) VALUES (1, 'admin', '**[NO!]**', '**[HERE_IS_THE_FLAG]**')")
c.execute("INSERT OR IGNORE INTO users (id, username, password, secret) VALUES (2, 'guest', 'guestpassword', 'Huh? Do you think the owner will give guests the flag? :)')")
conn.commit()
conn.close()
@app.route('/')
def index():
return '<h1>Welcome to the Secret Database</h1><p>Login to see your secrets.</p>'
@app.route('/login', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
username = request.form.get('username')
password = request.form.get('password')
conn = sqlite3.connect('challenge.db')
c = conn.cursor()
query = f"SELECT secret FROM users WHERE username = '{username}' AND password = '{password}'"
print(f"Executing query: {query}")
try:
c.execute(query)
result = c.fetchone()
if result:
return f"<h1>Welcome, {username}!</h1><p>Your secret: {result[0]}</p>"
else:
return "<h1>Login failed</h1><p>Invalid username or password.</p>"
except Exception as e:
return f"<h1>Error</h1><p>{e}</p>"
finally:
conn.close()
return '''
<form method="post">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>
'''
if __name__ == '__main__':
init_db()
app.run(debug=True)
긴데
@app.route('/login', methods=['GET', 'POST'])
이 부분이랑
query = f"SELECT secret FROM users WHERE username = '{username}' AND password = '{password}'"
이 부분만 보면 될 것 같다.
첫 번는 /login url에 로그인을 시도해볼 수 가 있고,
두 번째는 SQL Injection이 가능한 지점을 알려준다.
우선 /login을 해 보면
로그인창이 나온다.
username에 SQL Injection을 시도해보면 문제를 해결 할 수 있다.
- 정답
- admin'and 1=1-- ‘
728x90
'보안 > 웹' 카테고리의 다른 글
| [DreamHack] Replace Trick! Write-up (0) | 2025.01.06 |
|---|---|
| [DreamHack] web-misconf-1 Write-up (0) | 2024.12.26 |
| [DreamHack] Carve Party Write-up (0) | 2024.12.26 |
| [DreamHack] 🌱 simple-web-request Write-up (0) | 2024.12.26 |
| [DreamHack] ex-reg-ex Write-up (0) | 2024.12.26 |