Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DiceCTF 2021 - Missing Flavortext #15

Open
aszx87410 opened this issue Feb 8, 2021 · 2 comments
Open

DiceCTF 2021 - Missing Flavortext #15

aszx87410 opened this issue Feb 8, 2021 · 2 comments
Labels
Web

Comments

@aszx87410
Copy link
Owner

It'a simple login page:

source code:

const crypto = require('crypto');
const db = require('better-sqlite3')('db.sqlite3')

// remake the `users` table
db.exec(`DROP TABLE IF EXISTS users;`);
db.exec(`CREATE TABLE users(
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  username TEXT,
  password TEXT
);`);

// add an admin user with a random password
db.exec(`INSERT INTO users (username, password) VALUES (
  'admin',
  '${crypto.randomBytes(16).toString('hex')}'
)`);

const express = require('express');
const bodyParser = require('body-parser');

const app = express();

// parse json and serve static files
app.use(bodyParser.urlencoded({ extended: true }));
app.use(express.static('static'));

// login route
app.post('/login', (req, res) => {
  if (!req.body.username || !req.body.password) {
    return res.redirect('/');
  }

  if ([req.body.username, req.body.password].some(v => v.includes('\''))) {
    return res.redirect('/');
  }

  // see if user is in database
  const query = `SELECT id FROM users WHERE
    username = '${req.body.username}' AND
    password = '${req.body.password}'
  `;

  let id;
  try { id = db.prepare(query).get()?.id } catch {
    return res.redirect('/');
  }

  // correct login
  if (id) return res.sendFile('flag.html', { root: __dirname });

  // incorrect login
  return res.redirect('/');
});

app.listen(3000);

We need to bypass the authentication by sql injection. But it filters single quote, how to bypass this?

Actually they already gave us a hint:

// parse json and serve static files
app.use(bodyParser.urlencoded({ extended: true }));

But the comment seems wrong, it's not parse json(it should be bodyParser.json), it's to let urlencoded can be parse by qs library which support passing array or even object.

Like this:

username[] = ' or '1' = '1
password[] = ' or '1' = '1

So both username and password is an array: ["' or '1' = '1'"]. And it will be string ' or 1' = '1' when concat with other string.
@aszx87410 aszx87410 added the Web label Feb 8, 2021
@aszx87410 aszx87410 mentioned this issue Feb 8, 2021
Open
@aszx87410
Copy link
Owner Author

@kingrootdm Nope, if we use bodyParser.json, we can pass json data like:

{
  "username": ["' or '1' = '1"]
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Web
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@aszx87410 and others