You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
constcrypto=require('crypto');constdb=require('better-sqlite3')('db.sqlite3')// remake the `users` tabledb.exec(`DROP TABLE IF EXISTS users;`);db.exec(`CREATE TABLE users( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT);`);// add an admin user with a random passworddb.exec(`INSERT INTO users (username, password) VALUES ( 'admin', '${crypto.randomBytes(16).toString('hex')}')`);constexpress=require('express');constbodyParser=require('body-parser');constapp=express();// parse json and serve static filesapp.use(bodyParser.urlencoded({extended: true}));app.use(express.static('static'));// login routeapp.post('/login',(req,res)=>{if(!req.body.username||!req.body.password){returnres.redirect('/');}if([req.body.username,req.body.password].some(v=>v.includes('\''))){returnres.redirect('/');}// see if user is in databaseconstquery=`SELECT id FROM users WHERE username = '${req.body.username}' AND password = '${req.body.password}' `;letid;try{id=db.prepare(query).get()?.id}catch{returnres.redirect('/');}// correct loginif(id)returnres.sendFile('flag.html',{root: __dirname});// incorrect loginreturnres.redirect('/');});app.listen(3000);
We need to bypass the authentication by sql injection. But it filters single quote, how to bypass this?
But the comment seems wrong, it's not parse json(it should be bodyParser.json), it's to let urlencoded can be parse by qs library which support passing array or even object.
Like this:
username[] = ' or '1' = '1
password[] = ' or '1' = '1
So both username and password is an array: ["' or '1' = '1'"]. And it will be string ' or 1' = '1' when concat with other string.
The text was updated successfully, but these errors were encountered:
It'a simple login page:
source code:
We need to bypass the authentication by sql injection. But it filters single quote, how to bypass this?
Actually they already gave us a hint:
But the comment seems wrong, it's not parse json(it should be
bodyParser.json
), it's to let urlencoded can be parse byqs
library which support passing array or even object.Like this:
So both username and password is an array:
["' or '1' = '1'"]
. And it will be string' or 1' = '1'
when concat with other string.The text was updated successfully, but these errors were encountered: