Write-up of the challenge “simple_sqli”#

This challenge is part of the “Web” category and is level 1.

Goal of the challenge#

The objective of this challenge is to perform sql injection

Program structure#

1
#!/usr/bin/python3
2
from flask import Flask, request, render_template, g
3
import sqlite3
4
import os
5
import binascii
6

7
app = Flask(__name__)
8
app.secret_key = os.urandom(32)
9

10
try:
11
    FLAG = open('./flag.txt', 'r').read()
12
except:
13
    FLAG = '[**FLAG**]'
14

15
DATABASE = "database.db"
16
if os.path.exists(DATABASE) == False:
17
    db = sqlite3.connect(DATABASE)
18
    db.execute('create table users(userid char(100), userpassword char(100));')
19
    db.execute(f'insert into users(userid, userpassword) values ("guest", "guest"), ("admin", "{binascii.hexlify(os.urandom(16)).decode("utf8")}");')
20
    db.commit()
21
    db.close()
22

23
def get_db():
24
    db = getattr(g, '_database', None)
25
    if db is None:
26
        db = g._database = sqlite3.connect(DATABASE)
27
    db.row_factory = sqlite3.Row
28
    return db
29

30
def query_db(query, one=True):
31
    cur = get_db().execute(query)
32
    rv = cur.fetchall()
33
    cur.close()
34
    return (rv[0] if rv else None) if one else rv
35

36
@app.teardown_appcontext
37
def close_connection(exception):
38
    db = getattr(g, '_database', None)
39
    if db is not None:
40
        db.close()
41

42
@app.route('/')
43
def index():
44
    return render_template('index.html')
45

46
@app.route('/login', methods=['GET', 'POST'])
47
def login():
48
    if request.method == 'GET':
49
        return render_template('login.html')
50
    else:
51
        userid = request.form.get('userid')
52
        userpassword = request.form.get('userpassword')
53
        res = query_db(f'select * from users where userid="{userid}" and userpassword="{userpassword}"')
54
        if res:
55
            userid = res[0]
56
            if userid == 'admin':
57
                return f'hello {userid} flag is {FLAG}'
58
            return f'<script>alert("hello {userid}");history.go(-1);</script>'
59
        return '<script>alert("wrong");history.go(-1);</script>'
60

61
app.run(host='0.0.0.0', port=8000)

Vulnerability#

This is bad since the userid and the userpassword are directly inserted without any input sanitization.

1
res = query_db(f'select * from users where userid="{userid}" and userpassword="{userpassword}"')

This is bad because it returns without any sanitization.

Solution#

What we will be doing is trying to change this query:

1
f'select * from users where userid="{userid}" and userpassword="{userpassword}"'

1
f'select * from users where userid="admin"'

So our solution is to provide in the userid field “admin—. This ” would close the earlier statement and comment out (—) the next statment.

You might say how did we know that there is an userid with admin?

We knew that from this basic code block:

1
if userid == 'admin':
2
    return f'hello {userid} flag is {FLAG}'