search

Blank

hashtag
Description

by Eth007

I asked ChatGPT to make me a website. It refused to make it vulnerable so I added a little something to make it interesting. I might have forgotten something though...

Attachments: Sourcearrow-up-right Server: http://blank.chal.imaginaryctf.orgarrow-up-right

hashtag
Analysis

Let's view source:

...
// Database gets created in memory, so if application is restarted no record from previous actions are stored.
const db = new sqlite3.Database(':memory:');
...
// Create users table
db.serialize(() => {
  db.run('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT, password TEXT)');
}); 
...

Login function:

app.post('/login', (req, res) => {
  // Params from post request
  const username = req.body.username; 
  const password = req.body.password; 
	
  // SQLi detected
  db.get('SELECT * FROM users WHERE username = "' + username + '" and password = "' + password+ '"', (err, row) => {
    if (err) { 
      console.error(err); res.status(500).send('Error retrieving user');
    } else {
      if (row) {
        req.session.loggedIn = true;
        req.session.username = username;
        res.send('Login successful!');
      } else {
        res.status(401).send('Invalid username or password');
      }
    }
  });
});

Flag function:

hashtag
Solution

Attack vector is clear, use SQLi to gain admin access. But there's one huge problem, there are no users it table.

  1. We need SQLi with username admin

  2. We need SQLi to get admin

Payload:

Password values can be anything, but UNION requires same argument count and same types (or just NULL values)

Visit /flag

circle-check

Flag: ictf{sqli_too_powerful_9b36140a}

PreviousimaginaryCTFNextDiscord

Last updated