๐Ÿ”’ Cyber Security/Web Hacking (์›นํ•ดํ‚น)

[DreamHack] ๋“œ๋ฆผํ•ต ์›นํ•ดํ‚น: simple-sqli

์„ ๋‹ฌ 2022. 9. 22. 11:06
๋ฐ˜์‘ํ˜•

https://dreamhack.io/wargame/challenges/24/

 

simple_sqli

๋กœ๊ทธ์ธ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค. SQL INJECTION ์ทจ์•ฝ์ ์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt, FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค. Reference Server-side Basic

dreamhack.io

 

๋ฌธ์ œ์ •๋ณด

๋กœ๊ทธ์ธ ์„œ๋น„์Šค์ž…๋‹ˆ๋‹ค.
SQL INJECTION ์ทจ์•ฝ์ ์„ ํ†ตํ•ด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ํ•˜์„ธ์š”. ํ”Œ๋ž˜๊ทธ๋Š” flag.txt, FLAG ๋ณ€์ˆ˜์— ์žˆ์Šต๋‹ˆ๋‹ค.

 

๋”๋ณด๊ธฐ
#!/usr/bin/python3
from flask import Flask, request, render_template, g
import sqlite3
import os
import binascii

app = Flask(__name__)
app.secret_key = os.urandom(32)

try:
    FLAG = open('./flag.txt', 'r').read()
except:
    FLAG = '[**FLAG**]'

DATABASE = "database.db"
if os.path.exists(DATABASE) == False:
    db = sqlite3.connect(DATABASE)
    db.execute('create table users(userid char(100), userpassword char(100));')
    db.execute(f'insert into users(userid, userpassword) values ("guest", "guest"), ("admin", "{binascii.hexlify(os.urandom(16)).decode("utf8")}");')
    db.commit()
    db.close()

def get_db():
    db = getattr(g, '_database', None)
    if db is None:
        db = g._database = sqlite3.connect(DATABASE)
    db.row_factory = sqlite3.Row
    return db

def query_db(query, one=True):
    cur = get_db().execute(query)
    rv = cur.fetchall()
    cur.close()
    return (rv[0] if rv else None) if one else rv

@app.teardown_appcontext
def close_connection(exception):
    db = getattr(g, '_database', None)
    if db is not None:
        db.close()

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    else:
        userid = request.form.get('userid')
        userpassword = request.form.get('userpassword')
        res = query_db(f'select * from users where userid="{userid}" and userpassword="{userpassword}"')
        if res:
            userid = res[0]
            if userid == 'admin':
                return f'hello {userid} flag is {FLAG}'
            return f'<script>alert("hello {userid}");history.go(-1);</script>'
        return '<script>alert("wrong");history.go(-1);</script>'

app.run(host='0.0.0.0', port=8000)

 

ํ’€์ด

else:
        userid = request.form.get('userid')
        userpassword = request.form.get('userpassword')
        res = query_db(f'select * from users where userid="{userid}" and userpassword="{userpassword}"')
        if res:
            userid = res[0]
            if userid == 'admin':
                return f'hello {userid} flag is {FLAG}'
            return f'<script>alert("hello {userid}");history.go(-1);</script>'
        return '<script>alert("wrong");history.go(-1);</script>'

 

๋กœ๊ทธ์ธ ํŽ˜์ด์ง€๋กœ ์ด๋™ํ•˜๋ฉด /login ๊ฒฝ๋กœ๋กœ ๋“ค์–ด๊ฐ„๋‹ค.

์ด๊ณณ์—์„œ admin ์•„์ด๋””๋กœ ๋กœ๊ทธ์ธ์— ์„ฑ๊ณตํ•˜๋ฉด ํ”Œ๋ž˜๊ทธ๋ฅผ ํš๋“ ํ•  ์ˆ˜ ์žˆ๋‹ค.

 

 

select * from users where userid="{userid}" and userpassword="{userpassword}"

userid์— ์ž…๋ ฅํ•œ ๊ฐ’์ด {userid} ๊ฐ’์— ๋“ค์–ด๊ฐ€๋ฉฐ sql ๋ฌธ์ด ์‹คํ–‰๋œ๋‹ค.

 

 

admin"/* ์„ userid ์ž๋ฆฌ์— ๋„ฃ์œผ๋ฉด 

select * from users where userid="admin" /*" and userpassword="{userpassword}"

๋‹ค์Œ๊ณผ ๊ฐ™์ด admin ๋’ท๋ถ€๋ถ„์ด /* ๋กœ ์ธํ•ด ์ฃผ์„์ฒ˜๋ฆฌ๊ฐ€ ๋˜๋ฉฐ

๋‚ด๋ถ€์— ์‚ฝ์ž…๋œ sql ๊ตฌ๋ฌธ์ด ์‹คํ–‰๋œ๋‹ค.

 

ํŒจ์Šค์›Œ๋“œ์˜ ์ผ์น˜ ์กฐ๊ฑด์—†์ด ์œ ์ €๋ฅผ ๋ถˆ๋Ÿฌ์˜ค๊ฒŒ ๋˜๋ฏ€๋กœ ๋ฐ”๋กœ admin ๊ณ„์ •์œผ๋กœ ๋กœ๊ทธ์ธ ์„ฑ๊ณต.

๋ฐ˜์‘ํ˜•