Penguin Login - LACTF 2024

penguin-login February 2024 - Blind SQL injection

“I got tired of people leaking my password from the db so I moved it out of the db.”

Prior knowledge: basic web-related knowledge, SQL

Context

We are provided with the link to the challenge website and the corresponding source code. The website is quite simple, and the usage of its features is straightforward:

All the code is in app.py:

```python
...
allowed_chars = set(string.ascii_letters + string.digits + " 'flag{a_word}'")
forbidden_strs = ["like"]


@cache
def get_database_connection():
    # Get database credentials from environment variables
    db_user = os.environ.get("POSTGRES_USER")
    db_password = os.environ.get("POSTGRES_PASSWORD")
    db_host = "db"

    # Establish a connection to the PostgreSQL database
    connection = psycopg2.connect(user=db_user, password=db_password, host=db_host)
    return connection


with app.app_context():
    conn = get_database_connection()
    create_sql = """
        DROP TABLE IF EXISTS penguins;
        CREATE TABLE IF NOT EXISTS penguins (
            name TEXT
        )
    """
    with conn.cursor() as curr:
        curr.execute(create_sql)
        curr.execute("SELECT COUNT(*) FROM penguins")
        if curr.fetchall()[0][0] == 0:
            curr.execute("INSERT INTO penguins (name) VALUES ('peng')")
            curr.execute("INSERT INTO penguins (name) VALUES ('emperor')")
            curr.execute("INSERT INTO penguins (name) VALUES ('%s')" % (flag))
    conn.commit()


@app.post("/submit")
def submit_form():
    try:
        username = request.form["username"]
        conn = get_database_connection()
        assert all(c in allowed_chars for c in username), "no character for u uwu"
        assert all(
            forbidden not in username.lower() for forbidden in forbidden_strs
        ), "no word for u uwu"
        with conn.cursor() as curr:
            curr.execute("SELECT * FROM penguins WHERE name = '%s'" % username)
            result = curr.fetchall()
            if len(result):
                return "We found a penguin!!!!!", 200
            return "No penguins sadg", 201
    except Exception as e:
        return f"Error: {str(e)}", 400
    # need to commit to avoid connection going bad in case of error
    finally:
        conn.commit()
...
```

The query in `submit_form` is built with `%` string formatting instead of a parameterized `curr.execute(sql, (username,))` call, so the character allowlist and the `like` blocklist are the only things standing between user input and the SQL text; the response only tells us whether a row matched, which is what makes the injection blind.
We know that the website uses Postgres as its RDBMS, and that the flag is stored as a row in the `penguins` table alongside the other penguin names. ...
