LIT CTF 2023 - amogsus-api
Description
Category: Web
I’m working on this new api for the awesome game amogsus You can try it out here: http://litctf.org:31783/
Resolution
1. Overview
Here is the relevant information gathered from reading the source code (main.py):
- the flag is served by the route /flag, but the handler first checks that sus is true;
- when we create an account, sus=False, so we cannot access the flag.
The goal is therefore to change the value of sus to True.
There is a hint about the attack we should use: "Also, I think I might have forgotten to sanitize an input somewhere...".
Since the data is stored in a SQLite3 database, we know we need to perform a SQL injection.
After reading the source code carefully, we found the entry point for an injection:
@app.route('/account/update', methods=['POST'])
def update():
    with sqlite3.connect('database.db') as con:
        cursor = con.cursor()
        token = request.headers.get('Authorization', type=str)
        token = token.replace('Bearer ', '')
        if token:
            for session in sessions:
                if session['token'] == token:
                    data = request.form
                    username = data['username']
                    password = data['password']
                    if (username == '' or password == ''):
                        return jsonify({'message': 'Please provide your new username and password as form-data or x-www-form-urlencoded!'})
                    # INJECTION ENTRYPOINT
                    cursor.execute(f'UPDATE users SET username="{username}", password="{password}" WHERE username="{session["username"]}"')
                    con.commit()
                    session['username'] = username
                    return jsonify({'message': 'Account updated!'})
            return jsonify({'message': 'Invalid token!'})
        else:
            return jsonify({'message': 'Please provide your token!'})
The username and password are interpolated straight into the UPDATE statement with an f-string, so a double quote in the password closes the string literal and lets us append our own SET clause. We can set our password to password", sus=1, password="password so the query becomes:
UPDATE users SET username="{username}", password="password", sus=1, password="password" WHERE username="{session["username"]}"
and sus is now true for our account.
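To make the root cause concrete, here is an added example (not code from the challenge or the write-up) that rebuilds the update against an in-memory SQLite table and runs the write-up's payload through the f-string query and through a parameterised one. The table layout is assumed: main.py's real schema is not shown on the page, so a minimal users(username, password, sus) stand-in is constructed here.

```python
import sqlite3

# Constructed stand-in for the challenge's users table (assumption: the real
# schema in main.py is not on the page; only the three columns the write-up
# mentions are modelled).
SCHEMA = "CREATE TABLE users (username TEXT, password TEXT, sus INTEGER DEFAULT 0)"

# The exact payload from the write-up.
PAYLOAD = 'password", sus=1, password="password'


def make_db():
    """Fresh in-memory database with one ordinary (sus=0) account."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute("INSERT INTO users (username, password, sus) VALUES ('alice', 'pw', 0)")
    con.commit()
    return con


def update_vulnerable(con, session_username, username, password):
    """Same f-string construction as the challenge's /account/update handler.
    The input is spliced into the SQL text, so a quote in it changes the statement."""
    con.execute(f'UPDATE users SET username="{username}", password="{password}" '
                f'WHERE username="{session_username}"')
    con.commit()


def update_safe(con, session_username, username, password):
    """Hardened form: values are bound as parameters, so the payload is stored as
    an ordinary string and can never add a SET clause of its own."""
    con.execute("UPDATE users SET username = ?, password = ? WHERE username = ?",
                (username, password, session_username))
    con.commit()


def read_account(con, username):
    """Return (sus, password) for the given account."""
    return con.execute("SELECT sus, password FROM users WHERE username = ?",
                       (username,)).fetchone()


def demo(updater):
    """Apply the payload through `updater` as user alice and report (sus, password)."""
    con = make_db()
    updater(con, "alice", "alice", PAYLOAD)
    return read_account(con, "alice")


if __name__ == "__main__":
    print("f-string query:     ", demo(update_vulnerable))  # sus flipped to 1
    print("parameterised query:", demo(update_safe))        # sus stays 0, payload stored verbatim
```

A second defence worth keeping even with parameters: the handler should only ever assign the columns a user is allowed to change, so a privilege flag such as sus is never reachable from the update route at all.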
2. Exploit
We use Insomnia to send requests to the server.
First we log in:
Then we add the token as the Authorization header for the next requests:
Now we can update our account and perform the SQL injection:
And access the flag: LITCTF{1njeC7_Th3_sUs_Am0ng_U5}.