A. Where is flag [MISC]

Screenshot 2024-10-05 at 1.14.31 PM.png

find / -name 'flag*'

cat /usr/share/doc/git/contrib/coccinelle/flag_55d897ab4e4d23db331b059ff90fa1215a5c1f5407bedc4ba934b046ddbb8f26

DH{b09fa30000a64e3e0b51cdf36577f725d40a104352a79b87b4bd187d06cac605}


D. Guess the password [WEB]

/static/script.js

// Submit handler for the password form: validates the typed password entirely
// in the browser and writes the verdict into the #result element.
//
// Security note: every value the input is compared against (the base64
// literal, the character-code list and the single-character literals below)
// is shipped to the client inside this script. Anyone who can load
// /static/script.js can read them, so this check provides no secrecy; a real
// secret has to be verified server-side and never embedded in client code.
document.getElementById('password-form').addEventListener('submit', (e) => {
    // Stop the browser's default form submission; the check runs locally only.
    e.preventDefault();
    const input = document.getElementById('password').value;
    const resultElement = document.getElementById('result');

    // Length gate: anything that is not exactly 68 characters is rejected early.
    if (input.length !== 68) {
        resultElement.textContent = 'Incorrect password!';
        return;
    }

    // Split the 68 characters into 29 + 29 + 10 (indices 0-28, 29-57, 58-67).
    const input_part1 = input.slice(0, 29);
    const input_part2 = input.slice(29, 58);
    const input_part3 = input.slice(58);

    // Part 1 is compared with a base64-decoded literal and part 2 with a string
    // built from hex character codes. Both are encodings, not protection: they
    // are reversible by anyone reading the source.
    if (input_part1 === atob("REh7ZDc5ZTY0ODEyMjAyMTRhNzY1N2RiMmQzNWQ=") && 
        input_part2 === String.fromCharCode(
            0x34, 0x39, 0x32, 0x37, 0x66, 0x35, 0x37, 0x30, 0x31, 0x61, 0x37, 0x63,
            0x31, 0x37, 0x35, 0x39, 0x37, 0x34, 0x37, 0x64, 0x37, 0x64, 0x33, 0x62,
            0x37, 0x38, 0x33, 0x66, 0x38 )
        ) 
    {
        // Part 3 is checked one character at a time. Indices 1..9 are tested
        // first and index 0 last, so the nesting order is not the string order.
        // Every failing branch reports the same 'Incorrect password!' text.
        if (input_part3[1] === "f") {
            if (input_part3[2] === "0") {
                if (input_part3[3] === "b") {
                    if (input_part3[4] === "7") {
                        if (input_part3[5] === "2") {
                            if (input_part3[6] === "2") {
                                if (input_part3[7] === "1") {
                                    if (input_part3[8] === "7") {
                                        if (input_part3[9] === "}") {
                                            if (input_part3[0] === "c") {
                                                // All three parts matched: the input itself is echoed back as the flag.
                                                resultElement.textContent = 'Correct! Here is the flag: ' + input;
                                            } else {
                                                resultElement.textContent = 'Incorrect password!';
                                            }
                                        } else {
                                            resultElement.textContent = 'Incorrect password!';
                                        }
                                    } else {
                                        resultElement.textContent = 'Incorrect password!';
                                    }
                                } else {
                                    resultElement.textContent = 'Incorrect password!';
                                }
                            } else {
                                resultElement.textContent = 'Incorrect password!';
                            }
                        } else {
                            resultElement.textContent = 'Incorrect password!';
                        }
                    } else {
                        resultElement.textContent = 'Incorrect password!';
                    }
                } else {
                    resultElement.textContent = 'Incorrect password!';
                }
            } else {
                resultElement.textContent = 'Incorrect password!';
            }
        } else {
            resultElement.textContent = 'Incorrect password!';
        }
    } else {
        resultElement.textContent = 'Incorrect password!';
    }
});

part1:

Screenshot 2024-10-05 at 1.17.03 PM.png

DH{d79e6481220214a7657db2d35d

part2:

Screenshot 2024-10-05 at 1.17.40 PM.png

4927f5701a7c1759747d7d3b783f8

part3:

        if (input_part3[1] === "f") {
            if (input_part3[2] === "0") {
                if (input_part3[3] === "b") {
                    if (input_part3[4] === "7") {
                        if (input_part3[5] === "2") {
                            if (input_part3[6] === "2") {
                                if (input_part3[7] === "1") {
                                    if (input_part3[8] === "7") {
                                        if (input_part3[9] === "}") {
                                            if (input_part3[0] === "c") {

cf0b72217}

DH{d79e6481220214a7657db2d35d4927f5701a7c1759747d7d3b783f8cf0b72217}


E. Animal Classes [WEB]

@app.route('/', methods=['GET'])
def get_index():
    """Handle GET / : list all animals and look up the class of the selected one.

    Reads the optional ``selected`` query-string parameter and maps the numeric
    class stored for that animal to a display string.

    NOTE(review): the listing ends before any return/render statement, so what
    the handler finally sends back is not visible here.

    SECURITY: the second query is built with ``%`` string formatting from the
    request parameter, which makes it injectable (see the comment at that line).
    """
    # connect_mysql() is defined elsewhere; it is unpacked as (connection, cursor).
    conn, cursor = connect_mysql()
    try:
        # Constant query with no user input: not affected by the injection issue.
        query = 'SELECT name, class FROM animals'
        cursor.execute(query)
        animals = cursor.fetchall()
    except Exception as e:
        # Any database error is printed to stdout and turned into a 500.
        print(e, flush=True)
        abort(500)
    finally:
        # Always release the cursor and the connection, even on failure.
        cursor.close()
        conn.close()

    animal_class_str = ''

    # Attacker-controlled value: taken straight from the URL query string.
    animal_name = request.args.get('selected')
    if animal_name is not None and animal_name != '':
        conn, cursor = connect_mysql()
        try:
            # VULNERABLE: the request value is interpolated into the SQL text, so
            # quote characters in it change the structure of the statement.
            # Mitigation: keep the SQL constant and pass the value as a bound
            # parameter, e.g. cursor.execute('... WHERE name=%s', (animal_name,))
            # (placeholder style depends on the driver behind connect_mysql() -
            # confirm), and give the database account access only to the tables
            # this page needs.
            query = 'SELECT class FROM animals WHERE name="%s"' % animal_name
            # The full statement, including the user-supplied part, goes to stdout.
            print('query..', query, flush=True)
            cursor.execute(query)
            # fetchone() yields None when no row matches; indexing it then raises
            # and is handled by the except branch below (500 response).
            animal_class = cursor.fetchone()[0]
        except Exception as e:
            print(e, flush=True)
            abort(500)
        finally:
            cursor.close()
            conn.close()

        # Translate the stored numeric class into its label; anything outside
        # 0-3 (including non-integer values) falls through to 'Unknown'.
        if animal_class == 0:
            animal_class_str = 'Mammals'
        elif animal_class == 1:
            animal_class_str = 'Fish'
        elif animal_class == 2:
            animal_class_str = 'Birds'
        elif animal_class == 3:
            animal_class_str = 'Reptiles'
        else:
            animal_class_str = 'Unknown'

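query = 'SELECT class FROM animals WHERE name="%s"' % animal_name 에서 SQL Injection 취약점이 발생합니다. 사용자가 제어하는 selected 파라미터가 검증 없이 문자열 포매팅으로 쿼리에 그대로 삽입되기 때문입니다. init.sql 에 따르면 flag 값은 users 테이블에서 uname이 admin인 행(row)에 존재합니다. 대응 방법은 입력값을 쿼리 문자열에 직접 넣지 않고 파라미터 바인딩(prepared statement)으로 전달하는 것입니다.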