refactored old-6

web-security/level-6/DESCRIPTION.md

@@ -0,0 +1,10 @@
+So far, the database structure has been known to you (e.g., the name of the `users` table), allowing you to knowingly craft your queries.
+As a developer, you might be tempted to prevent this by, say, randomizing your table names, so that an attacker can't specify them to query data that they are not supposed to.
+Unfortunately, this is not the slam dunk that you might think it is.
+
+Databases are complex and much too clever for their own good.
+For example, almost all modern databases keep the database layout specification itself _in a table_.
+Attackers can query this table to get the table names, field names, and whatever other information they might need!
+
+In this level, the developers have randomized the name of the (previously known as) `users` table.
+Find it, and find the flag!

web-security/level-6/server

@@ -0,0 +1,52 @@
+#!/opt/pwn.college/python
+
+import tempfile
+import sqlite3
+import random
+import flask
+import os
+
+app = flask.Flask(__name__)
+
+class TemporaryDB:
+    def __init__(self):
+        self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db")
+
+    def execute(self, sql, parameters=()):
+        connection = sqlite3.connect(self.db_file.name)
+        connection.row_factory = sqlite3.Row
+        cursor = connection.cursor()
+        result = cursor.execute(sql, parameters)
+        connection.commit()
+        return result
+
+db = TemporaryDB()
+# https://www.sqlite.org/lang_createtable.html
+user_table = f"users_{random.randrange(2**32, 2**33)}"
+db.execute(f"""CREATE TABLE IF NOT EXISTS {user_table} AS SELECT "admin" AS username, ? as password""", [open("/flag").read()])
+# https://www.sqlite.org/lang_insert.html
+db.execute(f"""INSERT INTO {user_table} SELECT "guest" as username, "password" as password""")
+
+@app.route("/", methods=["GET"])
+def challenge():
+    query = flask.request.args.get("query", "%")
+
+    try:
+        # https://www.sqlite.org/schematab.htmlF
+        # https://www.sqlite.org/lang_select.html
+        sql = f'SELECT username FROM {user_table} WHERE username LIKE "{query}"'
+        results = "\n".join(user["username"] for user in db.execute(sql).fetchall())
+    except sqlite3.Error as e:
+        results = f"SQL error: {e}"
+
+    return f"""
+        <html><body>Welcome to the user query service!
+        <form>Query:<input type=text name=query value='{query}'><input type=submit value=Submit></form>
+        <hr>
+        <b>Query:</b> <pre>{sql.replace(user_table, "REDACTED")}</pre><br>
+        <b>Results:</b><pre>{results}</pre>
+        </body></html>
+        """
+
+app.secret_key = os.urandom(8)
+app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))

web-security/module.yml

@@ -28,7 +28,6 @@ challenges:
   name: SQLi 3
 - id: level-6
   name: SQLi 4
-  description: Exploit a structured query language injection vulnerability with an unknown database structure
 - id: level-7
   name: SQLi 5
   description: Exploit a structured query language injection vulnerability to blindly leak data