From 331d19d60da1b77f8ba77d7cc2689b7830fe3b6d Mon Sep 17 00:00:00 2001
From: Yan
Date: Sat, 31 Aug 2024 23:28:40 -0700
Subject: [PATCH] refactored old-6

---
 web-security/level-6/.config | 1 -
 web-security/level-6/DESCRIPTION.md | 10 ++++++
 web-security/level-6/run | 1 -
 web-security/level-6/server | 52 +++++++++++++++++++++++++++++
 web-security/module.yml | 1 -
 5 files changed, 62 insertions(+), 3 deletions(-)
 delete mode 100644 web-security/level-6/.config
 create mode 100644 web-security/level-6/DESCRIPTION.md
 delete mode 120000 web-security/level-6/run
 create mode 100755 web-security/level-6/server

diff --git a/web-security/level-6/.config b/web-security/level-6/.config
deleted file mode 100644
index 1e8b3149..00000000
--- a/web-security/level-6/.config
+++ /dev/null
@@ -1 +0,0 @@
-6
diff --git a/web-security/level-6/DESCRIPTION.md b/web-security/level-6/DESCRIPTION.md
new file mode 100644
index 00000000..6a0ecd91
--- /dev/null
+++ b/web-security/level-6/DESCRIPTION.md
@@ -0,0 +1,10 @@
+So far, the database structure has been known to you (e.g., the name of the `users` table), allowing you to knowingly craft your queries.
+As a developer, you might be tempted to prevent this by, say, randomizing your table names, so that an attacker can't specify them to query data that they are not supposed to.
+Unfortunately, this is not the slam dunk that you might think it is.
+
+Databases are complex and much too clever for their own good.
+For example, almost all modern databases keep the database layout specification itself _in a table_.
+Attackers can query this table to get the table names, field names, and whatever other information they might need!
+
+In this level, the developers have randomized the name of the (previously known as) `users` table.
+Find it, and find the flag!
diff --git a/web-security/level-6/run b/web-security/level-6/run
deleted file mode 120000
index 84ba55b9..00000000
--- a/web-security/level-6/run
+++ /dev/null
@@ -1 +0,0 @@ -../run \ No newline at end of file diff --git a/web-security/level-6/server b/web-security/level-6/server new file mode 100755 index 00000000..a58877aa --- /dev/null +++ b/web-security/level-6/server @@ -0,0 +1,52 @@ +#!/opt/pwn.college/python + +import tempfile +import sqlite3 +import random +import flask +import os + +app = flask.Flask(__name__) + +class TemporaryDB: + def __init__(self): + self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db") + + def execute(self, sql, parameters=()): + connection = sqlite3.connect(self.db_file.name) + connection.row_factory = sqlite3.Row + cursor = connection.cursor() + result = cursor.execute(sql, parameters) + connection.commit() + return result + +db = TemporaryDB() +# https://www.sqlite.org/lang_createtable.html +user_table = f"users_{random.randrange(2**32, 2**33)}" +db.execute(f"""CREATE TABLE IF NOT EXISTS {user_table} AS SELECT "admin" AS username, ? as password""", [open("/flag").read()]) +# https://www.sqlite.org/lang_insert.html +db.execute(f"""INSERT INTO {user_table} SELECT "guest" as username, "password" as password""") + +@app.route("/", methods=["GET"]) +def challenge(): + query = flask.request.args.get("query", "%") + + try: + # https://www.sqlite.org/schematab.htmlF + # https://www.sqlite.org/lang_select.html + sql = f'SELECT username FROM {user_table} WHERE username LIKE "{query}"' + results = "\n".join(user["username"] for user in db.execute(sql).fetchall()) + except sqlite3.Error as e: + results = f"SQL error: {e}" + + return f""" + Welcome to the user query service! +
Query:
+
+ Query:
{sql.replace(user_table, "REDACTED")}

+ Results:
{results}
+ + """ + +app.secret_key = os.urandom(8) +app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80))) diff --git a/web-security/module.yml b/web-security/module.yml index 38bd9595..1a7b7eaf 100644 --- a/web-security/module.yml +++ b/web-security/module.yml @@ -28,7 +28,6 @@ challenges: name: SQLi 3 - id: level-6 name: SQLi 4 - description: Exploit a structured query language injection vulnerability with an unknown database structure - id: level-7 name: SQLi 5 description: Exploit a structured query language injection vulnerability to blindly leak data
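Review bot: `TemporaryDB.execute` opens a fresh `sqlite3` connection on every call and never closes it, so each request to `challenge()` leaves a connection open until the cursor it returns is garbage-collected (the cursor is what keeps that connection referenced). Fetching the rows inside `execute` and closing the connection in a `finally` fixes this for both call sites, provided the `.fetchall()` at the call site in `challenge()` is dropped, i.e. `results = "\n".join(user["username"] for user in db.execute(sql))`. The comment link `# https://www.sqlite.org/schematab.htmlF` has a stray trailing `F`. Separately, `results` and the redacted SQL are interpolated into the response body unescaped, and Flask serves a returned string as text/html by default; wrapping both in `html.escape(...)` would display the same text without letting it be parsed as markup (needs `import html` next to the other imports).
```python
    def execute(self, sql, parameters=()):
        connection = sqlite3.connect(self.db_file.name)
        try:
            connection.row_factory = sqlite3.Row
            # commit on success, roll back on error, and always close
            with connection:
                return connection.execute(sql, parameters).fetchall()
        finally:
            connection.close()

# … unchanged: table setup, route decorator, query/sql construction …
        results = "\n".join(user["username"] for user in db.execute(sql))
```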