pwnshopped sqli-pin

pwncollege · Dec 18, 2024 · 3bcc31b · 3bcc31b
1 parent d4039e0
commit 3bcc31b
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/web-security/pwnshop.yml b/web-security/pwnshop.yml
@@ -21,3 +21,6 @@ challenges:
 - id: cmdi-ls-filter
   challenge: CommandInjectionLSFilter
   binary_name: server
+- id: sqli-pin
+  challenge: SQLInjectionPin
+  binary_name: server
diff --git a/web-security/sqli-pin/server b/web-security/sqli-pin/server
@@ -8,6 +8,7 @@ import os
 
 app = flask.Flask(__name__)
 
+
 class TemporaryDB:
     def __init__(self):
         self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db")
@@ -20,12 +21,14 @@ class TemporaryDB:
         connection.commit()
         return result
 
+
 db = TemporaryDB()
 # https://www.sqlite.org/lang_createtable.html
 db.execute("""CREATE TABLE users AS SELECT "admin" AS username, ? as pin""", [random.randrange(2**32, 2**63)])
 # https://www.sqlite.org/lang_insert.html
 db.execute("""INSERT INTO users SELECT "guest" as username, 1337 as pin""")
 
+
 @app.route("/", methods=["POST"])
 def challenge_post():
     username = flask.request.form.get("username")
@@ -34,7 +37,7 @@ def challenge_post():
         flask.abort(400, "Missing `username` form parameter")
     if not pin:
         flask.abort(400, "Missing `pin` form parameter")
-    
+
     if pin[0] not in "0123456789":
         flask.abort(400, "Invalid pin")
 
@@ -52,6 +55,7 @@ def challenge_post():
     flask.session["user"] = username
     return flask.redirect(flask.request.path)
 
+
 @app.route("/", methods=["GET"])
 def challenge_get():
     if not (username := flask.session.get("user", None)):
@@ -61,14 +65,18 @@ def challenge_get():
         if username == "admin":
             page += "<br>Here is your flag: " + open("/flag").read()
 
-    return page + """
+    return (
+        page
+        + """
         <hr>
         <form method=post>
         User:<input type=text name=username>PIN:<input type=text name=pin><input type=submit value=Submit>
         </form>
         </body></html>
     """
+    )
+
 
 app.secret_key = os.urandom(8)
-app.config['SERVER_NAME'] = f"challenge.localhost:80"
+app.config["SERVER_NAME"] = f"challenge.localhost:80"
 app.run("challenge.localhost", 80)