Nodepwn
Got the source code:
import { createClient } from "@libsql/client";
const client = createClient({
url: ":memory:",
});
await client.batch(
[
"CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)",
`INSERT INTO users (username, password) VALUES ('admin', '${crypto.randomUUID()}')`,
],
"write"
);
import express from "express";
const app = express();
const port = 3000;
app.use(express.urlencoded({ extended: true }));
app.use(express.static("public"));
app.get("/", (req, res) => {
res.sendFile("index.html");
});
function unsafeString(str) {
return str.includes("'");
}
app.post("/login", async (req, res) => {
const { username, password } = req.body;
try {
if (unsafeString(username) || unsafeString(password)) {
res.status(400).send("Invalid input");
return;
}
const user = await client.execute(`SELECT * FROM users WHERE username = '${username}' AND password = '${password}';`);
if (user.rows.length === 0) {
res.status(401).send("Invalid username or password");
} else {
res.send(`Logged in, here is your flag: ${process.env.FLAG}`);
}
} catch (error) {
console.error(error);
res.status(500).send("Internal Server Error");
}
});
app.get("/source", (req, res) => {
res.sendFile("/app/index.mjs");
});
app.listen(port, () => console.log(`Example app listening on port ${port}`));Itโs interesting to note the /login endpoint:
Seems to be a path traversal:
Hello World
Instead of disable="disable" put enable="enable"
Baby potato
Inspecting source code i discovered a weird comment:
