medusa-2-registration-sql-injection/server.js at main · kavix/medusa-2-registration-sql-injection · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
const express = require('express');
const sqlite3 = require('sqlite3').verbose();
const path = require('path');

const app = express();
const PORT = process.env.PORT || 3000;
const CTF_FLAG = process.env.CTF_FLAG || 'Medusa{CTF_CHALLENGE_PHASE1_PASSED}';

// Disable X-Powered-By header for security
app.disable('x-powered-by');

// Middleware
app.use(express.json());
app.use(express.static(path.join(__dirname, 'dist')));

// Database connection
const db = new sqlite3.Database('database.db', (err) => {
    if (err) {
        console.error('Error opening database:', err.message);
        process.exit(1);
    }
    console.log('Connected to SQLite database.');
});

// Serve the main page
app.get('/', (req, res) => {
    res.sendFile(path.join(__dirname, 'dist', 'index.html'));
});

// VULNERABLE LOGIN ENDPOINT - INTENTIONALLY SUSCEPTIBLE TO SQL INJECTION
app.post('/login', (req, res) => {
    const { username, password } = req.body;

    if (!username || !password) {
        return res.status(401).json({
            success: false,
            message: 'Invalid credentials.'
        });
    }

    // VULNERABILITY: Direct string concatenation in SQL query
    // This is intentionally vulnerable to SQL injection
    const query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";

    db.get(query, (err, row) => {
        if (err) {
            console.error('Database error:', err.message);
            return res.status(401).json({
                success: false,
                message: 'Invalid credentials.'
            });
        }

        // Check if a row was returned and if the username is 'admin'
        if (row && row.username === 'admin') {
            // Send flag as HTTP response header
            res.setHeader('X-CTF-Flag', CTF_FLAG);
            return res.json({
                success: true,
                message: 'Login successful! Check the response headers ASAP for more rewards.',
                redirect: true // Signal to frontend to fetch redirect URL
            });
        } else {
            // For any other case (no row, non-admin user, etc.)
            return res.status(401).json({
                success: false,
                message: 'Invalid credentials.'
            });
        }
    });
});

// SECURE REWARD ENDPOINT - Hidden from frontend inspection
app.get('/reward', (req, res) => {
    // Add basic protection - only allow requests with proper headers
    const userAgent = req.headers['user-agent'];
    if (!userAgent || userAgent.includes('curl') || userAgent.includes('wget')) {
        return res.status(403).json({ error: 'Access denied' });
    }

    const rewardUrl = 'https://medusa.ecsc-uok.com/7458c148293e2f70830e369ace8d3b9c';
    res.json({ url: rewardUrl });
});

// Start server
app.listen(PORT, () => {
    console.log(`Vulnerable CTF server running on port ${PORT}`);
    console.log(`Access the application at: http://localhost:${PORT}`);
    console.log('');
    console.log('=== SQL INJECTION CHALLENGE ===');
    console.log('Goal: Login as "admin" user without knowing the password');
    console.log('');
    console.log('Hint: The username field might be vulnerable to SQL injection...');
});

// Graceful shutdown
process.on('SIGINT', () => {
    console.log('\nShutting down server...');
    db.close((err) => {
        if (err) {
            console.error('Error closing database:', err.message);
        } else {
            console.log('Database connection closed.');
        }
        process.exit(0);
    });
});