Serious vulnerabilities #1

@cvandeplas

Description

I did a quick audit of the code and I would like to point out some serious issues in this codebase:

  • access to unauthorized functions: administrative functions are callable by any user over the websocket
  • multiple SQL injections: SQL queries are not (all) parametrized, nor is all input sanitized. You can easily perform SQL injections over the websocket (example: do a socket.emit('getProblem', {'group': '12 or 1=1 -- ','problem': '38' }); and you'll get more results than allowed) (more serious inserts are also possible)

The SQL injections are relatively easy to fix; however, the fact that the user's authorization is not checked when administrative functions are called over the websocket is a bigger problem to tackle.

In short, I would recommend performing a serious penetration test on this software before using it for a CTF.
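The two patterns the report describes, shown side by side as an added illustration (this is not the project's code and not part of the issue above): a `getProblem` handler that concatenates the `group` and `problem` fields into SQL, which the reported payload `'12 or 1=1 -- '` turns into a query matching every row, next to a handler that validates the fields as integers, uses placeholders, and is wrapped in a role check before any admin-only event runs. The table and column names, the `socket.user.role` field and the `deleteProblem` admin event are assumptions, since the page does not show the real schema or event names.

```javascript
// Added example, not the project's code. Schema, role field and the
// 'deleteProblem' event are assumptions; the payload is the one from the report.

// --- Vulnerable pattern: values pasted into the SQL text ----------------
// Assumed table/column names; the real schema is not on the page.
function buildGetProblemUnsafe(group, problem) {
  return `SELECT * FROM problems WHERE group_id = ${group} AND problem_id = ${problem}`;
}

// --- Hardened pattern: validated input plus placeholders ----------------
// Accept only small non-negative integers (as a number or a digit string).
function toInt(value, name) {
  if (typeof value === 'number' && Number.isInteger(value) && value >= 0) return value;
  if (typeof value === 'string' && /^\d{1,9}$/.test(value)) return Number(value);
  throw new Error(`invalid ${name}`);
}

function buildGetProblemSafe(group, problem) {
  // The driver sends `values` separately from `text`, so a value such as
  // "12 or 1=1 -- " can never become part of the query, and toInt rejects it anyway.
  return {
    text: 'SELECT * FROM problems WHERE group_id = ? AND problem_id = ?',
    values: [toInt(group, 'group'), toInt(problem, 'problem')],
  };
}

// --- Authorization wrapper for socket handlers --------------------------
// Assumes the server attached the authenticated user to socket.user at
// handshake time. Admin-only events are listed explicitly (deny by default).
const ADMIN_EVENTS = new Set(['deleteProblem']);

function requireRole(socket, event, handler) {
  return (payload) => {
    const role = socket.user && socket.user.role;
    if (!role) throw new Error(`unauthenticated: ${event}`);
    if (ADMIN_EVENTS.has(event) && role !== 'admin') {
      throw new Error(`forbidden: ${event}`);
    }
    return handler(payload);
  };
}

// Stand-in for socket.on(event, fn) registration so the example runs offline.
function registerHandlers(socket) {
  const handlers = {};
  handlers.getProblem = requireRole(socket, 'getProblem', (p) =>
    buildGetProblemSafe(p.group, p.problem));
  handlers.deleteProblem = requireRole(socket, 'deleteProblem', (p) => ({
    text: 'DELETE FROM problems WHERE problem_id = ?',
    values: [toInt(p.problem, 'problem')],
  }));
  return handlers;
}

// Demo with the payload from the report.
const reportedPayload = { group: '12 or 1=1 -- ', problem: '38' };
console.log(buildGetProblemUnsafe(reportedPayload.group, reportedPayload.problem));
// "--" comments out "AND problem_id = 38", and "or 1=1" matches every row.

const playerSocket = registerHandlers({ user: { id: 7, role: 'player' } });
try { playerSocket.getProblem(reportedPayload); } catch (e) { console.log('rejected:', e.message); }
console.log(playerSocket.getProblem({ group: '12', problem: '38' }));
try { playerSocket.deleteProblem({ problem: '38' }); } catch (e) { console.log('rejected:', e.message); }
```

The role check lives in one wrapper applied at registration time rather than inside each handler, so a newly added admin event is denied to non-admins unless someone deliberately leaves it out of `ADMIN_EVENTS`; the integer validation is a second layer on top of the placeholders, not a replacement for them.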
