​

lightning talks @ Pykonik Tech Talks #63

by disconnect3d

​

disconnect2d

Topics:

• 18 sesja windowsowa
• Task "Collector" from PlaidCTF 2023 aka Postgres replica "bug"
• Envvars
• CPython 3.11 speedup

17 Sesja Linuksowa

​

https://17.sesja.linuksowa.pl/

18 sesja windowsowa

18 sesja windowsowa

https://18.sesja.linuksowa.pl/

​

Now:

• https://web.archive.org/web/20230000000000*/18.sesja.linuksowa.pl
• https://web.archive.org/web/20230423160451/http://18.sesja.linuksowa.pl/

DEMO + ovh + dig

Also thx to @efpee#0659 for finding and showing this bug to me & CLUG.

Zadanko "Collector" z PlaidCTF

aka Postgres vs Postgres

Collector z Plaid CTF 2023

main db

worker db

Frontend/backend

node.js

webhook �napisany w

C na aarch64

Collector z Plaid CTF 2023

main db

worker db

Frontend/backend

node.js

webhook �napisany w

C na aarch64

Webhook:

• kind=...
• target=http:/…
• secret=...

HTTP

request

Collector z Plaid CTF 2023

main db

worker db

Frontend/backend

node.js

webhook �napisany w

C na aarch64

Webhook:

• kind=...
• target=http:/…
• secret=...

HTTP

request

webhook

webhook

Collector z Plaid CTF 2023

main db

worker db

Frontend/backend

node.js

webhook �napisany w

C na aarch64

Webhook:

• kind=...
• target=http:/…
• secret=...

HTTP

request

webhook

webhook

webhook

Collector z Plaid CTF 2023

main db

worker db

Frontend/backend

node.js

webhook �napisany w

C na aarch64

Webhook:

• kind=...
• target=http:/…
• secret=...

HTTP

request

webhook

webhook

webhook

HTTP

request��(libcurl)

Screenshot z Ghidra

Screenshot z Ghidra

Screenshot z Ghidra

Screenshot z Ghidra

Screenshot z Ghidra

Collector z Plaid CTF 2023

in a nutshell:

count1 = SQL(" select count(*) from hooks where kind='$kind' ")

​

if count1 > 10:

count1 = 10

​

count2 = SQL(" select target, secret from hooks � where kind='$kind' � order by target limit 10 ");

​

# bug gdy count1 != count2

Collector z Plaid CTF 2023

# docker exec -it --user postgres collector_maindb_1 psql -c "select 'A'>'a'"

?column?

----------

f

(1 row)

​

# docker exec -it --user postgres collector_workerdb_1 psql -c "select 'A'>'a'"

?column?

----------

t

(1 row)

​

Collector z Plaid CTF 2023

• https://www.postgresql.org/message-id/flat/BA6132ED-1F6B-4A0B-AC22-81278F5AB81E%40tripadvisor.com

​

• https://stackoverflow.com/questions/62333176/docker-difference-postgres12-from-postgres12-alpine

Environment variables�"quirk"

CPython 3.11

speedups

(https://docs.python.org/3/whatsnew/3.11.html)

…and that's all

Thanks!

​

by ~disconnect3d