From 474bbf83fd40ddee5cedfe183b983507879810a7 Mon Sep 17 00:00:00 2001 From: Curt Hash Date: Tue, 13 Oct 2009 14:03:35 -0600 Subject: [PATCH] 50pt webapp puzzle --- puzzles/webapp/10/,ctf.css | 8 ++++ puzzles/webapp/50/,binary,png | 1 + puzzles/webapp/50/,ctf.css | 1 + puzzles/webapp/50/5.cgi | 89 +++++++++++++++++++++++++++++++++++ puzzles/webapp/50/key | 2 + puzzles/webapp/summary.txt | 4 +- 6 files changed, 104 insertions(+), 1 deletion(-) create mode 120000 puzzles/webapp/50/,binary,png create mode 120000 puzzles/webapp/50/,ctf.css create mode 100755 puzzles/webapp/50/5.cgi create mode 100644 puzzles/webapp/50/key diff --git a/puzzles/webapp/10/,ctf.css b/puzzles/webapp/10/,ctf.css index 4b1b9a0..da47e69 100644 --- a/puzzles/webapp/10/,ctf.css +++ b/puzzles/webapp/10/,ctf.css @@ -52,3 +52,11 @@ h1,h2,h3,h4 { margin: 2em auto 2em auto; border-bottom: 1px dotted #222; } + +.error { + padding: 1em; + background: #fff; + color: red; + border: 1px solid red; + font-weight: bold; +} diff --git a/puzzles/webapp/50/,binary,png b/puzzles/webapp/50/,binary,png new file mode 120000 index 0000000..36053bd --- /dev/null +++ b/puzzles/webapp/50/,binary,png @@ -0,0 +1 @@ +../10/,binary.png \ No newline at end of file diff --git a/puzzles/webapp/50/,ctf.css b/puzzles/webapp/50/,ctf.css new file mode 120000 index 0000000..19b2533 --- /dev/null +++ b/puzzles/webapp/50/,ctf.css @@ -0,0 +1 @@ +../10/,ctf.css \ No newline at end of file diff --git a/puzzles/webapp/50/5.cgi b/puzzles/webapp/50/5.cgi new file mode 100755 index 0000000..23cc4e7 --- /dev/null +++ b/puzzles/webapp/50/5.cgi @@ -0,0 +1,89 @@ +#!/usr/bin/python + +import os +import cgi +import cgitb +cgitb.enable(context=10) + +if os.environ.has_key('QUERY_STRING'): + os.environ['QUERY_STRING'] = '' + +fields = cgi.FieldStorage() + +print 'Content-Type: text/html' +print '' + +print ''' + + + 5 + + + +
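Review bot: The new symlink is named `,binary,png` (comma before `png`) while its target is `../10/,binary.png`, which looks like a typo in the link name. The markup that would reference the image is not visible in this patch, so this is inferred, but if the page requests `,binary.png` as the 10-point puzzle's asset is named, the request will not resolve under `puzzles/webapp/50/`. Renaming the link to `,binary.png` would make it agree with its target, the way the sibling `,ctf.css` link does.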
+
+

Web Application Challenge 5

+

Through some manipulation or interpretation of this CGI script + and the HTML page(s) that it generates, a 10 character key can be + found.

+

Find the key!

+ +
+''' + +PRODUCT_NAME = "Alex Brugh" +QUANT_LIMIT = 1 + +def purchase_success(quantity): + print ''' +

Congratulations, your order for %d "%s" has been placed.

+ ''' % (quantity, PRODUCT_NAME) + +class InvalidQuantityError(Exception): + def __init__(self, value): + self.value = value + def __str__(self): + return repr(self.value) + +quantity = None +if fields.has_key('quantity') and fields.has_key('product') and fields['product'].value == PRODUCT_NAME: + product = fields['product'].value + try: + quantity = int(fields['quantity'].value) + if quantity > QUANT_LIMIT: + # key = eVkIwHzOok + raise InvalidQuantityError("%d is not a valid quantity (limit %d)" % (quantity, QUANT_LIMIT)) + except ValueError: + print ''' +

There was an error with your order request. Sorry.

+ ''' + quantity = None + +if quantity is not None: + purchase_success(quantity) +else: + print ''' + +

SALE: %s

+

Use the order form below to place an order.

+ +
+ Orders for "%s" are limited to 1 per customer. +

+ + + +
+ ''' % (PRODUCT_NAME, PRODUCT_NAME, PRODUCT_NAME) + +print ''' + +
+ +
+ + +''' + diff --git a/puzzles/webapp/50/key b/puzzles/webapp/50/key new file mode 100644 index 0000000..9c65921 --- /dev/null +++ b/puzzles/webapp/50/key @@ -0,0 +1,2 @@ +eVkIwHzOok + diff --git a/puzzles/webapp/summary.txt b/puzzles/webapp/summary.txt index 767d14c..c2868e0 100644 --- a/puzzles/webapp/summary.txt +++ b/puzzles/webapp/summary.txt @@ -5,4 +5,6 @@ resulting traceback. 40: change the value in the POST request to a non-integer. the key is in the resulting traceback. - +50: change the quantity value (hidden form field) to something greater than the + stated quantity limit. the key is in the resulting traceback. entering non- + integers is caught and handled, so that no longer works.
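Review bot: The limit check inside the `try` block only rejects `quantity > QUANT_LIMIT`, so zero or a negative integer passes and reaches `purchase_success()`; a lower bound such as `if quantity < 1 or quantity > QUANT_LIMIT:` would close that path. `InvalidQuantityError` is raised inside the `try` but only `ValueError` is caught, so it propagates to `cgitb.enable(context=10)`, which renders the surrounding source lines, key comment included, to the client. summary.txt records this as the intended solution, but the script itself does not say so; a comment above the `raise` such as `# INTENTIONAL: left uncaught so the cgitb traceback discloses the key; real code should use cgitb.enable(display=0, logdir=...)` would keep the pattern from being copied. The `QUERY_STRING` blanking near the top is also unexplained (presumably it forces `cgi.FieldStorage()` to read only the POST body) and deserves a one-line comment. The form text hard-codes "limited to 1 per customer" while the check uses `QUANT_LIMIT`, so the two can drift apart if the constant changes.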