From 5a8004468e34559c4912ebfa03022189c93be9ab Mon Sep 17 00:00:00 2001 From: Curt Hash Date: Tue, 13 Oct 2009 15:50:08 -0600 Subject: [PATCH] 70pt webapp puzzle --- puzzles/webapp/70/,binary.png | 1 + puzzles/webapp/70/,ctf.css | 1 + puzzles/webapp/70/7.cgi | 86 +++++++++++++++++++++++++++++++++++ puzzles/webapp/70/key | 1 + puzzles/webapp/summary.txt | 2 + 5 files changed, 91 insertions(+) create mode 120000 puzzles/webapp/70/,binary.png create mode 120000 puzzles/webapp/70/,ctf.css create mode 100755 puzzles/webapp/70/7.cgi create mode 100644 puzzles/webapp/70/key diff --git a/puzzles/webapp/70/,binary.png b/puzzles/webapp/70/,binary.png new file mode 120000 index 0000000..36053bd --- /dev/null +++ b/puzzles/webapp/70/,binary.png @@ -0,0 +1 @@ +../10/,binary.png \ No newline at end of file diff --git a/puzzles/webapp/70/,ctf.css b/puzzles/webapp/70/,ctf.css new file mode 120000 index 0000000..19b2533 --- /dev/null +++ b/puzzles/webapp/70/,ctf.css @@ -0,0 +1 @@ +../10/,ctf.css \ No newline at end of file diff --git a/puzzles/webapp/70/7.cgi b/puzzles/webapp/70/7.cgi new file mode 100755 index 0000000..1bfdf64 --- /dev/null +++ b/puzzles/webapp/70/7.cgi @@ -0,0 +1,86 @@ +#!/usr/bin/python + +import os +import cgi +import cgitb +cgitb.enable(context=10) + +#if os.environ.has_key('QUERY_STRING'): +# os.environ['QUERY_STRING'] = '' + +fields = cgi.FieldStorage() + +import Cookie +c = Cookie.SimpleCookie(os.environ.get('HTTP_COOKIE', '')) + +content = { + 'joke1' : '

An infinite number of mathematicians walk into a bar. The first one orders a beer. The second orders half a beer. The third, a quarter of a beer. The bartender says You are all idiots! and pours two beers.

', + 'joke2' : '

Two atoms are talking. One of them says I think I lost an electron! and the other says Are you sure? The first replies Yeah, I am positive!

', +} + +if c.has_key('content_name') and c.has_key('content'): + k = c['content_name'].value + try: + c['content'] = content[k] + except KeyError: + c['content'] = '

key = s4nNlaMScV

' +else: + c['content_name'] = 'joke1'; + c['content'] = content['joke1'] + + +print 'Content-Type: text/html\n%s\n\n\n' % c +print '' + +print ''' + + + 7 + + + + +
+
+

Web Application Challenge 7

+

Through some manipulation or interpretation of this CGI script + and the HTML page(s) that it generates, a 10 character key can be + found.

+

Find the key!

+ +
+
+''' + +print ''' +
+ +
+ + +''' + diff --git a/puzzles/webapp/70/key b/puzzles/webapp/70/key new file mode 100644 index 0000000..16f48e0 --- /dev/null +++ b/puzzles/webapp/70/key @@ -0,0 +1 @@ +s4nNlaMScV diff --git a/puzzles/webapp/summary.txt b/puzzles/webapp/summary.txt index c59df78..23fb9f8 100644 --- a/puzzles/webapp/summary.txt +++ b/puzzles/webapp/summary.txt @@ -10,3 +10,5 @@ integers is caught and handled, so that no longer works. 60: the key is in the cookie. note the javascript that reads a value from the cookie, hopefully causing the player to take a look at the cookie. +70: modify the cookie's content_name field to something invalid, reload the page + and the key will be printed on the page.