mirror of https://github.com/dirtbags/moth.git
80pt webapp puzzle
This commit is contained in:
Curt Hash
parent
5a8004468e
commit
e8300a3740
|
|
@ -0,0 +1 @@
|
|||
../10/,binary.png
|
||||
|
|
@ -0,0 +1 @@
|
|||
../10/,ctf.css
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
<p>An unsigned integer walks into a bar and orders a drink.<br />
|
||||
The bartender delivers it and says, "Is something wrong?"<br />
|
||||
The int looks up and replies, "Parity error."<br />
|
||||
"Ah," the bartender replies, "I thought you looked a bit off."</p>
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
<p>There are 10 types of people in the world: those who understand binary and those who don't.</p>
|
||||
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
<p>Why do programmers confuse Halloween and Christmas?<br /><br />
|
||||
Because OCT 31 == DEC 25!</p>
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
<p>Once a programmer drowned in the sea. Many people were at the beach at the time,
|
||||
but the programmer was shouting "F1! F1!" and nobody understood it.</p>
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
<p>"Knock, Knock."<br />
|
||||
"Who's there?"<br />
|
||||
<br />
|
||||
... long pause ...<br />
|
||||
<br />
|
||||
"Java."</p>
|
||||
|
|
@ -0,0 +1,43 @@
|
|||
#!/usr/bin/env python2.6
|
||||
|
||||
import os
|
||||
import sys
|
||||
import sqlite3
|
||||
import base64
|
||||
|
||||
# new db
|
||||
if os.path.exists(',zomg.sqlite3'):
|
||||
os.remove(',zomg.sqlite3')
|
||||
db = sqlite3.connect(',zomg.sqlite3')
|
||||
cur = db.cursor()
|
||||
|
||||
# pics table
|
||||
cur.execute('create table pics(id integer primary key, data blob)')
|
||||
paths = os.listdir(',pics/')
|
||||
for path in paths:
|
||||
f = open(os.path.join(',pics/', path), 'rb')
|
||||
data = f.read()
|
||||
f.close()
|
||||
encoded = base64.encodestring(data)
|
||||
html = '<img src="data:image/jpg;base64,%s"/>' % encoded
|
||||
cur.execute('insert into pics(data) values(?)', (html,))
|
||||
|
||||
# jokes table
|
||||
cur.execute('create table jokes(id integer primary key, data text)')
|
||||
paths = os.listdir(',jokes/')
|
||||
for path in paths:
|
||||
f = open(os.path.join(',jokes/', path), 'r')
|
||||
html = f.read()
|
||||
f.close()
|
||||
cur.execute('insert into jokes(data) values(?)', (html,))
|
||||
|
||||
# key
|
||||
cur.execute('create table key(id integer primary key, data text)')
|
||||
for k in [None, None, None, None, None, 'dmW5f9P54e']:
|
||||
cur.execute('insert into key(data) values(?)', (k,))
|
||||
|
||||
# clean up
|
||||
db.commit()
|
||||
cur.close()
|
||||
db.close()
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 57 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 28 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 136 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 18 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 57 KiB |
Binary file not shown.
|
|
@ -0,0 +1,150 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
import os
|
||||
import cgi
|
||||
import cgitb
|
||||
import sqlite3
|
||||
cgitb.enable(context=10)
|
||||
|
||||
if os.environ.has_key('QUERY_STRING'):
|
||||
os.environ['QUERY_STRING'] = ''
|
||||
|
||||
fields = cgi.FieldStorage()
|
||||
|
||||
q = None
|
||||
if fields.has_key('q'):
|
||||
q = fields['q'].value
|
||||
|
||||
if q is not None:
|
||||
print 'Content-Type: text/html\n'
|
||||
try:
|
||||
db = sqlite3.connect(',zomg.sqlite3')
|
||||
cur = db.cursor()
|
||||
cur.execute(q)
|
||||
results = cur.fetchall()
|
||||
|
||||
print '<table>'
|
||||
for r in results:
|
||||
print '<tr>'
|
||||
for thing in r:
|
||||
print '<td>%s</td>' % thing
|
||||
print '</tr>'
|
||||
print '</table>'
|
||||
|
||||
except Exception:
|
||||
print '<p class="error">Invlaid query: %s</p>' % q
|
||||
|
||||
else:
|
||||
print 'Content-Type: text/html\n'
|
||||
print ''
|
||||
|
||||
print '''
|
||||
<html>
|
||||
<head>
|
||||
<title>8</title>
|
||||
<link rel="stylesheet" type="text/css" href=",ctf.css" media="all" />
|
||||
<script type="text/javascript">
|
||||
|
||||
function buildQuery(table_name, result_limit) {
|
||||
var q = "SELECT * FROM " + table_name + " LIMIT " + result_limit;
|
||||
return q;
|
||||
}
|
||||
|
||||
function getXHRObject() {
|
||||
var xhr = null;
|
||||
try {
|
||||
xhr = new XMLHttpRequest();
|
||||
}
|
||||
catch (ex) {
|
||||
try {
|
||||
xhr = new ActiveXObject("msxml2.XMLHTTP");
|
||||
}
|
||||
catch (ex) {
|
||||
alert("Browser does not support AJAX!")
|
||||
return null;
|
||||
}
|
||||
}
|
||||
return xhr;
|
||||
}
|
||||
|
||||
function sendXHRPost(xhr, url, params) {
|
||||
xhr.open("POST", url, true);
|
||||
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
|
||||
xhr.setRequestHeader("Content-length", params.length);
|
||||
xhr.setRequestHeader("Connection", "close");
|
||||
xhr.send(params)
|
||||
}
|
||||
|
||||
function doQuery(q) {
|
||||
var xhr = getXHRObject();
|
||||
if (xhr != null) {
|
||||
var url = "8.cgi";
|
||||
var params = "q=" + q;
|
||||
xhr.onreadystatechange = function() {
|
||||
if (xhr.readyState == 4) {
|
||||
var response = xhr.responseText;
|
||||
var d = document.getElementById("results");
|
||||
d.innerHTML = response;
|
||||
}
|
||||
}
|
||||
sendXHRPost(xhr, url, params);
|
||||
}
|
||||
}
|
||||
|
||||
function submitForm() {
|
||||
var f = document.getElementById("the_form");
|
||||
var table_name = f.tname.value;
|
||||
var result_limit = f.rlimit.value;
|
||||
|
||||
var q = buildQuery(table_name, result_limit);
|
||||
|
||||
doQuery(q);
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<div id="wrapper">
|
||||
<div id="content">
|
||||
<h1>Web Application Challenge 8</h1>
|
||||
<p>Through some manipulation or interpretation of this CGI script
|
||||
and the HTML page(s) that it generates, a 10 character key can be
|
||||
found.</p>
|
||||
<p><strong>Find the key!</strong></p>
|
||||
|
||||
<div class="vertsep"></div>
|
||||
<h2>Database Query Wizard</h2>
|
||||
<p>Use the form below to retrieve data from the database. Select the
|
||||
type of data that you would like to view and the number of database
|
||||
entries to retrieve and then click on the "Query" button.</p>
|
||||
|
||||
<form id="the_form" action="" method="POST" onsubmit="return submitForm()">
|
||||
<br />
|
||||
Topic: <select name="tname">
|
||||
<option value="jokes">Jokes</option>
|
||||
<option value="pics">Pictures</option>
|
||||
</select>
|
||||
<br /><br />
|
||||
# Results: <select name="rlimit">
|
||||
<option value="1">1</option>
|
||||
<option value="2">2</option>
|
||||
<option value="3">3</option>
|
||||
<option value="4">4</option>
|
||||
<option value="5">5</option>
|
||||
</select>
|
||||
<br /><br />
|
||||
<input type="submit" value="Query" />
|
||||
</form>
|
||||
|
||||
<div id="results"></div>
|
||||
</div>
|
||||
<div id="footer">
|
||||
<p>Copyright © 2009 LANS, LLC.</p>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
'''
|
||||
|
||||
|
|
@ -12,3 +12,6 @@
|
|||
cookie, hopefully causing the player to take a look at the cookie.
|
||||
70: modify the cookie's content_name field to something invalid, reload the page
|
||||
and the key will be printed on the page.
|
||||
80: an sql query is being constructed in javascript from form fields. change the
|
||||
form fields such that the query is SELECT * FROM key LIMIT 6 and the key will
|
||||
be displayed.
|
||||
|
|
|
|||
Loading…
Reference in New Issue