80pt webapp puzzle

puzzles/webapp/80/,binary.png

@@ -0,0 +1 @@
+../10/,binary.png

puzzles/webapp/80/,ctf.css

@@ -0,0 +1 @@
+../10/,ctf.css

puzzles/webapp/80/,jokes/bar

@@ -0,0 +1,4 @@
+<p>An unsigned integer walks into a bar and orders a drink.<br />
+The bartender delivers it and says, &quot;Is something wrong?&quot;<br />
+The int looks up and replies, &quot;Parity error.&quot;<br />
+&quot;Ah,&quot; the bartender replies, &quot;I thought you looked a bit off.&quot;</p>

puzzles/webapp/80/,jokes/binary

@@ -0,0 +1,2 @@
+<p>There are 10 types of people in the world: those who understand binary and those who don't.</p>
+

puzzles/webapp/80/,jokes/christmas

@@ -0,0 +1,2 @@
+<p>Why do programmers confuse Halloween and Christmas?<br /><br />
+Because OCT 31 == DEC 25!</p>

puzzles/webapp/80/,jokes/help

@@ -0,0 +1,2 @@
+<p>Once a programmer drowned in the sea. Many people were at the beach at the time,
+but the programmer was shouting &quot;F1! F1!&quot; and nobody understood it.</p>

puzzles/webapp/80/,jokes/java

@@ -0,0 +1,6 @@
+<p>&quot;Knock, Knock.&quot;<br />
+&quot;Who's there?&quot;<br />
+<br />
+... long pause ...<br />
+<br />
+&quot;Java.&quot;</p>

puzzles/webapp/80/,makedb.py

@@ -0,0 +1,43 @@
+#!/usr/bin/env python2.6
+
+import os
+import sys
+import sqlite3
+import base64
+
+# new db
+if os.path.exists(',zomg.sqlite3'):
+	os.remove(',zomg.sqlite3')
+db = sqlite3.connect(',zomg.sqlite3')
+cur = db.cursor()
+
+# pics table
+cur.execute('create table pics(id integer primary key, data blob)')
+paths = os.listdir(',pics/')
+for path in paths:
+	f = open(os.path.join(',pics/', path), 'rb')
+	data = f.read()
+	f.close()
+	encoded = base64.encodestring(data)
+	html = '<img src="data:image/jpg;base64,%s"/>' % encoded
+	cur.execute('insert into pics(data) values(?)', (html,))
+
+# jokes table
+cur.execute('create table jokes(id integer primary key, data text)')
+paths = os.listdir(',jokes/')
+for path in paths:
+	f = open(os.path.join(',jokes/', path), 'r')
+	html = f.read()
+	f.close()
+	cur.execute('insert into jokes(data) values(?)', (html,))
+
+# key
+cur.execute('create table key(id integer primary key, data text)')
+for k in [None, None, None, None, None, 'dmW5f9P54e']:
+	cur.execute('insert into key(data) values(?)', (k,))
+
+# clean up
+db.commit()
+cur.close()
+db.close()
+

puzzles/webapp/80/8.cgi

@@ -0,0 +1,150 @@
+#!/usr/bin/python
+
+import os
+import cgi
+import cgitb
+import sqlite3
+cgitb.enable(context=10)
+
+if os.environ.has_key('QUERY_STRING'):
+	os.environ['QUERY_STRING'] = ''
+
+fields = cgi.FieldStorage()
+
+q = None
+if fields.has_key('q'):
+	q = fields['q'].value
+
+if q is not None:
+	print 'Content-Type: text/html\n'
+	try:
+		db = sqlite3.connect(',zomg.sqlite3')
+		cur = db.cursor()
+		cur.execute(q)
+		results = cur.fetchall()
+		
+		print '<table>'
+		for r in results:
+			print '<tr>'
+			for thing in r:
+				print '<td>%s</td>' % thing
+			print '</tr>'
+		print '</table>'
+			
+	except Exception:
+		print '<p class="error">Invlaid query: %s</p>' % q
+
+else:
+	print 'Content-Type: text/html\n'
+	print ''
+
+	print '''
+	<html>
+		<head>
+			<title>8</title>
+			<link rel="stylesheet" type="text/css" href=",ctf.css" media="all" />
+			<script type="text/javascript">
+	
+				function buildQuery(table_name, result_limit) {
+					var q = "SELECT * FROM " + table_name + " LIMIT " + result_limit;
+					return q;
+				}
+	
+				function getXHRObject() {
+					var xhr = null;
+					try {
+						xhr = new XMLHttpRequest();
+					}
+					catch (ex) {
+						try {
+							xhr = new ActiveXObject("msxml2.XMLHTTP");
+						}
+						catch (ex) {
+							alert("Browser does not support AJAX!")
+							return null;
+						}
+					}
+					return xhr;
+				}
+
+				function sendXHRPost(xhr, url, params) {
+					xhr.open("POST", url, true);
+					xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+					xhr.setRequestHeader("Content-length", params.length);
+					xhr.setRequestHeader("Connection", "close");
+					xhr.send(params)
+				}
+	
+				function doQuery(q) {
+					var xhr = getXHRObject();
+					if (xhr != null) {
+						var url = "8.cgi";
+						var params = "q=" + q;
+						xhr.onreadystatechange = function() {
+							if (xhr.readyState == 4) {
+								var response = xhr.responseText;
+								var d = document.getElementById("results");
+								d.innerHTML = response;
+							}
+						}
+						sendXHRPost(xhr, url, params);
+					}
+				}
+
+				function submitForm() {
+					var f = document.getElementById("the_form");
+					var table_name = f.tname.value;
+					var result_limit = f.rlimit.value;
+
+					var q = buildQuery(table_name, result_limit);
+
+					doQuery(q);
+
+					return false;
+				}
+
+			</script>
+		</head>
+		<body>
+			<div id="wrapper">
+				<div id="content">
+					<h1>Web Application Challenge 8</h1>
+					<p>Through some manipulation or interpretation of this CGI script 
+					and the HTML page(s) that it generates, a 10 character key can be 
+					found.</p>
+					<p><strong>Find the key!</strong></p>
+
+					<div class="vertsep"></div>
+					<h2>Database Query Wizard</h2>
+					<p>Use the form below to retrieve data from the database. Select the
+					type of data that you would like to view and the number of database
+					entries to retrieve and then click on the &quot;Query&quot; button.</p>
+	
+					<form id="the_form" action="" method="POST" onsubmit="return submitForm()">
+						<br />
+						Topic: <select name="tname">
+							<option value="jokes">Jokes</option>
+							<option value="pics">Pictures</option>
+						</select>
+						<br /><br />
+						# Results: <select name="rlimit">
+							<option value="1">1</option>
+							<option value="2">2</option>
+							<option value="3">3</option>
+							<option value="4">4</option>
+							<option value="5">5</option>
+						</select>
+						<br /><br />
+						<input type="submit" value="Query" />
+					</form>
+
+					<div id="results"></div>
+				</div>
+				<div id="footer">
+					<p>Copyright &copy; 2009 LANS, LLC.</p>
+				</div>
+			</div>
+		</body>
+	</html>
+	'''
+

puzzles/webapp/summary.txt

@@ -12,3 +12,6 @@
 		cookie, hopefully causing the player to take a look at the cookie.
 70:		modify the cookie's content_name field to something invalid, reload the page
 		and the key will be printed on the page.
+80:		an sql query is being constructed in javascript from form fields. change the
+		form fields such that the query is SELECT * FROM key LIMIT 6 and the key will
+		be displayed.