2019fbctf web1

1. misc warm-up challenge
irc
Log in with weechat.
On Kali: apt-get install weechat

Type weechat to start it.
/server add freenodegeorge chat.freenode.net/george  adds a server

/connect freenodegeorge connects to that server
/join #fbctf-2019 joins the channel, and the flag is visible there

A quick Google search tells you which channel it is.

https://medium.com/@defcon201/defcon-201-facebook-ctf-practice-challenge-may-31st-june-2nd-f1fe113c4148

2. web1
The source code is handed out directly, so download it and take a look. The main content is in db.php, shown below:

<?php

/*
CREATE TABLE products (
  name char(64),
  secret char(64),
  description varchar(250)
);

INSERT INTO products VALUES('facebook', sha256(....), 'FLAG_HERE');
INSERT INTO products VALUES('messenger', sha256(....), ....);
INSERT INTO products VALUES('instagram', sha256(....), ....);
INSERT INTO products VALUES('whatsapp', sha256(....), ....);
INSERT INTO products VALUES('oculus-rift', sha256(....), ....);
*/
error_reporting(0);
require_once("config.php"); // DB config

$db = new mysqli($MYSQL_HOST, $MYSQL_USERNAME, $MYSQL_PASSWORD, $MYSQL_DBNAME);

if ($db->connect_error) {
  die("Connection failed: " . $db->connect_error);
}

function check_errors($var) {
  if ($var === false) {
    die("Error. Please contact administrator.");
  }
}

function get_top_products() {
  global $db;
  $statement = $db->prepare(
    "SELECT name FROM products LIMIT 5"
  );
  check_errors($statement);
  check_errors($statement->execute());
  $res = $statement->get_result();
  check_errors($res);
  $products = [];
  while ( ($product = $res->fetch_assoc()) !== null) {
    array_push($products, $product);
  }
  $statement->close();
  return $products;
}

function get_product($name) {
  global $db;
  $statement = $db->prepare(
    "SELECT name, description FROM products WHERE name = ?"
  );
  check_errors($statement);
  $statement->bind_param("s", $name);
  check_errors($statement->execute());
  $res = $statement->get_result();
  check_errors($res);
  $product = $res->fetch_assoc();
  $statement->close();
  return $product;
}

function insert_product($name, $secret, $description) {
  global $db;
  $statement = $db->prepare(
    "INSERT INTO products (name, secret, description) VALUES
      (?, ?, ?)"
  );
  check_errors($statement);
  $statement->bind_param("sss", $name, $secret, $description);
  check_errors($statement->execute());
  $statement->close();
}

function check_name_secret($name, $secret) {
  global $db;
  $valid = false;
  $statement = $db->prepare(
    "SELECT name FROM products WHERE name = ? AND secret = ?"
  );
  check_errors($statement);
  $statement->bind_param("ss", $name, $secret);
  check_errors($statement->execute());
  $res = $statement->get_result();
  check_errors($res);
  if ($res->fetch_assoc() !== null) {
    $valid = true;
  }
  $statement->close();
  return $valid;
}

We can see that the flag is in the description of facebook. Looking through it, every query here uses prepared statements, so union and the like are useless, and looking at view.php there is no XSS either. At this point I was stuck in thought and could not work out what this challenge was testing; today I watched the YouTube video and it suddenly dawned on me. QWQ, it turns out to be a constraint attack, I cried. Sigh. You can read about constraint attacks at the link below.

https://www.freebuf.com/articles/web/124537.html
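The following Python model is an added example, not code from the write-up or from the challenge. It reproduces the relevant MySQL column semantics for the products table in db.php, to show why prepared statements alone do not stop the constraint attack the write-up mentions, and what an input check that closes it looks like. Assumptions, labelled in the code: the server runs without STRICT_TRANS_TABLES, so values longer than CHAR(64) are silently truncated on INSERT; the columns use a PAD SPACE collation (MySQL's default for CHAR), so '=' ignores trailing spaces; and the add-product flow (add.php is not on the page) calls get_product() before insert_product() to refuse duplicate names.

```python
# Added example (not the write-up's or the challenge's code): a model of how MySQL
# CHAR(64) columns behave in the products table from db.php, and of a hardened
# insert that keeps the stored name identical to the name that was checked.
#
# Assumptions: non-strict sql_mode (silent truncation on INSERT), PAD SPACE
# collation (trailing spaces ignored in '='), and an add flow that calls
# get_product() before insert_product(); none of these are stated on the page.

NAME_LEN = 64      # products.name is CHAR(64)
SECRET_LEN = 64    # products.secret is CHAR(64); a sha256 hex digest fits exactly
DESC_LEN = 250     # products.description is VARCHAR(250)


def store_char(value: str, width: int) -> str:
    """Model a CHAR(width) column in non-strict sql_mode: extra characters are dropped."""
    return value[:width]


def sql_equal(a: str, b: str) -> bool:
    """Model '=' under a PAD SPACE collation: trailing spaces do not affect equality."""
    return a.rstrip(" ") == b.rstrip(" ")


class ProductsTable:
    """In-memory stand-in for the products table; rows are (name, secret, description)."""

    def __init__(self):
        self.rows = []

    def insert_product(self, name, secret, description):
        self.rows.append((store_char(name, NAME_LEN),
                          store_char(secret, SECRET_LEN),
                          store_char(description, DESC_LEN)))

    def get_product(self, name):
        # SELECT name, description FROM products WHERE name = ?
        for n, _, d in self.rows:
            if sql_equal(n, name):
                return {"name": n, "description": d}
        return None

    def check_name_secret(self, name, secret):
        # SELECT name FROM products WHERE name = ? AND secret = ?
        return any(sql_equal(n, name) and sql_equal(s, secret) for n, s, _ in self.rows)


def seeded_table():
    t = ProductsTable()
    # Constructed sample row; the real secret and flag are not on the page.
    t.insert_product("facebook", "a" * 64, "FLAG_HERE")
    return t


# A 65-character name: "facebook", 56 spaces, then one more character.
# get_product() does not match it (the trailing "x" survives rstrip), but
# store_char() drops the "x", so the stored name compares equal to "facebook".
COLLIDING_NAME = "facebook" + " " * (NAME_LEN - len("facebook")) + "x"


def add_product_as_written(table, name, secret, description):
    """Assumed original flow: duplicate check via get_product(), then insert."""
    if table.get_product(name) is not None:
        return False
    table.insert_product(name, secret, description)
    return True


def add_product_hardened(table, name, secret, description):
    """Same flow, but reject names the column cannot store unchanged."""
    if len(name) > NAME_LEN or name != name.strip(" "):
        return False
    return add_product_as_written(table, name, secret, description)


def demo(add):
    """Run the add flow, then report whether check_name_secret() now accepts the
    name "facebook" with the second row's secret instead of the original one."""
    t = seeded_table()
    add(t, COLLIDING_NAME, "b" * 64, "second row")
    return t.check_name_secret("facebook", "b" * 64)   # True as written, False hardened
```

On a real server the equivalent fixes are to enable STRICT_TRANS_TABLES so that an over-long value makes the INSERT fail instead of being truncated, to put a UNIQUE KEY on products.name so the database itself refuses the second row, and to validate the length of name and secret in PHP before calling insert_product(), as add_product_hardened() does here.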


Reposted from blog.csdn.net/qq_43342566/article/details/90754329