一.misc签到题目
irc
使用weechat登陆
kali上 apt-get install weechat
输入 weechat 进入
/server add freenodegeorge chat.freenode.net/george 添加一个服务器
/connect freenodegeorge 链接这个服务器
/join #fbctf-2019 加入到频道 就可以看到flag了
google一下就能知道频道是多少了
https://medium.com/@defcon201/defcon-201-facebook-ctf-practice-challenge-may-31st-june-2nd-f1fe113c4148
二.web1
直接给了源码,那我们下载源码看一下,主要的内容在db.php,内容如下
<?php
/*
CREATE TABLE products (
name char(64),
secret char(64),
description varchar(250)
);
INSERT INTO products VALUES('facebook', sha256(....), 'FLAG_HERE');
INSERT INTO products VALUES('messenger', sha256(....), ....);
INSERT INTO products VALUES('instagram', sha256(....), ....);
INSERT INTO products VALUES('whatsapp', sha256(....), ....);
INSERT INTO products VALUES('oculus-rift', sha256(....), ....);
*/
error_reporting(0);
require_once("config.php"); // DB config
$db = new mysqli($MYSQL_HOST, $MYSQL_USERNAME, $MYSQL_PASSWORD, $MYSQL_DBNAME);
if ($db->connect_error) {
die("Connection failed: " . $db->connect_error);
}
function check_errors($var) {
if ($var === false) {
die("Error. Please contact administrator.");
}
}
function get_top_products() {
global $db;
$statement = $db->prepare(
"SELECT name FROM products LIMIT 5"
);
check_errors($statement);
check_errors($statement->execute());
$res = $statement->get_result();
check_errors($res);
$products = [];
while ( ($product = $res->fetch_assoc()) !== null) {
array_push($products, $product);
}
$statement->close();
return $products;
}
function get_product($name) {
global $db;
$statement = $db->prepare(
"SELECT name, description FROM products WHERE name = ?"
);
check_errors($statement);
$statement->bind_param("s", $name);
check_errors($statement->execute());
$res = $statement->get_result();
check_errors($res);
$product = $res->fetch_assoc();
$statement->close();
return $product;
}
function insert_product($name, $secret, $description) {
global $db;
$statement = $db->prepare(
"INSERT INTO products (name, secret, description) VALUES
(?, ?, ?)"
);
check_errors($statement);
$statement->bind_param("sss", $name, $secret, $description);
check_errors($statement->execute());
$statement->close();
}
function check_name_secret($name, $secret) {
global $db;
$valid = false;
$statement = $db->prepare(
"SELECT name FROM products WHERE name = ? AND secret = ?"
);
check_errors($statement);
$statement->bind_param("ss", $name, $secret);
check_errors($statement->execute());
$res = $statement->get_result();
check_errors($res);
if ($res->fetch_assoc() !== null) {
$valid = true;
}
$statement->close();
return $valid;
}
我们可以看到flag在facebook的description里面,看了一下,这边都用了预处理进行查询,所以那些union什么的都没有用了,查看view.php,发现也没有xss漏洞。这个时候我陷入了沉思,怎么也没有想到这个题目的考点在哪里,今天看了youtube的视频,恍然大悟。QWQ,原来是个约束攻击,我哭了。哎。约束攻击可以参考下面这个链接。
https://www.freebuf.com/articles/web/124537.html