一.misc簽到題目
irc
使用weechat登陸
kali上 apt-get install weechat
輸入 weechat 進入
/server add freenodegeorge chat.freenode.net/george 添加一個服務器
/connect freenodegeorge 鏈接這個服務器
/join #fbctf-2019 加入到頻道 就可以看到flag了
google一下就能知道頻道是多少了
https://medium.com/@defcon201/defcon-201-facebook-ctf-practice-challenge-may-31st-june-2nd-f1fe113c4148
二.web1
直接給了源碼,那我們下載源碼看一下,主要的內容在db.php,內容如下
<?php
/*
CREATE TABLE products (
name char(64),
secret char(64),
description varchar(250)
);
INSERT INTO products VALUES('facebook', sha256(....), 'FLAG_HERE');
INSERT INTO products VALUES('messenger', sha256(....), ....);
INSERT INTO products VALUES('instagram', sha256(....), ....);
INSERT INTO products VALUES('whatsapp', sha256(....), ....);
INSERT INTO products VALUES('oculus-rift', sha256(....), ....);
*/
error_reporting(0);
require_once("config.php"); // DB config
$db = new mysqli($MYSQL_HOST, $MYSQL_USERNAME, $MYSQL_PASSWORD, $MYSQL_DBNAME);
if ($db->connect_error) {
die("Connection failed: " . $db->connect_error);
}
function check_errors($var) {
if ($var === false) {
die("Error. Please contact administrator.");
}
}
function get_top_products() {
global $db;
$statement = $db->prepare(
"SELECT name FROM products LIMIT 5"
);
check_errors($statement);
check_errors($statement->execute());
$res = $statement->get_result();
check_errors($res);
$products = [];
while ( ($product = $res->fetch_assoc()) !== null) {
array_push($products, $product);
}
$statement->close();
return $products;
}
function get_product($name) {
global $db;
$statement = $db->prepare(
"SELECT name, description FROM products WHERE name = ?"
);
check_errors($statement);
$statement->bind_param("s", $name);
check_errors($statement->execute());
$res = $statement->get_result();
check_errors($res);
$product = $res->fetch_assoc();
$statement->close();
return $product;
}
function insert_product($name, $secret, $description) {
global $db;
$statement = $db->prepare(
"INSERT INTO products (name, secret, description) VALUES
(?, ?, ?)"
);
check_errors($statement);
$statement->bind_param("sss", $name, $secret, $description);
check_errors($statement->execute());
$statement->close();
}
function check_name_secret($name, $secret) {
global $db;
$valid = false;
$statement = $db->prepare(
"SELECT name FROM products WHERE name = ? AND secret = ?"
);
check_errors($statement);
$statement->bind_param("ss", $name, $secret);
check_errors($statement->execute());
$res = $statement->get_result();
check_errors($res);
if ($res->fetch_assoc() !== null) {
$valid = true;
}
$statement->close();
return $valid;
}
我們可以看到flag在facebook的description裏面,看了一下,這邊都用了預處理進行查詢,所以那些union什麼的都沒有用了,查看view.php,發現也沒有xss漏洞。這個時候我陷入了沉思,怎麼也沒有想到這個題目的考點在哪裏,今天看了youtube的視頻,恍然大悟。QWQ,原來是個約束攻擊,我哭了。哎。約束攻擊可以參考下面這個鏈接。
https://www.freebuf.com/articles/web/124537.html