DiceCtf 2024 Quals Web WriteUps

Last updated: 7 months ago

dicedicegoose

Press F12 and audit the source.

Put simply, the `history` array must have length 9, i.e. only 9 moves are allowed (the dice moves down, the black block moves left).

Because the black block moves in a random direction, we open the console and directly edit the black block's position history inside `history`.

First make 8 moves yourself, then run:

```javascript
// Rewrite the black block's recorded positions so that it walks
// straight left along row 9: column 9, 8, ..., 1.
let i = 9;
history.forEach(innerArray => {
  innerArray[1][1] = i--;   // black block column
  innerArray[1][0] = 9;     // black block row
});
```


funnylogin

```javascript
const express = require('express');
const crypto = require('crypto');

const app = express();

const db = require('better-sqlite3')('db.sqlite3');
db.exec(`DROP TABLE IF EXISTS users;`);
db.exec(`CREATE TABLE users(
    id INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT
);`);

const FLAG = process.env.FLAG || "dice{test_flag}";
const PORT = process.env.PORT || 3000;

// ids are assigned from the array index, so the first user has id 0
const users = [...Array(100_000)].map(() => ({ user: `user-${crypto.randomUUID()}`, pass: crypto.randomBytes(8).toString("hex") }));
db.exec(`INSERT INTO users (id, username, password) VALUES ${users.map((u,i) => `(${i}, '${u.user}', '${u.pass}')`).join(", ")}`);

// plain object keyed by username: inherited properties also resolve on lookup
const isAdmin = {};
const newAdmin = users[Math.floor(Math.random() * users.length)];
isAdmin[newAdmin.user] = true;

app.use(express.urlencoded({ extended: false }));
app.use(express.static("public"));

app.post("/api/login", (req, res) => {
    const { user, pass } = req.body;

    // user and pass are concatenated straight into the SQL string
    const query = `SELECT id FROM users WHERE username = '${user}' AND password = '${pass}';`;
    try {
        const id = db.prepare(query).get()?.id;
        if (!id) {
            return res.redirect("/?message=Incorrect username or password");
        }

        if (users[id] && isAdmin[user]) {
            return res.redirect("/?flag=" + encodeURIComponent(FLAG));
        }
        return res.redirect("/?message=This system is currently only available to admins...");
    }
    catch {
        return res.redirect("/?message=Nice try...");
    }
});

app.listen(PORT, () => console.log(`web/funnylogin listening on port ${PORT}`));
```


Clearly SQL injection is needed:

`1' or 1=1 limit 1,1 --`

A subtle point: the ids generated at the top of the file start from 0, so we need `limit 1,1` (an id of 0 is falsy and would fail the `!id` check).

The second condition requires both `users[id]` and `isAdmin[user]`; nothing is echoed back, so there is no way to learn the actual admin username.

Here we use `__proto__` as the username together with `1' or 1=1 limit 1,1 --` as the password to bypass it (`isAdmin['__proto__']` resolves to the inherited `Object.prototype`, which is truthy).
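As an added example (not part of the original writeup or the challenge source), the `isAdmin[user]` check is reproduced below on a plain object to show why inherited keys such as `__proto__` pass it, beside two hardened checks that only accept real entries; the admin username is a constructed sample value.

```javascript
// Added example, not the challenge's own code: reproduces the
// funnylogin isAdmin lookup on a plain object and contrasts it with
// checks that only accept own properties.

// Same shape as the challenge: plain object keyed by username.
const isAdmin = {};
const adminUser = "user-00000000-0000-4000-8000-000000000000"; // constructed sample
isAdmin[adminUser] = true;

// The challenge's check as written: a truthy lookup on a plain object.
// Inherited names (__proto__, constructor, toString, ...) resolve to
// Object.prototype or its functions, which are all truthy.
function isAdminUnsafe(user) {
  return Boolean(isAdmin[user]);
}

// Hardened: only an own property explicitly set to true counts.
function isAdminOwnProp(user) {
  return Object.prototype.hasOwnProperty.call(isAdmin, user) && isAdmin[user] === true;
}

// Alternative: a Set (or Map / Object.create(null)) has no inherited
// string keys to fall back to.
const adminSet = new Set([adminUser]);
function isAdminSet(user) {
  return adminSet.has(user);
}

// Property names every plain object inherits from Object.prototype.
const inheritedKeys = ["__proto__", "constructor", "toString", "hasOwnProperty"];

// Which inherited names each check would wrongly accept as an admin.
function bypassReport() {
  return {
    unsafe: inheritedKeys.filter(isAdminUnsafe),
    ownProp: inheritedKeys.filter(isAdminOwnProp),
    set: inheritedKeys.filter(isAdminSet),
    realAdminAccepted: isAdminOwnProp(adminUser) && isAdminSet(adminUser),
  };
}

console.log(bypassReport());
```

The same fix applies to the query itself: pass `user` and `pass` as bound parameters of a prepared statement instead of interpolating them into the SQL string.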


http://example.com/posts/3f2e31d4/
Author: Fanllspd
Published: 5 February 2024
Updated: 12 February 2024