Updates node-js/challenge-2.md

CHYbeta · CHYbeta · commit fd008016082a · 2018-04-01T08:07:30.000+08:00
Auto commit by GitBook Editor
diff --git a/SUMMARY.md b/SUMMARY.md
@@ -109,6 +109,7 @@
 
 * [Challenge 1](node-js/challenge-1.md)
 * [Challenge 2](node-js/challenge-2.md)
+* [Challenge 3](node-js/challenge-3.md)
 
 ## PERL
 
diff --git a/node-js/challenge-2.md b/node-js/challenge-2.md
@@ -1,4 +1,5 @@
 # Challenge
+
 ```js
 #!/usr/bin/node
 
@@ -90,7 +91,7 @@ app.all("/*", (req, res, next) => {
     } else {
         var sql = `SELECT ?,?,?`;
     }
-    
+
     return pool.query(sql, [ip, payload, payload], (err, rows) => {
         var sql = `SELECT * FROM blacklists WHERE ip=?`;
         return pool.query(sql, [ip], (err,rows) => {
@@ -99,7 +100,7 @@ app.all("/*", (req, res, next) => {
             } else {
                 return res.end("Shame on you");
             }
-            
+
         });
     });
 
@@ -144,4 +145,8 @@ app.listen(31337, () => {
 ```
 
 # Refference
-+ hitcon ctf 2017 SQL so Hard
+
+* hitcon ctf 2017 SQL so Hard
+
+
+
diff --git a/node-js/challenge-3.md b/node-js/challenge-3.md
@@ -0,0 +1,58 @@
+# Challenge 
+```js
+var express = require('express')
+var app = express()
+
+var bodyParser = require('body-parser')
+app.use(bodyParser.urlencoded({}));
+
+var path    = require("path");
+var moment = require('moment');
+var MongoClient = require('mongodb').MongoClient;
+var url = "mongodb://localhost:27017/";
+
+MongoClient.connect(url, function(err, db) {
+    if (err) throw err;
+    dbo = db.db("test_db");
+    var collection_name = "users";
+    var password_column = "password_"+Math.random().toString(36).slice(2)
+    var password = "XXXXXXXXXXXXXXXXXXXXXX";
+    // flag is flag{password}
+    var myobj = { "username": "admin", "last_access": moment().format('YYYY-MM-DD HH:mm:ss Z')};
+    myobj[password_column] = password;
+    dbo.collection(collection_name).remove({});
+    dbo.collection(collection_name).update(
+        { name: myobj.name },
+        myobj,
+        { upsert: true }
+    );
+
+    app.get('/', function (req, res) {
+        res.sendFile(path.join(__dirname,'index.html'));
+    })
+    app.post('/check', function (req, res) {
+        var check_function = 'if(this.username == #username# && #username# == "admin" && hex_md5(#password#) == this.'+password_column+'){\nreturn 1;\n}else{\nreturn 0;}';
+
+        for(var k in req.body){
+            var valid = ['#','(',')'].every((x)=>{return req.body[k].indexOf(x) == -1});
+            if(!valid) res.send('Nope');
+            check_function = check_function.replace(
+                new RegExp('#'+k+'#','gm')
+                ,JSON.stringify(req.body[k]))
+        }
+        var query = {"$where" : check_function};
+        var newvalue = {$set : {last_access: moment().format('YYYY-MM-DD HH:mm:ss Z')}}
+        dbo.collection(collection_name).updateOne(query,newvalue,function (e,r){
+            if(e) throw e;
+            res.send('ok');
+            // ... implementing, plz dont release this.
+        });
+    })
+    app.listen(8081)
+
+});
+```
+
+
+# Refference
++ [0ctf 2018 Loginme]
