# ZIP PK offset modifier **Repository Path**: tfrnghub/zip-pk-offset-modifier ## Basic Information - **Project Name**: ZIP PK offset modifier - **Description**: No description available - **Primary Language**: Unknown - **License**: Not specified - **Default Branch**: master - **Homepage**: None - **GVP Project**: No ## Statistics - **Stars**: 0 - **Forks**: 0 - **Created**: 2021-07-06 - **Last Updated**: 2021-07-06 ## Categories & Tags **Categories**: Uncategorized **Tags**: None ## README # ZIP PK offset modifier 引用1:[wikipedia_zip_file_format](https://en.wikipedia.org/wiki/ZIP_%28file_format%29)。 引用2:[sqrtrev 0CTF/TCTF - 1linephp](https://vuln.live/blog/14)。 引用3:[as3617](https://gist.github.com/as3617/50d598ede736d81bc57804e4d19700e5)。 `0CTF/TCTF - 1linephp`考察到的一个知识点。构造一个以特定字符串开头的zip包,需要修改`Central Directory File Header`中的`Local Header Offset`以及`End of Central Directory Record`中`Central Header Offset`。 The interesting thing about ZIP files is that, unlike most file formats, the header of the file is somewhere at the end. So the unzip is looking from the end of the file for the main header. We can also mark anything after this header as "comment" and then unzip will ignore it. Additionally the ZIP header specifies offsets (from the file start) at which the compressed data are stored. ### Local file header ``` 0 4 Local file header signature = 0x04034b50 (PK♥♦ or "PK\3\4") 4 2 Version needed to extract (minimum) 6 2 General purpose bit flag 8 2 Compression method; e.g. none = 0, DEFLATE = 8 (or "\0x08\0x00") 10 2 File last modification time 12 2 File last modification date 14 4 CRC-32 of uncompressed data 18 4 Compressed size (or 0xffffffff for ZIP64) 22 4 Uncompressed size (or 0xffffffff for ZIP64) 26 2 File name length (n) 28 2 Extra field length (m) 30 n File name 30+n m Extra field ``` ### Central directory file header ``` 0 4 Central directory file header signature = 0x02014b50 4 2 Version made by 6 2 Version needed to extract (minimum) 8 2 General purpose bit flag 10 2 Compression method 12 2 File last modification time 14 2 File last modification date 16 4 CRC-32 of uncompressed data 20 4 Compressed size (or 0xffffffff for ZIP64) 24 4 Uncompressed size (or 0xffffffff for ZIP64) 28 2 File name length (n) 30 2 Extra field length (m) 32 2 File comment length (k) 34 2 Disk number where file starts 36 2 Internal file attributes 38 4 External file attributes 42 4 Relative offset of local file header. This is the number of bytes between the start of the first disk on which the file occurs, and the start of the local file header. This allows software reading the central directory to locate the position of the file inside the ZIP file. 46 n File name 46+n m Extra field 46+n+m k File comment ``` ``` 42 4 Relative offset of local file header. This is the number of bytes between the start of the first disk on which the file occurs, and the start of the local file header. This allows software reading the central directory to locate the position of the file inside the ZIP file. ``` ### End of central directory record (EOCD) ``` 0 4 End of central directory signature = 0x06054b50 4 2 Number of this disk (or 0xffff for ZIP64) 6 2 Disk where central directory starts (or 0xffff for ZIP64) 8 2 Number of central directory records on this disk (or 0xffff for ZIP64) 10 2 Total number of central directory records (or 0xffff for ZIP64) 12 4 Size of central directory (bytes) (or 0xffffffff for ZIP64) 16 4 Offset of start of central directory, relative to start of archive (or 0xffffffff for ZIP64) 20 2 Comment length (n) 22 n Comment ``` ``` 16 4 Offset of start of central directory, relative to start of archive (or 0xffffffff for ZIP64) ``` 引用:[perfectblue](https://github.com/perfectblue/ctf-writeups/tree/master/2021/0ctf-2021-quals/onelinephp)。 最简单的方法,使用zip命令实现: ``` zip a.zip s.php echo -n "upload_progress_" > f cat f a.zip > b.zip zip -F b.zip --out c.zip ```