pwnable.kr wp mistake
Author: Internet (repost)
Challenge
We all make mistakes, let's move on.
(don't take this too seriously, no fancy hacking skill is required at all)
This task is based on real event
Thanks to dhmonkey
hint : operator priority
ssh mistake@pwnable.kr -p2222 (pw:guest)
Solution

The challenge binary is built from the following source (the missing headers for sleep/time/read/close, strncmp and system are added here so it compiles; the precedence bug on the open() line is the challenge's own and is left as is):

    #include <stdio.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <string.h>
    #include <stdlib.h>
    #include <time.h>
    #define PW_LEN 10
    #define XORKEY 1

    void xor(char* s, int len){
        int i;
        for(i=0; i<len; i++){
            s[i] ^= XORKEY;
        }
    }

    int main(int argc, char* argv[]){
        int fd;
        // '<' binds tighter than '=', so fd receives (open(...) < 0), not the descriptor
        if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
            printf("can't open password %d\n", fd);
            return 0;
        }

        printf("do not bruteforce...\n");
        sleep(time(0)%20);

        char pw_buf[PW_LEN+1];
        int len;
        // same precedence problem: len receives (read(...) > 0)
        if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
            printf("read error\n");
            close(fd);
            return 0;
        }

        char pw_buf2[PW_LEN+1];
        printf("input password : ");
        scanf("%10s", pw_buf2);

        // xor your input
        xor(pw_buf2, 10);

        if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
            printf("Password OK\n");
            system("/bin/cat flag\n");
        }
        else{
            printf("Wrong Password\n");
        }

        close(fd);
        return 0;
    }
The vulnerability in this challenge is the operator precedence of the condition check. The code above is equivalent to if(fd = 1 < 0) (the 1 standing in for the value open() returns), but < has higher precedence than =, so the if effectively performs an assignment; the assignment expression's truth value is 1, so this condition always holds, and the result is fd == 0. The effect is that the program reads from stdin twice, so the check below can be passed.

The binary of A is 01000001 and the binary of @ is 01000000, so entering AAAAAAAAAA and then @@@@@@@@@@ passes the check and reads the flag.
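To make the precedence effect on fd concrete, and to show why the two inputs above compare equal after the XOR, here is an added example (not the challenge's code). It replaces open() with a hypothetical fake_open stub that returns whatever descriptor value the caller supplies, so nothing on disk is touched:

```c
#include <stdio.h>
#include <string.h>

#define PW_LEN 10
#define XORKEY 1

/* Hypothetical stand-in for open(): hands back the value the caller
 * pretends the kernel returned (3 = success, -1 = failure). */
static int fake_open(int kernel_result) { return kernel_result; }

/* Form used by the challenge. '<' binds tighter than '=', so fd receives
 * the result of (open_result < 0): 0 when open succeeded, 1 when it failed.
 * The outer parentheses only silence -Wparentheses; grouping is unchanged. */
int fd_as_written(int open_result) {
    int fd;
    if ((fd = fake_open(open_result) < 0)) {
        return -1;          /* taken only when open failed (fd == 1) */
    }
    return fd;              /* 0, i.e. stdin, whenever open succeeded */
}

/* Intended form: explicit parentheses perform the assignment first. */
int fd_as_intended(int open_result) {
    int fd;
    if ((fd = fake_open(open_result)) < 0) {
        return -1;
    }
    return fd;              /* the real descriptor */
}

/* Mirror of the challenge's check: XOR each input byte with XORKEY and
 * compare against the stored password. Returns 1 on match, 0 otherwise. */
int password_matches(const char *stored, const char *typed) {
    char buf[PW_LEN + 1] = {0};
    strncpy(buf, typed, PW_LEN);
    for (int i = 0; i < PW_LEN; i++) buf[i] ^= XORKEY;
    return strncmp(stored, buf, PW_LEN) == 0;
}

int main(void) {
    printf("open ok  : written=%d intended=%d\n", fd_as_written(3), fd_as_intended(3));
    printf("open fail: written=%d intended=%d\n", fd_as_written(-1), fd_as_intended(-1));
    printf("AAAAAAAAAA vs @@@@@@@@@@ -> %d\n", password_matches("AAAAAAAAAA", "@@@@@@@@@@"));
    return 0;
}
```

With fd == 0 the first read() in the challenge consumes the first line typed on stdin as the "stored" password, which is exactly why the AAAAAAAAAA / @@@@@@@@@@ pair works.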
Source: https://blog.csdn.net/qq_33976344/article/details/122525931