
pwnable.kr wp mistake

Author: 互联网

Challenge

We all make mistakes, let's move on.
(don't take this too seriously, no fancy hacking skill is required at all)

This task is based on real event
Thanks to dhmonkey

hint : operator priority

ssh mistake@pwnable.kr -p2222 (pw:guest)

Solution

#include <stdio.h>
#include <stdlib.h>	/* system() */
#include <string.h>	/* strncmp() */
#include <unistd.h>	/* read(), close(), sleep() */
#include <time.h>	/* time() */
#include <fcntl.h>	/* open(), O_RDONLY */

#define PW_LEN 10
#define XORKEY 1

/* XOR every byte of s with XORKEY, in place. */
void xor(char* s, int len){
	int i;
	for(i=0; i<len; i++){
		s[i] ^= XORKEY;
	}
}

int main(int argc, char* argv[]){
	
	int fd;
	/* Bug (kept as in the challenge): '<' binds tighter than '=', so this is
	   fd = (open(...) < 0). When open() succeeds the comparison is 0, fd is
	   set to 0 (stdin), and the assignment's value 0 skips the error branch. */
	if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0){
		printf("can't open password %d\n", fd);
		return 0;
	}

	printf("do not bruteforce...\n");
	sleep(time(0)%20);	/* waits 0..19 seconds */

	char pw_buf[PW_LEN+1];
	int len;
	/* Same precedence slip: len = (read(...) > 0). With fd == 0 the
	   "password" is read from stdin, not from the file. */
	if(!(len=read(fd,pw_buf,PW_LEN) > 0)){
		printf("read error\n");
		close(fd);
		return 0;		
	}

	char pw_buf2[PW_LEN+1];
	printf("input password : ");
	scanf("%10s", pw_buf2);	/* second line from stdin, at most 10 chars */

	// xor your input
	xor(pw_buf2, 10);

	/* passes when input ^ XORKEY equals pw_buf byte for byte */
	if(!strncmp(pw_buf, pw_buf2, PW_LEN)){
		printf("Password OK\n");
		system("/bin/cat flag\n");
	}
	else{
		printf("Wrong Password\n");
	}

	close(fd);
	return 0;
}

The vulnerability is operator precedence in the condition.

if(fd=open("/home/mistake/password",O_RDONLY,0400) < 0) is parsed as fd = (open(...) < 0), because < binds tighter than =. open() succeeds and returns a non-negative descriptor, so the comparison evaluates to 0, fd is assigned 0, and the value of the assignment expression is also 0: the error branch is never taken and the program carries on with fd == 0, which is stdin. The following read(fd, pw_buf, PW_LEN) therefore takes the "password" from our own input instead of from the file, and scanf then reads a second line from stdin. We control both sides of the comparison; the only requirement is that the second input, XORed byte-wise with XORKEY (1), equals the first. The read check has the same slip (len = (read(...) > 0) leaves len equal to 1 rather than the byte count), but that does not affect the exploit. The program also sleeps up to 19 seconds before prompting; just wait.

'A' is 01000001 and '@' is 01000000; they differ only in the lowest bit, so '@' ^ 1 == 'A'.
Enter AAAAAAAAAA as the first line and @@@@@@@@@@ as the second, and the check passes and the flag is printed. Any 10-byte pair works as long as each byte of the second line is the corresponding byte of the first line XOR 1 and the second line contains no whitespace, since scanf("%10s") stops at whitespace.
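The two points above (what the mis-parenthesised open() check actually computes, and how to derive a passing second line from any first line) as an added example; this is not the challenge's code. open_ret stands in for the value open() would return, so no file is opened, and the helper names are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PW_LEN 10
#define XORKEY 1

/* Added example, not the challenge's code. open_ret stands in for what
 * open() would return (a small non-negative descriptor on success, -1 on
 * failure); nothing is actually opened. Returns 1 if the error branch runs. */
int buggy_open_check(int open_ret, int *fd_out)
{
	int fd;
	/* As in the challenge: parsed as fd = (open_ret < 0). The extra pair of
	 * parentheses only silences the compiler warning and changes nothing. */
	if ((fd = open_ret < 0)) {
		*fd_out = fd;
		return 1;
	}
	*fd_out = fd;          /* 0 whenever open() succeeded */
	return 0;
}

/* What the author meant: assign the descriptor, then test it. */
int fixed_open_check(int open_ret, int *fd_out)
{
	int fd;
	if ((fd = open_ret) < 0) {
		*fd_out = fd;
		return 1;
	}
	*fd_out = fd;          /* the real descriptor */
	return 0;
}

/* Derive the second line to type from the first: the program XORs the
 * second input with XORKEY before comparing, so second = first ^ XORKEY.
 * Returns -1 if a derived byte is NUL or whitespace, which scanf("%10s")
 * would not read as part of the token. first must hold PW_LEN bytes. */
int derive_second_line(const char *first, char *second)
{
	for (int i = 0; i < PW_LEN; i++) {
		unsigned char c = (unsigned char)first[i] ^ XORKEY;
		if (c == '\0' || isspace(c))
			return -1;
		second[i] = (char)c;
	}
	second[PW_LEN] = '\0';
	return 0;
}

/* Re-implements the program's comparison on the two stdin lines:
 * read(0, pw_buf, 10) takes the first, scanf("%10s") the second. */
int would_pass(const char *first_line, const char *second_line)
{
	char pw_buf[PW_LEN + 1];
	char pw_buf2[PW_LEN + 1];
	strncpy(pw_buf, first_line, PW_LEN);
	pw_buf[PW_LEN] = '\0';
	strncpy(pw_buf2, second_line, PW_LEN);
	pw_buf2[PW_LEN] = '\0';
	for (int i = 0; i < PW_LEN; i++)
		pw_buf2[i] ^= XORKEY;
	return strncmp(pw_buf, pw_buf2, PW_LEN) == 0;
}

int main(void)
{
	int fd;
	char second[PW_LEN + 1];

	buggy_open_check(3, &fd);
	printf("buggy: open() returned 3, fd is now %d\n", fd);
	fixed_open_check(3, &fd);
	printf("fixed: open() returned 3, fd is now %d\n", fd);

	derive_second_line("AAAAAAAAAA", second);
	printf("first line AAAAAAAAAA, second line %s, passes: %d\n",
	       second, would_pass("AAAAAAAAAA", second));
	return 0;
}
```

With open() returning 3, the buggy check leaves fd at 0 and does not take the error branch, while the fixed check keeps fd == 3. derive_second_line turns AAAAAAAAAA into @@@@@@@@@@ and refuses a first line such as "!!!!!!!!!!", whose XOR would be all spaces and would not survive scanf.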

Source: https://blog.csdn.net/qq_33976344/article/details/122525931