mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
change titile
This commit is contained in:
parent
b5a3592be4
commit
058c9c5e70
@ -1,2 +1,2 @@
|
||||
# 提问的智慧
|
||||
# 1.2 提问的智慧
|
||||
https://github.com/ryanhanwu/How-To-Ask-Questions-The-Smart-Way
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Linux 基础
|
||||
# 1.3 Linux 基础
|
||||
|
||||
- [常用基础命令](#常用基础命令)
|
||||
- [根目录结构](#根目录结构)
|
||||
|
@ -1 +1 @@
|
||||
# Web 安全基础
|
||||
# 1.4 Web 安全基础
|
||||
|
@ -1,4 +1,4 @@
|
||||
# C 语言基础
|
||||
# 1.5.1 C 语言基础
|
||||
|
||||
- [从源代码到可执行文件](#从源代码到可执行文件)
|
||||
- [C 语言标准库](#c-语言标准库)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# x86/x64/ARM 汇编基础
|
||||
# 1.5.2 x86/x64/ARM 汇编基础
|
||||
|
||||
- [x86](#x86)
|
||||
- [x64](#x64)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Linux ELF
|
||||
# 1.5.3 Linux ELF
|
||||
|
||||
- [一个实例](#一个实例)
|
||||
- [elfdemo.o](#elfdemoo)
|
||||
|
@ -1 +1 @@
|
||||
# Windows PE
|
||||
# 1.5.4 Windows PE
|
||||
|
@ -1 +1 @@
|
||||
# 静态链接
|
||||
# 1.5.5 静态链接
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 动态链接
|
||||
# 1.5.6 动态链接
|
||||
|
||||
- [动态链接相关的环境变量](#动态链接相关的环境变量)
|
||||
|
||||
@ -17,7 +17,7 @@ void main() {
|
||||
scanf("%s", &str);
|
||||
if (!strcmp(passwd, str)) {
|
||||
printf("correct\n");
|
||||
return;
|
||||
return;
|
||||
}
|
||||
printf("invalid\n");
|
||||
}
|
||||
@ -33,7 +33,7 @@ int strcmp(const char *s1, const char *s2) {
|
||||
}
|
||||
$ gcc -shared -o hack.so hack.c
|
||||
$ gcc ldpreload.c
|
||||
$ ./a.out
|
||||
$ ./a.out
|
||||
asdf
|
||||
invalid
|
||||
$ LD_PRELOAD="./hack.so" ./a.out
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 内存管理
|
||||
# 1.5.7 内存管理
|
||||
|
||||
- [什么是内存](#什么是内存)
|
||||
- [栈与调用约定](#栈与调用约定)
|
||||
|
@ -1 +1 @@
|
||||
# glibc malloc
|
||||
# 1.5.8 glibc malloc
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 逆向工程基础
|
||||
# 1.5 逆向工程基础
|
||||
|
||||
- [1.5.1 C 语言基础](1.5.1_c_basic.md)
|
||||
- [1.5.2 x86/x64/ARM 汇编基础](1.5.2_x86&x64&ARM.md)
|
||||
|
@ -1 +1 @@
|
||||
# 密码学基础
|
||||
# 1.6 密码学基础
|
||||
|
@ -1 +1 @@
|
||||
# Android 安全基础
|
||||
# 1.7 Android 安全基础
|
||||
|
@ -1 +1 @@
|
||||
# binwalk
|
||||
# 2.10 binwalk
|
||||
|
@ -1 +1 @@
|
||||
# Burp Suite
|
||||
# 2.11 Burp Suite
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 虚拟机环境
|
||||
# 2.1 虚拟机环境
|
||||
|
||||
- [物理机 Manjaro 17.02](#物理机-manjaro-1702)
|
||||
- [创建一个安全的环境](#创建一个安全的环境)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 2.1 gdb 和 peda 调试器
|
||||
# 2.2 gdb 和 peda 调试器
|
||||
|
||||
- [gdb 的组成架构](#gdb-的组成架构)
|
||||
- [gdb 基本工作原理](#gdb-基本工作原理)
|
||||
|
@ -1 +1 @@
|
||||
# 2.2 OllyDbg 调试器
|
||||
# 2.3 OllyDbg 调试器
|
||||
|
@ -1 +1 @@
|
||||
# 2.3 WinDbg 调试器
|
||||
# 2.4 WinDbg 调试器
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 2.4 Radare2
|
||||
# 2.5 Radare2
|
||||
|
||||
- [简介](#简介)
|
||||
- [安装](#安装)
|
||||
@ -926,3 +926,5 @@ $ r2 -c=H [filename]
|
||||
## 更多资源
|
||||
- [The radare2 book](https://www.gitbook.com/book/radare/radare2book)
|
||||
- [Radare2 intro](https://github.com/radare/radare2/blob/master/doc/intro.md)
|
||||
- [A journey into Radare 2 – Part 1: Simple crackme](https://www.megabeets.net/a-journey-into-radare-2-part-1/)
|
||||
- [A journey into Radare 2 – Part 2: Exploitation](https://www.megabeets.net/a-journey-into-radare-2-part-2/)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 2.5 IDA Pro
|
||||
# 2.6 IDA Pro
|
||||
|
||||
- [常用插件](#常用插件)
|
||||
- [内存 dump 脚本](#内存-dump-脚本)
|
||||
|
@ -1,14 +1,17 @@
|
||||
# 2.6 Pwntools
|
||||
# 2.7 Pwntools
|
||||
|
||||
* [安装](#安装)
|
||||
* [使用pwntools](#使用pwntools)
|
||||
- [安装](#安装)
|
||||
- [模块简介](#模块简介)
|
||||
- [使用 Pwntools](#使用-pwntools)
|
||||
- [Pwntools 在 CTF 中的运用](#pwntools-在-ctf-中的运用)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
pwntools是一个CTF框架和漏洞利用开发库,用Python开发,由rapid设计,旨在让使用者简单快速的编写exp脚本。包含了本地执行、远程连接读写、shellcode生成、ROP链的构建、ELF解析、符号泄露众多强大功能。
|
||||
|
||||
Pwntools 是一个 CTF 框架和漏洞利用开发库,用 Python 开发,由 rapid 设计,旨在让使用者简单快速的编写 exp 脚本。包含了本地执行、远程连接读写、shellcode 生成、ROP 链的构建、ELF 解析、符号泄露众多强大功能。
|
||||
|
||||
## 安装
|
||||
|
||||
1. 安装binutils:
|
||||
|
||||
```shell
|
||||
git clone https://github.com/Gallopsled/pwntools-binutils
|
||||
sudo apt-get install software-properties-common
|
||||
@ -16,30 +19,198 @@ pwntools是一个CTF框架和漏洞利用开发库,用Python开发,由rapid
|
||||
sudo apt-get update
|
||||
sudo apt-get install binutils-arm-linux-gnu
|
||||
```
|
||||
|
||||
2. 安装capstone:
|
||||
|
||||
```shell
|
||||
git clone https://github.com/aquynh/capstone
|
||||
cd capstone
|
||||
make
|
||||
sudo make install
|
||||
```
|
||||
|
||||
3. 安装pwntools:
|
||||
|
||||
```shell
|
||||
sudo apt-get install libssl-dev
|
||||
sudo pip install pwntools
|
||||
```
|
||||
|
||||
测试安装是否成功:
|
||||
如果你在使用 Arch Linux,则可以通过 AUR 直接安装,这个包目前是由我维护的,如果有什么问题,欢迎与我交流:
|
||||
```
|
||||
$ yaourt -S python2-pwntools
|
||||
|
||||
或者
|
||||
|
||||
$ yaourt -S python2-pwntools-git
|
||||
```
|
||||
|
||||
测试安装是否成功:
|
||||
```python
|
||||
>>> import pwn
|
||||
>>> pwn.asm("xor eax,eax")
|
||||
>>> pwn.asm("xor eax,eax")
|
||||
'1\xc0'
|
||||
```
|
||||
|
||||
## 使用pwntools
|
||||
|
||||
## 模块简介
|
||||
Pwntools 分为两个模块,一个是 `pwn`,简单地使用 `from pwn import *` 即可将所有子模块和一些常用的系统库导入到当前命名空间中,是专门针对 CTF 比赛的;而另一个模块是 `pwnlib`,它更推荐你仅仅导入需要的子模块,常用于基于 pwntools 的开发。
|
||||
|
||||
下面是 pwnlib 的一些子模块(常用模块和函数加粗显示):
|
||||
- `adb`:安卓调试桥
|
||||
- `args`:命令行魔法参数
|
||||
- **`asm`**:汇编和反汇编,支持 i386/i686/amd64/thumb 等
|
||||
- `constants`:对不同架构和操作系统的常量的快速访问
|
||||
- `config`:配置文件
|
||||
- `context`:设置运行时变量
|
||||
- **`dynelf`**:用于远程函数泄露
|
||||
- `encoders`:对 shellcode 进行编码
|
||||
- **`elf`**:用于操作 ELF 可执行文件和库
|
||||
- `flag`:提交 flag 到服务器
|
||||
- **`fmtstr`**:格式化字符串利用工具
|
||||
- **`gdb`**:与 gdb 配合使用
|
||||
- `libcdb`:libc 数据库
|
||||
- `log`:日志记录
|
||||
- **`memleak`**:用于内存泄露
|
||||
- `rop`:ROP 利用模块,包括 rop 和 srop
|
||||
- `runner`:运行 shellcode
|
||||
- **`shellcraft`**:shellcode 生成器
|
||||
- `term`:终端处理
|
||||
- `timeout`:超时处理
|
||||
- **`tubes`**:能与 sockets, processes, ssh 等进行连接
|
||||
- `ui`:与用户交互
|
||||
- `useragents`:useragent 字符串数据库
|
||||
- **`util`**:一些实用小工具
|
||||
|
||||
|
||||
## 使用 Pwntools
|
||||
下面我们对常用模块和函数做详细的介绍。
|
||||
|
||||
#### tubes
|
||||
在一次漏洞利用中,首先当然要与二进制文件或者目标服务器进行交互,这就要用到 tubes 模块。
|
||||
|
||||
主要函数在 `pwnlib.tubes.tube` 中实现,子模块只实现某管道特殊的地方。四种管道和相对应的子模块如下:
|
||||
- `pwnlib.tubes.process`:进程
|
||||
- `>>> p = process('/bin/sh')`
|
||||
- `pwnlib.tubes.serialtube`:串口
|
||||
- `pwnlib.tubes.sock`:套接字
|
||||
- `>>> r = remote('127.0.0.1', 1080)`
|
||||
- `>>> l = listen(1080)`
|
||||
- `pwnlib.tubes.ssh`:SSH
|
||||
- `>>> s = ssh(host='example.com`, user='name', password='passwd')`
|
||||
|
||||
`pwnlib.tubes.tube` 中的主要函数:
|
||||
- `interactive()`:可同时读写管道,相当于回到 shell 模式进行交互,在取得 shell 之后调用
|
||||
- `recv(numb=1096, timeout=default)`:接收指定字节数的数据
|
||||
- `recvall()`:接收数据直到 EOF
|
||||
- `recvline(keepends=True)`:接收一行,可选择是否保留行尾的 `\n`
|
||||
- `recvrepeat(timeout=default)`:接收数据直到 EOF 或 timeout
|
||||
- `recvuntil(delims, timeout=default)`:接收数据直到 delims 出现
|
||||
- `send(data)`:发送数据
|
||||
- `sendline(data)`:发送一行,默认在行尾加 `\n`
|
||||
- `close()`:关闭管道
|
||||
|
||||
下面是一个例子,先使用 listen 开启一个本地的监听端口,然后使用 remote 开启一个套接字管道与之交互:
|
||||
```
|
||||
In [1]: from pwn import *
|
||||
|
||||
In [2]: l = listen()
|
||||
[x] Trying to bind to 0.0.0.0 on port 0
|
||||
[x] Trying to bind to 0.0.0.0 on port 0: Trying 0.0.0.0
|
||||
[+] Trying to bind to 0.0.0.0 on port 0: Done
|
||||
[x] Waiting for connections on 0.0.0.0:35117
|
||||
|
||||
In [3]: r = remote('localhost', l.lport)
|
||||
[x] Opening connection to localhost on port 35117
|
||||
[x] Opening connection to localhost on port 35117: Trying ::1
|
||||
[x] Opening connection to localhost on port 35117: Trying 127.0.0.1
|
||||
[+] Opening connection to localhost on port 35117: Done
|
||||
|
||||
[+] Waiting for connections on 0.0.0.0:35117: Got connection from 127.0.0.1 on port 36966
|
||||
In [4]: c = l.wait_for_connection()
|
||||
|
||||
In [5]: r.send('hello\n')
|
||||
|
||||
In [6]: c.recv()
|
||||
Out[6]: 'hello\n'
|
||||
|
||||
In [7]: r.send('hello\n')
|
||||
|
||||
In [8]: c.recvline()
|
||||
Out[8]: 'hello\n'
|
||||
|
||||
In [9]: r.sendline('hello')
|
||||
|
||||
In [10]: c.recv()
|
||||
Out[10]: 'hello\n'
|
||||
|
||||
In [11]: r.sendline('hello')
|
||||
|
||||
In [12]: c.recvline()
|
||||
Out[12]: 'hello\n'
|
||||
|
||||
In [13]: r.sendline('hello')
|
||||
|
||||
In [14]: c.recvline(keepends=False)
|
||||
Out[14]: 'hello'
|
||||
|
||||
In [15]: r.send('hello world')
|
||||
|
||||
In [16]: c.recvuntil('hello')
|
||||
Out[16]: 'hello'
|
||||
|
||||
In [17]: c.recv()
|
||||
Out[17]: ' world'
|
||||
|
||||
In [18]: c.close()
|
||||
[*] Closed connection to 127.0.0.1 port 36966
|
||||
|
||||
In [19]: r.close()
|
||||
[*] Closed connection to localhost port 35117
|
||||
```
|
||||
|
||||
下面是一个与进程交互的例子:
|
||||
```
|
||||
In [1]: p = process('/bin/sh')
|
||||
[x] Starting local process '/bin/sh'
|
||||
[+] Starting local process '/bin/sh': pid 32165
|
||||
|
||||
In [2]: p.sendline('sleep 3; echo hello world;')
|
||||
|
||||
In [3]: p.recvline(timeout=1)
|
||||
Out[3]: 'hello world\n'
|
||||
|
||||
In [4]: p.sendline('sleep 3; echo hello world;')
|
||||
|
||||
In [5]: p.recvline(timeout=1)
|
||||
Out[5]: ''
|
||||
|
||||
In [6]: p.recvline(timeout=5)
|
||||
Out[6]: 'hello world\n'
|
||||
|
||||
In [7]: p.interactive()
|
||||
[*] Switching to interactive mode
|
||||
whoami
|
||||
firmy
|
||||
^C[*] Interrupted
|
||||
|
||||
In [8]: p.close()
|
||||
[*] Stopped process '/bin/sh' (pid 32165)
|
||||
```
|
||||
|
||||
#### asm
|
||||
|
||||
#### dynelf
|
||||
|
||||
#### elf
|
||||
|
||||
#### fmtstr
|
||||
|
||||
#### gdb
|
||||
|
||||
#### memleak
|
||||
|
||||
#### shellcraft
|
||||
|
||||
#### util
|
||||
|
||||
## Pwntools 在 CTF 中的运用
|
||||
|
||||
## 参考资料
|
||||
- [docs.pwntools.com](https://docs.pwntools.com/en/stable/index.html)
|
||||
|
@ -1 +1 @@
|
||||
# Zio
|
||||
# 2.8 Zio
|
||||
|
@ -1 +1 @@
|
||||
# MetaSploit
|
||||
# 2.9 MetaSploit
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 格式化字符串漏洞
|
||||
# 3.3.1 格式化字符串漏洞
|
||||
|
||||
- [格式化输出函数和格式字符串](#格式化输出函数和格式字符串)
|
||||
- [格式化字符串漏洞基本原理](#格式化字符串漏洞基本原理)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 整数溢出
|
||||
# 3.3.2 整数溢出
|
||||
|
||||
- [什么是整数溢出](#什么是整数溢出)
|
||||
- [整数溢出](#整数溢出)
|
||||
|
@ -1 +1 @@
|
||||
# 栈溢出
|
||||
# 3.3.3 栈溢出
|
||||
|
@ -1 +1 @@
|
||||
# 堆溢出
|
||||
# 3.3.4 堆溢出
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Linux 命令行技巧
|
||||
# 4.2 Linux 命令行技巧
|
||||
|
||||
- [重定向输入字符](#重定向输入字符)
|
||||
- [从可执行文件中提取 shellcode](#从可执行文件中提取-shellcode)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# GCC 堆栈保护技术
|
||||
# 4.3 GCC 堆栈保护技术
|
||||
|
||||
- [技术简介](#技术简介)
|
||||
- [编译参数](#编译参数)
|
||||
@ -158,7 +158,7 @@ void main() {
|
||||
$ gcc -m32 -pie random.c -o open-pie
|
||||
$ readelf -h open-pie
|
||||
ELF Header:
|
||||
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
|
||||
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
|
||||
Class: ELF32
|
||||
Data: 2's complement, little endian
|
||||
Version: 1 (current)
|
||||
@ -180,7 +180,7 @@ ELF Header:
|
||||
$ gcc -m32 -no-pie random.c -o close-pie
|
||||
$ readelf -h close-pie
|
||||
ELF Header:
|
||||
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
|
||||
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
|
||||
Class: ELF32
|
||||
Data: 2's complement, little endian
|
||||
Version: 1 (current)
|
||||
|
@ -1 +1 @@
|
||||
# 使用 DynELF 泄露函数地址
|
||||
# 4.4 使用 DynELF 泄露函数地址
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Fuzz 测试
|
||||
# 5.1 Fuzz 测试
|
||||
|
||||
- [AFL](#afl)
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
# Pin 动态二进制插桩
|
||||
# 5.2 Pin 动态二进制插桩
|
||||
|
||||
- [插桩技术](#插桩技术)
|
||||
- [Pin 简介](#pin-简介)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# angr 二进制自动化分析
|
||||
# 5.3 angr 二进制自动化分析
|
||||
|
||||
angr是一个多架构的二进制分析平台,具备对二进制文件的动态符号执行能力和多种静态分析能力。
|
||||
|
||||
@ -43,7 +43,7 @@ sudo python setup.py install
|
||||
如果你在安装angr之后,进入python环境,在import之后有这样的报错:
|
||||
|
||||
```python
|
||||
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
|
||||
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
|
||||
[GCC 5.4.0 20160609] on linux2
|
||||
Type "help", "copyright", "credits" or "license" for more information.
|
||||
>>> import angr
|
||||
@ -60,13 +60,13 @@ Traceback (most recent call last):
|
||||
File "/usr/local/lib/python2.7/dist-packages/capstone/__init__.py", line 6, in <module>
|
||||
from . import arm, arm64, mips, ppc, sparc, systemz, x86, xcore
|
||||
ImportError: cannot import name arm
|
||||
>>>
|
||||
>>>
|
||||
```
|
||||
|
||||
在ipython环境中也许会有这样的报错:
|
||||
|
||||
```python
|
||||
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
|
||||
Python 2.7.12 (default, Nov 19 2016, 06:48:10)
|
||||
Type "copyright", "credits" or "license" for more information.
|
||||
|
||||
IPython 2.4.1 -- An enhanced Interactive Python.
|
||||
@ -83,7 +83,7 @@ ImportError Traceback (most recent call last)
|
||||
|
||||
/root/angr/angr/__init__.pyc in <module>()
|
||||
23 from .state_plugins.inspect import BP
|
||||
24
|
||||
24
|
||||
---> 25 from .project import *
|
||||
26 from .errors import *
|
||||
27 #from . import surveyors
|
||||
@ -104,7 +104,7 @@ ImportError Traceback (most recent call last)
|
||||
|
||||
/root/angr/angr/analyses/reassembler.py in <module>()
|
||||
7 from itertools import count
|
||||
8
|
||||
8
|
||||
----> 9 import capstone
|
||||
10 import cffi
|
||||
11 import cle
|
||||
@ -113,7 +113,7 @@ ImportError Traceback (most recent call last)
|
||||
4 if _python2:
|
||||
5 range = xrange
|
||||
----> 6 from . import arm, arm64, mips, ppc, sparc, systemz, x86, xcore
|
||||
7
|
||||
7
|
||||
8 __all__ = [
|
||||
|
||||
ImportError: cannot import name arm
|
||||
@ -161,4 +161,3 @@ def print_flag(state):
|
||||
|
||||
project.execute()
|
||||
```
|
||||
|
||||
|
@ -1 +1 @@
|
||||
# 反调试技术
|
||||
# 5.4 反调试技术
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 6.1.2 更多 Windows 工具
|
||||
# 6.2 更多 Windows 工具
|
||||
|
||||
- [010 Editor](#010-editor)
|
||||
- [DIE](#die)
|
||||
|
@ -1,4 +1,4 @@
|
||||
# 更多资源
|
||||
# 6.3 更多资源
|
||||
|
||||
- [课程](#课程)
|
||||
- [站点](#站点)
|
||||
@ -23,6 +23,7 @@
|
||||
- [Optimizing Compilers](http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15745-s14/www/index.html)
|
||||
- [Principles of Program Analysis](http://www.imm.dtu.dk/~hrni/PPA/ppasup2004.html)
|
||||
- [Static Program Analysis](https://cs.au.dk/~amoeller/spa/)
|
||||
- [CS 252r: Advanced Topics in Programming Languages](http://web-static-aws.seas.harvard.edu/courses/cs252/2011sp/)
|
||||
|
||||
|
||||
## 站点
|
||||
|
@ -1,2 +1,2 @@
|
||||
# Linux x86-64 系统调用表
|
||||
# 6.5 Linux x86-64 系统调用表
|
||||
http://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
|
||||
|
Loading…
Reference in New Issue
Block a user