exploit

Hacking and exploiting - How do you deal with any security holes you find?

こ雲淡風輕ζ submitted on 2019-12-20 08:28:36
Question: Today online security is a very important factor. Many businesses are completely based online, and there are tons of sensitive data available to check out only by using your web browser. Seeking knowledge to secure my own applications, I've found that I'm often testing others' applications for exploits and security holes, maybe just for curiosity. As my knowledge on this field has expanded by testing on own applications, reading zero day exploits and by reading the book The Web Application

Writing a return-to-libc attack, but libc is loaded at 0x00 in memory

时光毁灭记忆、已成空白 submitted on 2019-12-19 09:10:29
Question: I'm writing a return to libc attack for my systems security class. First, the vulnerable code:

    //vuln.c
    #include <stdio.h>
    #include <stdlib.h>

    int loadconfig(void){
        char buf[1024];
        sprintf(buf, "%s/.config", getenv("HOME"));
        return 0;
    }

    int main(int argc, char **argv){
        loadconfig();
        return 0;
    }

I want to use a return to libc attack. Compiling and debugging the program:

    $ gcc -g -fno-stack-protector -o vuln vuln.c
    $ gdb vuln
    (gdb) break loadconfig
    (gdb) run
    Reached breakpoint blah blah blah.

How does CVE-2014-7169 work? Breakdown of the test code

ε祈祈猫儿з submitted on 2019-12-18 12:22:54
Question: With a bash release which has been patched for shellshock

    $ bash --version
    GNU bash, version 3.2.52(1)-release (x86_64-apple-darwin12)
    Copyright (C) 2007 Free Software Foundation, Inc.
    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

another similar exploit still works and has been assigned CVE-2014-7169

    $ env X='() { (a)=>\' bash -c "echo date"; cat echo

access() Security Hole

旧时模样 submitted on 2019-12-18 08:58:12
Question: I've been doing some shell writing and came across a recommendation for access() to check whether a file exists, can be read, etc. Seems super easy to implement and faster than stat(). When I started looking at the man page for it, I noticed that it is NOT recommended for use because it can lead to a security hole. The man page says this: Using access() to check if a user is authorized to e.g. open a file before actually doing so using open(2) creates a security hole, because the user might

Does the ModelDriven interface pose a security exploit in struts2?

喜你入骨 submitted on 2019-12-18 07:09:24
Question: Background: I coded a struts2 ActionSupport class with ModelDriven. It's a hibernate/spring web app, using OSIV and attached entities in the view (JSP). I received this email today from the architect 'punishing' me for putting an object that had a reference to an attached entity on the struts2 valuestack via the ModelDriven<E> interface. Is he correct or what? Obviously, this is a serious thing I am doing but I am not following what he is saying, and I really don't feel like taking up his

PHP security exploit - list content of remote PHP file?

爱⌒轻易说出口 submitted on 2019-12-17 22:11:31
Question: I'm trying to exploit some web vulnerabilities in a sample website running inside a VM (it is not available on the web - only for educational purposes). I have a php file named setupreset.php which has the information about MySQL configs, setup and passwords used to setup the website. This is in the same directory as the rest of the php files (index, products, forum, etc...). This is the code of index.php, for reference:

    <?php
    include ("includes/header.php");
    // Grab inputs
    $page = $_GET[page

How to write a buffer-overflow exploit in GCC, Windows XP, x86?

自闭症网瘾萝莉.ら submitted on 2019-12-17 20:08:24
Question:

    void function(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
        int *ret;
        ret = buffer1 + 12;
        (*ret) += 8; //why is it 8??
    }

    void main() {
        int x;
        x = 0;
        function(1,2,3);
        x = 1;
        printf("%d\n",x);
    }

The above demo is from here: http://insecure.org/stf/smashstack.html

But it's not working here:

    D:\test>gcc -Wall -Wextra hw.cpp && a.exe
    hw.cpp: In function `void function(int, int, int)':
    hw.cpp:6: warning: unused variable 'buffer2'
    hw.cpp: At global scope:
    hw.cpp:4: warning: unused

Can parameterized statement stop all SQL injection?

六眼飞鱼酱① submitted on 2019-12-13 17:35:10
Question: If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements?

Answer 1: The links that I have posted in my comments to the question explain the problem very well. I've summarised my feelings on why the problem persists, below:

Those just starting out may have no awareness of SQL injection.
Some are aware of SQL injection, but think that escaping is the (only?) solution. If you do a quick Google search for php mysql query,

Write buffer overflow exploit — how to figure out the address of the shellcode?

眉间皱痕 submitted on 2019-12-12 16:10:40
Question: When writing a buffer overflow exploit, I understand that I'll need to input an array of length (address_of_return_address - address_of_buffer). And the array needs to be filled with the address of the shellcode, so that when my input array overflows, it overwrites the saved return address with the address of the shellcode. I think since the shellcode will be stored above the saved return address on the stack, its address should be address_of_return_address + the distance to the beginning of