  • Mid Station

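    Words That Fail to Convey the Meaning

    Posted on 2017-02-19

    Ever since I changed phones, the home page of its useless built-in browser has always come with some indiscriminate so-called news, some of which is truly baffling, such as this item: “A link to a pornographic website appears in a middle school Chinese language textbook”. Unlike many netizens, I did not rush to turn everything upside down digging for treasure while marveling that, as the saying goes, “in books one finds beauties as fair as jade”. Instead, I immediately thought of the subdomain takeover vulnerability (Subdomain Takeover) that has recently been blossoming all over bug bounty platforms.

    Let us first analyze this logically. I believe the uncles and aunties at the publishing house would never deliberately plant poisonous weeds in the textbooks of the motherland's flowers, so while the textbook was being compiled and proofread, the content behind the link was still a perfectly good collection of poetry. And from what everyone knows about the study habits of middle school students, the main text is mostly read only by forcing oneself to stay alert, while the long, inconsequential passages after the lesson go unread year after year. A shrewd webmaster would therefore not have thought of tampering with this either. So this switch was probably a fluke. Had it not been for that poetry-loving girl digging three feet into the ground, and her extremely well-connected mother coming to the rescue, who knows how long that lost link would have stayed immersed in the ocean of knowledge.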


    How to Read Source Code of Large Program

    Posted on 2017-02-11

    Mitmproxy as an example

    You should read the source code from a particular version rather than the latest one.

    Recently, I read an article, 如何以“正确的姿势”阅读开源软件代码 (“How to Read Open Source Software Code the ‘Right Way’”), about how to read and benefit from open source software. It suggests the following steps:

    • Clone the project to your machine.
    • Check the release list of this project (from GitHub).
    • Find a release version that you could fully understand, for example, 1.0 or prior.
    • Make sure you can understand the code of the last version.
    • Then pick the important release and read its code.
    • Finally you could go for the latest code.

    For a small project, like a handy script for pentesting, it is easy to figure out its structure and implementation details. But for a “Big Buddy” like Mitmproxy, I have to say that I’ve tried many times, but it usually messes up somewhere.


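    A First Attempt at a Hexo Theme

    Posted on 2017-01-25 | Category: Hack

    I once saw a classmate holding a copy of 《21天精通HTML+CSS》 (“Master HTML+CSS in 21 Days”) and wagging his head over it, and I thought to myself that getting started with these two things does not even take three days, so the author must spend the remaining eighteen days chatting about life. Even if you spent 21 days carefully typing out all the code in the book, you still could not comfortably write “Proficient in HTML” on your résumé, let alone me, whose total study time has not exceeded three days.

    H.T.M.L

    That being so, if my résumé shamelessly claimed that I am proficient in HTML, I would probably be seen, like good old Erlich, as giving myself away by protesting too much.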


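    Useless Learning

    Posted on 2017-01-24 | Category: Ramblings

    I am ashamed to say that since starting university there have been only two courses in which I could keep my mind from wandering, and even more ashamed that neither of them was a course in my major. One was College Physics, which strikes terror into most students; the other was Introduction to the Principles of Marxist Philosophy, which promising young people cannot avoid fast enough.
    At first I was probably frightened by the legendary, persistently high failure rate, and I knew my brain was getting less and less sharp, so if I did not take notes by hand I could end up having to retake the course at any moment; in the end it was still grades at work. Later on, though, I genuinely began to think about the questions raised in class. Yes, think. Having not mentioned that word for so long, it feels a little awkward.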


    Fatal Error

    Posted on 2016-08-26 | Category: Ramblings

    A major drawback of Ubuntu Linux is that upgrading to a new distribution could be an unexpectedly painful experience. As an old fan who first tried it out at version 9.04, I have been using Ubuntu for about 7 years, but it seems the crashes will never disappoint me when upgrading to a new distribution, surely including the accident that happened yesterday.

    I enjoy the UI of Ubuntu as well as many of its easy-to-use features, while the stability could vary among different distributions. Therefore, I carefully chose the 14.04 LTS (Long Term Support) distribution instead of the latest one when I got my new laptop one year ago. So when I heard that 16.04 LTS had been released several months ago, though the LTS version could be a guarantee of stability and performance, I really didn’t think it necessary for me to do that upgrade at that moment. Later one of my enthusiastic classmates told me that he installed the new version very soon, but unfortunately, it could not function well on his laptop due to some subtle incompatibility issues with drivers. So he had to turn back to 14.04 after a few time-wasting attempts. My pathetic classmate’s story discouraged me from the new distribution and also reminded me of the unsatisfying experience with this.

    However, my system has kept popping up the upgrade notification since the beginning of this month. In addition, I believed that 3 months was long enough for the team to bring out a really reliable distribution. So I persuaded myself, did some simple backup, forgot about the painful experience and clicked that evil upgrade button with great confidence. After lunch, I grabbed my laptop to find the heart-breaking yet expected result – a crash, or maybe worse, a fatal error. I rebooted the system and it failed to load the kernel during the booting process. It is no use crying over spilled milk; reinstalling the whole system seemed to be the only solution.

    This made me completely believe that the success rate of upgrading Ubuntu to a new distribution is so low that you should never try to do this without any backups. This accident interrupted my coding job on the computer, and the fatal error brought me some inspiration about my life.

    I have been avoiding errors in my life. Because of the influence of some seniors and ambitious peers, I started to care about things like cars and girls. The fear of failure and too much attention to unrealistic things stopped me from a real upgrade. Just like our dear operating system, the desire for new experience came along with the fear of errors, which also hampered my own improvement. It is the fatal error, as an unavoidable consequence, as well as a catalyst for an overall upgrade.
    Apart from the tedious part about recovering my applications and settings, I felt good with Ubuntu 16.04 LTS. An overall upgrade after a fatal error, that is what I call Evolution.


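    Three White Hats: “Come PWN Me, Will You?” Round 2

    Posted on 2016-07-13

    A Brief Discussion of Format String Vulnerabilities

    0x00 Preface

    I originally wanted to submit this article to the WooYun Knowledge Base, but the knowledge base had already accepted another, more detailed writeup, 三个白帽《来 PWN 我一下好吗 – 第二期》之pwn入门 (“Three White Hats ‘Come PWN Me, Will You? Round 2’: An Introduction to pwn”). After reading it carefully, I found that the two solutions it gives are indeed well worth learning from.
    So I am putting my own writeup here, simply to build up my notes.

    I have been working on PWN for a while, and this time I finally managed to beat a challenge on Three White Hats. Overall, this challenge is not very hard; it is a very obvious format string vulnerability. Since the knowledge base does not yet have an article dedicated to format string vulnerabilities, I am taking this opportunity to try to explain this class of vulnerability clearly by way of the challenge.
    The first few parts of the article are mainly an introduction to format string vulnerabilities, along with some detours I took; impatient readers can jump straight to 0x05 Try2 for the correct solution.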

    Matthew Shao
