5. How to find the right CGI and bypass freebuf: the a2 parameter is overflowed up to ret, but for execution to reach ret normally, freeCtrlName() has to be bypassed. FreeCtrlName processes all POST/GET request data. Although FreeCtrlName only frees the low four bytes of each pointer (unsigned int), it still disturbs the ret layout.

6. Solution: find a special CGI in which the free does not touch ret. This works because FreeCtrlName terminates its loop as soon as it encounters a stack pointer with (v1 + 8 * i) = 0.

We were fortunate to discover a CGI handler that: (1) processes the query string without authentication, and (2) sets the value of a specific local variable to zero after the query string overflow occurs. This local variable resides at a stack address lower than the return address but higher than the query string buffer's start. This effectively places a zero on the stack and breaks the deallocation chain in "FreeCtrName()", and preserves the overwritten return address.

Q: Which CGI is it?

A: The approach is as follows:

(1) First enumerate all CGI call functions: run string soho to extract every CGI interface from the binary.
Addendum: it was later found that in IDA, locating the string and then looking up cross-references to its address (Alt+T) leads directly to a table that maps each CGI name to its cgi handler function.

(2) Filter out the CGI functions that do not require authorization: check the status codes with Burp.