此题用到的是整数溢出的漏洞,由于本人实力较弱,源码复现不出来,这里仅仅做个小记,等以后熟练掌握之后再来补充。下面我会用一段C语言代码来模拟该题目的整数溢出。
目录
main.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main()
{
int bill = 100;
int price = 2000, pay_ticket;
char buf[0x100];
puts("How much do you want to pay?");
fgets(buf, 0x100 - 1, stdin);
if (atoll(buf) >= price)
{
pay_ticket = atoll(buf);
if (pay_ticket <= bill && pay_ticket >= 0)
{
bill -= pay_ticket;
printf("You get the ticket, you have %d dollars left now.\n", bill);
}
else
{
puts("Sorry, you don't have enough money!");
}
}
else
{
puts("Sorry, the price you want to pay is too low!");
}
return 0;
}
分析
题目意思就是你没有那么多钱,但是又想买吃鸡门票,那你该如何取得门票呢。重点是整数溢出,当你输入4294967299(0x100000003)时,可以过price
的判断,再付钱的时候,由于发生了整数溢出,高1位被舍去,所以只需要付3块钱就行了。
运行实例
ex@Ex:~/test$ gcc main.c -o ticket
ex@Ex:~/test$ ./ticket
How much do you want to pay?
2000
Sorry, you don't have enough money!
ex@Ex:~/test$ ./ticket
How much do you want to pay?
4294967299
You get the ticket, you have 97 dollars left now.
ex@Ex:~/test$
总结
整数溢出的题目本人见到的并不多,以后还需要加强一下。
这里要感谢Sndav
、windforce17
师傅的指点。