<!DOCTYPE html><html class="appearance-auto" lang="en"><head><meta charset="UTF-8"><title>Q1IQ's blog</title><meta name="description" content="Being Honest With Yourself"><meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0, user-scalable=no, initial-scale=1"><!-- Google Analytics --><!-- End Google Analytics -->
<!-- Baidu Analytics --><!-- End Baidu Analytics --><link rel="icon" href="/images/favicon.png"><link rel="stylesheet" href="/style/common/bulma.css"><link rel="stylesheet" href="/style/base.css"><link rel="stylesheet" href="/style/common/helper.css"><script src="/js/common.js"></script><link rel="stylesheet" href="/style/widget-post-list.css"><!-- hexo injector head_end start -->
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/katex.min.css">
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/[email protected]/dist/style.css">
<!-- hexo injector head_end end --><meta name="generator" content="Hexo 5.4.2"><link rel="alternate" href="/atom.xml" title="Q1IQ's blog" type="application/atom+xml">
</head><body class="is-flex is-flex-direction-column"><header class="header-widget is-flex-shrink-0 is-hidden-mobile"><div class="container is-fullhd is-flex is-justify-content-space-between is-align-items-center is-full-height"><section class="is-hidden-mobile is-flex-shrink-0"><h2><a href="/">Q1IQ's blog</a></h2></section><h3 class="is-hidden-mobile is-family-serif is-full-height is-flex is-align-items-center is-flex-shrink-0"></h3><aside class="is-flex-shrink-0"><h3 class="is-inline-block"><a href="/">Home</a></h3><h3 class="is-inline-block"><a href="/about">About</a></h3><h3 class="is-inline-block"><a href="/archives">Archives</a></h3></aside></div></header><header class="is-flex header-widget is-flex-shrink-0 is-align-items-center is-justify-content-center is-hidden-tablet"><h3 class="is-inline-block"><a href="/">Home</a></h3><h3 class="is-inline-block"><a href="/about">About</a></h3><h3 class="is-inline-block"><a href="/archives">Archives</a></h3></header><main><article class="post-container is-flex is-justify-content-center section container is-max-widescreen pt-4 px-2"><div class="columns is-variable is-1-tablet is-3-desktop-only is-2-widescreen is-full-width"><section class="column"><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/cover-nagayama-koharu.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/llvm-pass/"><img class="post-cover-img js-img-fadeIn" src="/images/cover-nagayama-koharu.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/llvm-pass/">PKU GeekGame obfuscator whatapass: challenge design notes and writeup</a></h2><time class="has-text-grey" datetime="2022-11-27T03:22:33.000Z">2022-11-27</time><p class="is-flex-grow-2 mt-2">
I wrote a challenge named 混淆器whatapass (obfuscator whatapass) for this year's Peking University Information Security Comprehensive Competition (PKU GeekGame); the challenge is delivered as an LLVM Pass.
LLVM Passes were originally meant for transforming and optimizing LLVM IR; because they can process IR, they can also be used for instrumentation, obfuscation and the like. Pass-based binary challenges have become more and more common in CTFs over the last two years, and example problems and tutorials online keep multiplying. Two years ago such challenges were still final-round material, but by now they have become, in a sense, routine, which is why I chose a Pass as the vehicle for this challenge: for newcomers there are tutorials online for both the Pass technique itself and Pass-style challenges to refer to and learn from.
Most Pass-based challenges are implemented like this: override runOnFunction and process functions in the IR that have particular names; these functions have vulnerabilities planted in advance, such as backdoors, arbitrary address read/write, out-of-bounds array read/write, integer overflow and so on.
Most..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/llvm-pass/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/wp6406604-splatoon.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/Defcon2022-pwn-wp/"><img class="post-cover-img js-img-fadeIn" src="/images/wp6406604-splatoon.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/Defcon2022-pwn-wp/">DEFCON-Qualifier-2022 smuggler's cove/constricted writeup</a></h2><time class="has-text-grey" datetime="2022-06-01T17:02:03.000Z">2022-06-02</time><p class="is-flex-grow-2 mt-2">
This post reproduces two Pwn challenges from the DEFCON qualifier, smuggler's cove and constricted. They are somewhat harder than past domestic competitions, but I also learned a lot of new things along the way. Below is the analysis of the two challenges.
The article was first published on the Xianzhi community: https://xz.aliyun.com/t/11445
Exploit scripts: https://github.com/Q1IQ/ctf/tree/master/defcon-qualifier-2022
</p><a class="button is-default mt-2 has-text-weight-semibold" href="/Defcon2022-pwn-wp/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/aniya.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/v8-exploit/"><img class="post-cover-img js-img-fadeIn" src="/images/aniya.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/v8-exploit/">v8 study notes</a></h2><time class="has-text-grey" datetime="2022-04-29T05:59:34.000Z">2022-04-29</time><p class="is-flex-grow-2 mt-2">
Basics: v8 is the JavaScript engine of the Chrome browser and a well-known JIT (Just In Time) engine. It plays a critical role in the Chromium project. As a JIT engine, its workflow is shown in the figure below:
The Parser is the entry point for JS source code; it accepts JavaScript source files as input.
The Interpreter generates bytecode from the JavaScript AST and can also generate machine code directly from the bytecode. In V8 this component is called Ignition.
JIT Compiler: TurboFan is the optimizer in V8; its job is to optimize bytecode into fixed machine code. During optimization, V8 introduces intermediate code in SSA (static single assignment) form to simplify the compiler's optimization algorithms, and produces safe JIT code through a number of optimization passes (PASS)...</p><a class="button is-default mt-2 has-text-weight-semibold" href="/v8-exploit/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/nasa-whDrFMucHkc-unsplash.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/Linux-eBPF-exploit/"><img class="post-cover-img js-img-fadeIn" src="/images/nasa-whDrFMucHkc-unsplash.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/CVE"><i class="tag post-item-tag">CVE</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/Linux-eBPF-exploit/">Linux eBPF module exploitation study notes</a></h2><time class="has-text-grey" datetime="2022-03-01T02:22:15.000Z">2022-03-01</time><p class="is-flex-grow-2 mt-2">
Technical analysis. eBPF overview: user space and kernel space in Linux are isolated; to have the kernel run user code you would normally write a kernel module, and of course only root can load kernel modules. BPF is like a fast lane the kernel opens for users: BPF (Berkeley Packet Filter) provides a bridge for moving code and data between user space and the kernel. Users can deliver code to the kernel as eBPF instruction bytecode and trigger the kernel to execute it through events (such as writing data to a socket); at the same time, data is shared with the kernel through maps (key, value): user space writes to a map and the kernel reads from it, and vice versa.
BPF has gone through two stages, cBPF (classic BPF) and eBPF (extended BPF, Linux kernel 3.15 and later). cBPF has left the stage, so BPF below means eBPF unless stated otherwise.
eBPF..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/Linux-eBPF-exploit/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/nasa-WKT3TE5AQu0-unsplash.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/awd-pwn-checker/"><img class="post-cover-img js-img-fadeIn" src="/images/nasa-WKT3TE5AQu0-unsplash.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/AWD"><i class="tag post-item-tag">AWD</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/awd-pwn-checker/">Notes on writing an AWD pwn checker</a></h2><time class="has-text-grey" datetime="2021-03-22T14:34:14.000Z">2021-03-22</time><p class="is-flex-grow-2 mt-2">
Recently I have been writing checkers for AWD pwn challenges. I wrote a script that tests whether every function of a pwn challenge still works, and got feedback that it needed improvement:
The pwntools library may not be used
Players must not be able to simply nop out free, otherwise the player experience suffers
The project code is open source: https://github.com/Q1IQ/AWD-PWN-Checker
For a weak pwn player like me, banning pwntools is like losing an arm; nothing works anymore. But a checker only needs network communication, so I found a substitute: zio.
from zio import *
is_local = True
if is_local:
io = zio(&#39;./buggy-server&#39;) # used for local pwni..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/awd-pwn-checker/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/jonatan-pie-3l3RwQdHRHg-unsplash.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/Linux-bluetooth/"><img class="post-cover-img js-img-fadeIn" src="/images/jonatan-pie-3l3RwQdHRHg-unsplash.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/CVE"><i class="tag post-item-tag">CVE</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/Linux-bluetooth/">Linux Bluetooth vulnerability study notes</a></h2><time class="has-text-grey" datetime="2021-03-19T17:02:03.000Z">2021-03-20</time><p class="is-flex-grow-2 mt-2">
A quick analysis of a Bluetooth CVE, standing on the shoulders of giants.
Vulnerability analysis. BleedingTooth: in 2020 Google security researchers found several Bluetooth security vulnerabilities in the Linux kernel, collectively called BleedingTooth. An attacker can use the BleedingTooth vulnerabilities to mount a zero-click attack requiring no user interaction. They include CVE-2020-12351, CVE-2020-12352 and CVE-2020-24490.
CVE-2020-12351 is in net/bluetooth/l2cap_core.c, a heap-based type confusion vulnerability. In the l2cap_data_channel function, when the CID in use is L2CAP_CID_A2MP and no channel has been established yet, a2mp_channel_create()..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/Linux-bluetooth/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/breno-machado-in9-n0JwgZ0-unsplash.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/awd-pwn/"><img class="post-cover-img js-img-fadeIn" src="/images/breno-machado-in9-n0JwgZ0-unsplash.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/AWD"><i class="tag post-item-tag">AWD</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/awd-pwn/">Summary of AWD pwn tricks</a></h2><time class="has-text-grey" datetime="2021-01-19T17:02:03.000Z">2021-01-20</time><p class="is-flex-grow-2 mt-2">
Last year I took part in quite a few on-site competitions; here is a summary of small tricks for playing AWD on the pwn side, as a memo.
Patching. The first step after getting the challenge is to back it up, then read the challenge and look for vulnerabilities; once a vulnerability is found, the first step is to patch it, and only then write the exploit.
There are generally two ways to patch. One is to hand the patched binary to the organizers, who replace the file for you; the number of patched bytes is limited, so you cannot make sweeping changes or deploy a generic defense, as in the national competition and the Qiangwang Cup on-site round. The other is to scp the file over yourself, as in the Huxiang Cup and the Shanghai university competition; as I recall, last year's Huxiang Cup allowed sweeping changes, while the Shanghai competition inspects players' servers and warns you if you change too much.
There are many patching methods; for small changes I edit directly in IDA, for large ones I use LIEF. Run the binary after patching to check it, otherwise the service goes straight down after deployment and you lose more than you gain.
IDA. For IDA patching methods see my post https://q1iq.top/IDA-..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/awd-pwn/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/images/ashim-d-silva-WeYamle9fDM-unsplash.jpg" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/qemu-escape/"><img class="post-cover-img js-img-fadeIn" src="/images/ashim-d-silva-WeYamle9fDM-unsplash.jpg" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/qemu-escape/">QEMU escape study notes</a></h2><time class="has-text-grey" datetime="2020-08-25T16:16:48.000Z">2020-08-26</time><p class="is-flex-grow-2 mt-2">
A study note; most of the basics are excerpted, with a bit of my own understanding added.
PCI device address space. Every PCI device has a configuration space (PCI Configuration Space) that records detailed information about the device. It is 256 bytes, of which the first 64 bytes (the header) are specified by the PCI standard; not every field has to be filled, but the positions are fixed, and unused fields can be filled with 0. The format of the first 16 bytes is fixed and includes the header type, device class, device properties, manufacturer and so on. The format is as follows:
The key part is its 6 BARs (Base Address Registers), 4 bytes each, 24 bytes in total. A BAR records the type of address space the device needs, its base address and other attributes. The BAR format is as follows:
A device can request two kinds of address space, memory space and I/O space, distinguished by the last bit of the BAR.
When the last bit of the BAR is 0, it indicates a mapped me..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/qemu-escape/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/image-20200909135544961.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/GeekPwn-2020-wp/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/image-20200909135544961.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/GeekPwn-2020-wp/">GeekPwn 2020 warm-up writeup</a></h2><time class="has-text-grey" datetime="2020-07-13T02:22:15.000Z">2020-07-13</time><p class="is-flex-grow-2 mt-2">playthenew. I had long heard of the Tcache Stashing Unlink Attack but never learned it; today I will study it with this challenge.
[Changes in heap management in Glibc][https://www.freebuf.com/articles/system/234219.html]
Vulnerability principle. [Tcache Stashing Unlink Attack principle][https://blog.csdn.net/seaaseesa/article/details/105870247]
The Tcache Stashing Unlink Attack exploits an allocation property of calloc: calloc does not take chunks from the tcache bin but walks the fastbin, small bin and large bin; if the tcache bin for the corresponding size is not empty,..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/GeekPwn-2020-wp/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="/img/image-20220512025701778.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/D-Link-CVE-2019-7298/"><img class="post-cover-img js-img-fadeIn" src="/img/image-20220512025701778.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/CVE"><i class="tag post-item-tag">CVE</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/D-Link-CVE-2019-7298/">D-Link CVE-2019-7298 study notes</a></h2><time class="has-text-grey" datetime="2020-06-29T02:22:15.000Z">2020-06-29</time><p class="is-flex-grow-2 mt-2">Vulnerability analysis. Extract the firmware with binwalk.
The file system is squashfs.
After the kernel boots it starts the init process, which uses the file /etc/inittab to start the appropriate processes or perform the appropriate actions for each run level. sysinit stands for system initialization; the process that follows it runs only when the system boots or reboots.
::sysinit:/etc/init.d/rcS
rcS first runs a series of mkdir and setup commands, then runs goahead.
GoAhead is an open-source web server that is highly customizable. Through GoAhead's APIs you can define URL handler functions and functions callable from ASP files; see the official code samples and tutorials online for details.
GoAhead's websUrlHandlerDefine function allows users..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/D-Link-CVE-2019-7298/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/image-20200614205046176.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/DefenitCTF-wp/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/image-20200614205046176.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/DefenitCTF-wp/">DefenitCTF 2020 wp</a></h2><time class="has-text-grey" datetime="2020-06-25T02:22:15.000Z">2020-06-25</time><p class="is-flex-grow-2 mt-2">PWN. errorProgram. Vulnerability analysis: the challenge's heap operations are MALLOC, FREE, EDIT and VIEW. MALLOC can only allocate chunks of size [0x777, 0x77777], so only the large bin can be manipulated; FREE and EDIT both allow arbitrary UAF, and VIEW has no restrictions.
The challenge has a fake stack overflow: the program checks for overflow and calls exit when it happens.
It also has a fake format string vulnerability, since the input string may not contain % or $.
Exploitation. This challenge can be solved with house of husk, the technique hatena published this April, which gets a shell from a large bin UAF.
https://ptr-yudai.hatenablog.com/entry/2020/04/02/111507
Here is the study note written by a senior of mine: https://www.anquanke...</p><a class="button is-default mt-2 has-text-weight-semibold" href="/DefenitCTF-wp/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/image-20200601105534328.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/RCTF-wp/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/image-20200601105534328.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/RCTF-wp/">RCTF 2020 wp</a></h2><time class="has-text-grey" datetime="2020-06-02T02:22:15.000Z">2020-06-02</time><p class="is-flex-grow-2 mt-2">bf1. Program analysis: the challenge is a brainfuck interpreter, and the provided libc is 2.27. brainfuck is a simple, Turing-complete programming language that can be implemented with a minimal compiler. The language consists of eight operators; besides the instructions it also has a byte array initialized to zero, a pointer into that array (initially pointing at its first byte), and two byte streams for input and output.
Character: Meaning
&gt; : increment the pointer
&lt; : decrement the pointer
+ : increment the byte at the pointer
- : decrement the byte at the pointer
. : output the byte at the pointer (as ASCII)
, : read input into the byte at the pointer (as ASCII)
[ : if the byte at the pointer is zero, jump forward to the instruction after the matching ]
] : if the byte at the pointer is nonzero, jump back to the instruction after the matching [
The challenge logic is..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/RCTF-wp/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20211207230537.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/Linux-kernel/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20211207230537.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/Linux-kernel/">Linux kernel study notes</a></h2><time class="has-text-grey" datetime="2020-04-05T11:31:04.000Z">2020-04-05</time><p class="is-flex-grow-2 mt-2">This post is a few notes and a summary on kernel debugging.
Kernel protections. MMAP_MIN_ADDR: disallows mapping the NULL address, mmap(0,....)
kptr_restrict: controls viewing kernel function addresses
The addresses of commit_creds and prepare_kernel_cred can both be looked up in /proc/kallsyms (/proc/ksyms on older kernel versions).
Normally, reading /proc/kallsyms requires root privileges.
head -n 10 /proc/kallsyms
grep commit_creds /proc/kallsyms
grep prepare_kernel_cred /proc/kallsyms
echo 0 &gt; /proc/sys/kernel/k..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/Linux-kernel/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20200318020601.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/rr/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20200318020601.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/TOOL"><i class="tag post-item-tag">TOOL</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/rr/">Debugging tool rr</a></h2><time class="has-text-grey" datetime="2020-02-29T16:16:48.000Z">2020-03-01</time><p class="is-flex-grow-2 mt-2">Picked up a new tool, rr; roughly speaking it adds a rewind feature to gdb. Surprisingly a web search turned up no Chinese material, so I am writing this down. GitHub: https://github.com/mozilla/rr
The installation below is based on Ubuntu 16.04; for other environments see the official documentation.
Installation. Install the dependencies:
sudo apt-get install ccache cmake make g++-multilib gdb \
pkg-config coreutils python3-pexpect manpages-dev git \
ninja-build capnproto libcapnp-dev
Download and build rr:
git clone https://github.com/mozilla/rr.git
mkdir obj &amp;&amp..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/rr/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20190817171647.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/IOFILE/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20190817171647.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/IOFILE/">Summary of IOFILE challenges</a></h2><time class="has-text-grey" datetime="2020-02-19T03:58:15.000Z">2020-02-19</time><p class="is-flex-grow-2 mt-2">Source-level debugging. To download the source you first need to uncomment the deb-src lines in sources.list and update:
sudo apt-get update
sudo apt-get upgrade
Download the source:
sudo apt-get source libc6-dev
It reports the following error, but it does not affect use, so ignore it for now.
W: Can&#39;t drop privileges for downloading as file &#39;glibc_2.23-0ubuntu11.dsc&#39; couldn&#39;t be accessed by user &#39;_apt&#39;. - pkgAcquire::Run (13: Permission denied)
Run in gdb:
directory ~/glibc/glibc-2...</p><a class="button is-default mt-2 has-text-weight-semibold" href="/IOFILE/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20200203015656.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/vmPwn/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20200203015656.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/vmPwn/">Summary of VM pwn challenges</a></h2><time class="has-text-grey" datetime="2020-01-29T05:59:34.000Z">2020-01-29</time><p class="is-flex-grow-2 mt-2">ez_op. Challenge analysis: first find the main function from the entry point; the entry point is usually the start function in IDA's Exports window.
The logic of the main function above is:
Use the mallocinfo function to allocate space for the operands and for the opcodes.
Read the opcodes into buf and convert them to integers stored in opcode; likewise the operands are stored in oprand.
Enter the big loop function, loop, which is the challenge's virtual machine; explained in detail later.
Use the freeinfo function to release the allocated space.
The loop function is the virtual machine; its main logic is a big loop, each iteration performing the function of one opcode. How do you know what each opcode does? For me the only way is slow reversing plus guessing. This challenge's operations are save, load, push, pop and add/subtract/multiply/divide; the reversed result looks like this:
The vulnerability is that neither load nor save checks for out-of-bounds..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/vmPwn/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20200126204738.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/anxun-MIPS-wp/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20200126204738.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/anxun-MIPS-wp/">Anxun Cup MIPS writeup</a></h2><time class="has-text-grey" datetime="2020-01-17T09:33:44.000Z">2020-01-17</time><p class="is-flex-grow-2 mt-2">Challenge. Challenge link: https://github.com/Q1IQ/ctf/blob/master/mips/pwn2
The challenge is named mips, so it must be the MIPS architecture.
$ file pwn2
pwn2: ELF 32-bit LSB executable, MIPS, MIPS32 version 1 (SYSV), dynamically linked, interpreter /lib/ld-, not stripped
Running the program directly shows the following.
So the first step is setting up the environment, with these goals:
Be able to run the challenge program
Be able to interact with the challenge program from a Python script
Be able to debug the challenge program
mips
MIPS assembly basics: https://ray-cp.github.io/archivers/MIPS_Debug_Envir..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/anxun-MIPS-wp/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20191110235209.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/huxiang-wp/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20191110235209.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/huxiang-wp/">Huxiang Cup writeup</a></h2><time class="has-text-grey" datetime="2019-11-10T15:15:36.000Z">2019-11-10</time><p class="is-flex-grow-2 mt-2">12 hours, two pwn challenges. No comment on the competition itself; just quietly solving.
HackNote. The challenge has add, delete and edit.
No protections enabled at all; suspicious.
edit counts size one extra time for no reason, which is very suspicious; you can build an off-by-several.
Another difficulty is that the binary is statically linked, so it is unclear where to write the shellcode. I first tried a few static locations, but by the time I wanted to call it the contents had changed. In the end I just used a spot of size 40 that I found in front of the IOFILE.
from pwn import *
context.log_level = &#39;debug&#39;
context(arch = &#39;amd64&#39;, os = &#39;linux&#39;)
shellcode=asm(shellcraft.sh())
debug=1
if d..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/huxiang-wp/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9xaWlxLTEyNTg4ODc2MjUuY29zLmFwLWNoZW5nZHUubXlxY2xvdWQuY29tLzIwMTkwODE1MTYxMzUxLnBuZw?x-oss-process=image/format,png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/how2heap/"><img class="post-cover-img js-img-fadeIn" src="https://imgconvert.csdnimg.cn/aHR0cHM6Ly9xaWlxLTEyNTg4ODc2MjUuY29zLmFwLWNoZW5nZHUubXlxY2xvdWQuY29tLzIwMTkwODE1MTYxMzUxLnBuZw?x-oss-process=image/format,png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/how2heap/">how2heap study summary</a></h2><time class="has-text-grey" datetime="2019-10-29T07:16:48.000Z">2019-10-29</time><p class="is-flex-grow-2 mt-2">This post is a few of my own notes, not specially organized.
Building. I spent ages looking for how to build it, then suddenly noticed there was a Makefile in the folder and a single make built everything; I feel like a fool.
first_fit. char* a = malloc(512); after alignment the chunk size is 0x210
After free(a); chunk a is placed in the unsorted bin
Execute c = malloc(500); (500+8) rounded up to 16-byte alignment gives chunk size 0x200. The small bins are empty at this point, so the search goes to the unsorted bins and finds chunk a of size 0x210. Splitting a 0x210 chunk would leave a remainder of 0x10, less than MINSIZE (0x20), so it is handed out whole without splitting.
Then I tested it myself:
c = malloc(512-0x20+8)..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/how2heap/">Read more</a></section></article><article class="post-item-card"><header class="is-relative is-flex"><div class="post-cover-backdrop is-hidden"><img src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20191030004923.png" alt="loading.."></div><a class="post-cover-link has-text-centered skeleton" href="/dfjk-ichunqiu-wp/"><img class="post-cover-img js-img-fadeIn" src="https://qiiq-1258887625.cos.ap-chengdu.myqcloud.com/20191030004923.png" alt="loading.." data-backdrop="true"></a></header><section class="content post-card-content p-4 pb-5"><header><a href="/tags/PWN"><i class="tag post-item-tag">PWN</i></a></header><h2 class="mt-4 mb-0 is-family-serif"><a href="/dfjk-ichunqiu-wp/">Dianfeng Jike (ichunqiu) writeup</a></h2><time class="has-text-grey" datetime="2019-10-28T14:17:22.000Z">2019-10-28</time><p class="is-flex-grow-2 mt-2">Notes on two pwn challenges from Dianfeng Jike; I solved only the first during the competition and reproduced the second afterwards. It is well worth studying and very helpful for understanding IOFILE.
Pwn. Challenge analysis: all protections enabled; at first glance add, delete, show and change are all there.
But on closer inspection, change reads the contents of stream into the chunk,
and stream is the fd obtained from fopen(&quot;/dev/urandom&quot;, &quot;r&quot;);
delete has a UAF
add requires the chunk count &lt;=0xF, size &gt;0x7F, and the chunk address must be within [heapbase, heapbase+0x600]
show: nothing special
Exploitation
Leak libc and the heap base
Build an overlap to change the size of top, use house_of_force to allocate a chunk at the heap base address, and modify the contents of stream
Modify st..</p><a class="button is-default mt-2 has-text-weight-semibold" href="/dfjk-ichunqiu-wp/">Read more</a></section></article><section class="paginator is-flex is-justify-content-flex-end is-flex-wrap-wrap mt-5"><span class="page-number current">1</span><a class="page-number" href="/page/2/">2</a><a class="extend next" rel="next" href="/page/2/"><i class="iconfont icon-next has-text-grey"></i></a></section></section><aside class="column is-hidden-mobile is-4-tablet is-3-widescreen"><style>.search-widget .search-input {
border: none;
outline: none;
background: transparent;
color: var(--second-text-color);
}
.search-widget .search-content {
position: absolute;
left: 0;
top: calc(100% - 3px);
z-index: 2;
width: 100%;
height: 0;
max-height: 550px;
overflow: auto;
box-sizing: border-box;
background: var(--top-bar-bg-color);
backdrop-filter: blur(var(--backdropFilter));
-webkit-backdrop-filter: blur(var(--backdropFilter));
border-bottom-left-radius: var(--borderRadius);
border-bottom-right-radius: var(--borderRadius);
box-shadow: 0 12px 15px rgba(0, 0, 0, 0.08);
}
.search-widget .search-content a:hover h5 {
color: #3273dc!important;
}
</style><main class="aside-card-container search-widget is-relative"><label for="searchInput"><div class="is-flex px-4" id="searchButton"><i class="iconfont icon--search1 mr-1"></i><input class="search-input is-flex-grow-1" id="searchInput" placeholder="Search everything.."></div></label><section class="search-content content" id="searchContent"></section></main><script>var searchDatabase = []
var searchInputEl = document.getElementById('searchInput')
var searchButtonEl = document.getElementById('searchButton')
var searchResultEl = document.getElementById('searchContent')
searchInputEl.oninput = function (evt) {
  // evt.target is the standard property; srcElement is a legacy alias
  var searchValue = evt.target.value
  var haveSearchValue = Boolean(searchValue.trim())
  if (!haveSearchValue) {
    // collapse the result panel when the box is emptied
    searchResultEl.style.height = 0
    searchResultEl.innerHTML = ''
    return
  }
  var searchResults = searching(searchValue)
  if (searchResults.length > 0) {
    renderSearchResults(searchResults)
  }
}

// Results are built with DOM APIs and innerText, so text taken from search.xml
// is never parsed as HTML; only the href is copied from the index as-is.
function renderSearchResults(results) {
  searchResultEl.innerHTML = ''
  var fragment = document.createDocumentFragment()
  results.forEach(function (item) {
    var link = document.createElement('a')
    var title = document.createElement('h5')
    var content = document.createElement('p')
    title.className = 'mb-1'
    title.innerText = item.title
    content.innerText = item.content
    link.href = item.link
    link.appendChild(title)
    link.appendChild(content)
    link.className = 'p-4 is-block'
    fragment.appendChild(link)
  })
  searchResultEl.appendChild(fragment)
  searchResultEl.style.height = 'auto'
}

// Case-insensitive match of each space-separated keyword against the title
// and the tag-stripped body of every <entry> in the loaded search index.
function searching(inputText) {
  var inputTexts = inputText.split(' ')
  var searchResults = []
  var seenLinks = {} // de-duplicate entries that match more than one keyword
  inputTexts.forEach(function (searchKey) {
    var haveSearchValue = Boolean(searchKey.trim())
    if (!haveSearchValue) return
    var key = searchKey.toLowerCase()
    for (var entry of searchDatabase) {
      var title = entry.getElementsByTagName('title')[0].textContent
      var link = entry.getElementsByTagName('link')[0].getAttribute('href')
      if (seenLinks[link]) continue
      var contentWithTags = entry.getElementsByTagName('content')[0].textContent
      // the index stores rendered HTML; strip the tags so the snippet is plain text
      var rawContent = contentWithTags.trim().replace(/<[^>]+>/g, '').toLowerCase()
      var LENGTH = 80
      var finalContent = ''
      var contentLength = rawContent.length
      var searchResultIdx = rawContent.indexOf(key)
      // show a window of text starting 20 characters before the first hit
      var startIdx = searchResultIdx - 20,
        endIdx = startIdx + LENGTH
      if (startIdx < 0) {
        startIdx = 0
        endIdx = 100
      }
      endIdx > contentLength && (endIdx = contentLength)
      finalContent = rawContent.substring(startIdx, endIdx)
      // the key is lower-cased, so the title must be compared in lower case as well
      if (title.toLowerCase().indexOf(key) > -1 || searchResultIdx > -1) {
        seenLinks[link] = true
        searchResults.push({
          link: link,
          title: title,
          content: finalContent
        })
      }
    }
  })
  return searchResults
}

// Fetch the search index lazily, the first time the search button is used.
searchButtonEl.onclick = function () {
  if (searchDatabase.length > 0) return;
  fetch(window.location.href + '/search.xml').then(res => res.text()).then(res => {
    var domparser = new DOMParser()
    var doc = domparser.parseFromString(res, 'application/xml')
    searchDatabase = doc.getElementsByTagName('search')[0].children
  })
}</script><main class="aside-card-container profile-widget"><!-- todo: use a color-picker tool for dynamic shadows--><section class="is-flex is-flex-direction-column is-justify-content-center is-align-items-center"><section class="is-flex is-justify-content-center avatar is-clipped skeleton"><!-- debug images "https://api.ixiaowai.cn/gqapi/gqapi.php"--><img class="js-img-fadeIn" src="/images/avatar.png" alt="user avatar"></section><h3 class="user-name">Q1IQ</h3><blockquote class="has-text-centered is-relative"><span style="margin-bottom: 5px;">Being Honest With Yourself</span></blockquote><address class="has-text-centered has-text-grey"><i class="iconfont icon-location" style="margin-right: 5px;"></i><span class="has-text-grey">On Mars</span></address></section><section class="sns-container is-flex is-justify-content-center is-align-items-center"><a title="twitter" target="_blank" rel="noopener nofollow" href="//twitter.com/Q1iqF"><i class="iconfont icon-twitter"></i></a><!-- Github--><a title="github" target="_blank" rel="noopener nofollow" href="//github.com/Q1IQ"><i class="iconfont icon-github"></i></a><!-- Ins--><!-- RSS--><a title="rss" target="_blank" rel="noopener nofollow" href="/atom.xml"><i class="iconfont icon-rss"></i></a><!-- Zhihu--><!-- LinkedIn--><!-- Facebook--></section></main><main class="aside-card-container recent-widget"><h3>Recent</h3><ul><li class="is-flex"><!-- change to element replace image placeholder--><img class="js-img-fadeIn" src="/images/cover-nagayama-koharu.jpg" alt="cover"><!--else--><!-- div.post-img-placeholder--><section class="is-flex-grow-2"><p class="has-text-weight-semibold" style="line-height: 20px; font-size: 14px"><a href="/llvm-pass/">PKU GeekGame obfuscator whatapass: problem-setting notes and writeup</a></p><time class="has-text-weight-semibold has-text-grey" datetime="2022-11-27T03:22:33.000Z">2022-11-27</time></section></li><li class="is-flex"><!-- change to element replace image placeholder--><img class="js-img-fadeIn" src="/images/wp6406604-splatoon.jpg" alt="cover"><!--else--><!-- 
div.post-img-placeholder--><section class="is-flex-grow-2"><p class="has-text-weight-semibold" style="line-height: 20px; font-size: 14px"><a href="/Defcon2022-pwn-wp/">DEFCON-Qualifier-2022 smuggler's cove/constricted writeup</a></p><time class="has-text-weight-semibold has-text-grey" datetime="2022-06-01T17:02:03.000Z">2022-06-02</time></section></li><li class="is-flex"><!-- change to element replace image placeholder--><img class="js-img-fadeIn" src="/images/aniya.jpg" alt="cover"><!--else--><!-- div.post-img-placeholder--><section class="is-flex-grow-2"><p class="has-text-weight-semibold" style="line-height: 20px; font-size: 14px"><a href="/v8-exploit/">v8 study notes</a></p><time class="has-text-weight-semibold has-text-grey" datetime="2022-04-29T05:59:34.000Z">2022-04-29</time></section></li><li class="is-flex"><!-- change to element replace image placeholder--><img class="js-img-fadeIn" src="/images/nasa-whDrFMucHkc-unsplash.jpg" alt="cover"><!--else--><!-- div.post-img-placeholder--><section class="is-flex-grow-2"><p class="has-text-weight-semibold" style="line-height: 20px; font-size: 14px"><a href="/Linux-eBPF-exploit/">Linux eBPF module vulnerability exploitation study notes</a></p><time class="has-text-weight-semibold has-text-grey" datetime="2022-03-01T02:22:15.000Z">2022-03-01</time></section></li><li class="is-flex"><!-- change to element replace image placeholder--><img class="js-img-fadeIn" src="/images/nasa-WKT3TE5AQu0-unsplash.jpg" alt="cover"><!--else--><!-- div.post-img-placeholder--><section class="is-flex-grow-2"><p class="has-text-weight-semibold" style="line-height: 20px; font-size: 14px"><a href="/awd-pwn-checker/">awd pwn checker development notes</a></p><time class="has-text-weight-semibold has-text-grey" datetime="2021-03-22T14:34:14.000Z">2021-03-22</time></section></li><li class="is-flex"><!-- change to element replace image placeholder--><img class="js-img-fadeIn" src="/images/jonatan-pie-3l3RwQdHRHg-unsplash.jpg" alt="cover"><!--else--><!-- div.post-img-placeholder--><section 
class="is-flex-grow-2"><p class="has-text-weight-semibold" style="line-height: 20px; font-size: 14px"><a href="/Linux-bluetooth/">Linux Bluetooth vulnerability study notes</a></p><time class="has-text-weight-semibold has-text-grey" datetime="2021-03-19T17:02:03.000Z">2021-03-20</time></section></li></ul></main><main class="aside-card-container archives-widget"><h3>Archives</h3><section><ul class="archive-list"><li class="archive-list-item"><a class="archive-list-link" href="/archives/2022/11/">November 2022</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2022/06/">June 2022</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2022/04/">April 2022</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2022/03/">March 2022</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2021/03/">March 2021</a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2021/01/">January 2021</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/08/">August 2020</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/07/">July 2020</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/06/">June 2020</a><span class="archive-list-count">3</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/04/">April 2020</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/03/">March 2020</a><span class="archive-list-count">1</span></li><li 
class="archive-list-item"><a class="archive-list-link" href="/archives/2020/02/">February 2020</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2020/01/">January 2020</a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2019/11/">November 2019</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2019/10/">October 2019</a><span class="archive-list-count">4</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2019/09/">September 2019</a><span class="archive-list-count">2</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2019/08/">August 2019</a><span class="archive-list-count">1</span></li><li class="archive-list-item"><a class="archive-list-link" href="/archives/2019/06/">June 2019</a><span class="archive-list-count">1</span></li></ul></section></main><main class="aside-card-container tag-widget"><h3>Tags</h3><section><a href="/tags/CVE"><span class="tag post-item-tag" style="margin-bottom: 5px;">CVE</span></a><a href="/tags/PWN"><span class="tag post-item-tag" style="margin-bottom: 5px;">PWN</span></a><a href="/tags/TOOL"><span class="tag post-item-tag" style="margin-bottom: 5px;">TOOL</span></a><a href="/tags/AWD"><span class="tag post-item-tag" style="margin-bottom: 5px;">AWD</span></a></section></main></aside></div></article><script>$claudia.fadeInImage(null, $claudia.blurBackdropImg)
window.addEventListener('resize', $claudia.throttle(function () {
  var images = document.querySelectorAll('.js-img-fadeIn')
  images.forEach($claudia.blurBackdropImg)
}, 150))</script></main><footer class="is-flex is-flex-direction-column is-align-items-center is-flex-shrink-0 is-family-serif"><section class="sns-container"><a title="twitter" target="_blank" rel="noopener nofollow" href="//twitter.com/Q1iqF"><i class="iconfont icon-twitter"></i></a><!-- Github--><a title="github" target="_blank" rel="noopener nofollow" href="//github.com/Q1IQ"><i class="iconfont icon-github"></i></a><!-- Ins--><!-- RSS--><a title="rss" target="_blank" rel="noopener nofollow" href="/atom.xml"><i class="iconfont icon-rss"></i></a><!-- Zhihu--><!-- LinkedIn--><!-- Facebook--></section><p><span>Copyright ©</span><span> Q1IQ 2023</span></p><div class="is-flex is-justify-content-center is-flex-wrap-wrap"><p>Powered by Hexo | </p><p class="is-flex is-justify-content-center"><a title="Hexo theme author" target="_blank" rel="noopener" href="//github.com/haojen">Theme by Haojen </a></p><div style="margin-top: 2px"><a class="github-button" title="github-button" target="_blank" rel="noopener" href="https://github.com/haojen/hexo-theme-Claudia" data-color-scheme="no-preference: light; light: light; dark: dark;" data-show-count="true"></a></div></div><div><span></span></div></footer><script async defer src="https://buttons.github.io/buttons.js"></script><script>$claudia.fadeInImage(null, $claudia.blurBackdropImg)
window.addEventListener('resize', $claudia.throttle(function () {
  var images = document.querySelectorAll('.js-img-fadeIn')
  images.forEach($claudia.blurBackdropImg)
}, 150))</script></body></html>