{"id":519,"date":"2026-01-12T16:15:15","date_gmt":"2026-01-12T16:15:15","guid":{"rendered":"http:\/\/101.42.175.115\/wordpress\/?p=519"},"modified":"2026-01-12T16:15:16","modified_gmt":"2026-01-12T16:15:16","slug":"c-%e6%89%a9%e5%b1%95%e6%a8%a1%e5%9d%97%e8%a6%86%e7%9b%96","status":"publish","type":"post","link":"http:\/\/101.42.175.115\/wordpress\/?p=519","title":{"rendered":"c \u6269\u5c55\u6a21\u5757\u8986\u76d6"},"content":{"rendered":"\n

c \u6269\u5c55\u6a21\u5757<\/h2>\n\n\n\n

Python \u4e2d\u7684\u4e00\u4e9b\u5e93\u5b58\u5728 C \u6269\u5c55\u6a21\u5757\uff0c\u7528\u4e8e\u63d0\u5347\u6027\u80fd\u3002Linux \u4e2d\u7684 C \u6269\u5c55\u6a21\u5757\u662f .so \u6587\u4ef6\uff0c\u4f8b\u5982\uff1a_speedups.cpython-312-x86_64-linux-gnu.so\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

\u5ef6\u8fdf\u52a0\u8f7d\u4e0e\u6309\u9875\u8bfb\u53d6<\/h2>\n\n\n\n

\u9875\uff08Page\uff09\uff1a\u5185\u5b58\u7ba1\u7406\u7684\u6700\u5c0f\u5355\u4f4d\uff0c\u901a\u5e38 4KB\u3002<\/p>\n\n\n\n

.so \u6587\u4ef6\u901a\u8fc7 mmap \u6620\u5c04\u5230\u8fdb\u7a0b\u5730\u5740\u7a7a\u95f4\uff0c\u4f46\u4e0d\u4f1a\u7acb\u5373\u8bfb\u53d6\u3002\u53ea\u6709\u5f53 python \u8fdb\u7a0b\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d cpu \u8bbf\u95ee\u67d0\u4e2a\u5730\u5740\u65f6\uff0c\u89e6\u53d1\u7f3a\u9875\u5f02\u5e38\uff0c\u624d\u4f1a\u5c06\u8be5\u5730\u5740\u6240\u5728\u7684\u9875\u4ece\u78c1\u76d8\u4e0a\u7684 so \u6587\u4ef6\u8bfb\u5165\u5185\u5b58\u3002<\/p>\n\n\n\n

<\/div>\n\n\n\n

c \u6269\u5c55\u6a21\u5757\u8986\u76d6\u7684\u5b9e\u73b0<\/h2>\n\n\n\n

\u4ee5 MarkupSafe \u5e93\u4e2d escape_unicode()\u4e3a\u4f8b\u3002Flask \u7684 render_template_string()\u4f1a\u8c03\u7528 escape()\u51fd\u6570\uff0cescape()\u5185\u90e8\u8c03\u7528 escape_unicode() \u8fdb\u884c HTML \u8f6c\u4e49\u3002<\/p>\n\n\n\n

\u653b\u51fb\u8005\u901a\u8fc7\u8986\u76d6\u78c1\u76d8\u4e0a\u7684 .so \u6587\u4ef6\uff0c\u6709\u4e24\u79cd\u53ef\u80fd\u5b9e\u73b0\u653b\u51fb\u7684\u65b9\u5f0f\uff1a<\/p>\n\n\n\n

    \n
  • \u7528 shellcode \u66ff\u6362 escape_unicode()\u7684\u51fd\u6570\u4f53<\/li>\n\n\n\n
  • \u6216\u4fee\u6539 escape_unicode()\u5185\u90e8\u8c03\u7528\u7684 libc \u51fd\u6570\uff08\u5982 strlen\uff09\u7684 GOT \u8868\u9879\uff0c\u6307\u5411 shellcode \u5f53 Python \u8fdb\u7a0b\u4e0b\u6b21\u8fdb\u884c HTML \u8f6c\u4e49\u65f6\uff0c\u5982\u679c\u88ab\u4fee\u6539\u7684\u9875\u9762\u5c1a\u672a\u52a0\u8f7d\u5230\u5185\u5b58\uff0c\u5c31\u4f1a\u4ece\u4fee\u6539\u540e\u7684\u6587\u4ef6\u8bfb\u53d6\uff0c\u89e6\u53d1 shellcode \u6267\u884c\u3002<\/li>\n<\/ul>\n\n\n\n

    \u4ee5 UoftCTF2026 \u4e3a\u4f8b\uff0c\u8fd9\u9053\u9898\u76ee\u5728\u6743\u9650\u8303\u56f4\u5185\u53ef\u4ee5\u5b9e\u73b0\u4efb\u610f\u6587\u4ef6\u8bfb\u548c\u4efb\u610f\u6587\u4ef6\u5199\uff0c\u5c06 python \u89e3\u91ca\u5668\u73af\u5883\u8bbe\u5b9a\u5728\u4e86\u53ef\u5199\u5165\u7684 \/tmp \u76ee\u5f55\u4e0b\u7684\u865a\u62df\u73af\u5883\u4e2d\uff0cweb \u5e94\u7528\u4e2d\u5b58\u5728 render_template_string()\u5e76\u4e14\u4f1a\u8fdb\u884c HTML \u8f6c\u4e49\uff0c\u4e5f\u5c31\u662f\u8981\u8c03\u7528\u5230 escape_unicode() \u51fd\u6570\u3002<\/p>\n\n\n\n

    \u4f1a\u89e6\u53d1\u653b\u51fb\u7684\u5b9e\u73b0\u811a\u672c\uff1a<\/p>\n\n\n\n

    Python<\/span>