运行 来自 Python 子进程的 C 程序与 Bash 中的不同结果
Different results when running C program from Python Subprocess vs in Bash
我有一个 string/argument 想传递给 C 程序。这是一个字符串格式漏洞。
'\xb2\x33\x08%13x%2$n'
但是,如果我通过 Python 从 Python 调用 C 程序,似乎会表现出不同的行为
subprocess.Popen(["env", "-i", "./practice", '\xb2\x33\x08%13x%2$n'])
对比
./practice '\xb2\x33\x08%13x%2$n'
区别在于字符串漏洞利用攻击在通过子进程调用脚本时按预期工作,但在我通过 CLI 调用它时却没有。
可能是什么原因?谢谢。
Bash 手册页说:
Words of the form $'string' are treated specially. The word expands to
string, with backslash-escaped characters replaced as specified by the
ANSI C standard. Backslash escape sequences, if present, are decoded
as follows: [snipped]
\xHH the eight-bit character whose value is the hexadecimal
value HH (one or two hex digits)
那你试试看:
./practice $'\xb2\x33\x08%13x%2$n'
我有一个 string/argument 想传递给 C 程序。这是一个字符串格式漏洞。
'\xb2\x33\x08%13x%2$n'
但是,如果我通过 Python 从 Python 调用 C 程序,似乎会表现出不同的行为
subprocess.Popen(["env", "-i", "./practice", '\xb2\x33\x08%13x%2$n'])
对比
./practice '\xb2\x33\x08%13x%2$n'
区别在于字符串漏洞利用攻击在通过子进程调用脚本时按预期工作,但在我通过 CLI 调用它时却没有。
可能是什么原因?谢谢。
Bash 手册页说:
Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard. Backslash escape sequences, if present, are decoded as follows: [snipped]
\xHH the eight-bit character whose value is the hexadecimal value HH (one or two hex digits)
那你试试看:
./practice $'\xb2\x33\x08%13x%2$n'