Web Evaluation Check
Application at-a-glance
The application is a card game that lets the user flip 8 cards. When the HP bar is depleted, the game ends.
Source Code Review
The most interesting file is `routes.py`, as this file stores all the logic used by the application. The first interesting thing is that this application uses the `compile` and `exec` functions.
Let's analyze the given source code.
This piece of code parses the POST request body and retrieves the `current_health`, `attack_power` and `operator` parameters.
The next step checks that all three variables are set, which ensures that all three parameters were passed in the request.
This part is the most interesting because of the use of the `exec` function. Before the `exec` call, user input is passed directly to the `compile` function and then to `exec`; only `current_health` and `attack_power` are cast to `int`. The `result` variable is returned to the user in the response.
Vulnerability
As there is no sanitization of user input, RCE (Remote Code Execution) via the `exec` function is possible!
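The fix for this pattern is to stop treating the request parameter as Python source at all. The following is an added example, not the challenge's own `routes.py`: it mirrors the described three-parameter check and `int` casts, but resolves `operator` through an allowlist (the set of operators and the use of `+` in the author's `112` test run are assumptions).

```python
import operator
from typing import Mapping

# Allowlisted arithmetic operators the game needs (assumed set; the original
# routes.py is not reproduced on this page). The request-supplied operator
# string is only ever used as a dictionary key, never as Python source.
ALLOWED_OPERATORS = {
    "+": operator.add,
    "-": operator.sub,
    "*": operator.mul,
}

def compute_health(current_health: str, attack_power: str, op: str) -> int:
    """Safe replacement for the compile()/exec() pattern: operands are cast to
    int (as in the original) and the operator is looked up, so a value such as
    '+;result = 1' is rejected instead of being executed."""
    try:
        func = ALLOWED_OPERATORS[op]
    except KeyError:
        raise ValueError(f"operator not allowed: {op!r}") from None
    return func(int(current_health), int(attack_power))

def handle_request(form: Mapping[str, str]) -> dict:
    """Mirrors the route described in the write-up: all three parameters must
    be present, and any failure is reported with the same generic message."""
    params = ("current_health", "attack_power", "operator")
    if not all(form.get(p) for p in params):
        return {"error": "Missing parameters"}
    try:
        result = compute_health(form["current_health"], form["attack_power"], form["operator"])
    except (ValueError, TypeError):
        return {"error": "Something Went Wrong!"}
    return {"result": result}

if __name__ == "__main__":
    # Constructed sample requests: a legitimate one (12 + 100 = 112, matching
    # the write-up's test output) and an operator carrying a second statement.
    print(handle_request({"current_health": "12", "attack_power": "100", "operator": "+"}))
    print(handle_request({"current_health": "12", "attack_power": "100", "operator": "+;result = 1"}))
```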
Testing
As I'm not familiar with the `compile()`/`exec()` function combo, I copied the relevant part of the code into a new Python script for testing.
After executing this script, the number `112` is printed.
The `exec` function is capable of executing Python code. The user controls all three parameters, but only `operator` is passed directly to `compile`; the other two parameters are converted to `int`.
One modification of the testing script is required, because in its current state, when something goes wrong, it only prints `Something Went Wrong!`. To get the full traceback, the `try`/`except` block can be removed.
So the first try was to set the `operator` variable to something easy like `print(1)`; if everything goes well, it should print `1`.
Unfortunately, after executing, the script returns `SyntaxError: Invalid Syntax`, and the generated statement is `result = 12 print(1) 100`, where `12` is `current_health` and `100` is `attack_power`.
Python is capable of running inline code when consecutive instructions are separated with a semicolon `;`.
Executing this yields great success! The script prints an additional `1` in the terminal window.
Exploitation
With proper code execution, we can now read the flag.
After sending this malicious request to the application, the server returns the flag.
Payload explanation
- `;` signs are there so the resulting Python code is valid; without them the interpreter throws an `invalid syntax` error.
- `result =` overwrites the variable that is returned to the user in the response.
- `__import__` is the function called by the regular `import` statement; it allows importing modules directly, so `__import__('os')` means the same as `import os`, but can be done inline, and functions can be called directly by referencing them as objects.
- `popen('cat /flag.txt')` spawns a shell process and executes the command `cat /flag.txt`.
- `read()` reads the output of the process spawned by `popen`.