blob: 62efda4548c5e9021b6129bf75b82056eda24157 (
plain) (
tree)
|
|
The Problem
-----------
given a hint about format strings
a python script using the new python3 "function-like" format strings
in particular,
inp = input("> ")
inp.format(a=stonkgenerator())
this allows us to use "{}" in the inp string to substitute for arguments passed into format(). In this case, we only have a single, named argument we can substitute for ("{a}"). Any instance of "{a}" will be substituted with whatever a= in format().
Normally, you need some kind of object that is printable. In this case, they are instantiating a class "stonkgenerator" which has a __str__() conversion. The fact that an object is used here (and that we control the format string) is the exploitable bit.
The Attack
----------
When you use these types of format strings to get an object, you can actually reference properties of that object in the format string as well. For instance "{a.__str__()}" would actually work. Python is notoriously bad about data encapsulation, so we now have access to pretty much the whole program's memory.
There is a variable "flag" at the top of the program which reads the flag in from some file. We want to print this out. It is as easy as
{a.__init__.__globals__[flag]}
|
