# PyCalX_1

image-20250302152416371

进入后就是一个计算器页面，并且提供了源码：

#!/usr/bin/env python3
import cgi;
import sys
from html import escape
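# The flag is read once at start-up into a module-level global. Because the
# eval() further down runs in this module's namespace, every global here
# (FLAG, source, arguments, ...) is reachable by name from the evaluated
# expression -- secrets should never live in the same namespace as eval().
# The file handle is closed via the context manager (the original leaked it).
with open('/var/www/flag', 'r') as flag_file:
    FLAG = flag_file.read()
# NOTE(review): a CGI response needs an empty line between the header block and
# the body; none is visible in this listing -- confirm the original has one.
OK_200 = """Content-type: text/html
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css">
<center>
<title>PyCalx</title>
<h1>PyCalx</h1>
<form>
<input class="form-control col-md-4" type=text name=value1 placeholder='Value 1 (Example: 1  abc)' autofocus/>
<input class="form-control col-md-4" type=text name=op placeholder='Operator (Example: + - * ** / // == != )' />
<input class="form-control col-md-4" type=text name=value2 placeholder='Value 2 (Example: 1  abc)' />
<input class="form-control col-md-4 btn btn-success" type=submit value=EVAL />
</form>
<a href='?source=1'>Source</a>
</center>
"""
print(OK_200)
# `cgi` is deprecated since Python 3.11 and removed in 3.13 (PEP 594).
arguments = cgi.FieldStorage()
# The raw 'source' query parameter is kept, unvalidated, as a module global;
# it is only ever compared against '1' here, but it stays in scope for eval().
if 'source' in arguments:
    source = arguments['source'].value
else:
    source = 0
# '?source=1' echoes this script's own text back to the client, HTML-escaped.
if source == '1':
    with open(__file__, 'r') as self_file:
        print('<pre>' + escape(self_file.read()) + '</pre>')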
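if 'value1' in arguments and 'value2' in arguments and 'op' in arguments:
    def get_value(val):
        """Normalise one operand taken from the form.

        The value is truncated to 64 characters. A pure-digit string is
        returned as an int; any other value must be non-empty and free of the
        blacklisted characters and is returned as the truncated str. On
        rejection an error line is printed and the process exits.

        Note the blacklist is a character filter, not a grammar: letters,
        spaces, '#', operators and keywords all pass through unchanged.
        """
        val = str(val)[:64]
        if val.isdigit():
            try:
                return int(val)
            except ValueError:
                # str.isdigit() also accepts characters such as superscript
                # digits that int() rejects; fall through instead of crashing.
                pass
        blacklist = ['(', ')', '[', ']', '\'', '"']  # I don't like tuple, list and dict.
        if val == '' or any(c in val for c in blacklist):
            print('<center>Invalid value</center>')
            sys.exit(0)
        return val

    def get_op(val):
        """Normalise the operator taken from the form.

        Only the first two characters are kept, and only the FIRST of them is
        checked against the allowed set; the second character is not validated
        at all (nor filtered by get_value()'s blacklist). A strict check would
        compare the whole string against an explicit list of operators.
        """
        val = str(val)[:2]
        list_ops = ['+', '-', '/', '*', '=', '!']
        if val == '' or val[0] not in list_ops:
            print('<center>Invalid op</center>')
            sys.exit(0)
        return val

    op = get_op(arguments['op'].value)
    value1 = get_value(arguments['value1'].value)
    value2 = get_value(arguments['value2'].value)
    # Both operands must be of the same kind: either both ints or both strs.
    if str(value1).isdigit() ^ str(value2).isdigit():
        print('<center>Types of the values don\'t match</center>')
        sys.exit(0)
    # repr() leaves ints bare and wraps strs in single quotes; repr() already
    # returns str, so the original str(repr(...)) wrappers were no-ops.
    calc_eval = repr(value1) + str(op) + repr(value2)
    print('<div class=container><div class=row><div class=col-md-2></div><div class="col-md-8"><pre>')
    print('>>>> print(' + escape(calc_eval) + ')')
    try:
        # SECURITY: eval() of a request-derived string, in this module's
        # namespace, where FLAG and the other globals are visible. The
        # character blacklist above is not a sufficient barrier. The safe
        # design is an explicit operator table (operator.add, operator.eq, ...)
        # keyed on `op`, applied to the two already-typed operands -- no eval.
        result = str(eval(calc_eval))
        if result.isdigit() or result == 'True' or result == 'False':
            print(result)
        else:
            print("Invalid")  # Sorry we don't support output as a string due to security issue.
    except Exception:
        # The original used a bare `except:`, which would also swallow
        # SystemExit and KeyboardInterrupt.
        print("Invalid")
    print('>>> </pre></div></div></div>')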

核心就是它是怎么处理这几个数据的

calc_eval = str(repr(value1)) + str(op) + str(repr(value2))

repr 这个函数是用来干嘛的呢：

基本上就是：如果参数是数字，repr 会原样返回、不加引号；如果参数是字符串，则会给它加上一对单引号（下面例子里最外层的双引号只是交互式解释器显示结果时加的）
>>> s = 'RUNOOB'
>>> repr(s)
"'RUNOOB'"
>>> dict = {'runoob': 'runoob.com', 'google': 'google.com'};
>>> repr(dict)
"{'google': 'google.com', 'runoob': 'runoob.com'}"
>>>

又因为在

if result.isdigit() or result == 'True' or result == 'False':
            print(result)

中有这个判断，也就是说输出可以是布尔值（True/False），由此可以知道这里可以进行布尔盲注了

print('1'+''and source in FLAG#')
输出 True 是因为 source 能在 FLAG 里找到时返回 True，再和前面恒为真的 '1' 做与运算：它为真结果就为真，它为假结果就为假

我们就可以进行盲注了
