Tags: web
Rating:
It is simple web app on python with single route /execute:
It is a form with one parameter code.
If our payload in code parameter passes the regular expression it will execute python code.
Lets break down regular expression to execute our code.
.* : This part of the pattern matches any character (except a newline) 0 or more times.[\x20-\x7E] : This is a character set that matches any character in the range from \x20 to \x7E. This range includes all printable ASCII characters.+ : This means one or more of the preceding element. In this case, it refers to one or more of any character in the range \x20 to \x7E..* : Again, this part of the pattern matches any character (except a newline) 0 or more times.So, the entire regular expression ".*[\x20-\x7E]+.*" will match any string that has one or more printable ASCII characters anywhere, except first and last character.
According to this information we can crate our payload.
Solution script:
import requests
# url = "https://uoftctf-no-code.chals.io/execute"
url = "http://localhost:1337/execute"
r = requests.post(url, data={'code': b'\nopen("flag.txt", "r").read()\n'})
print(r.text)
Our payload passes the regex beacause first and last charracters are new line characters \n.
And boom we get the flag.
