Challenge practice record: [DDCTF 2019] homebrew event loop
Challenge reproduction link: https://buuoj.cn/challenges
Reference link: DDCTF2019-writeup
Key points
1. Logic flaw
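from flask import request, session  # needed by this excerpt of the challenge source

def trigger_event(event):
    # Record the event in the session log, keeping only the last 5 entries.
    session['log'].append(event)
    if len(session['log']) > 5:
        session['log'] = session['log'][-5:]
    # A list of events is appended to the queue in order; a single event is appended as is.
    if type(event) == type([]):
        request.event_queue += event
    else:
        request.event_queue.append(event)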
First, the routing handles requests asynchronously by way of a queue.
def buy_handler(args):
    num_items = int(args[0])
    if num_items <= 0:
        return 'invalid number({}) of diamonds to buy<br />'.format(args[0])
    # The balance is increased immediately...
    session['num_items'] += num_items
    # ...while the check (consume_point) is only queued and runs later.
    trigger_event(['func:consume_point;{}'.format(num_items), 'action:view;index'])
The main problem here is that the purchase function changes the balance first and only determines legality afterwards. That is to say, when buy_handler is called with get_flag passed in as well, the queue is processed in the order balance+n -> get_flag -> legality check fails, and by then we have successfully had the flag written into the session.
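The ordering problem described above, as an added example that is not part of the original challenge source: a minimal model of the queue with the deferred check beside a handler that validates before it mutates. The names new_state, run, buy_deferred, buy_checked and simulate, the bodies of consume_point and get_flag, and the starting values (3 points, a threshold of 5 items) are assumptions constructed for illustration.

```python
from collections import deque

# Constructed stand-in for the challenge's session (values are assumptions).
def new_state():
    return {"points": 3, "num_items": 0, "flag_in_session": False}

def run(queue, state, buy):
    """Drain the FIFO queue; handlers may append follow-up events."""
    handlers = {"buy": buy, "consume_point": consume_point, "get_flag": get_flag}
    while queue:
        name, arg = queue.popleft()
        handlers[name](state, queue, arg)
    return state

def buy_deferred(state, queue, n):
    # Pattern from the page: credit the items first, queue the check for later.
    state["num_items"] += n
    queue.append(("consume_point", n))

def consume_point(state, queue, n):
    # Assumed body: deferred validity check that rolls back on failure.
    if state["points"] < n:
        state["num_items"] -= n
        return
    state["points"] -= n

def get_flag(state, queue, _):
    # Assumed body: any event queued ahead of consume_point sees the
    # unvalidated balance.
    if state["num_items"] >= 5:
        state["flag_in_session"] = True

def buy_checked(state, queue, n):
    # Hardened: validate and charge before the balance changes, in one step.
    if n <= 0 or state["points"] < n:
        return
    state["points"] -= n
    state["num_items"] += n

def simulate(buy):
    # Constructed input: two events already queued back to back.
    queue = deque([("buy", 5), ("get_flag", None)])
    return run(queue, new_state(), buy)

if __name__ == "__main__":
    print("deferred check:", simulate(buy_deferred))
    print("checked first: ", simulate(buy_checked))
```

With the deferred check the rollback restores num_items, but the side effect that ran in between stays in the session; checking before mutating leaves no window.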
2. Flask session decryption
Summary
Purchase-type challenges are likely to involve a logic flaw or an overflow vulnerability.