Brush title record: [DDCTF 2019] homebrew event loop

Others 2019-10-15 23:43:18 views: null

table of Contents

Brush title record: [DDCTF 2019] homebrew event loop
- Knowledge Point
  - 1, logical loopholes
  - 2, flask session decryption
- to sum up

Brush title record: [DDCTF 2019] homebrew event loop

Recurring topic links: https://buuoj.cn/challenges
Reference Links: DDCTF2019-writeup

Knowledge Point

1, logical loopholes

def trigger_event(event):
    session['log'].append(event)
    if len(session['log']) > 5:
        session['log'] = session['log'][-5:]
    if type(event) == type([]):
        request.event_queue += event
    else:
        request.event_queue.append(event)

First routed asynchronous processing requests using a queue

def buy_handler(args):
    num_items = int(args[0])
    if num_items <= 0:
        return 'invalid number({}) of diamonds to buy<br />'.format(args[0])
    session['num_items'] += num_items
    trigger_event(['func:consume_point;{}'.format(num_items), 'action:view;index'])

The main problem here is to change the balance of the purchase function and then determine the legality, that is to say when you call buy_handler passing in get_flag, order processing queue is 余额+n -> get_flag -> 判断不合法, then we have successfully put a flag written into the session.

2, flask session decryption

flask-session-cookie-manager

to sum up

Buy class of problems is likely to be logical or overflow vulnerability

Guess you like

Origin www.cnblogs.com/20175211lyz/p/11681737.html

Brush title record: [DDCTF 2019] homebrew event loop

Brush title record: [SUCTF 2019] Pythonginx

Brush title record: [SUCTF 2019] CheckIn

Brush title record: [SUCTF 2019] EasySQL (less)

Brush title record: [SUCTF 2019] EasyWeb (EasyPHP)

js- brush prove safety record title (and recursive loop)

Brush title record: [XCTF 2019 Final] LFI2019

codeforces brush title record

poj brush title record

leecode brush title record

NOIP brush title record

Brush greedy record title

$ 2019 $ Summer brush title record $ 2 $ (basic arithmetic topics)

Brush title record: [De1CTF 2019] SSRF Me

Brush title record: [FBCTF2019] Products Manager

Brush title record: [CISCN 2019 preliminary] Love Math

Brush title record: [strong network Cup 2019] Upload

Brush title record: [watevrCTF-2019] Pickle Store

Event Loop Learning Record

Inverse correlation brush title record

Mobius inversion brush title record

Segment tree brush title record

2019.7.31CodeChef brush title record

Brush title record: [network tripod cup] Fakebook

Brush title record: 2018HCTF & admin

Brush title record: [LCTF] bestphp's revenge

CSP-S brush training record title

Suffix array Hunzi brush title record

Tree hash / hash tree brush title record

csp-s brush exam record title

Recommended

NetBSD bans submission of code generated by AI

Ranking

Talk dubbo of LRUCache

Chapter 1 Learning Summary

Introduction to Virtualization

pytorch 调用lstm

Six modules

[8086] The natural number of 1 to 36 into a 6x6 two-dimensional array of line-sequentially, and then print out the lower left half of the triangular array

mybatis mapper mapping file $ # {} {} understanding and

C language input and output buffer

c language floating-point input and output

andorid P version compatible, refer to Huawei

Daily

More

2024-05-18(31)

2024-05-17(6)

2024-05-16(23)

2024-05-15(5)

2024-05-14(9)

2024-05-13(8)

2024-05-12(28)

2024-05-11(32)

2024-05-10(34)

2024-05-09(32)