拖了好长时间,总结一下这段时间做过的几道值得记录的题目。有的没做出来,但也学到了新的东西。
1.homebrew event loop
DDCTF 的一道题目,从中学到了 Python eval 函数的用法。首先分析题目源码:
# -*- encoding: utf-8 -*-
# written in python 2.7
__author__ = 'garzon'
from flask import Flask, session, request, Response
import urllib
# Flask application object for the challenge service.
app = Flask(__name__)
# Secret used by Flask to sign the session cookie; the value is censored in
# this published copy.
# NOTE(review): assuming Flask's default cookie-backed session, this key only
# signs the cookie -- data stored in `session` stays readable by the client,
# so it must never hold secrets. A real deployment should also load the key
# from configuration rather than hard-coding it in source.
app.secret_key = '*********************' #censored
# Path prefix under which the application's route is registered.
url_prefix = '/d5af31f99147e857'
def FLAG():
    """Return the flag string (a censored placeholder in this published copy)."""
    placeholder = 'FLAG_is_here_but_i_wont_show_you'  # censored
    return placeholder
def trigger_event(event):
    """Record *event* in the session log and queue it on the current request.

    The list under ``session['log']`` is trimmed to its five most recent
    entries. A list argument is concatenated onto ``request.event_queue``;
    any other value is appended as a single entry.
    """
    # NOTE(review): assuming Flask's default cookie-backed session, this log
    # is signed but not encrypted, so every logged event is readable by the
    # client -- events should never carry secret values.
    session['log'].append(event)
    if len(session['log']) > 5:
        session['log'] = session['log'][-5:]
    if type(event) != type([]):
        request.event_queue.append(event)
        return
    request.event_queue += event


def get_mid_str(haystack, prefix, postfix=None):
    """Return the part of *haystack* after *prefix* and before *postfix*.

    The result starts right after the first occurrence of *prefix*. When
    *postfix* is given, the result is cut just before its first occurrence
    in the remainder.

    Neither marker is checked for presence: ``str.find`` returns -1 on a
    miss, so a missing *prefix* makes the slice start at ``len(prefix) - 1``
    and a missing *postfix* drops the last character of the remainder.
    """
    start = haystack.find(prefix) + len(prefix)
    tail = haystack[start:]
    if postfix is None:
        return tail
    cut = tail.find(postfix)
    return tail[:cut]


class RollBackException:
    """Exception type that execute_event_loop catches to restore the saved
    ``num_items`` and ``points`` session values."""
def execute_event_loop():
    """Drain ``request.event_queue`` and dispatch each event to its handler.

    Events are strings of the form ``action:NAME;ARG0#ARG1...`` or
    ``func:NAME;ARG0#ARG1...``. Each one is removed from the front of the
    queue, checked against a character allowlist, and dispatched to the
    callable named ``NAME_handler`` (action) or ``NAME_function`` (func),
    which receives the list of ``#``-separated arguments. The handlers
    themselves are defined outside this listing.

    Returns the concatenated non-None handler return values, or the tuple
    ``('404 NOT FOUND', 404)`` when nothing was produced. Always sets
    ``session.modified = True`` before returning.
    """
    # Characters an event may contain; any event holding another character is skipped.
    valid_event_chars = set('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_0123456789:;#')
    resp = None
    while len(request.event_queue) > 0:
        event = request.event_queue[0] #`event` is something like "action:ACTION;ARGS0#ARGS1#ARGS2......"
        # Pop the head of the queue by rebinding to the remainder.
        request.event_queue = request.event_queue[1:]
        # Only the two known event kinds are processed; anything else is dropped.
        if not event.startswith(('action:', 'func:')): continue
        # for/else: the else branch runs only when no disallowed character
        # triggered the break, i.e. the whole event passed the allowlist.
        for c in event:
            if c not in valid_event_chars: break
        else:
            # 'action:' and 'func:' differ in their first character.
            is_action = event[0] == 'a'
            action = get_mid_str(event, ':', ';') # page annotation: index
            args = get_mid_str(event, action + ';').split('#') # page annotation: #True#True
            try:
                # NOTE(security): eval() on request-derived text. `action`
                # comes from the event string, which entry_point builds from
                # the request's query string. The allowlist above permits
                # '#', which starts a comment in Python source, so the
                # appended '_handler' / '_function' suffix is not a reliable
                # constraint on which name eval() resolves. Prefer an
                # explicit dict mapping allowed action names to handler
                # callables, and reject unknown names, instead of eval().
                event_handler = eval(action + ('_handler' if is_action else '_function'))
                ret_val = event_handler(args)
            except RollBackException:
                if resp is None: resp = ''
                # NOTE(review): the page shows a line break inside each of the
                # next two literals (written here as \n); any HTML markup the
                # original strings carried appears to have been lost when the
                # page was rendered.
                resp += 'ERROR! All transactions have been cancelled.\n'
                resp += 'Go back to index.html\n'
                # Restore the counters from the snapshot kept in
                # request.prev_session (taken outside this listing) and stop
                # processing the remaining events.
                session['num_items'] = request.prev_session['num_items']
                session['points'] = request.prev_session['points']
                break
            except Exception, e:  # Python 2-only syntax
                # Every other handler error is swallowed silently and the
                # loop moves on to the next event.
                if resp is None: resp = ''
                #resp += str(e) # only for debugging
                continue
            # Accumulate handler output into the response.
            if ret_val is not None:
                if resp is None:
                    resp = ret_val
                else:
                    resp += ret_val
    # No event produced any output: answer with a 404 body/status tuple.
    if resp is None or resp == '': resp = ('404 NOT FOUND', 404)
    # Mark the session as changed so in-place mutations (e.g. list appends) are saved.
    session.modified = True
    return resp
@app.route(url_prefix+ '/')defentry_point():
querystring=urllib.unquote(request.query_string)
request.event_queue=[]if querystring == '' or (not querystring.startswith('action:')) or len(query