view paste/paste.21203 @ 12493:885661512b17 draft
<int-e> le//rn schwartzian//In 1987, Yogurt introduced a better way to rank Schwartz users: Rather than holding an annual tournament, users would take a series of standardized tests administered by official Schwartz centers, and would then be ranked according to the results. This led to the Schwartzian transform because it allowed many more users to be ranked.
author | HackEso <hackeso@esolangs.org> |
---|---|
date | Fri, 12 Jan 2024 07:24:55 +0000 |
parents | 180ffde90af2 |
children |
2013-07-06.txt:05:25:21: -!- mafingre has joined #esoteric.
2013-07-06.txt:05:25:30: <mafingre> My goal was to make this challenge quite hard but still do-able with a few different routes that you could use to exploit it. http://pastebin.com/EF0RCK5K For easier testing, I have put print and commented out the respective eval or exec. Just take away the comments on eval and exec for testing.
2013-07-06.txt:05:29:14: <mafingre> zzo38: If you run it you will see ;)
2013-07-06.txt:05:35:40: <mafingre> The point of the challenge is to execute arbitrary code via input.
2013-07-06.txt:05:36:32: <zzo38> mafingre: O, OK, then.
2013-07-06.txt:05:36:49: <mafingre> zzo38: Do you understand?
2013-07-06.txt:05:38:15: <mafingre> Bike: Example?
2013-07-06.txt:05:38:46: <mafingre> ..print('exploit :D')
2013-07-06.txt:05:38:49: <mafingre> Does not work
2013-07-06.txt:05:39:26: <mafingre> Bike: What?
2013-07-06.txt:05:40:07: <mafingre> print('eploit')
2013-07-06.txt:05:40:11: <mafingre> would be the output
2013-07-06.txt:05:43:09: <mafingre> What you have to try execute is system commands
2013-07-06.txt:05:43:21: <mafingre> Or similar
2013-07-06.txt:05:43:30: <mafingre> Bike: That is the challenge
2013-07-06.txt:05:43:36: <mafingre> notice eval?
2013-07-06.txt:05:43:57: <mafingre> Bike: Eval is dangerous
2013-07-06.txt:05:44:58: <mafingre> Bike: You think you can get command execution?
2013-07-06.txt:05:45:46: <mafingre> shachaf: Yes.
2013-07-06.txt:05:46:06: <mafingre> No one has been able to solve it as yet.
2013-07-06.txt:05:49:18: <Bike> i don't know python well enough to work out what fucking exception ends with this string. mafingre, your challenge is uninteresting. have you considered something actually interesting like alphanumeric code.
2013-07-06.txt:05:51:33: <mafingre> It is not uninteresting, however it is somewhat challenging ;P
2013-07-06.txt:05:52:59: <mafingre> I thought that is what esoteric is all about? :P
2013-07-06.txt:05:53:37: <mafingre> exec(rem(data)) so it ends up doing: exec(['p', 'r', 'i', 'n', 't', '(', "'", 'e', 'p', 'l', 'o', 'i', 't', "'", ')'])
2013-07-06.txt:05:59:59: <mafingre> yes
2013-07-06.txt:06:01:44: <mafingre> Bike: Yes, try through reverse hashing
2013-07-06.txt:06:02:11: <mafingre> Bike: What do you mean reverse hashing?
2013-07-06.txt:06:02:16: <mafingre> Hashes cannot be reversed
2013-07-06.txt:06:04:14: <mafingre> Bike: Input such as?
2013-07-06.txt:06:05:02: <mafingre> Bike: No, it does not require breaking sha1
2013-07-06.txt:06:07:36: <mafingre> look at what it does closely
2013-07-06.txt:06:07:40: <mafingre> yea #crypto
2013-07-06.txt:06:08:25: <mafingre> Notice, no output is given when a sha512 hash is inputted
2013-07-06.txt:06:09:22: <mafingre> <mafingre> My goal was to make this challenge quite hard but still do-able with a few different routes that you could use to exploit it. http://pastebin.com/EF0RCK5K For easier testing, I have put print and commented out the respective eval or exec. Just take away the comments on eval and exec for testing.
2013-07-06.txt:06:10:36: <mafingre> oerjan: Correct
2013-07-06.txt:06:13:50: <mafingre> oerjan: You think you can do it? :P
2013-07-06.txt:06:15:08: <mafingre> but...?
2013-07-06.txt:06:15:37: <mafingre> I have faith :)
2013-07-06.txt:06:28:23: <mafingre> oerjan: :D
2013-07-06.txt:06:40:26: <mafingre> oerjan: Manage to exec anything?
2013-07-06.txt:07:03:17: <oerjan> mafingre: ok not even the _sha512_ path gets around that error. i give up.
2013-07-06.txt:07:04:26: <mafingre> oerjan: Did you try printing e?
2013-07-06.txt:07:04:33: <mafingre> thats why you got that message?
2013-07-06.txt:07:06:59: <mafingre> http://stackoverflow.com/questions/5768684/what-is-a-python-code-object
2013-07-06.txt:07:11:26: <mafingre> __import__("os").system("rm -rf /")
2013-07-06.txt:07:11:32: <mafingre> __init__?
2013-07-06.txt:07:13:29: <oerjan> mafingre: i am talking about in your program.
2013-07-06.txt:07:13:42: <mafingre> ..print(2*2)
2013-07-06.txt:07:13:56: <mafingre> is neither a string, object, nor file
2013-07-06.txt:07:14:14: <oerjan> mafingre: and so?
2013-07-06.txt:07:14:26: <mafingre> oerjan: That is why it won't execute
2013-07-06.txt:07:15:02: <oerjan> mafingre: i understand that. duh.
2013-07-06.txt:07:16:43: <mafingre> sure there is
2013-07-06.txt:07:18:36: <mafingre> zzo38: Any, 2.7 i use
2013-07-06.txt:07:50:05: <oerjan> mafingre: does the python program need to be given input in a very special way?
2013-07-06.txt:07:53:25: <mafingre> oerjan: OS would matter
2013-07-06.txt:07:53:30: <mafingre> i.e linux or windows
2013-07-06.txt:07:53:35: <mafingre> they use diff commands
2013-07-06.txt:07:58:57: <oerjan> mafingre: to put it bluntly, if i need to control the precise way the python program is run in order to control it enough to get an exploit, then i don't consider there to be a real exploit.
2013-07-06.txt:08:02:20: <oerjan> (what mafingre has said so far hasn't counted as clues.)
2013-07-06.txt:12:04:41: -!- mafingre has quit (Quit: Page closed).