view paste/paste.21203 @ 12493:885661512b17 draft

<int-e> le//rn schwartzian//In 1987, Yogurt introduced a better way to rank Schwartz users: Rather than holding an annual tournament, users would take a series of standardized tests administered by official Schwartz centers, and would then be ranked according to the results. This led to the Schwartzian transform because it allowed many more users to be ranked.
author HackEso <hackeso@esolangs.org>
date Fri, 12 Jan 2024 07:24:55 +0000
parents 180ffde90af2
children

2013-07-06.txt:05:25:21: -!- mafingre has joined #esoteric.
2013-07-06.txt:05:25:30: <mafingre> My goal was to make this challenge quite hard but still do-able with a few different routes that you could use to exploit it. http://pastebin.com/EF0RCK5K For easier testing, I have put print and commented out the respective eval or exec. Just take away the comments on eval and exec for testing.
2013-07-06.txt:05:29:14: <mafingre> zzo38: If you run it you will see ;)
2013-07-06.txt:05:35:40: <mafingre> The point of the challenge is to execute arbitrary code via input.
2013-07-06.txt:05:36:32: <zzo38> mafingre: O, OK, then.
2013-07-06.txt:05:36:49: <mafingre> zzo38: Do you understand?
2013-07-06.txt:05:38:15: <mafingre> Bike: Example?
2013-07-06.txt:05:38:46: <mafingre> ..print('exploit :D')
2013-07-06.txt:05:38:49: <mafingre> Does not work
2013-07-06.txt:05:39:26: <mafingre> Bike: What?
2013-07-06.txt:05:40:07: <mafingre> print('eploit')
2013-07-06.txt:05:40:11: <mafingre> would be the output
2013-07-06.txt:05:43:09: <mafingre> What you have to try to execute is system commands
2013-07-06.txt:05:43:21: <mafingre> Or similar
2013-07-06.txt:05:43:30: <mafingre> Bike: That is the challenge
2013-07-06.txt:05:43:36: <mafingre> notice eval?
2013-07-06.txt:05:43:57: <mafingre> Bike: Eval is dangerous
2013-07-06.txt:05:44:58: <mafingre> Bike: You think you can get command execution?
2013-07-06.txt:05:45:46: <mafingre> shachaf: Yes.
2013-07-06.txt:05:46:06: <mafingre> No one has been able to solve it as yet.
2013-07-06.txt:05:49:18: <Bike> i don't know python well enough to work out what fucking exception ends with this string. mafingre, your challenge is uninteresting. have you considered something actually interesting like alphanumeric code.
2013-07-06.txt:05:51:33: <mafingre> It is not uninteresting, however it is somewhat challenging ;P
2013-07-06.txt:05:52:59: <mafingre> I thought that is what esoteric is all about? :P
2013-07-06.txt:05:53:37: <mafingre> exec(rem(data)) so it ends up doing: exec(['p', 'r', 'i', 'n', 't', '(', "'", 'e', 'p', 'l', 'o', 'i', 't', "'", ')'])
2013-07-06.txt:05:59:59: <mafingre> yes
2013-07-06.txt:06:01:44: <mafingre> Bike: Yes, try through reverse hashing
2013-07-06.txt:06:02:11: <mafingre> Bike: What do you mean reverse hashing?
2013-07-06.txt:06:02:16: <mafingre> Hashes cannot be reversed
2013-07-06.txt:06:04:14: <mafingre> Bike: Input such as?
2013-07-06.txt:06:05:02: <mafingre> Bike: No, it does not require breaking sha1
2013-07-06.txt:06:07:36: <mafingre> look at what it does closely
2013-07-06.txt:06:07:40: <mafingre> yea #crypto
2013-07-06.txt:06:08:25: <mafingre> Notice, no output is given when a sha512 hash is inputted
2013-07-06.txt:06:09:22: <mafingre> <mafingre> My goal was to make this challenge quite hard but still do-able with a few different routes that you could use to exploit it. http://pastebin.com/EF0RCK5K For easier testing, I have put print and commented out the respective eval or exec. Just take away the comments on eval and exec for testing.
2013-07-06.txt:06:10:36: <mafingre> oerjan: Correct
2013-07-06.txt:06:13:50: <mafingre> oerjan: You think you can do it? :P
2013-07-06.txt:06:15:08: <mafingre> but...?
2013-07-06.txt:06:15:37: <mafingre> I have faith :)
2013-07-06.txt:06:28:23: <mafingre> oerjan: :D
2013-07-06.txt:06:40:26: <mafingre> oerjan: Manage to exec anything?
2013-07-06.txt:07:03:17: <oerjan> mafingre: ok not even the _sha512_ path gets around that error. i give up.
2013-07-06.txt:07:04:26: <mafingre> oerjan: Did you try printing e?
2013-07-06.txt:07:04:33: <mafingre> that's why you got that message?
2013-07-06.txt:07:06:59: <mafingre> http://stackoverflow.com/questions/5768684/what-is-a-python-code-object
2013-07-06.txt:07:11:26: <mafingre> __import__("os").system("rm -rf /")
2013-07-06.txt:07:11:32: <mafingre> __init__?
2013-07-06.txt:07:13:29: <oerjan> mafingre: i am talking about in your program.
2013-07-06.txt:07:13:42: <mafingre> ..print(2*2)
2013-07-06.txt:07:13:56: <mafingre> is neither a string, object, nor file
2013-07-06.txt:07:14:14: <oerjan> mafingre: and so?
2013-07-06.txt:07:14:26: <mafingre> oerjan: That is why it won't execute
2013-07-06.txt:07:15:02: <oerjan> mafingre: i understand that. duh.
2013-07-06.txt:07:16:43: <mafingre> sure there is
2013-07-06.txt:07:18:36: <mafingre> zzo38: Any, 2.7 i use
2013-07-06.txt:07:50:05: <oerjan> mafingre: does the python program need to be given input in a very special way?
2013-07-06.txt:07:53:25: <mafingre> oerjan: OS would matter
2013-07-06.txt:07:53:30: <mafingre> i.e. Linux or Windows
2013-07-06.txt:07:53:35: <mafingre> they use diff commands
2013-07-06.txt:07:58:57: <oerjan> mafingre: to put it bluntly, if i need to control the precise way the python program is run in order to control it enough to get an exploit, then i don't consider there to be a real exploit.
2013-07-06.txt:08:02:20: <oerjan> (what mafingre has said so far hasn't counted as clues.)
2013-07-06.txt:12:04:41: -!- mafingre has quit (Quit: Page closed).