search

Postfix Calculator

hashtag
Description

Postfix Calculator | 75 points | By Parth

Mr. Wang left some tricks behind in his Intro to CS labs before leaving BCA. Can you use the Postfix lab to get the flag?

Netcat Links:nc challs.bcactf.com 30096 Static resources: PostfixCalculator.pyarrow-up-right

hashtag
Analysis

While the code is simple, its awfully not verbose and unclear what's happening.

I added print statements so we can see what we are doing.

### Take inputs for required 2 nums and 1 operator ###
num = input("[-] Num 1: ")
num2 = input("[-] Num 2: ")
op = input("[-] Operator: ")

### Check if op is a valid operator ###
### If no, then raise error ###
if not op in ['+', '-', '*', '/', '^']:
    raise SyntaxError('Read token %s, expected operator' % op)
### Else, calculate new answer ###
print(f'\neval={num}{op}{num2}')
answer = eval(f'{num}{op}{num2}')
print(f"{answer=}\n")

num = input("[*] Num: ")
### Take inputs for more nums and operators ###
while num != '=':
    op = input("[*] Operator: ")
### If not '=' or invalid, then calculate new answer ###
    if not op in ['+', '-', '*', '/', '^']:
        raise SyntaxError('Read token %s, expected operator' % op)
    print(f"{answer} {op} {float(num)}")
    answer = eval(f'{answer} {op} {float(num)}')
    num = input("[*] Num: ")

### Output final answer ###
print(answer)

Okay, first part takes in num1, num2 and operator. The first eval is not exploitable since it concatinates everything without spaces, but we can use that functionality to craft payload.

Second eval is where exploit will happen since our answer payload will get evaluated (notice spaces) and rest will get added.

I mention concatinate/add and by that I mean that I'll be using + as operator, since other operators can't benefit us in python. Maybe * can but I'll stick to +

hashtag
Solution

PreviousNot TodayNextRESTful swap

Last updated