Derek's Blog

Code is a beauty.


fluid

Posted on 2019-05-15 | In Simulation

Fluid simulation in 2D

Introduction

Water covers about 71% of the earth's surface, and it plays an important role in people's lives: we use ships to travel, to catch fish, to transport goods, and so on. But how can we know that the ship we build will move smoothly through the water and will be safe to stay on when it meets a storm at sea? For this we use a method called fluid simulation.

Fluid simulation is a technique that uses computers to generate realistic animations of fluids such as water or smoke. It is widely applied in 3D computer games and scientific movies.

Read more »

VAE

Posted on 2019-04-10 | In Deep_Learning

Variational Autoencoders

Generative models in deep learning have been popular since 2014, when GAN (Generative Adversarial Nets) was introduced by Ian Goodfellow. Another model that is widely used for generating data is VAE (Variational Autoencoders) and its variant CVAE (Conditional Variational Autoencoders).

In this post, we will have a brief introduction to VAE and how it works.

Read more »

iterative_deepening

Posted on 2019-03-24 | In Algorithm

Iterative Deepening DFS

The iterative deepening depth-first search is a state space search algorithm that combines the advantages of BFS and DFS.

  • Time complexity: O(b^d), where b is the branching factor and d is the depth of the goal.
  • Space complexity: O(d), where d is the depth of the goal.

Read more »

david_putnam

Posted on 2019-03-24 | In Algorithm

David Putnam algorithm

The David Putnam algorithm is aimed at checking the validity of a first-order logic formula, which solves SAT (the boolean satisfiability problem). It is a recursive function containing a while loop that checks the following:

  • The set contains some clauses, i.e. it is not empty.
  • There is no empty clause in the set.
  • If there is a singleton clause in the set, set it to true and propagate.
  • If there is a pure literal (one whose negation is not in the set), set it to true and propagate.

Read more »

CTF

Posted on 2019-03-14 | In CTF

TAMUctf Writeup

Team member: Dingsu Wang, Owen England, Wenhe Li

Web

Science

This website takes two arguments as input and gives back a gif. The page also indicates it is a Flask app, which is important for the solution!

Originally, I thought it was about SQL injection or blind injection, so I tried inputs like:

' OR 1=1; -- !

It gives no feedback and returns the input directly. We noticed that the result page prints our input without any modification, so there is a potential for XSS. But such XSS would only work on the client side, which does not help in finding the flag.

After a while, we finally noticed that it is a Flask app using an HTML template, which means we can inject Python code using the template syntax. The next step is to determine which template engine it is using, so we input:

{{ 7 * '7' }}

If the output is 49 it is using Twig; if the output is 7777777 then it uses Jinja.

After confirming the template engine is Jinja, we first tried to inject Python commands directly, like:

open('flag.txt', 'r').read()
os.system('ls')
subprocess

None of the above worked, probably due to a limit on the namespace. Then we found out that by calling config.items()[4][1].__class__.__mro__[2].__subclasses__() we can get all the modules loaded in the current namespace.

We can think of this as a list containing all the objects; we just need to find one that can read/write files or call the command line. So we tried subprocess.Popen to run commands, but we found it is not possible to get the output unless subprocess.PIPE is available in the environment. Since we could not get the direct output of a command, we also tried curl, rsync and wget to send the flag file to our personal server, but it turned out that none of these commands exist in the environment. So we looked back at the modules available, and found a module called click that can run commands and read files. Finally, by calling:

lazyFile('flag.txt').open().read()

we can get the flag.
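From a defender's side, the probes in this writeup leave a recognisable trail in the request parameters. The following is an added example (not part of the original post) that scans constructed access-log lines for Jinja template delimiters and the object-introspection chain used above, separating a harmless template probe from a namespace-escape attempt; the log format and the `/science` path are assumed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic): method and request target,
# as a reverse proxy or WAF would record them for the two-parameter endpoint.
SAMPLE_LOG = """\
GET /science?a=cat&b=dog
GET /science?a=%27+OR+1%3D1%3B+--+!&b=x
GET /science?a=%7B%7B+7+*+%277%27+%7D%7D&b=x
GET /science?a=%7B%7Bconfig.items%28%29%5B4%5D%5B1%5D.__class__.__mro__%5B2%5D.__subclasses__%28%29%7D%7D&b=x
GET /science?a=%7B%25+if+1+%25%7Dx%7B%25+endif+%25%7D&b=hello
"""

# Jinja expression ({{ ... }}) or statement ({% ... %}) blocks in a user value.
TEMPLATE_BLOCK = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Dunder attributes used to walk from a harmless object to loaded classes/modules.
INTROSPECTION = re.compile(r"__(class|mro|subclasses|globals|builtins|import)__")


def classify_value(value: str) -> Optional[str]:
    """None for benign input, 'probe' for bare template syntax (e.g. {{ 7 * '7' }}),
    'escape' when template syntax is combined with Python object introspection."""
    if not TEMPLATE_BLOCK.search(value):
        return None
    return "escape" if INTROSPECTION.search(value) else "probe"


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (parameter, decoded value, verdict) for every suspicious query value."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip malformed lines
        query = urlsplit(parts[1]).query  # parse_qs also percent-decodes the values
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                verdict = classify_value(value)
                if verdict:
                    findings.append((name, value, verdict))
    return findings


if __name__ == "__main__":
    for param, value, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:7} {param}={value}")
```

The SQL-style payload on the second line is deliberately not flagged: the detector only cares about the template-injection path that actually led to the flag.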

Read more »
© 2020 Derek Wang