I decided to browse Codeforces submissions for a question that I completed and I saw this. I doubt this guy will do much harm, but I still find it quite funny.
Auto comment: topic has been updated by HatedFate (previous revision, new revision, compare).
Lol. Seems like someone is trying to practice "Command Injection" on Codeforces xD
ctf... cf might get hacked like this
Possibly tell him that hacking sites without permission is illegal before he gets in trouble.
Edit: nvm this was all 3 months ago. It looks like he ended up sending messages from cf servers using Python's socket library. I wonder why the admins haven't disabled such libraries.
The way to address this is not to disable the libraries; the way to address this is to block network access (relevant syscalls or similar), preferably by using a proper sandbox.
I didn't believe this would actually make a request but it does. I tried this: 265945617 and sure enough, it actually made a request, there is a log event of that on my server.
EDIT: and it can receive too! 265946029 I think this might actually turn out to be a serious vulnerability.
Damn, did I uncover something crazy or is it known for a while now?
my man just printed 69 on his private server. man of culture indeed
So theoretically you could send over test data to a private server that could run embarrassingly parallel code on a cluster (let's say, running $$$O(n!)$$$ when the intended is $$$O(\textsf{poly}(n) 2^n)$$$) and print the result to CF stdout?
Seems like an even more cursed way of solving Watermelon!
theoretically speaking, you can basically write a script to do so, for a non-interactive problem at least, so basically someone can get the full systests, if he just tries so many directories to finally find the systest folder...