Werkzeug / Flask Debug
If debug mode is enabled you can try to access `/console` and get RCE.

There are also several exploits available online, like this one, or the one in Metasploit.

In some cases the `/console` endpoint will be protected by a PIN. If you have a file traversal vulnerability, you can leak all the information needed to generate that PIN.

Force a debug error page in the application to see this:
When you try to open Werkzeug's debug interface you may be met with a "console locked" message, meaning a PIN is required to unlock the console. The PIN is derived by the generation algorithm in Werkzeug's debug initialization file (`__init__.py`). The mechanism can be studied in the Werkzeug source code repository, but it is better to retrieve the actual file from the server via the file traversal vulnerability, because the algorithm differs between versions.
To exploit the console PIN, two sets of variables, `probably_public_bits` and `private_bits`, are needed:

probably_public_bits

- `username`: refers to the user who started the Flask session.
- `modname`: usually named `flask.app`.
- `getattr(app, '__name__', getattr(app.__class__, '__name__'))`: usually evaluates to `Flask`.
- `getattr(mod, '__file__', None)`: represents the full path of `app.py` inside the Flask directory (for example, `/usr/local/lib/python3.5/dist-packages/flask/app.py`). If `app.py` does not apply, try `app.pyc`.

private_bits

- `uuid.getnode()`: gets the MAC address of the current machine, with `str(uuid.getnode())` rendering it in decimal format.
  To determine the server's MAC address, one must identify the network interface used by the app (for example, `ens3`). In case of uncertainty, leak `/proc/net/arp` to obtain the device id, then extract the MAC address from `/sys/class/net/<device id>/address`.
  Converting the hexadecimal MAC address to decimal can be done as shown below:
- `get_machine_id()`: combines data from `/etc/machine-id` or `/proc/sys/kernel/random/boot_id` with the first line of `/proc/self/cgroup` after the last slash (`/`).
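From the defender's side, the PIN is not a security boundary: every ingredient above is host data that a single file-read bug can expose, so the real fix is never shipping the Werkzeug debugger to production. The following is an added example (not from the original page, and not Werkzeug or Flask code) that scans web server access logs for the activity described above: requests reaching `/console`, requests carrying Werkzeug's `__debugger__` query parameter, and file reads that target the PIN-ingredient paths named on this page. The log lines are constructed samples in Common Log Format; the finding category names and the `/download?file=` endpoint are assumptions for the demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (Common Log Format) for the demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /console HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /console?__debugger__=yes&cmd=resource&f=style.css HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /download?file=../../../../etc/machine-id HTTP/1.1" 200 33
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /download?file=../../../../proc/self/cgroup HTTP/1.1" 200 190
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /download?file=../../../../sys/class/net/ens3/address HTTP/1.1" 200 18
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:01:10 +0000] "GET /console HTTP/1.1" 404 232
"""

# Files the page lists as inputs to the console PIN; a read of any of them
# right after a /console probe is a strong signal that the PIN is being rebuilt.
PIN_MATERIAL_PATHS = (
    "/etc/machine-id",
    "/proc/sys/kernel/random/boot_id",
    "/proc/self/cgroup",
    "/proc/net/arp",
    "/sys/class/net/",
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)


def classify(target, status):
    """Return the finding categories (assumed names) for one request line."""
    cats = []
    parts = urlsplit(target)
    path = unquote(parts.path).rstrip("/")
    if path == "/console":
        # A 200 means the debugger console page was actually served.
        cats.append("console_reachable" if status == 200 else "console_probe")
    if "__debugger__" in parse_qs(parts.query):
        cats.append("debugger_query")
    decoded = unquote(target)  # catch %2e%2e-style encoded traversal too
    if any(p in decoded for p in PIN_MATERIAL_PATHS):
        cats.append("pin_material_read")
    return cats


def analyze(log_text):
    """Yield (ip, category, target) for every suspicious request in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        for cat in classify(m["target"], int(m["status"])):
            findings.append((m["ip"], cat, m["target"]))
    return findings


def findings_by_ip(log_text):
    """Group finding categories per client, sorted for stable output."""
    grouped = {}
    for ip, cat, _ in analyze(log_text):
        grouped.setdefault(ip, set()).add(cat)
    return {ip: sorted(cats) for ip, cats in grouped.items()}


def debugger_exposed(log_text):
    """True when at least one request received the console page (HTTP 200)."""
    return any(cat == "console_reachable" for _, cat, _ in analyze(log_text))


if __name__ == "__main__":
    for ip, cats in findings_by_ip(SAMPLE_LOG).items():
        print(ip, cats)
    print("debugger exposed:", debugger_exposed(SAMPLE_LOG))
```

A `console_reachable` hit is the finding to act on first (the debugger is live on a reachable host); `console_probe` with a 404 is reconnaissance against a correctly configured deployment and `pin_material_read` points at a file-read bug that needs fixing independently of the debugger.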