Werkzeug / Flask Debug
Console RCE

If debug mode is enabled you can try to access /console and obtain RCE.

There are also several exploits available online, such as this one or the one in Metasploit.

Pin Protected - Path Traversal

In some cases the /console endpoint is protected by a PIN. If you have a file traversal vulnerability, you can leak all the information needed to generate that PIN.
Werkzeug Console PIN Exploit

Force a debug error page in the application to see this:

When you try to open Werkzeug's debug interface you get a "console locked" message: a PIN is required to unlock the console. The PIN can be recovered by analysing the PIN generation algorithm in Werkzeug's debug initialization file (__init__.py). The generation mechanism can be studied in the Werkzeug source code repository, but because the algorithm differs between versions it is advisable to obtain the server's actual code through the file traversal vulnerability.

To reproduce the console PIN, two sets of variables, probably_public_bits and private_bits, are needed:
probably_public_bits

- username: the user who started the Flask process.
- modname: typically flask.app.
- getattr(app, '__name__', getattr(app.__class__, '__name__')): usually resolves to Flask.
- getattr(mod, '__file__', None): the full path to app.py inside the Flask directory (e.g. /usr/local/lib/python3.5/dist-packages/flask/app.py). If app.py is not the file in use, try app.pyc.
private_bits

- uuid.getnode(): the MAC address of the current machine; str(uuid.getnode()) turns it into its decimal representation. To determine the server's MAC address you must identify the network interface the application uses (e.g. ens3). If unsure, leak /proc/net/arp to find the device ID, then read the MAC address from /sys/class/net/<device id>/address. The conversion of the hexadecimal MAC address to decimal can be performed as shown below:
- get_machine_id(): combines the contents of /etc/machine-id or /proc/sys/kernel/random/boot_id with the first line of /proc/self/cgroup after the last slash (/).
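From the defender's side, the two signals worth watching for in a Flask/Werkzeug deployment are requests to the debugger console itself and traversal reads of exactly the files listed above, since together they indicate someone assembling the PIN material. The following is an added example, not code from the original page or from Werkzeug: a small access-log scanner that flags both signals and a helper that tells you whether the debugger (and therefore /console) would be active at all. The combined-style log format, the sample log lines, FLASK_DEBUG handling and the function names are assumptions; the file paths are the ones named on the page.

```python
"""Detect Werkzeug console access and PIN-material reads in access logs.

Added example (not from the page or from Werkzeug). The log format, the
constructed sample lines and the helper names are assumptions.
"""
import re
from urllib.parse import unquote

# Files whose contents feed the Werkzeug console PIN (paths from the page).
PIN_MATERIAL_PATHS = (
    "/etc/machine-id",
    "/proc/sys/kernel/random/boot_id",
    "/proc/self/cgroup",
    "/proc/net/arp",
)
# /sys/class/net/<device id>/address, with any interface name.
PIN_MATERIAL_PATTERN = re.compile(r"/sys/class/net/[^/\s]+/address")

# Minimal parser for a combined-style access log line (assumed format):
# client_ip ident user [timestamp] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one client probes /console and then reads the
# PIN-material files through a traversal in a download parameter; a second
# client only performs ordinary requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /console HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /download?file=../../../../etc/machine-id HTTP/1.1" 200 33',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /download?file=..%2F..%2F..%2Fproc%2Fself%2Fcgroup HTTP/1.1" 200 80',
    '203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /download?file=../../sys/class/net/ens3/address HTTP/1.1" 200 18',
    '198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /static/app.css HTTP/1.1" 200 1200',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0',
]


def normalize_path(raw):
    """Percent-decode repeatedly (up to 3 rounds) so double-encoded traversal
    sequences such as ..%252F end up as plain '../' before matching."""
    prev, cur = None, raw
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(line):
    """Return (category, client_ip, decoded_path) for a suspicious request,
    or None for a benign or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize_path(m.group("path"))
    route = decoded.split("?", 1)[0].rstrip("/")
    if route == "/console":
        return ("debugger-console", m.group("ip"), decoded)
    if any(p in decoded for p in PIN_MATERIAL_PATHS) or PIN_MATERIAL_PATTERN.search(decoded):
        return ("pin-material-read", m.group("ip"), decoded)
    return None


def scan(lines):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


def suspicious_clients(findings):
    """Clients that both touched /console and read PIN material: the
    combination is the strongest indicator of a PIN-forging attempt."""
    per_ip = {}
    for category, ip, _ in findings:
        per_ip.setdefault(ip, set()).add(category)
    return {ip for ip, cats in per_ip.items()
            if cats >= {"debugger-console", "pin-material-read"}}


def debugger_enabled(app_debug, env):
    """True when the Werkzeug debugger (and so /console) would be active:
    app.run(debug=True) or FLASK_DEBUG set to anything but 0/false/no.
    Mirrors Flask's handling of FLASK_DEBUG; the exact set of 'off' values
    is an assumption."""
    val = env.get("FLASK_DEBUG")
    return bool(app_debug) or bool(val and val.lower() not in {"0", "false", "no"})


if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for category, ip, path in findings:
        print(f"{category:18} {ip:14} {path}")
    print("suspicious clients:", suspicious_clients(findings))
```

Run it on a real access log by replacing SAMPLE_LOG with the file's lines; the per-client correlation in suspicious_clients is what separates a vulnerability scanner that merely probes /console from an attacker who is actually collecting the PIN inputs, and debugger_enabled is the check to run in a deployment script so the console never exists in production in the first place.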