# Python Internal Read Gadgets
## Basic Information
Different vulnerabilities such as [**Python Format Strings**](bypass-python-sandboxes/#python-format-string) or [**Class Pollution**](class-pollution-pythons-prototype-pollution.md) might allow you to **read Python internal data but won't allow you to execute code**. Therefore, a pentester will need to make the most of these read permissions to **obtain sensitive privileges and escalate the vulnerability**.
### Flask - Read secret key
The main page of a Flask application will probably have the **`app`** global object where this **secret is configured**.
```python
app = Flask(__name__, template_folder='templates')
app.secret_key = '(:secret:)'
```
In this case, the object can be accessed with any of the gadgets for **accessing global objects** from the [**Bypass Python sandboxes page**](bypass-python-sandboxes/).

When **the vulnerability is in a different Python file**, you need a gadget that traverses files to reach the main one, so that you can **access the global object `app.secret_key`**, obtain the Flask secret key and [**escalate privileges**](../../network-services-pentesting/pentesting-web/flask.md#flask-unsign).

A payload like this one, [from this writeup](https://ctftime.org/writeup/36082):
{% code overflow="wrap" %}
```python
__init__.__globals__.__loader__.__init__.__globals__.sys.modules.__main__.app.secret_key
```
{% endcode %}
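Why a read-only format-string bug reaches module globals such as the secret key, next to a restricted formatter that refuses the traversal. This is an added example, not code from HackTricks or the referenced writeup; `SECRET_KEY`, `User`, `render_vulnerable`, `render_safe`, `FieldOnlyFormatter` and `is_rejected` are hypothetical names and the secret is a constructed value.

```python
import string

SECRET_KEY = "constructed-demo-secret"  # constructed stand-in for app.secret_key


class User:
    def __init__(self, name):
        self.name = name


def render_vulnerable(template, user):
    # The caller-controlled template is used as the format string, so its
    # replacement fields may walk attributes and items starting at `user`.
    return template.format(user=user)


class FieldOnlyFormatter(string.Formatter):
    """Allow only bare field names such as {name}: no '.', no '[...]'."""

    def get_field(self, field_name, args, kwargs):
        # Also called for fields nested inside a format spec.
        if not field_name.isidentifier() or field_name.startswith("_"):
            raise ValueError(f"field not allowed: {field_name!r}")
        return super().get_field(field_name, args, kwargs)


def render_safe(template, user):
    # Expose plain strings only, looked up by bare name.
    return FieldOnlyFormatter().format(template, name=str(user.name))


def is_rejected(template):
    # True when the restricted formatter refuses the template.
    try:
        render_safe(template, User("ana"))
    except (ValueError, KeyError):
        return True
    return False
```

Keeping user input out of the format-string position entirely (passing it only as an argument) removes the need for the restricted formatter.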
The same kind of read gadget also reaches Werkzeug's debugger module. These payloads read `_machine_id` and `uuid._node` from `werkzeug.debug`:
```python
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug]._machine_id}
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug].uuid._node}
```
{% hint style="warning" %}
Note that you can get the **server's local path to `app.py`** by generating an **error** in the web page, which will **give you the path**.
{% endhint %}
If the vulnerability is in a different Python file, see the previous Flask trick to access the objects from the main Python file.
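For detection, the traversal chains shown on this page are distinctive enough to flag in request logs. The following is an added example, not part of the original page: the token list is taken from the payloads above, while the log lines, paths, parameter names and the threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Attribute names that appear in the traversal chains shown on this page.
TOKENS = ("__globals__", "__init__", "__class__", "__loader__", "__main__",
          "sys.modules", "secret_key", "_machine_id", "uuid._node")
TOKEN_RE = re.compile("|".join(re.escape(t) for t in TOKENS), re.IGNORECASE)


def decode(value, rounds=3):
    # Undo up to `rounds` layers of percent-encoding (handles double encoding).
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hits(line):
    # Distinct traversal tokens present in the decoded line, sorted.
    return sorted({m.group(0).lower() for m in TOKEN_RE.finditer(decode(line))})


def flag(lines, threshold=2):
    # A single token (e.g. a request for __init__.py) is common and benign;
    # a chain of several is not. Returns (line_number, tokens) pairs.
    flagged = []
    for number, line in enumerate(lines, 1):
        found = hits(line)
        if len(found) >= threshold:
            flagged.append((number, found))
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE = [
    '10.0.0.5 "GET /profile?name=ana HTTP/1.1" 200',
    '10.0.0.9 "GET /greet?fmt=%7Bua.__class__.__init__.__globals__%5Bt%5D'
    '.sys.modules%5Bwerkzeug.debug%5D._machine_id%7D HTTP/1.1" 200',
    '10.0.0.9 "POST /api/set key=__init__.__globals__.__loader__.__init__'
    '.__globals__.sys.modules.__main__.app.secret_key" 200',
    '10.0.0.7 "GET /docs/__init__.py HTTP/1.1" 404',
]

if __name__ == "__main__":
    for number, found in flag(SAMPLE):
        print(number, found)
```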