# Flask

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在一个**网络安全公司**工作吗？你想在HackTricks中看到你的**公司广告**吗？或者你想获得**PEASS的最新版本或下载HackTricks的PDF**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>

<figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>

使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks)可以轻松构建和**自动化工作流程**，使用世界上**最先进的**社区工具。\
立即获取访问权限：

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

**如果你在玩CTF，Flask应用程序可能与**[**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**相关。**

## Cookies

默认的cookie会话名称是**`session`**。

### 解码器

在线Flask cookie解码器：[https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)

#### 手动

获取cookie的第一部分，直到第一个点，并对其进行Base64解码>
```bash
echo "ImhlbGxvIg" | base64 -d
```
cookie也使用密码进行签名

### **Flask-Unsign**

命令行工具，通过猜测秘钥来获取、解码、暴力破解和构造Flask应用程序的会话cookie。

{% embed url="https://pypi.org/project/flask-unsign/" %}
```bash
pip3 install flask-unsign
```
#### **解码 Cookie**

To decode a cookie, you can use various tools and techniques. One common method is to use a base64 decoder to decode the cookie value. Base64 encoding is commonly used to encode binary data into ASCII characters, and decoding it reverses the process.

Here is an example of how you can decode a cookie using Python and the Flask framework:

```python
import base64

from flask import Flask, request

app = Flask(__name__)

@app.route('/')
def index():
    cookie_value = request.cookies.get('cookie_name')
    decoded_value = base64.b64decode(cookie_value).decode('utf-8')
    return f'Decoded cookie value: {decoded_value}'

if __name__ == '__main__':
    app.run()
```

In this example, we import the `base64` module and the `Flask` class from the Flask framework. We define a route for the root URL ("/") and retrieve the value of the cookie named "cookie_name" using `request.cookies.get()`. We then decode the cookie value using `base64.b64decode()` and convert it to a UTF-8 string using `.decode('utf-8')`. Finally, we return the decoded cookie value as the response.

Keep in mind that decoding a cookie may not always reveal sensitive information. It depends on how the cookie is encoded and what data it contains. Always exercise caution and ensure you have proper authorization before attempting to decode or manipulate cookies.
```bash
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
```
#### **暴力破解**

Brute force（暴力破解）是一种常见的网络攻击技术，用于尝试所有可能的密码组合来获取未经授权的访问权限。在Web应用程序中，暴力破解通常用于尝试破解用户账户的密码。

暴力破解攻击可以通过多种方式进行，包括使用字典文件、使用常见密码列表或使用自动生成的密码组合。攻击者可以使用自动化工具来加快暴力破解的速度，并尝试大量的密码组合。

为了防止暴力破解攻击，Web应用程序可以采取一些安全措施，例如实施密码策略（如强制使用复杂密码、限制登录尝试次数）、使用多因素身份验证、实施帐户锁定机制等。

作为渗透测试人员，我们可以使用暴力破解技术来测试Web应用程序的密码安全性，并向开发人员提供改进建议，以确保用户账户的安全性。
```bash
flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval
```
#### **签名**

Signing is a process used to verify the authenticity and integrity of data. In the context of web applications, signing is often used to ensure that data sent between the client and the server has not been tampered with.

签名是一种用于验证数据的真实性和完整性的过程。在Web应用程序的上下文中，签名通常用于确保在客户端和服务器之间发送的数据没有被篡改。

When a client sends a request to the server, the server can generate a signature for the request data using a secret key. This signature is then sent along with the request. Upon receiving the request, the server can verify the signature by recalculating it using the same secret key and comparing it to the received signature. If the calculated signature matches the received signature, it means that the data has not been tampered with.

当客户端向服务器发送请求时，服务器可以使用一个秘密密钥为请求数据生成一个签名。然后将此签名与请求一起发送。在接收到请求后，服务器可以通过使用相同的秘密密钥重新计算签名并将其与接收到的签名进行比较来验证签名。如果计算得到的签名与接收到的签名匹配，则表示数据没有被篡改。

Signing can be used to prevent tampering with data, as well as to verify the authenticity of the sender. It is commonly used in scenarios where data integrity and security are crucial, such as authentication tokens, API requests, and session cookies.

签名可用于防止数据篡改，以及验证发送方的真实性。它通常用于数据完整性和安全性至关重要的场景，例如身份验证令牌、API请求和会话Cookie。

To implement signing in a web application, a cryptographic algorithm such as HMAC (Hash-based Message Authentication Code) can be used. HMAC uses a secret key and a hash function to generate the signature. The same secret key and hash function must be used for both signing and verifying the signature.

要在Web应用程序中实现签名，可以使用HMAC（基于哈希的消息认证码）等加密算法。HMAC使用一个秘密密钥和一个哈希函数来生成签名。签名和验证签名必须使用相同的秘密密钥和哈希函数。

It is important to keep the secret key used for signing secure and confidential. If an attacker gains access to the secret key, they can generate valid signatures and tamper with the data.

保持用于签名的秘密密钥安全和保密非常重要。如果攻击者获得秘密密钥，他们可以生成有效的签名并篡改数据。
```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
```
#### 使用传统方式进行签名（旧版本）

In older versions of Flask, the `signing` module was used to sign cookies and other data. This module provided a way to ensure the integrity and authenticity of the data being transmitted.

在旧版本的Flask中，使用`signing`模块对cookie和其他数据进行签名。该模块提供了一种确保传输数据的完整性和真实性的方式。

To sign data using the legacy method, you can import the `signing` module and use the `sign` function. This function takes the data to be signed and a secret key as parameters.

要使用传统方法对数据进行签名，可以导入`signing`模块并使用`sign`函数。该函数接受要签名的数据和一个密钥作为参数。

```python
from flask import signing

data = "Hello, world!"
secret_key = "my_secret_key"

signed_data = signing.sign(data, secret_key)
```

The `sign` function returns a signed string that can be transmitted along with the data. To verify the signature, you can use the `unsign` function.

`sign`函数返回一个已签名的字符串，可以与数据一起传输。要验证签名，可以使用`unsign`函数。

```python
verified_data = signing.unsign(signed_data, secret_key)
```

The `unsign` function will raise a `BadSignature` exception if the signature is invalid or if the data has been tampered with.

如果签名无效或数据被篡改，`unsign`函数将引发`BadSignature`异常。

It is important to note that the legacy signing method is not as secure as the current method provided by Flask. It is recommended to upgrade to the latest version of Flask and use the new signing method for improved security.

需要注意的是，传统的签名方法不如Flask提供的当前方法安全。建议升级到最新版本的Flask，并使用新的签名方法以提高安全性。
```bash
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
```
### **RIPsession**

命令行工具，使用使用flask-unsign生成的cookie对网站进行暴力破解。

{% embed url="https://github.com/Tagvi/ripsession" %}
```bash
ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
```
### 在Flask会话cookie中使用SQLmap进行SQLi攻击

[**这个例子**](../../pentesting-web/sql-injection/sqlmap/#eval) 使用sqlmap的`eval`选项来使用已知的密钥自动签名flask的sqlmap负载。

<figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>

使用[**Trickest**](https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks)轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。\
立即获取访问权限：

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* 你在一家**网络安全公司**工作吗？想要在HackTricks中看到你的**公司广告**吗？或者你想要**获取PEASS的最新版本或下载PDF格式的HackTricks**吗？请查看[**订阅计划**](https://github.com/sponsors/carlospolop)！
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)，或者**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**

</details>