hacktricks/generic-methodologies-and-resources/python/python-internal-read-gadgets.md

Python Internal Read Gadgets

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Basic Information

Different vulnerabilities such as Python Format Strings or Class Pollution might allow you to read python internal data but won't allow you to execute code. Therefore, a pentester will need to make the most of these read permissions to obtain sensitive privileges and escalate the vulnerability.

Flask - Read secret key

The main page of a Flask application will probably have the app global object where this secret is configured.

app = Flask(__name__, template_folder='templates')
app.secret_key = '(:secret:)'

In this case it's possible to access this object just using any gadget to access global objects from the Bypass Python sandboxes page.

In the case where the vulnerability is in a different python file, you need a gadget to traverse files to get to the main one to access the global object app.secret_key to change the Flask secret key and be able to escalate privileges knowing this key.

A payload like this one from this writeup:

{% code overflow="wrap" %}

__init__.__globals__.__loader__.__init__.__globals__.sys.modules.__main__.app.secret_key

{% endcode %}

Use this payload to change app.secret_key (the name in your app might be different) to be able to sign new and more privileges flask cookies.

Werkzeug - machine_id and node uuid

Using these payload from this writeup you will be able to access the machine_id and the uuid node, which are the main secrets you need to generate the Werkzeug pin you can use to access the python console in /console if the debug mode is enabled:

{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug]._machine_id}
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug].uuid._node}

{% hint style="warning" %} Note that you can get the servers local path to the app.py generating some error in the web page which will give you the path. {% endhint %}

If the vulnerability is in a different python file, check the previous Flask trick to access the objects from the main python file.

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

• Check the subscription plans!
• Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
• Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}