4.6 KiB
Python Internal Read Gadgets
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
Different vulnerabilities such as Python Format Strings or Class Pollution might allow you to read python internal data but won't allow you to execute code. Therefore, a pentester will need to make the most of these read permissions to obtain sensitive privileges and escalate the vulnerability.
Flask - Read secret key
The main page of a Flask application will probably have the app
global object where this secret is configured.
app = Flask(__name__, template_folder='templates')
app.secret_key = '(:secret:)'
In this case it's possible to access this object just using any gadget to access global objects from the Bypass Python sandboxes page.
In the case where the vulnerability is in a different python file, you need a gadget to traverse files to get to the main one to access the global object app.secret_key
to change the Flask secret key and be able to escalate privileges knowing this key.
A payload like this one from this writeup:
{% code overflow="wrap" %}
__init__.__globals__.__loader__.__init__.__globals__.sys.modules.__main__.app.secret_key
{% endcode %}
Use this payload to change app.secret_key
(the name in your app might be different) to be able to sign new and more privileges flask cookies.
Werkzeug - machine_id and node uuid
Using these payload from this writeup you will be able to access the machine_id and the uuid node, which are the main secrets you need to generate the Werkzeug pin you can use to access the python console in /console
if the debug mode is enabled:
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug]._machine_id}
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug].uuid._node}
{% hint style="warning" %}
Note that you can get the servers local path to the app.py
generating some error in the web page which will give you the path.
{% endhint %}
If the vulnerability is in a different python file, check the previous Flask trick to access the objects from the main python file.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
- If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
- Get the official PEASS & HackTricks swag
- Discover The PEASS Family, our collection of exclusive NFTs
- Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
- Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.