Search K
Appearance
Appearance
Other ways to support HackTricks:
Different vulnerabilities such as Python Format Strings or Class Pollution might allow you to read python internal data but won't allow you to execute code. Therefore, a pentester will need to make the most of these read permissions to obtain sensitive privileges and escalate the vulnerability.
The main page of a Flask application will probably have the app
global object where this secret is configured.
app = Flask(__name__, template_folder='templates')
app.secret_key = '(:secret:)'
In this case it's possible to access this object just using any gadget to access global objects from the Bypass Python sandboxes page.
In the case where the vulnerability is in a different python file, you need a gadget to traverse files to get to the main one to access the global object app.secret_key
to change the Flask secret key and be able to escalate privileges knowing this key.
A payload like this one from this writeup:
__init__.__globals__.__loader__.__init__.__globals__.sys.modules.__main__.app.secret_key
Use this payload to change app.secret_key
(the name in your app might be different) to be able to sign new and more privileges flask cookies.
Using these payload from this writeup you will be able to access the machine_id and the uuid node, which are the main secrets you need to generate the Werkzeug pin you can use to access the python console in /console
if the debug mode is enabled:
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug]._machine_id}
{ua.__class__.__init__.__globals__[t].sys.modules[werkzeug.debug].uuid._node}
โ ๏ธ
Note that you can get the servers local path to the app.py
generating some error in the web page which will give you the path.
If the vulnerability is in a different python file, check the previous Flask trick to access the objects from the main python file.
Other ways to support HackTricks: