I have found an arbitrary file upload vulnerability on a Flask application that I was playing with that essentially allows me to append to any file (and create new ones) in the file system. The code that causes the vulnerability boils down to:

    with open(user_controlled, "a+") as f:
        f.write(also_user_controlled)

I was trying to turn that into remote code execution but I haven't been able to do it since the usual technique of uploading a PHP shell does not work for this case (as I'm dealing with Flask). Can anyone think of a way?

Possibly important details:

  • the server is running on Linux;
  • nginx is being used to serve the application.

  • As Flask is a Python application, you need to send a Python webshell. Commented May 7, 2023 at 23:44
  • That would work but I have no way of restarting the Flask server. So any shell I upload will not be loaded (I have already tried). Commented May 7, 2023 at 23:46
  • So overwrite an existing Python file that the server already can reliably be triggered to invoke code in? Or just drop your own SSH key in some user's .ssh/authorized_keys file and SSH in, if the SSH server is internet-exposed (many are). Commented May 8, 2023 at 5:50
  • Can you write anywhere on the file system? Commented May 8, 2023 at 8:38
  • It's a CTF-like challenge on a VM, so the code for the web app is very small (only a couple files). Since the Flask webapp is not reloaded there are no Python files that I can modify and then invoke. Commented May 8, 2023 at 10:22
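
A hardened counterpart to the append snippet in the question, as an added example that is not part of the original post or its comments: it confines the write to one directory and refuses names that resolve anywhere else. The names `append_confined`, `RejectedWrite`, `SAFE_NAME` and `MAX_BYTES`, the `.txt` allowlist and the size cap are assumptions made for illustration.

```python
import os
import re
import tempfile

# Hypothetical policy: short names made of safe characters, .txt only, 64 KiB cap.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")
MAX_BYTES = 64 * 1024


class RejectedWrite(ValueError):
    """Raised when a requested write falls outside the policy."""


def append_confined(base_dir, name, data):
    """Append data to base_dir/name; refuse anything that escapes base_dir."""
    if not SAFE_NAME.fullmatch(name):
        raise RejectedWrite("file name does not match the allowlist")
    payload = data.encode("utf-8")
    if len(payload) > MAX_BYTES:
        raise RejectedWrite("payload exceeds size cap")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath resolves symlinks, so a link pointing elsewhere is caught here.
    if os.path.commonpath([base, target]) != base:
        raise RejectedWrite("resolved path leaves the upload directory")
    # O_NOFOLLOW is a second layer in case a symlink appears after the check.
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(os.path.join(base, name), flags, 0o640)
    except OSError as exc:
        raise RejectedWrite(f"open refused: {exc.strerror}") from exc
    with os.fdopen(fd, "ab") as f:
        f.write(payload)
    return target


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and several that must be refused.
    with tempfile.TemporaryDirectory() as base:
        print("ok:", append_confined(base, "notes.txt", "hello\n"))
        for name in ("../app.py", "/tmp/x.txt", "notes.py"):
            try:
                append_confined(base, name, "x")
            except RejectedWrite as err:
                print("refused:", repr(name), "-", err)
```

Running the web application as an unprivileged user that owns nothing outside the upload directory limits the damage if a check like this is ever bypassed.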
