CVE-2023-30861 PoC — Flask security vulnerability

Source
Related vulnerability
Title: Flask security vulnerability (CVE-2023-30861)
Description: Pallets Project Flask is a lightweight WSGI (Web Server Gateway Interface) application framework from the Pallets project. Flask has a security vulnerability: a response carrying data intended for one client may be cached and subsequently served by a proxy to other clients.
Description
Explaining how to exploit CVE-2023-30861
Introduction
# Intro
This bug happens because Flask does not tell the caching server (proxy) that the response carries sensitive per-user data such as the session cookie: affected versions can send `Set-Cookie` without a matching `Vary: Cookie` header, so a shared cache may store the response and serve it to other clients.

For this attack to work, all of the following must hold:
- **User** must access the Flask web app through a proxy.
- **Proxy** must be a caching proxy (caching server).
- **Flask** version of the targeted website that **User** accesses must be before `2.2.5`.
- **Attacker** must have access to the caching proxy that **User** uses.

**Why the proxy?**

> A caching proxy is like a helper that stores copies of web pages to make them load faster when you visit them again.
>
> (Chat-GPT)

Using this type of proxy to access any website running on `Flask < 2.2.5` makes the proxy server store your cookies for faster loading, because the proxy does not know they are sensitive data: `Flask` did not tell the proxy server so.

**The impact of this attack**

This attack could allow the attacker to steal sensitive information like user session cookies.


# PoC
First, host this code anywhere you like:

```python
from flask import Flask, session

app = Flask(__name__)
# A permanent session is refreshed (Set-Cookie re-sent) on every request
app.config['SESSION_PERMANENT'] = True
# SESSION_REFRESH_EACH_REQUEST already defaults to True, so this line is optional
#app.config['SESSION_REFRESH_EACH_REQUEST'] = True

@app.route('/')
def index():
    # Write to the session so every response carries a session cookie
    session['user_id'] = 1
    return 'CVE-2023-30861!'

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)
```

This code is a simple `Flask` website; remember that the Flask version must be `< 2.2.5`.
Now access this website via a caching proxy that you have access to and wait for another user to access the same website through the same proxy.
After that, you will get that user's session from the cache.
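The defender-side counterpart to the steps above is to check whether responses actually exhibit the header gap the PoC relies on. The following audit is an added example, not part of the original PoC: it parses raw HTTP responses (the samples are constructed to resemble what the PoC app returns) and reports a `Set-Cookie` sent without `Vary: Cookie`, while also recognising `Cache-Control: private` or `no-store`, which forbid a shared cache from storing the response even when `Vary` is missing.

```python
"""Audit raw HTTP responses for the condition behind CVE-2023-30861:
a Set-Cookie header sent without a matching 'Vary: Cookie', so a shared
caching proxy may store the response and replay one user's session cookie
to another. Stdlib only; the sample responses below are constructed."""
from __future__ import annotations


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw response; the status
    line is skipped and parsing stops at the blank line before the body."""
    pairs = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_tokens(pairs: list[tuple[str, str]], name: str) -> set[str]:
    """Collect comma-separated tokens across all occurrences of one header."""
    return {tok.strip().lower() for n, v in pairs if n == name
            for tok in v.split(",") if tok.strip()}


def audit(raw: str) -> str:
    """Classify a response: 'vulnerable' (Set-Cookie, no Vary: Cookie, and a
    shared cache may store it), 'mitigated' (same header gap, but
    Cache-Control forbids shared caching) or 'ok'."""
    pairs = parse_headers(raw)
    sets_cookie = any(n == "set-cookie" for n, _ in pairs)
    vary = header_tokens(pairs, "vary")
    cache_control = header_tokens(pairs, "cache-control")
    if not sets_cookie or vary & {"cookie", "*"}:
        return "ok"
    # 'private' and 'no-store' both stop a shared cache from storing the response
    if cache_control & {"private", "no-store"}:
        return "mitigated"
    return "vulnerable"


# Constructed samples modelled on what the PoC app above would return
VULNERABLE = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html; charset=utf-8\r\n"
              "Set-Cookie: session=CONSTRUCTED.example; HttpOnly; Path=/\r\n"
              "\r\nCVE-2023-30861!")
# Flask 2.2.5 sends Vary: Cookie alongside the refreshed session cookie
FIXED = VULNERABLE.replace("\r\n\r\n", "\r\nVary: Cookie\r\n\r\n")
# Same header gap, but the response is marked private so a proxy must not store it
PRIVATE = VULNERABLE.replace("\r\n\r\n", "\r\nCache-Control: private, no-store\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("fixed", FIXED), ("private", PRIVATE)):
        print(f"{label}: {audit(resp)}")
```

Pointing `audit` at responses captured from a test client of your own app (with and without the Flask upgrade) shows the `vulnerable` verdict disappearing once `Vary: Cookie` is present.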


# Support
If you would like to support me with a donation, I recommend that you give it to someone who really needs it instead. If you do so, consider that I have earned your support.
