--snip--
@app.route('/uploads/<path:file_name>', methods=['GET'])
--snip--
Listing 5-2
Flask web server source code
The interesting parts here are the endpoints that are exposed
using @app.route(). You can see that the application exposes
endpoints such as /, /files, /upload, and /uploads.
Remember that when we scanned our target IP address range
using dirsearch and Nikto, we saw two endpoints named /upload and
/uploads on 172.16.10.10:8081. Because this Python file also defines
those endpoints, it's very likely that the source code belongs to the
application running on that server!
You may be asking yourself why we didn’t find the /files
endpoint in our scans. Well, web scanners often rely on response
status codes returned by web servers to determine if certain
endpoints exist or not. If you run the following cURL command
using the -I (HEAD request) option, you’ll see that the /files
endpoint returns an HTTP error of 404 Not Found:
$ curl -I http://172.16.10.10:8081/files
HTTP/1.1 404 NOT FOUND
--snip--
Web scanners will interpret these 404 errors as indicating that an
endpoint doesn't exist. The reason we get a 404 here is that the route
rule includes a path parameter, so the bare /files URL matches no rule
and Flask's router answers 404 Not Found. The endpoint serves only
requests with a path appended to /files, such as /files/abc.jpg or
/files/salary.docx, which a wordlist scanner never tries unless it
also probes nested paths.
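The following script is an added example and is not part of the book or of the target's code. It demonstrates the scanner blind spot described above: for each wordlist entry it sends a HEAD request to both the bare path and a nested path (the bare path plus a constructed probe filename) and flags routes that return 404 on their own but answer when something is appended. Because the target in the text is not reachable here, the script stands up a stdlib HTTP server that mimics the routing behaviour described (the assumption that / and /upload answer directly while /files and /uploads only serve appended paths is ours, not taken from the Flask source).

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in for the Flask app on 172.16.10.10:8081 (assumption:
# / and /upload serve when requested directly; /files and /uploads answer
# only when a filename is appended, as Flask's /<prefix>/<path:name> rules do).
DIRECT_ROUTES = {"/", "/upload"}
PREFIX_ONLY_ROUTES = {"/files", "/uploads"}


class MockFlaskHandler(http.server.BaseHTTPRequestHandler):
    """Minimal router that reproduces the 404-on-bare-prefix behaviour."""

    def _status_for(self, path):
        path = path.split("?", 1)[0]
        if path in DIRECT_ROUTES:
            return 200
        for prefix in PREFIX_ONLY_ROUTES:
            # Only a non-empty path after the prefix matches the route rule.
            if path.startswith(prefix + "/") and len(path) > len(prefix) + 1:
                return 200
        return 404

    def do_HEAD(self):
        self.send_response(self._status_for(self.path))
        self.end_headers()

    def do_GET(self):
        code = self._status_for(self.path)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok" if code == 200 else b"not found")

    def log_message(self, *args):
        pass  # keep the example's output limited to the probe results


def start_mock_server():
    """Bind the stand-in server to an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), MockFlaskHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def head_status(url):
    """Send a HEAD request (what curl -I does) and return the status code."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe_paths(base_url, wordlist, probe="probe.txt"):
    """Return {path: (bare_status, nested_status)} for every wordlist entry.

    'probe' is a constructed filename; any non-empty segment works because
    the route rule takes an arbitrary path, and a 404 from the file lookup
    would still differ from the router-level 404 on the bare prefix.
    """
    results = {}
    for word in wordlist:
        path = "/" + word.strip("/")
        bare = head_status(base_url + path)
        nested = head_status(base_url + path + "/" + probe)
        results[path] = (bare, nested)
    return results


def hidden_prefixes(results):
    """Routes a status-code-driven scanner would miss: 404 bare, non-404 nested."""
    return sorted(p for p, (bare, nested) in results.items()
                  if bare == 404 and nested != 404)


if __name__ == "__main__":
    server, port = start_mock_server()
    base = f"http://127.0.0.1:{port}"
    res = probe_paths(base, ["files", "upload", "uploads", "admin"])
    for path, (bare, nested) in res.items():
        print(f"{path:10} bare={bare} nested={nested}")
    print("prefix-only routes:", hidden_prefixes(res))
    server.shutdown()
```

Against the mock, /files and /uploads come back 404 on the bare request and 200 once a filename is appended, which is exactly the signature dirsearch and Nikto reported as "not found". On a real target, point the same probe at the wordlist you already used and compare the two columns; a 404/200 pair is worth a second look even when the scanner said nothing.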
Using Nuclei
Nuclei is one of the most impressive open source vulnerability
scanners released in recent years. Its advantage over other tools
stems from its community-powered templating system, which
reduces false positives by matching known patterns against
responses it receives from network services and files. You can also
easily extend it to do custom security checks.
Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks