SKF write-ups
Python - Race Condition File-Write

Running the app Python3

First, make sure python3 and pip are installed on your host machine. After installation, we go to the folder of the lab we want to practise (e.g. /skf-labs/XSS/ or /skf-labs/jwt-secret/) and run the following commands:

$ pip3 install -r requirements.txt
$ python3 <labname>
Now that the app is running let's go hacking!

Reconnaissance

Step 1

We can download a file from the server by sending a GET request to it.
Let's try:
Once we download the file we can see that whatever we add to the URL is written into a file called shared-file.txt.

Step 2

As the application suggests, there is a race condition vulnerability in this app; let's try to find it.
If we look at the code we see that the application takes the query parameter, writes it to a file called shared-file.txt, then opens that file and sends it back as the response.

# Imports and app object are not part of the lab excerpt; added so the route runs on its own
from flask import Flask, make_response, send_file

app = Flask(__name__)

@app.route("/<string:value>", methods=['GET'])
def home(value):
    # Create a Python file object using open() and the with statement
    # Every request writes to the same shared-file.txt on disk, so a concurrent
    # request can overwrite it before the read further down happens
    with open("shared-file.txt", 'w') as f:
        f.write(value)
        f.closed  # only reads the attribute; the with statement does the closing
        f.closed
    file = open("shared-file.txt", "r")
    response = make_response(send_file("shared-file.txt", attachment_filename="shared-file.txt"))
    response.headers.set("Content-Type", "text/html; charset=utf-8")
    response.headers.set("Content-Disposition", "attachment; filename=shared-file.txt")
    return response

Step 3

How can we exploit this?
We have a very small window between the writing of the file:
    with open("shared-file.txt", 'w') as f:
        f.write(value)
        f.closed
        f.closed
and the response:
    file = open("shared-file.txt", "r")
    response = make_response(send_file("shared-file.txt", attachment_filename="shared-file.txt"))
    response.headers.set("Content-Type", "text/html; charset=utf-8")
    response.headers.set("Content-Disposition", "attachment; filename=shared-file.txt")
    return response

If multiple users are using this application at the same time, we might be able to intercept someone else's query.
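To make the window described above reproducible without timing luck, the following added example (not the lab's own code) models each request as a generator that yields between the write step and the read step, so a small scheduler can force request B's write to land inside request A's window. The fixed handler, which gives every request its own temporary file, is an assumed mitigation for illustration, not the lab's reference solution.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the lab's shared-file.txt (kept in the temp dir).
SHARED = Path(tempfile.gettempdir()) / "skf-race-demo-shared-file.txt"


def vulnerable_handler(value):
    """Models the lab route: write to one shared file, then read it back."""
    SHARED.write_text(value)           # step 1: write (same file for everyone)
    yield                              # another request may run here
    return SHARED.read_text()          # step 2: read and return as the response


def fixed_handler(value):
    """Hypothetical fix: each request gets its own temporary file."""
    fd, path = tempfile.mkstemp(prefix="skf-race-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(value)                 # step 1: write to a private file
    yield                              # same interleaving point as above
    try:
        return Path(path).read_text()  # step 2: read our own file back
    finally:
        os.unlink(path)


def run_interleaved(handler, values, schedule):
    """Drive one generator per request in the order given by `schedule`.

    Each index in `schedule` must appear exactly twice: its first
    occurrence runs that request's write step, its second the read step.
    Returns the response body each request would receive.
    """
    gens = [handler(v) for v in values]
    results = [None] * len(values)
    for i in schedule:
        try:
            next(gens[i])
        except StopIteration as done:
            results[i] = done.value
    return results


if __name__ == "__main__":
    # Request 1's write lands inside request 0's write/read window.
    print(run_interleaved(vulnerable_handler, ["111", "222"], [0, 1, 0, 1]))  # ['222', '222']
    print(run_interleaved(fixed_handler, ["111", "222"], [0, 1, 0, 1]))       # ['111', '222']
```

With the schedule [0, 1, 0, 1] the shared-file version hands request 0 the body of request 1, which is exactly what the curl loop below is fishing for; the per-request file version returns each caller its own value under the same schedule.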

Exploitation

In order to do that we must send requests at a high frequency.
Doing it manually is practically impossible, so we write a script that does it for us:

#!/bin/bash

while true; do
    curl -i -s -k -X 'GET' -H 'Host: localhost:5000' 'http://localhost:5000/111' | grep "111"
done

and in the meantime we send a couple of requests from Burp:
If we look in the logs we will see:

Additional sources

https://wiki.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)