Module: Msf::Exploit::Remote::HTTP::FlaskUnsign::Session

Defined in:
lib/msf/core/exploit/remote/http/flask_unsign.rb

Overview

This emulates the default cookie-based session storage used by the latest version of Flask as of the time of this writing (2023-09-07). See: github.com/pallets/flask/blob/8037487165a196015a646de25cbce6d0351c8fc4/src/flask/sessions.py#L276

Constant Summary

DEFAULT_SALT =
'cookie-session'

Class Method Summary

Class Method Details

.decode(value) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/flask_unsign.rb', line 70

# Returns only the JSON-decoded payload of a Flask session cookie.
#
# This is a convenience wrapper around .parse and performs no signature
# verification: the returned data is whatever the cookie claims, so check
# the cookie with .valid? before treating it as authentic.
#
# @param value [String] raw session cookie value
# @return [Object] the :deserialized entry of the hash built by .parse
def self.decode(value)
  session = parse(value)
  session[:deserialized]
end

.parse(value) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/flask_unsign.rb', line 74

# Splits a Flask session cookie into its parts and JSON-decodes the payload.
#
# A leading '.' marks a zlib-compressed payload; it is stripped before the
# cookie is split on '.'. The first field is URL-safe Base64 decoded,
# inflated when the cookie was flagged as compressed, and parsed as JSON.
#
# No signature check happens here: every field of the result comes straight
# from the cookie, so treat it as unauthenticated until .valid? has accepted
# the same value.
#
# NOTE(review): only the first two '.'-separated fields are kept, so for a
# three-field cookie :signature holds the middle field, not the last one -
# confirm which field callers expect.
# NOTE(review): Zlib::Inflate.inflate runs with no output size limit;
# consider a cap where the cookie comes from a server you do not control.
#
# @param value [String] raw session cookie value
# @return [Hash] with keys :compressed, :signature, :deserialized, :serialized
def self.parse(value)
  is_compressed = value.start_with?('.')
  body = is_compressed ? value[1..] : value

  payload, second_field = body.split('.', 3)
  raw = Base64.urlsafe_decode64(payload)
  raw = Zlib::Inflate.inflate(raw) if is_compressed

  {
    compressed: is_compressed,
    signature: second_field,
    deserialized: JSON.parse(raw),
    serialized: payload
  }
end

.sign(value, secret, salt: DEFAULT_SALT) ⇒ Object



# File 'lib/msf/core/exploit/remote/http/flask_unsign.rb', line 84

# Serializes a session object to JSON and signs it as a Flask session cookie.
#
# The JSON text is encoded with FlaskUnsign.base64_encode, stripped of
# surrounding whitespace, and handed to a URLSafeTimedSigner built from the
# given secret and salt. No compression step is applied in this method.
#
# @param value [Object] session data to serialize with JSON.dump
# @param secret [String] signing secret passed to URLSafeTimedSigner
# @param salt [String] signer salt, DEFAULT_SALT unless overridden
# @return [Object] whatever URLSafeTimedSigner#sign returns
#   (presumably the signed cookie string - confirm against the signer)
def self.sign(value, secret, salt: DEFAULT_SALT)
  payload_json = JSON.dump(value)
  URLSafeTimedSigner.new(secret, salt).sign(FlaskUnsign.base64_encode(payload_json).strip)
end

.valid?(value, secret, salt: DEFAULT_SALT) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/msf/core/exploit/remote/http/flask_unsign.rb', line 90

# Checks a session cookie against a candidate secret.
#
# Builds a URLSafeTimedSigner from the secret and salt and delegates the
# decision to its #valid? method; the cookie payload is not decoded here.
#
# @param value [String] raw session cookie value
# @param secret [String] candidate signing secret
# @param salt [String] signer salt, DEFAULT_SALT unless overridden
# @return [Boolean] result of URLSafeTimedSigner#valid? for this cookie
def self.valid?(value, secret, salt: DEFAULT_SALT)
  URLSafeTimedSigner.new(secret, salt).valid?(value)
end