paradoxis / flask-unsign

Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys.

Home Page: https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce

License: MIT License

Python 100.00%
bruteforce ctf ctf-tools penetration-testing pentesting security security-tools

flask-unsign's Issues

Providing the cookie from the command line with single quotes does not work

I was solving this CTF challenge and needed to unsign a Flask cookie. The readme tells me to provide the cookie from a file, but I thought it should work if provided from the command line as well. True, and not, it turns out.

e:\projects\ctf\pico\177> flask-unsign.exe --unsign --wordlist cookies.txt --cookie "eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.YXUkwA.CPnoJzyGOo9iP1rwkLrzMr306eU"
[*] Session decodes to: {'very_auth': 'blank'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 28 attemptscadamia
'gingersnap'

e:\projects\ctf\pico\177> flask-unsign.exe --unsign --wordlist cookies.txt --cookie 'eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.YXUkwA.CPnoJzyGOo9iP1rwkLrzMr306eU'
[*] Session decodes to: {'very_auth': 'blank'}
[*] Starting brute-forcer with 8 threads..
[!] Failed to find secret key after 28 attempts.

Providing the cookie from the command line only works if I wrap it with double quotes. If I use single quotes, flask-unsign doesn't find the secret key. It's not a big deal, but thought you should know this and the readme should note this.

flask-unsign is not working

What went wrong?

Did the program crash? Did it not crack the password (which you're 100% sure is right)? Does it freeze? Describe what you expected to happen and actually happened instead.

flask-unsign --decode --server http://example.com

Bad example:

ModuleNotFoundError: No module named 'flask.json.tag'; 'flask.json' is not a package

Flask-Unsign Version

$ pip3 freeze | grep -i flask-unsign
> flask-unsign==1.2.0

$ flask-unsign --version
> ModuleNotFoundError: No module named 'flask.json.tag'; 'flask.json' is not a package

Flask-Unsign Type

$ file $(which flask-unsign)
...

Python Version

$ python3 --version
python 3.9.9

System Version

$ uname -a
macOS Monterey 12.2.1
...

$ cat /etc/issue
...

I can't unsign

I tried putting the secret_key into all.txt, but flask-unsign failed. Using the parameter --secret with 5201314 is also wrong; the tip says int?

flask-unsign error

flask-unsign.exe -u -c "eyJ1c2VyIjoiaW1uZG0ifQ.YyVJCQ.UT6PNjMlkYujqXzF2pfbnQgbpBk" --wordlist .\Desktop\dict.txt
[*] Session decodes to: {'user': 'imndm'}
[*] Starting brute-forcer with 8 threads..
[!] Unhandled exception in cracker thread. Please report this issue on the official bug tracker: "https://github.com/Paradoxis/Flask-Unsign/issues" and don't forget to include the following traceback:

Stack Trace

FlaskUnsignException: Secret must be a string-type (bytes, str) and received 'int'. To fix this, either add quotes to the secret 1111 or use the --no-literal-eval argument.
  File "E:\TOOLS\py3.9.9\lib\multiprocessing\pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "E:\TOOLS\py3.9.9\lib\site-packages\flask_unsign\cracker.py", line 69, in unsign
    if session.verify(self.session, secret, legacy=self.legacy, salt=self.salt):
  File "E:\TOOLS\py3.9.9\lib\site-packages\flask_unsign\session.py", line 29, in verify
    raise FlaskUnsignException(
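
Why a purely numeric wordlist entry triggers the exception above, as an added example that is not flask-unsign's own code. It assumes, going by the `--no-literal-eval` flag named in the error message, that each wordlist line is evaluated as a Python literal before use; `classify_candidate` and `audit_wordlist` are hypothetical helpers and the sample wordlist is constructed.

```python
import ast


def classify_candidate(line, literal_eval=True):
    """Return (value, type_name) for one wordlist line.

    Assumption: with literal evaluation on, a line that parses as a Python
    literal is used as that literal; anything else is kept as plain text.
    """
    raw = line.rstrip("\r\n")
    if not literal_eval:
        return raw, "str"
    try:
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError):
        # Not a Python literal (e.g. gingersnap, 0123): stays a string.
        value = raw
    return value, type(value).__name__


def audit_wordlist(lines, literal_eval=True):
    """List (line_number, text, type_name) for entries that would not be
    str/bytes and would therefore be rejected as a secret."""
    rejected = []
    for number, line in enumerate(lines, start=1):
        value, type_name = classify_candidate(line, literal_eval)
        if not isinstance(value, (str, bytes)):
            rejected.append((number, line.rstrip("\r\n"), type_name))
    return rejected


# Constructed sample wordlist (not taken from any real dictionary file).
SAMPLE = ["gingersnap\n", "1111\n", "'1111'\n", "5201314\n",
          "0123\n", "b'key'\n", "True\n", "3.14\n"]

if __name__ == "__main__":
    for entry in audit_wordlist(SAMPLE):
        print("rejected:", entry)
    # With literal evaluation off every line is a plain string.
    print(audit_wordlist(SAMPLE, literal_eval=False))
```

Quoting an entry (`'1111'`) or turning literal evaluation off keeps it a string, which matches the two fixes the error message suggests.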

Brute-Force Key.

Hey,

Would it be possible to add a brute-force option at all?

I use flask-unsign for Apache Airflow brute-forcing and have found how they generate the key for the cookie.

They use b64encode(os.urandom(16)).decode('utf-8') and then decode it.

I'm basing this off the following commit.

apache/airflow@f7602f8

Regards,
Robbie

Feature Request: Add output write to file

Hey,

Would it be possible to add an addition where, if a key is successfully cracked, the output is written to a file?

I've noticed using flask-unsign -k -u --server http://localhost:5000 | tee file.txt is not great

Regards,
Robbie

flask-unsign "command not found" after pip3 install

I kind of feel like a dunce, I'm not sure what I'm missing.
I'm currently in Kali Linux, trying to run flask-unsign. I run the command
"pip3 install flask-unsign[rockyou.txt]"
and everything appears to install with no error messages.
In the same directory, immediately after the install finishes, I run
"flask-unsign -h" just to see some of the options and I get the error message
"flask-unsign: command not found".
I think I probably have to add something to my $PATH variable, but I've never really used a Python package outside the context of a Python script/project, so I'm not really sure where the install location would be found.

I'm currently on release version 2023.1 of Kali Linux, and when I type "python --version" I find I'm running Python 3.11.2.
I think there's probably just something dumb I need to consider when using a pip3 package from the terminal window, but I'm just not following! Any help would be great!

Thanks!

I can't install it.

I am using macOS. The results of the commands that I ran are as follows.

pip install flask-unsign[wordlist]
zsh: no matches found: flask-unsign[wordlist]

pip install flask-unsign
Collecting flask-unsign
Could not find a version that satisfies the requirement flask-unsign (from versions: )
No matching distribution found for flask-unsign

Ignore Bad SSL certs

Hey,

Would it be possible to add in something to ignore bad SSL certs.

For example, when you fire flask-unsign -u --server http://8.8.8.8 and the cert is only for the URL, you get errors.

Adding the below to any file that uses requests and adding verify=False to any request should sort the issue out.

from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

Keep up the good work!!

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 866: invalid continuation byte

What went wrong?

I ran flask-unsign with the rockyou.txt wordlist to brute-force the secret, but I got UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 866: invalid continuation byte

System information

Flask-Unsign Version

$ pip3 freeze | grep -i flask-unsign
flask-unsign==0.0.3
flask-unsign-wordlist==0.0.3

$ flask-unsign --version
0.0.3

Flask-Unsign Type

$ file $(which flask-unsign)
/usr/local/bin/flask-unsign: a /usr/local/opt/python/bin/python3.7 script text executable, ASCII text

Python Version

$ python3 --version
Python 3.7.7

System Version

$ uname -a
Darwin Allens-MacBook-Pro.local 19.5.0 Darwin Kernel Version 19.5.0: Tue May 26 20:41:44 PDT 2020; root:xnu-6153.121.2~2/RELEASE_X86_64 x86_64

$ cat /etc/issue
...
