classSigner(object): # ... defsign(self, value): """Signs the given string.""" return value + want_bytes(self.sep) + self.get_signature(value)
defget_signature(self, value): """Returns the signature for the given value""" value = want_bytes(value) key = self.derive_key() sig = self.algorithm.get_signature(key, value) return base64_encode(sig)
classSerializer(object): default_serializer = json default_signer = Signer # .... defdumps(self, obj, salt=None): """Returns a signed string serialized with the internal serializer. The return value can be either a byte or unicode string depending on the format of the internal serializer. """ payload = want_bytes(self.dump_payload(obj)) rv = self.make_signer(salt).sign(payload) if self.is_text_serializer: rv = rv.decode('utf-8') return rv
defdump_payload(self, obj): """Dumps the encoded object. The return value is always a bytestring. If the internal serializer is text based the value will automatically be encoded to utf-8. """ return want_bytes(self.serializer.dumps(obj))
classURLSafeSerializerMixin(object): """Mixed in with a regular serializer it will attempt to zlib compress the string to make it shorter if necessary. It will also base64 encode the string so that it can safely be placed in a URL. """ defload_payload(self, payload): decompress = False if payload.startswith(b'.'): payload = payload[1:] decompress = True try: json = base64_decode(payload) except Exception as e: raise BadPayload('Could not base64 decode the payload because of ' 'an exception', original_error=e) if decompress: try: json = zlib.decompress(json) except Exception as e: raise BadPayload('Could not zlib decompress the payload before ' 'decoding the payload', original_error=e) return super(URLSafeSerializerMixin, self).load_payload(json)
classURLSafeTimedSerializer(URLSafeSerializerMixin, TimedSerializer): """Works like :class:`TimedSerializer` but dumps and loads into a URL safe string consisting of the upper and lowercase character of the alphabet as well as ``'_'``, ``'-'`` and ``'.'``. """ default_serializer = compact_json
try: payload = base64_decode(payload) except Exception as e: raise Exception('Could not base64 decode the payload because of ' 'an exception')
if decompress: try: payload = zlib.decompress(payload) except Exception as e: raise Exception('Could not zlib decompress the payload before ' 'decoding the payload')
return session_json_serializer.loads(payload)
if __name__ == '__main__': s="eyJ1c2VybmFtZSI6InllMXMifQ.XxU53w.L7_pVjkrwxpqtG1r8_RwZvMMWK0"#替换为你的session字符串 print(decryption(s.encode()))
#!/usr/bin/python3.6 import os import pickle from base64 import b64decode from flask import Flask, request, render_template, session app = Flask(__name__) # add secret key to enable session # and this is a fake secret key, just an example app.config['SECRET_KEY'] = 'ADD_YOUR_SECRET_KEY_HERE'
@app.route('/', methods=('GET',)) def index_handler(): if not session.get('u'): u = pickle.dumps(User()) session['u'] = u return render_template('in.html')
@app.route('/file', methods=('GET',)) def file_handler(): path = request.args.get('file') path = os.path.join('static', path) if not os.path.exists(path) or os.path.isdir(path) \ or '.py' in path or '.sh' in path or '..' in path: return 'disallowed' with open(path, 'r') as fp: content = fp.read() return content
@app.route('/admin', methods=('GET',)) def admin_handler(): try: u = session.get('u') if isinstance(u, dict): u = b64decode(u.get('b')) u = pickle.loads(u) if u.is_admin == 1: return 'welcome, admin' else: return 'who are you?' except Exception: return 'uhh?' if __name__ == '__main__': app.run('0.0.0.0', port=8008, debug=False)
评论