DISCUZ all versions: COOKIE hijacking method + DEMO - vulnerability warning - the black bar safety net

2009-07-27T00:00:00
ID MYHACK58:62200924047
Type myhack58
Reporter Anonymous
Modified 2009-07-27T00:00:00

Description

Session hijacking normally does not work against DISCUZ and many other forums, because the session is bound to the client IP. DISCUZ's main session authentication mechanism is as follows:

/include/common.inc.php, line 136: the key step in verifying the session is the lookup of the SID in the sessions table. One of the conditions of that query is $onlineip; if $onlineip does not match the IP stored in the sessions row, the lookup fails and the saved session cannot be resumed.


Code:

if($sid) {
    if($discuz_uid) {
        $query = $db->query("SELECT s.sid, s.styleid, s.groupid='6' AS ipbanned, s.pageviews AS spageviews,
            s.lastolupdate, s.seccode, $membertablefields
            FROM {$tablepre}sessions s, {$tablepre}members m
            WHERE m.uid=s.uid AND s.sid='$sid'
            AND CONCAT_WS('.', s.ip1,s.ip2,s.ip3,s.ip4)='$onlineip'
            AND m.uid='$discuz_uid' AND m.password='$discuz_pw' AND m.secques='$discuz_secques'");
        // ... (remainder of the block not quoted in the original)
    }
}

Line 79: $onlineip is taken first from the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR request headers, and only then from REMOTE_ADDR:

if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
    $onlineip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
    $onlineip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
    $onlineip = getenv('REMOTE_ADDR');
} elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
    $onlineip = $_SERVER['REMOTE_ADDR'];
}

Both HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR are plain request headers chosen by the client, so a request that carries forged values for them bypasses the IP binding: $onlineip becomes whatever the header says rather than the address the connection actually came from.
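The following is an added example, not Discuz code, showing the weak resolution order above beside a hardened resolver that only honours X-Forwarded-For when the TCP peer is one of the site's own proxies. The request array, the proxy address 10.0.0.5 and all IPs are constructed for the demonstration.

```php
<?php
// Weak resolver: same order as common.inc.php, client-supplied headers win over REMOTE_ADDR.
function weak_online_ip(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'REMOTE_ADDR'] as $key) {
        if (!empty($server[$key]) && strcasecmp($server[$key], 'unknown') !== 0) {
            return $server[$key];
        }
    }
    return '';
}

// Hardened resolver: REMOTE_ADDR is the socket peer and cannot be set by the client.
// X-Forwarded-For is consulted only when that peer is a proxy we operate, and then
// only the right-most hop that is not one of our proxies is used.
function hardened_online_ip(array $server, array $trusted_proxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, $trusted_proxies, true)) {
        return $peer; // direct client: every forwarding header is ignored
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if ($hops[$i] === '' || in_array($hops[$i], $trusted_proxies, true)) {
            continue;
        }
        // Anything that is not syntactically an IP address falls back to the peer.
        return filter_var($hops[$i], FILTER_VALIDATE_IP) !== false ? $hops[$i] : $peer;
    }
    return $peer;
}

// Constructed request: the connection comes from 203.0.113.9, but both headers
// carry a different address (the kind of forged value the advisory describes).
$request = [
    'REMOTE_ADDR'          => '203.0.113.9',
    'HTTP_CLIENT_IP'       => '198.51.100.23',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23',
];
$trusted = ['10.0.0.5']; // assumed address of the site's own reverse proxy

// The value returned here is what the session binding would be compared against.
echo 'weak:     ', weak_online_ip($request), PHP_EOL;
echo 'hardened: ', hardened_online_ip($request, $trusted), PHP_EOL;
```

With this input the weak resolver returns the header value 198.51.100.23, so a sessions row stored under that IP would match, while the hardened resolver returns the real peer 203.0.113.9 and the binding check fails as intended.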