Session file spoofing vulnerability (marginalia: a non-cross-directory idea) - vulnerability warning - the black bar safety net

ID MYHACK58:62201340463
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-09-08T00:00:00


The theoretical significance of this article may well be greater than its practical significance; it only offers an idea for when no other way is available.

0x00 Session description
0x01 Use conditions
0x02 Use ideas
0x03 Vulnerability proof
0x04 Prevention methods

0x00 Session description

Web authentication is generally done through cookies or sessions. As is well known, a cookie is stored locally, so the client can modify it at will; a session is a text file stored on the server side, so the client cannot modify the session's content. In fact, PHP automatically adjusts the permissions of the server-side session file so that only the system keeps read and write access, and it cannot be modified via FTP, which makes it considerably safer. On the server, permissions are divided on a per-user basis, so session file ownership is per user as well. Generally, wherever sensitive permissions are involved, such as a site's admin backend, the session is used for privilege verification. The session interacts with the client through the session_id: in PHP, for example, the cookie carries PHPSESSID, and this session_id corresponds to the session record file on the server side, so it is equivalent to a token. Thus, of all the session-related information, the one piece the client can modify is the session_id, and it is this property that lets us achieve session spoofing and hijacking.

Taking PHP as the example, let us first look at a few session-related functions. session_save_path(): defines the storage path of the server-side session files. With an empty parameter it returns the current path; with a non-empty parameter it sets the path. The default comes from the session.save_path setting in php.ini. Under Windows the default path is C:\Windows\Temp, and under Linux it is /tmp; the permissions on both of these paths are rather permissive. In practice the path may also be changed by calling session_save_path('PATH').

session_id(): defines the unique identifier of the current session, the session_id. With an empty parameter it returns the current session_id; with a non-empty parameter it sets the session_id. Because of permission restrictions, PHP can only reach the sessions corresponding to session_ids generated by the current site (more precisely, by the server-side user that the current site runs as; if that user owns several sites, their sessions can be accessed directly across those sites).

Enough talk; let us first create a session and see what the file will contain.

    <?php
    session_start();
    // session_is_registered() was removed in PHP 5.4; isset() is the equivalent check
    if (!isset($_SESSION['admin'])) $_SESSION['admin'] = 'deleter';
    // Print the path of this session's record file: <save_path>\sess_<session_id>
    echo session_save_path() . '\\sess_' . session_id();
    ?>


Running it outputs: C:\Windows\Temp\sess_hadodem9d65kblem793sr9u3g7. The content of that file is:

    admin|s:7:"deleter";


We can see that the session content is stored in plain text, and when the server's permissions are not set properly, the session file's content can sometimes be read directly.

The principle of session file spoofing is that an attacker who has already obtained some level of server permissions finds an already validated session file under session_save_path, or uploads a forged session file, and then modifies the session_id in the client-side cookie, so that the server is deceived into granting some higher level of authority.
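As an added, defender-side example that is not part of the original article: a small Python audit script that decodes the PHP session record format shown above (name|serialize()-value pairs, as written by the default files handler with session.serialize_handler=php) and lists the session ids under a save path whose records carry a privilege key such as admin, which is how a server operator would spot a forged or escalated session file. The session directory contents are constructed for illustration; on a real host they would be read from session_save_path(), as latin-1 so that serialized byte lengths line up.

```python
# Decode records from PHP's session save path and flag privilege-bearing ones.
# Record format (session.serialize_handler=php): name|<serialize() value> ...
# e.g. admin|s:7:"deleter";  Files are read as latin-1 so byte lengths match.
def _parse_value(data: str, pos: int):
    """Parse one serialize() value at data[pos]; return (value, next_pos)."""
    t = data[pos]
    if t == 'N':                                  # N;
        return None, pos + 2
    if t in 'ibd':                                # i:42;  b:1;  d:0.5;
        end = data.index(';', pos)
        raw = data[pos + 2:end]
        return {'i': int, 'b': lambda s: s == '1', 'd': float}[t](raw), end + 1
    if t == 's':                                  # s:<len>:"<bytes>";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                         # skip ':' and opening quote
        return data[start:start + length], start + length + 2   # skip '";'
    if t == 'a':                                  # a:<n>:{key;value;...}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        pos, out = colon + 2, {}                  # skip ':{'
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            out[key], pos = _parse_value(data, pos)
        return out, pos + 1                       # skip closing '}'
    raise ValueError(f"unsupported serialize() type {t!r} at offset {pos}")

def parse_php_session(body: str) -> dict:
    """Decode the body of a sess_<id> file into {variable name: value}."""
    record, pos = {}, 0
    while pos < len(body):
        bar = body.index('|', pos)
        name = body[pos:bar]
        record[name], pos = _parse_value(body, bar + 1)
    return record

# Constructed stand-in for listing session_save_path() and reading each file.
SAMPLE_SAVE_PATH = {
    'sess_hadodem9d65kblem793sr9u3g7': 'admin|s:7:"deleter";',   # from the article
    'sess_9k2q4rf0n1': 'cart|a:1:{i:0;s:3:"foo";}count|i:3;',
    'sess_b7c1e5': 'uid|i:17;admin|b:1;',
    'sess_d0a3f': 'admin|N;',                     # key present but empty
}

def find_privileged_sessions(files: dict, keys=('admin',)) -> list:
    """Return session ids whose record sets any privilege key to a truthy value."""
    return sorted(name[len('sess_'):] for name, body in files.items()
                  if name.startswith('sess_')
                  and any(parse_php_session(body).get(k) for k in keys))
```

Comparing the ids this returns against the application's own record of who logged in as an administrator is what exposes a session file that was planted rather than issued.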

With that background covered, let us next look at the use conditions.

0x01 Use conditions
