Session_register(); session exploit
I was doing a challenge, well, I have to work with session exploits.
Well, I won't give the whole source, only the faulty bits that are in it.
register:
Code (php)
<?
$username = htmlspecialchars($username);
$password = htmlspecialchars($password);
mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
$Data['username'] = $username;
$Data['password'] = $password;
session_register('Data');
?>
As you can see, session_register appears at the end.
Now I saw on php.net that newer versions no longer support this. It doesn't say why .. :S
link: http://nl2.php.net/function.session-register
Further on in the code this is given:
check
Code (php)
<?
$username = addslashes($username);
$password = addslashes($password);
$checkinfo = mysql_query("SELECT * FROM challenge_406 WHERE username='$username' AND password='$password'") or die('Error!');
$Data = mysql_fetch_array($checkinfo);
if($Data['id'] == '') {
die('Wrong password!');
} else {
session_register('Data');
header('Location: index.php');
}
?>
and the index page:
Code (php)
<?
$sesname = $_SESSION['Data']['username'];
$sespass = $_SESSION['Data']['password'];
$checkinfo = mysql_query("SELECT id FROM challenge_406 WHERE username='$sesname' AND password='$sespass'") or die('Error!');
$checkit = mysql_fetch_array($checkinfo);
if($checkit['id'] == '') {
die('Wrong password!');
} else {
if($Data['level'] == '') {
$Data['level'] = '0';
}
echo '<p>Welcome to our protected website!</p>';
echo '<ul>';
echo '<li>Username: '.$Data['username'].'</li>';
echo '<li>Admin Level: '.$Data['level'].'</li>';
echo '<li><a href="index.php?action=logout">Logout.</a></li>';
echo '</ul>';
if($Data['level'] == '8') {
echo 'Well done! The solution is: [...]';
}
}
?>
Regards,
peter
edit: I see that the IP address has no encoding at all. XD So that can easily be used.
Edited on 01/01/1970 01:00:00 by Kumkwat Trender
What else do you want to know?
php.net:
Warning
This function has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 6.0.0. Relying on this feature is highly discouraged.
Further, in the notes there are a number of warnings that already indirectly indicate why the use of sessions (this way) is not good.
Since register_globals has to be on for session_register, there are certainly possibilities in it.
Code (php)
<?php
session_start();
$_SESSION['data'] = array('x' => 1, 'y' => 2);
echo 'x: '.$_SESSION['data']['x'].'<br />'.PHP_EOL;
echo 'y: '.$_SESSION['data']['y'].'<br />'.PHP_EOL;
?>
You see that username and password are converted to HTML codes. But that they are then added to the database without going through the function mysql_real_escape_string.
But.. then a quote also gets converted to HTML code, which means my SQL exploit no longer works.. at least that's what I think about it.
Code (php)
<?
$username = htmlspecialchars($username);
$password = htmlspecialchars($password);
mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
$Data['username'] = $username;
$Data['password'] = $password;
session_register('Data');
?>
@tvjb and lode, I just wanted to know whether an attack could be made by means of the session_register function. Since the function has been removed in the newer versions of PHP.
edit:
here's a colour picture for you:
Code (php)
<?
$username = htmlspecialchars($username);
$password = htmlspecialchars($password);
mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
$Data['username'] = $username;
$Data['password'] = $password;
session_register('Data');
?>
Edited on 01/01/1970 01:00:00 by Kumkwat Trender
All very nice, but everything is just black. And with only black code I can't make much of it. Could you put some colour in your code please.
Code (php)
<?php
$username = htmlspecialchars($username);
$password = htmlspecialchars($password);
mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
$Data['username'] = $username;
$Data['password'] = $password;
session_register('Data');
?>
@dennis, I've brightened it up with some colours :)
Peter wrote on 05.01.2009 16:08:
@dennis, I've brightened it up with some colours :)
Thanks, that reads 10000x nicer.
PS: I'm reading it now, I hadn't even started on it yet :)
Keep $var outside quotes.
$_SERVER[REMOTE_ADDR] => $_SERVER['REMOTE_ADDR']
session_register => antique, don't use it anymore
@santhe, you say that session_register is antique. Could I perhaps get a reason why it's no longer used? And why it's been removed from newer PHP versions?
and how can I get into this database and bypass the 'id'?
Peter wrote on 05.01.2009 16:32:
how can I get into this database and bypass the 'id'?
Huh? Make a connection. Select the database.
It's a challenge and I'm supposed to crack it, not close the holes..
I don't do cracking.
' (single quote) becomes &#039; only when ENT_QUOTES is set.
Look at your query; is the intention here to wreck the db? Then you need no more than a few ' ...
Well, this is the whole code that is given:
Code (php)
<?php
session_start();
if(!$db = @mysql_connect('localhost', '', '')) {
die('Connection error');
}
if(!@mysql_select_db('db', $db)) {
die('Can\'t locate database');
}
if(isset($send) && $send == 'reg' && !isset($_SESSION['Data'])) {
if(isset($username) && isset($password)) {
$username = htmlspecialchars($username);
$password = htmlspecialchars($password);
mysql_query("INSERT INTO challenge_406 (id, username, password, ip) VALUES (NULL, '$username', '$password','$_SERVER[REMOTE_ADDR]')") or die('Error!');
$Data['username'] = $username;
$Data['password'] = $password;
session_register('Data');
echo 'You are added to our database! Click <a href="index.php"><b>here</b></a> to proceed!<br /><br />';
}
} else if(isset($submit) && $submit == 'Login' && !isset($_SESSION['Data'])) {
if(isset($username) && isset($password)) {
$username = addslashes($username);
$password = addslashes($password);
$checkinfo = mysql_query("SELECT * FROM challenge_406 WHERE username='$username' AND password='$password'") or die('Error!');
$Data = mysql_fetch_array($checkinfo);
if($Data['id'] == '') {
die('Wrong password!');
} else {
session_register('Data');
header('Location: index.php');
}
}
} else if(isset($action) && $action == 'register') {
?>
Code (php)
<html>
<head>
<title>Register</title>
</head>
<body>
<h3>Register now!</h3>
<form action="index.php" method="post">
<p>
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="hidden" name="send" value="reg">
<input type="submit" value="Register">
</p>
</form>
</body>
</html>
Code (php)
<?php
} else if(isset($action) && $action == 'logout') {
session_destroy();
header('location: index.php');
} else if(isset($_SESSION['Data'])) {
$sesname = $_SESSION['Data']['username'];
$sespass = $_SESSION['Data']['password'];
$checkinfo = mysql_query("SELECT id FROM challenge_406 WHERE username='$sesname' AND password='$sespass'") or die('Error!');
$checkit = mysql_fetch_array($checkinfo);
if($checkit['id'] == '') {
die('Wrong password!');
} else {
if($Data['level'] == '') {
$Data['level'] = '0';
}
echo '<p>Welcome to our protected website!</p>';
echo '<ul>';
echo '<li>Username: '.$Data['username'].'</li>';
echo '<li>Admin Level: '.$Data['level'].'</li>';
echo '<li><a href="index.php?action=logout">Logout.</a></li>';
echo '</ul>';
if($Data['level'] == '8') {
echo 'Well done! The solution is: [...]';
}
}
} else {
?>
Code (php)
<html>
<head>
<title>Login</title>
</head>
<body>
<h3>Login!</h3>
<p>
Not yet a member? <a href="index.php?action=register">Register a new account.</a><br />
</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<p>
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="submit" name="submit" value="Login">
</p>
</form>
</body>
</html>
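A hardened rewrite of the registration, login and index flow from the full listing above, added here as an example; it is not code from the thread or from the Net-Force challenge. It assumes a `level` column in challenge_406 (the listing only shows id, username, password and ip) and placeholder database credentials, and it reads only from $_POST and $_SESSION with PDO prepared statements and password_hash(), so it neither needs register_globals nor session_register.

```php
<?php
// Added hardening example, not code from the thread or the challenge.
// Assumed: a table challenge_406(id, username, password, ip, level) where
// password holds a password_hash() value; DSN and credentials are placeholders.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Read only from $_POST. Nothing is imported into the global scope and the
// session is never bound to a global variable, so a posted Data[level]=8
// has nowhere to land.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (isset($_POST['send']) && $_POST['send'] === 'reg' && !isset($_SESSION['user'])) {
    $stmt = $pdo->prepare(
        'INSERT INTO challenge_406 (username, password, ip, level) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $_SERVER['REMOTE_ADDR']]);
    $_SESSION['user'] = ['id' => (int) $pdo->lastInsertId()];
} elseif (isset($_POST['submit']) && $_POST['submit'] === 'Login' && !isset($_SESSION['user'])) {
    $stmt = $pdo->prepare('SELECT id, password FROM challenge_406 WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        die('Wrong password!');
    }
    session_regenerate_id(true);             // fresh session id after authentication
    $_SESSION['user'] = ['id' => (int) $row['id']];
    header('Location: index.php');
    exit;
} elseif (($_GET['action'] ?? '') === 'logout') {
    $_SESSION = [];
    session_destroy();
    header('Location: index.php');
    exit;
}
if (isset($_SESSION['user'])) {
    // The session holds only the user id; username and level are re-read
    // from the database on every request, never from request parameters.
    $stmt = $pdo->prepare('SELECT username, level FROM challenge_406 WHERE id = ?');
    $stmt->execute([$_SESSION['user']['id']]);
    $me = $stmt->fetch(PDO::FETCH_ASSOC) ?: ['username' => '', 'level' => 0];
    echo '<li>Username: ' . htmlspecialchars($me['username'], ENT_QUOTES, 'UTF-8') . '</li>';
    echo '<li>Admin Level: ' . (int) $me['level'] . '</li>';
}
```

Escaping happens at output (htmlspecialchars with ENT_QUOTES) rather than before the INSERT, so the stored value is the raw username and the SQL layer is protected by the bound parameters alone.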
Out of pure interest: where is it online? The challenge, I mean?
Okay, I'm through it :-) Just say so if you want to hear the method and/or the solution ;-)
I'd think so XD Otherwise he wouldn't have made this post. Btw, could you PM it to me? I've been at Net-Force for a while and I can't manage that one.
Code (php)
<form action="http://www.net-force.nl/challenge/level406/login/index.php" method="post">
Level:<br />
<input type="text" name="Data[level]" value="8" /><br />
Username:<br />
<input type="text" name="username" size="25" maxlength="12"><br />
Password:<br />
<input type="text" name="password" size="25" maxlength="12"><br />
<input type="hidden" name="send" value="reg" />
<input type="submit" value="Register" />
</form>
Just 'run' it, fill in something nice for username and password (that simply 'registers' the account on the challenge page), and you're in :-)
Edited on 01/01/1970 01:00:00 by Douwe