How to make use of Session in PHP

2025-01-19 Update From: SLTechnology News&Howtos > Network Security


Shulou (Shulou.com) 05/31 Report

Many people without much experience are unsure how Session works in PHP and how it can be misused. This article summarizes the causes of the related problems and their solutions; I hope it helps you work through them.

0x00 Preface

Recently I have encountered several session-related problems while auditing PHP code. I had never summarized them systematically before, so I am filling that gap here.

0x01 Session basics

Here we mainly talk about the traditional server-side Session in PHP. For what server-side Session and client-side Session are, take a look at P God's article on the security problems caused by client-side session: https://www.leavesongs.com/PENETRATION/client-session-security.html

Session concept: in computing, especially in network applications, a session is what is called "session control". The Session object stores the properties and configuration information required for a specific user's session. When the user moves between the Web pages of the application, the variables stored in the Session object are not lost but persist throughout the user's session. When a user requests a Web page from the application, the Web server automatically creates a Session object if the user does not already have a session. When a session expires or is abandoned, the server terminates it.

Session mechanism: session content is generally stored on the server as a file, and the browser stores a cookie value that maps to that session file. The cookie holds a session_id value under the key "PHPSESSID". When a user accesses a web application, the cookie carrying the session_id is sent automatically with every HTTP request, so every page of the web application can obtain this session_id and, through it, the session data stored on the server. When the user closes the browser, the session_id stored in the cookie is cleared, and the session files stored on the server are also automatically cleared after 30 minutes.

For example, in the wamp environment, the index.php is as follows:

First, understand session_start().

When a session starts, either automatically or manually through session_start(), PHP internally looks up the existing session data (that is, the session file) based on the PHPSESSID sent by the client, deserializes the contents of the session file and populates them into the $_SESSION superglobal. If no matching session data exists, a file named sess_<PHPSESSID> (the value sent by the client) is created. If the client does not send a PHPSESSID, PHP generates a 32-character PHPSESSID and returns it in a Set-Cookie header.

You can see the corresponding PHPSESSID in the request: PHPSESSID=ifrvi9r7ui81r0fjq569b06862

On the server side, under /wamp/tmp, we can find the generated file that records the Session. Because no session information has been recorded yet, the file is empty.

Configuration related to PHP Session

There are many Session settings in php.ini; here we illustrate several important ones through phpinfo.

The explanation is as follows:

session.save_path (string): the directory where session files are stored.

session.save_handler (string): the storage handler. The default, "files", stores each session as a file; set a user-defined handler here if you want something other than PHP's built-in file storage (a database, etc.).

session.auto_start (boolean): whether the session module starts a session at the beginning of the request; defaults to 0 (do not start).

session.serialize_handler (string): defines how session data is serialized.

Common php-session storage location

/var/lib/php5/sess_PHPSESSID

/var/lib/php7/sess_PHPSESSID

/var/lib/php/sess_PHPSESSID

/tmp/sess_PHPSESSID

/tmp/sessions/sess_PHPSESSID

0x02 Possible attack surfaces involving Session

Session serialization attack

Session file inclusion

Session forgery of user login

Session logic vulnerabilities

0x03 Session serialization attack

serialize_handler

To understand Session serialization attacks, first take a look at how serialization is handled in the Session mechanism.

There are three serialization handlers in PHP. The session.serialize_handler value and the corresponding storage format are:

php: key name + vertical bar + the value serialized by serialize()

php_binary: the length of the key name as one ASCII character + key name + the value serialized by serialize()

php_serialize (PHP >= 5.5.4): the whole array serialized by serialize()

The local test sets $_SESSION['test'] = 'CoCo1er'; the content of the Session file under each handler is:

php: test|s:7:"CoCo1er";

php_binary: \x04tests:7:"CoCo1er";   (the first byte is chr(4), the length of the key "test")

php_serialize: a:1:{s:4:"test";s:7:"CoCo1er";}

Principle of attack and exploitation

However many payloads there are, they all come back to one principle.

It should be added here that there is nothing wrong with the implementation of Session in PHP itself; the harm comes mainly from programmers using Session improperly, as in the cases below.

Using different handlers to process session files

If PHP deserializes stored $_SESSION data with a different handler than the one that serialized it, the data will not be deserialized correctly. With carefully constructed data, program checks can be bypassed or system functions reached. For example, in a case like this:

If we store data while using the php_serialize handler, $_SESSION['key'] = 'Boby'; produces the file content:

a:1:{s:3:"key";s:4:"Boby";}

Now suppose the other handler, php, is used to parse it.

Think about what happens at this point (in the php handler, keys and values are separated by a vertical bar).

If we change the value to something like the payload above, the input and the resulting stored content are:

$_SESSION['key'] = '|O:4:"User":0:{}';

a:1:{s:3:"key";s:16:"|O:4:"User":0:{}";}

Under the php handler, everything before the first vertical bar, a:1:{s:3:"key";s:16:", is treated as the key, and what follows it, O:4:"User":0:{}";}, is deserialized as the value. One might ask here: why does that deserialize at all?

Look at the official documentation.

Someone might ask: that value does not conform to the rules for a "normal" serialized string. This is a feature of unserialize() that has come up before: when unserialize() runs, as long as the leading part of the string is a valid serialized value, the irregular characters that follow it are ignored.

If that is hard to follow, take a look at an online test case:

To sum up: when PHP writes the session with the php_serialize handler but parses it with the php handler, a deserialization vulnerability can be triggered by passing a payload of the form $_SESSION['name'] = '|serialized content'. Of course, this only identifies where deserialization happens; whether it can actually be exploited depends on the environment and on whether there are usable magic methods. That belongs to the topic of exploiting PHP deserialization vulnerabilities, so I won't go into details here. For a more complex use of Session deserialization attacks, see bestphp's revenge from 2018 LCTF.
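To make the three storage formats and the handler-mismatch parsing concrete, here is an added example that is not from the original article: a small Python re-implementation of PHP's serialize() for the value types used above, an encoder for the php, php_binary and php_serialize handlers, a decoder that reads a file the way the php handler does, and a check that flags keys which do not look like ordinary session variable names. The sample data ('test' => 'CoCo1er' and the User payload) comes from the text; the function names are my own.

```python
# Added example, not from the original article. Re-creates the three PHP
# session storage formats discussed above and shows how the php handler
# splits data that was written by php_serialize. Supports the value types a
# typical $_SESSION holds: None, bool, int, str and string-keyed arrays.
import re


def php_serialize(value):
    """Serialize a Python value the way PHP's serialize() does."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return "b:%d;" % int(value)
    if isinstance(value, int):
        return "i:%d;" % value
    if isinstance(value, str):
        # PHP counts bytes, not characters, in s:<len>:"...";
        return 's:%d:"%s";' % (len(value.encode("utf-8")), value)
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return "a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type: %s" % type(value).__name__)


def encode_session(data, handler):
    """Return the sess_<id> file content for $_SESSION == data under a handler."""
    if handler == "php":            # key | serialized value, for each key
        return "".join("%s|%s" % (k, php_serialize(v)) for k, v in data.items())
    if handler == "php_binary":     # one byte with the key length, key, value
        return "".join(chr(len(k)) + k + php_serialize(v) for k, v in data.items())
    if handler == "php_serialize":  # the whole $_SESSION array through serialize()
        return php_serialize(data)
    raise ValueError("unknown session.serialize_handler: %s" % handler)


def unserialize_one(s, pos=0):
    """Read one serialized value starting at pos; return (value, next_pos).

    Like PHP's unserialize(), it stops after one complete value and never
    looks at what follows, which is why trailing junk is tolerated.
    """
    tag = s[pos]
    if tag == "N":
        return None, pos + 2
    if tag in "ib":
        end = s.index(";", pos)
        n = int(s[pos + 2:end])
        return (bool(n) if tag == "b" else n), end + 1
    if tag == "s":
        colon = s.index(":", pos + 2)
        length = int(s[pos + 2:colon])
        start = colon + 2                               # skip ':"'
        return s[start:start + length], start + length + 2   # skip '";'
    if tag in "aO":
        colon = s.index(":", pos + 2)
        if tag == "O":                                  # O:<len>:"Class":<count>:{...}
            name_len = int(s[pos + 2:colon])
            class_name = s[colon + 2:colon + 2 + name_len]
            pos = colon + 2 + name_len + 2              # skip '":' after the class name
            colon = s.index(":", pos)
            count = int(s[pos:colon])
        else:                                           # a:<count>:{...}
            count = int(s[pos + 2:colon])
        pos = colon + 2                                 # skip ':{'
        members = {}
        for _ in range(count):
            k, pos = unserialize_one(s, pos)
            v, pos = unserialize_one(s, pos)
            members[k] = v
        pos += 1                                        # skip '}'
        if tag == "O":
            return {"__class__": class_name, "props": members}, pos
        return members, pos
    raise ValueError("unsupported type tag %r at offset %d" % (tag, pos))


def decode_php_handler(raw):
    """Parse session data the way the php handler does: key, '|', one value.

    Bytes after the last complete key|value pair are ignored.
    """
    result, pos = {}, 0
    while True:
        bar = raw.find("|", pos)
        if bar < 0:
            break
        key = raw[pos:bar]
        value, pos = unserialize_one(raw, bar + 1)
        result[key] = value
    return result


def suspicious_keys(decoded):
    """Keys that are not plain identifiers: a sign of handler mismatch or tampering."""
    return [k for k in decoded if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", k)]


if __name__ == "__main__":
    sample = {"test": "CoCo1er"}                        # constructed, as in the article's test
    for h in ("php", "php_binary", "php_serialize"):
        print(h, repr(encode_session(sample, h)))
    mismatched = encode_session({"key": '|O:4:"User":0:{}'}, "php_serialize")
    print(decode_php_handler(mismatched), suspicious_keys(decode_php_handler(mismatched)))
```

Reading the php_serialize output for the key/value pair above with decode_php_handler() yields the key a:1:{s:3:"key";s:16:" and a User object as the value, with the trailing ";} discarded, which is exactly the split described in the text. suspicious_keys() is the kind of check an audit script can run over sess_* files: an application writes plain identifiers as keys, so a key containing serialization syntax indicates that the file was written with a different handler than the one reading it, or that it was tampered with.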

No $_SESSION variable assignment

In the situation above, our assignment to the session is controllable. What if the code never assigns to the $_SESSION variable at all? Let's look at the next point.

PHP also has an upload progress mechanism (session.upload_progress) that automatically creates a key-value pair in $_SESSION, and part of that value happens to be user-controllable.

Specifically, with PHP's Session Upload Progress feature, when uploading a file, if you POST a variable named PHP_SESSION_UPLOAD_PROGRESS, the filename of the upload is written into the session.

An upload form therefore meets the "session controllable" condition, since the filename field can be written into the session; the remaining exploitation conditions are the same as in the scenario described above: two different handlers, applied one after the other, cause the malicious serialized string to be parsed.

0x04 Session file inclusion

This is also a relatively old point, and in fact it is not limited to Session files. Think about it: in principle, as long as you can write PHP code into a file and that file is then pulled in by include, can't you get a shell? Here the controllable point happens to be the Session file; if we can write PHP code into it, we can exploit a file inclusion vulnerability through it.

The exploitation of file inclusion will not be shown here; the basics have been all over the Internet for a long time.

It is worth mentioning that current CTF challenges are rarely limited to file inclusion alone; instead they use combinations such as session + LFI to read source code and so on. open_basedir may also be set to restrict the path, so you need to be familiar with the session mechanism and use the relevant function to change the save path. This idea is the test point of the bestphp challenge from the XCTF Final; interested students can find the environment and reproduce it.

0x05 Session forgery of user login

A few days ago a 3CTF challenge happened to test exactly this. Here I use that challenge to explain the exploitation. As there is no environment to reproduce it, this can only be "on paper"; I hope you can follow the principle.

Prerequisites for exploitation: the session is controllable, and the session storage format is known.

The challenge combined multiple attack surfaces. index.php prompts you to log in as admin.

Blind SQL injection lets you run sqlmap and get its shell.

The SQL root user has file privileges, but writing a shell directly into the site does not succeed (the guess is that the web root is restricted, but /tmp is writable).

Scanning the site reveals test.php. Accessing it echoes the session's data structure, Array ( [username] => test ), which reveals the session format: the key is username. But which serialization handler is used? Test all three and you are done.

The two prerequisites for exploitation are now met. Write a file into /tmp through the sqlmap shell to forge admin:

Payload: select 'username|s:5:"admin";' into outfile '/tmp/sess_PHPSESSID'

Finally, set the cookie to the corresponding PHPSESSID to fake an admin login and get the flag.

0x06 Session logic vulnerabilities

Unfortunately there is no environment left to reproduce this point (the official environment is no longer available). It was a web challenge that appeared in UNCTF in the last two weeks. The logic flaw lies in the password reset; the process is roughly as follows.

Password reset is divided into three steps:

Fill in the user name that needs to be reset.

The verification code is received in the mailbox bound to that user name.

Fill in the verification code, go to the reset-password page, fill in the new password and complete the reset.

The logic flaw lies in the first page: after the user name is filled in, the back end presumably sets the session with something like:

$_SESSION['name'] = $_POST['name'];

How to exploit it: reset the admin password.

Open a normal page and go through the complete process up to the last step: fill in the verification code and pass, fill in the new password, but do not submit yet.

Open another page and complete the first step again, filling in admin as the user to reset. At this point the Session no longer holds our own user but admin.

Now submit the earlier page. The admin password is successfully reset.

The cause of this logic flaw is that after the verification code is filled in, the associated user binding is not recorded, and the last step resets the password directly without checking that the Session is still trustworthy. We all know Session is stored on the server side, so we can open one more page to modify the contents of the same session file (as long as the same PHPSESSID is used).
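As an added example (not the challenge's code nor the original article's), the following Python model replays the two-page sequence just described against a minimal three-step reset flow and shows the fix the article points at: record which user the verification code was checked for, invalidate that record whenever a new reset is requested, and refuse the final step if the session's user no longer matches. A plain dict stands in for $_SESSION; the user list, the mailbox codes and the ResetFlow class are constructed for the example.

```python
# Added example, not from the challenge or the original article. Models the
# three-step password reset described above with a plain dict as $_SESSION and
# contrasts the flawed final step with one that checks the binding between the
# verified code and the account being reset. Users and codes are constructed.
import hmac
import secrets

USERS = {"alice": "alice@example.invalid", "admin": "admin@example.invalid"}  # constructed


class ResetFlow:
    def __init__(self, bind_user_to_code):
        self.bind = bind_user_to_code   # False reproduces the flaw, True is the fix
        self.passwords = {}             # stands in for the users table
        self.issued = {}                # user name -> code "sent" to that mailbox

    def step1_request(self, session, name):
        """Page 1: remember which account is being reset and send a code."""
        if name not in USERS:
            return False
        session["name"] = name          # the article's $_SESSION['name'] = $_POST['name']
        if self.bind:
            # a new request invalidates any verification done for another account
            session.pop("verified_for", None)
        self.issued[name] = secrets.token_hex(3)
        return True

    def step2_verify(self, session, code):
        """Page 2: check the code and record which account it was verified for."""
        name = session.get("name")
        expected = self.issued.get(name)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        session["verified_for"] = name
        return True

    def step3_reset(self, session, new_password):
        """Page 3: set the new password."""
        if "verified_for" not in session:
            return False
        target = session["name"]
        if self.bind and session["verified_for"] != target:
            return False                # session changed after verification: refuse
        self.passwords[target] = new_password
        session.clear()                 # one reset per verification
        return True


def replay_two_tab_reset(bind_user_to_code):
    """Replay the article's sequence; return the account whose password changed."""
    flow = ResetFlow(bind_user_to_code)
    session = {}                        # one server-side session shared by both tabs
    flow.step1_request(session, "alice")
    flow.step2_verify(session, flow.issued["alice"])   # alice's own mailbox code
    flow.step1_request(session, "admin")               # second tab, same PHPSESSID
    if flow.step3_reset(session, "new-password"):      # first tab submits now
        return next(iter(flow.passwords))
    return None


if __name__ == "__main__":
    print("flawed flow reset:", replay_two_tab_reset(False))
    print("fixed flow reset:", replay_two_tab_reset(True))
```

With bind_user_to_code=False the model behaves like the challenge: the second page overwrites $_SESSION['name'] and the pending submission resets admin. With it enabled, the new request on page 1 drops the verification record and step 3 refuses, while an honest user who goes through the three steps in order is unaffected. The point is the one the article makes: the server-side session is shared by every tab using the same PHPSESSID, so the final step has to check that the state it relies on still belongs to the account that was verified.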

This is only a record of my own study of PHP's session mechanism, citing the points I have recently come across in CTF challenges; of course the uses of session are not limited to these, so fill in your knowledge as you encounter more. For reasons of space, extended exploitation is not covered, but frankly, extended exploitation is just the combination of many complex points; I think it is only by understanding the fundamentals that one can understand complex combined attacks. If there are any mistakes or poor expressions in the article, I hope the masters will correct them.
