PHP Vulnerability Full Solution (VII): Session Hijacking

Source: Internet
Author: User
Tags: php, website, vars

This article covers session hijacking against PHP web sites. Session hijacking is a relatively involved attack, and most machines on the Internet are exposed to some form of it. The attack described here works at the application layer: the attacker takes over an existing HTTP session by obtaining its identifier. The same name is also used for TCP session hijacking, where an attacker who can observe and inject traffic (possible on almost any local network) takes over a TCP connection; that variant is not the subject of this article.

The server and the client communicate within a session. When the client's browser connects to the server, the server establishes a session for that user. Each user's session is independent and maintained by the server, and is identified by a unique string called the session ID. Every request the browser sends carries the session ID (in PHP normally in a cookie, sometimes in the URL), and the server uses that ID to tell which user submitted the request.

The session holds each user's per-user data. A typical web application stores the authenticated user's account in it so that, when the user moves between pages that require authentication, the application can check the session instead of asking for credentials again. (The example below also stores the password in the session; that is bad practice, since the session store should hold only what is needed to identify the user.) The session's life cycle begins when the user first connects to the server and ends when the application calls session_destroy() (for example on logout) or, because a closed browser discards the session cookie, when the user closes the browser. An idle session is garbage-collected after a server-configured timeout (in PHP, session.gc_maxlifetime in php.ini, 1440 seconds by default).

Figure: application architecture for PHP session handling

Session Hijacking

Session hijacking means that the attacker obtains the target user's session ID by some means. Once the attacker has the session ID, they can present it to the web site and act as the target user, with all of that user's permissions.

How an attacker obtains the target user's session ID:

1) Brute force: try session IDs until one is accepted by the server.

2) Calculation: if session IDs are generated in a non-random way (from the time, a counter, or the username), the attacker can reproduce them.

3) Stealing: obtain the ID by intercepting network traffic, through an XSS attack, or by other means.
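To make the "calculation" case concrete, the following is an added example and not code from the article. It uses a constructed weak generator that derives the session ID from the second the user logged in (no real PHP version does this), compares it with a CSPRNG-based ID, and simulates an attacker who knows the victim logged in within the last hour and can test one candidate per request. The in-memory "session store" stands in for the server.

```php
<?php
// Added example, not from the original article. A constructed weak generator that
// derives the session ID from the login second is compared with a CSPRNG-based one,
// and a simulated attacker shows why the first is "calculable".

function weak_session_id(int $login_time): string
{
    return md5((string) $login_time);       // same second in, same ID out
}

function strong_session_id(): string
{
    return bin2hex(random_bytes(16));       // 128 bits from the OS CSPRNG
}

// Stand-in for the server's session store: the set of currently valid IDs.
function make_session_store(array $ids): array
{
    return array_fill_keys($ids, true);
}

function session_is_valid(array $store, string $id): bool
{
    return isset($store[$id]);
}

// Attacker: knows the victim logged in within the last $window seconds and can try
// one candidate ID per request. Returns the hijacked ID, or null if none matched.
function calculate_session_id(array $store, int $now, int $window): ?string
{
    for ($t = $now; $t >= $now - $window; $t--) {
        $candidate = weak_session_id($t);
        if (session_is_valid($store, $candidate)) {
            return $candidate;
        }
    }
    return null;
}

// Constructed scenario: the victim logged in 1234 seconds ago.
$now = time();
$victim_weak_id = weak_session_id($now - 1234);
$victim_strong_id = strong_session_id();

// Weak scheme: at most 3601 guesses cover the whole hour.
$weak_store = make_session_store([$victim_weak_id]);
$hijacked = calculate_session_id($weak_store, $now, 3600);
echo "weak scheme: attacker recovered "
   . ($hijacked === $victim_weak_id ? "the victim's ID" : "nothing") . "\n";

// Random scheme: the same loop tests 3601 values out of 2^128; the ID has no
// relation to the clock, so the attacker learns nothing.
$strong_store = make_session_store([$victim_strong_id]);
$hijacked = calculate_session_id($strong_store, $now, 3600);
echo "random scheme: attacker recovered "
   . ($hijacked === null ? "nothing" : "the victim's ID") . "\n";
```

Run with `php calc.php`. The point is the size of the candidate space: a timestamp-derived ID is recovered in a few thousand requests, while a 128-bit random ID (what PHP's own session handler produces from the system CSPRNG) cannot be enumerated at all.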

Figure: attack steps for session hijacking

Example

login.php

```php
<?php
// login.php (PHP 5-era code from the article; the mysql_* functions it uses were
// removed in PHP 7, and it is shown to illustrate the vulnerable pattern)
session_start();
if (isset($_POST["login"]))
{
    $link = mysql_connect("localhost", "root", "root")
        or die("could not establish MySQL database connection: " . mysql_error());
    mysql_select_db("CMS") or die("Unable to select MySQL database");
    if (!get_magic_quotes_gpc())
    {
        $query = "SELECT * FROM member WHERE username='" . addslashes($_POST["username"]) .
                 "' AND password='" . addslashes($_POST["password"]) . "'";
    }
    else
    {
        $query = "SELECT * FROM member WHERE username='" . $_POST["username"] .
                 "' AND password='" . $_POST["password"] . "'";
    }
    $result = mysql_query($query)
        or die("execute MySQL query statement failed: " . mysql_error());
    $match_count = mysql_num_rows($result);
    if ($match_count)
    {
        // The session keeps the account AND the plaintext password:
        // whoever obtains this session ID gets both.
        $_SESSION["username"] = $_POST["username"];
        $_SESSION["password"] = $_POST["password"];
        $_SESSION["book"] = 1;
        mysql_free_result($result);
        mysql_close($link);
        header("Location: http://localhost/index.php?user=" .
               $_POST["username"]);
    }
    // ... (the remainder of login.php is omitted in the original article)
}
```

index.php

```php
<?php
// index.php
session_start();   // open the session
?>
The visitor's session ID is: <?php echo session_id(); ?><br />
Visitor: <?php echo htmlspecialchars($_GET["user"], ENT_QUOTES); ?><br />
Number of book items: <?php echo htmlspecialchars($_SESSION["book"], ENT_QUOTES); ?><br />
```

After a successful login the session holds $_SESSION["username"] (the account), $_SESSION["password"] (the password) and $_SESSION["book"] (the number of items purchased).

Figure: display after login

Starting the attack

```php
<?php
// attack.php
// open the session; PHP resumes whatever session the supplied ID names
session_start();
echo "The target user's session ID is: " . session_id() . "<br />";
echo "The target user's username is: " . $_SESSION["username"] . "<br />";
echo "The target user's password is: " . $_SESSION["password"] . "<br />";
// set the number of books to 2000
$_SESSION["book"] = 2000;
```

Request http://localhost/attack.php?PHPSESSID=5a6kqe7cufhstuhcmhgr9nsg45, where the ID is the client's session ID obtained earlier, then refresh the customer's page. Note that PHP reads PHPSESSID from the query string only when session.use_only_cookies is 0; it has defaulted to 1 since PHP 5.3, so on a current install the attacker would send the stolen ID in the Cookie header instead (for example curl -b 'PHPSESSID=5a6kqe7cufhstuhcmhgr9nsg45' http://localhost/attack.php, or by editing the cookie in the browser).

The number of items in the customer's purchase becomes 2000.

Session fixation attack

Instead of stealing the session ID, the attacker chooses it in advance and delivers it to the victim through whatever channel the application accepts session IDs on, here the URL:

http://localhost/index.php?user=dodo&PHPSESSID=1234

The attacker sends this link to the user dodo. When dodo opens it, the application continues with session ID 1234 (figure: what dodo sees), and that remains the session after dodo logs in.

The attacker then requests http://localhost/attack.php?PHPSESSID=1234. When the customer's page is refreshed, the number of goods has become 2000.

Countermeasures

1) Change the session ID periodically

bool session_regenerate_id([bool $delete_old_session = false])

With $delete_old_session set to true the old session file is deleted; with false (the default) the old session is kept.

At the beginning of index.php, add:

session_start();

session_regenerate_id(true);

......

This issues a new session ID on every page load, so an ID the attacker captured or planted stops working as soon as the victim loads the next page. The call that matters most is the one immediately after a successful login: it defeats fixation, because the ID the browser arrived with never becomes an authenticated session. Regenerating on every request is heavier on the session store and, with $delete_old_session true, a concurrent request that still carries the old ID loses its session, so many applications regenerate only at login and at privilege changes.

2) Change the session name

The session ID is carried in a cookie whose default name is PHPSESSID. Renaming it stops scanners and scripts that assume the default name, but the cookie is sent with every request, so anyone who captures traffic sees the new name immediately; this raises the bar slightly and is not a real control. session_name() must be called before session_start():

session_name("MySessionId");

session_start();

......

3) Turn off transparent session IDs

A transparent session ID is PHP's fallback for browsers that do not accept cookies: it rewrites links and forms to append the session ID to the URL. That puts the ID into browser history, Referer headers, proxy and server logs and shared links, and the URL is exactly the channel the fixation example above abuses. Open php.ini and set

session.use_trans_sid = 0

or in code

ini_set("session.use_trans_sid", 0);

session_start();

......

4) Accept the session ID only from a cookie

session.use_cookies = 1 means the session ID is stored in a cookie.

session.use_only_cookies = 1 means the ID is accepted only from a cookie, so a ?PHPSESSID=1234 in the URL is ignored. This blocks the fixation attack above and has been the default since PHP 5.3. An attacker who can set cookies for the domain, for instance through XSS or from a sibling subdomain, can still plant an ID; session.use_strict_mode = 1 closes that gap by making PHP reject any ID it did not issue itself.

In code:

ini_set("session.use_cookies", 1);

ini_set("session.use_only_cookies", 1);

5) Pass a hidden parameter in the URL

session_start();

$seid = md5(uniqid(rand(), true));

$_SESSION["seid"] = $seid;

Every link the application generates appends seid=<value>, and every protected page checks that the seid in the request matches $_SESSION["seid"]. An attacker who holds only the session ID does not know seid, so the check confirms that the page was reached through a link the application itself produced. Two limits apply: seid travels in the URL, so it leaks through Referer headers and logs just as a transparent session ID does, and an attacker who sniffs traffic or runs script in the victim's page obtains it together with the session ID. It is a secondary check, not a replacement for 1) to 4). On PHP 7 and later, bin2hex(random_bytes(16)) is a stronger source for the token than md5(uniqid()).
