Contents
- Session fixation attack
- Example: YXCMS session fixation attack
- Analysis
- Learn more
Session fixation attack
A session fixation attack exploits a server that keeps the same session identifier across authentication: the attacker gets the victim to log in under a session ID the attacker already knows, and then presents that ID to inherit the victim's authenticated session and act as them.
The core of a session fixation vulnerability is that the program relies on the session as its authentication mechanism while also letting the client choose the session ID: a session ID supplied in key/value form in the request is passed to session_id() as part of starting the session, so the request itself decides which session the backend uses.
1. The attacker first opens a website such as http://www.baidu.com; the server replies with a session ID, say SID=ABCDEFG. The attacker writes this ID down.
2. The attacker sends an email to UserA, pretending to sell something, and induces UserA to click the link http://unsafe/?SID=abcdefg, where the SID value is the attacker's own session ID.
3. UserA takes the bait, clicks http://unsafe/?SID=abcdefg and, as usual, enters their own account and password to log in to the bank website.
4. Because the server does not change the session ID on login, the attacker now opens http://unsafe/?SID=abcdefg and holds the identity of UserA (Alice), able to do whatever they please.
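The vector in the steps above is a session ID travelling in the URL. As an added example that is not part of the original post, the PHP script below scans web-server access log lines for query-string parameters that carry a session identifier, so a defender can spot the pattern in logs. The log lines are constructed for this example, and the parameter names in $sessionParams are an assumption to be extended for the application in question.

```php
<?php
// Added example (not from the original post): flag access log entries whose
// request URL carries a session identifier in the query string, which is the
// delivery vector for the fixation steps described above.

// Constructed sample log lines in common/combined-style format.
$logLines = [
    '192.168.27.136 - - [10/Jan/2018:10:00:01 +0000] "GET /yxcms/index.php?r=admin/index/index HTTP/1.1" 200 512',
    '192.168.27.200 - - [10/Jan/2018:10:00:05 +0000] "GET /yxcms/index.php?r=admin/index/index&sessionid=qhi5f1rj7tu07dfkq53ngfqim2 HTTP/1.1" 200 512',
    '192.168.27.201 - - [10/Jan/2018:10:00:09 +0000] "GET /index.php?SID=abcdefg HTTP/1.1" 302 0',
    '192.168.27.202 - - [10/Jan/2018:10:00:12 +0000] "POST /login.php HTTP/1.1" 200 88',
];

// Assumed parameter names that commonly carry a session identifier (lower-case).
$sessionParams = ['sessionid', 'phpsessid', 'sid'];

function findUrlSessionIds(array $lines, array $paramNames): array {
    $hits = [];
    foreach ($lines as $line) {
        // Extract the request line: method, URL and protocol between the quotes.
        if (!preg_match('/"(?<method>[A-Z]+) (?<url>\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        // parse_url() returns null when the URL has no query part, false if malformed.
        $query = parse_url($m['url'], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $name => $value) {
            if (in_array(strtolower((string) $name), $paramNames, true)) {
                $hits[] = [
                    'param' => $name,
                    'value' => is_array($value) ? json_encode($value) : $value,
                    'url'   => $m['url'],
                    'line'  => $line,
                ];
            }
        }
    }
    return $hits;
}

foreach (findUrlSessionIds($logLines, $sessionParams) as $hit) {
    printf("session id in URL: %s=%s  (%s)\n", $hit['param'], $hit['value'], $hit['url']);
}
```

Run with `php scan.php`; on the sample lines it reports the second and third entries (sessionid=... and SID=abcdefg) and stays silent on the two clean requests. A real deployment would read lines from the log file instead of the embedded array, and any hit on a login-related path is worth correlating with the account that authenticated in that session.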
Example: YXCMS session fixation attack
Using Chrome, register a new user as the attacking account; its session ID is PHPSESSID=qhi5f1rj7tu07dfkq53ngfqim2.
Simulate the victim with Firefox by logging in to the management backend; the legitimate administrator's session at this point is PHPSESSID=ib9pf18oh90ngm13q9m3utjp26, and the backend address is http://192.168.27.136/yxcms/index.php?r=admin/index/index
The attacker induces the victim to visit the malicious link http://192.168.27.136/yxcms/index.php?r=admin/index/index&sessionid=qhi5f1rj7tu07dfkq53ngfqim2
The attacker then opens the backend link http://192.168.27.136/yxcms/index.php?r=admin/index/index in Chrome, and the logged-in account has become admin.
Analysis
The vulnerable code is in yxcms/protected/include/lib/common.function.php:
640 function session($name = '', $value = '') {
641     if (empty($name)) {
642         return $_SESSION;
643     }
644     $sessionId = request('request.sessionid');
645     if (!empty($sessionId)) {
646         session_id($sessionId);
647     }
648     if (!isset($_SESSION)) {
649         session_start();
650     }
651     if ($value === '') {
652         $session = $_SESSION[$name];
653     } else if ($value == null) {
654         unset($_SESSION[$name]);
655     } else {
656         $session = $_SESSION[$name] = $value;
657     }
658     return $session;
659 }
Line 644 shows that if a sessionid value is present in the request, it is passed to session_id() and becomes the ID of the current session before session_start() runs. That value is read through the request() helper, which means the client controls it. That is the problem.
Follow the request() method:
660 function request($str, $default = null, $function = null) {
661     $str = trim($str);
662     list($method, $name) = explode('.', $str, 2);
663     $method = strtoupper($method);
664     switch ($method) {
665         case 'POST':
666             $type = $_POST;
667             break;
668         case 'SESSION':
669             $type = $_SESSION;
670             break;
671         case 'REQUEST':
672             $type = $_REQUEST;
673             break;
674         case 'COOKIE':
675             $type = $_COOKIE;
676             break;
677         case 'GET':
678         default:
679             $type = $_GET;
680             break;
681     }
682     if (empty($name)) {
683         $request = filter_string($type);
684     } else {
685         if ($method == 'GET') {
686             $request = urldecode($type[$name]);
687         } else {
688             $request = $type[$name];
689         }
690         $request = filter_string($request);
691         // Set default value
692         if ($default) {
693             if (empty($request)) {
694                 $request = $default;
695             }
696         }
697         // Set handler function
698         if ($function) {
699             $request = call_user_func($function, $request);
700         }
701     }
702     return $request;
703 }
With 'request.sessionid' the lookup goes through $_REQUEST, so the sessionid value can arrive in the query string, the POST body or a cookie, and filter_string() only sanitises the string; it does not stop an arbitrary session ID from being adopted.
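As an added example that is not YXCMS code, the following shows how the session() helper above would look once the client-supplied sessionid is no longer honoured, together with the login step that regenerates the ID after credentials are verified. The helper name session_safe(), the login_user()/logout_user() functions and the 'loginName'/'loginTime' keys are assumptions for illustration; the $name/$value calling convention mirrors the original helper.

```php
<?php
// Added example (not YXCMS code): a hardened replacement for the vulnerable
// session() helper plus a login routine that closes the fixation window.

// Only read the session ID from the cookie, never from the URL or request body,
// and reject IDs that PHP did not itself issue (strict mode). These must be set
// before session_start() is called.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');

// Same $name/$value convention as the original helper, but with no session_id()
// call: the client never gets to choose which session the backend uses.
function session_safe($name = '', $value = '') {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($name)) {
        return $_SESSION;
    }
    if ($value === '') {
        // Read; return null instead of raising a notice for an unset key.
        return isset($_SESSION[$name]) ? $_SESSION[$name] : null;
    }
    if ($value === null) {
        unset($_SESSION[$name]);
        return null;
    }
    return $_SESSION[$name] = $value;
}

// Call once the credentials have been verified (hypothetical key names).
// Regenerating the ID here means that even if an attacker planted an ID
// before login, the authenticated session lives under an ID they never saw.
function login_user($username) {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // true: discard the old session data file
    $_SESSION['loginName'] = $username;
    $_SESSION['loginTime'] = time();
}

// Clear the server-side session so a reused ID carries no privileges.
function logout_user() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    session_destroy();
}
```

With these settings the malicious link from the example (…&sessionid=qhi5f1rj7tu07dfkq53ngfqim2) is simply a normal request to the backend page: the sessionid parameter is ignored, and after the administrator authenticates their session runs under a freshly generated ID, so opening the backend with the attacker's original PHPSESSID yields an unauthenticated session.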
Learn more
https://xz.aliyun.com/t/2025
http://www.freebuf.com/column/162886.html
Session fixation attack - YXCMS session fixation vulnerability