Decrypting and reading Suhosin session data

Posted 2024-11-05 14:04:44

I just noticed that my host started using Suhosin Hardening. I'm not quite familiar with this and am having major issues with my application, mainly in sessions.

The session is now being stored in the following format:

_EzyqHpPJqmQbSpRmXAJTxuFq980aNQlc3XAiRkWxlZQ9B0fnV...

I don't mind that, but it's also breaking my application; I need a way to decode the encryption, because it's not letting me log in to my app.

I have a function to unserialize the session data; not sure where I picked it up, but here it is:

public function unserialize_session_data($data)
{
    $variables = array();

    // PHP's default session serializer stores "name|<serialized value>" pairs.
    // Split on the "name|" prefix and keep the captured name as the array key.
    // (The original split an undefined $serialized_string instead of $data.)
    $a = preg_split( "/(\w+)\|/", $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );

    // Walk name/value pairs. The "$i + 1 < count" guard avoids the undefined
    // offset error when the input has no "name|" pairs at all (e.g. an
    // encrypted Suhosin blob), in which case an empty array is returned.
    for( $i = 0; $i + 1 < count( $a ); $i = $i+2 )
    {
        $variables[$a[$i]] = unserialize( $a[$i+1] );
    }

    return($variables);
}

It's giving offset errors with that function, because the session data is not in the format it is expecting. That's why I was wondering if anyone knows of a method to decrypt / decode the above ugly Suhosin data to present it in its original format?

-- EDIT --

Posting the function which uses the above unserialize function:

 /***********************************************************************
 #  Get Session Data of a certain session id
 #  --------------------------------------
 #  This function will retrieve all session information related to a certain session id from
 #  the database, after that it unserializes the data and returns an array of data.
 #
 #  @return array  (Containing Session Data)
 ***********************************************************************/
    public function get_session_data($session_id)
    {
        if (isset($session_id) && $session_id != "")
        {
            // Escape the id before interpolating it into the query; the original
            // concatenated it raw. (The mysql_* extension is removed in PHP 7;
            // mysqli/PDO prepared statements are the replacement.)
            $session_id = mysql_real_escape_string($session_id);
            $sql = mysql_query("SELECT ses_value FROM sessions WHERE (ses_id = '$session_id');") or die ("MySQL Error : <b>" . mysql_error() . "</b><br />");

            if (mysql_num_rows($sql) > 0)
            {
                $res = mysql_fetch_assoc($sql);
                return $this->unserialize_session_data($res['ses_value']);
            }
        }

        // No id given or no matching row: return an empty array rather than null.
        return array();
    }

Thanks in advance!

Comments (3)

缪败 2024-11-12 14:04:44

I thought Suhosin's decryption and encryption were transparent?

Parameter       Description
Encrypt         Turns on the transparent encryption

Anyway, the way the encryption key is generated is:

cryptkey + user agent + document root + IP octets

So:

12345Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2/var/www127.0.0.1

The variables are concatenated without a separator.
If for some reason the cryptkey string is NULL, then Suhosin will default to a value of "D3F4UL7".
Once built, the string is hashed using SHA256 and the result is used to generate a 256-bit Rijndael encryption key.
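To make the key derivation described above concrete, here is an added Python sketch (not part of this thread and not Suhosin's own code) that builds the key material exactly as the answer lays it out and shows that the derived key changes whenever the user agent or IP changes; using the raw SHA-256 digest as the 256-bit key bytes is an assumption, since the answer only says the hash is used to "generate" the key.

```python
import hashlib

# Value the answer says Suhosin falls back to when the configured cryptkey is NULL.
DEFAULT_CRYPTKEY = "D3F4UL7"


def key_material(cryptkey, user_agent, document_root, remote_addr):
    """Concatenate cryptkey + user agent + document root + IP octets with no
    separator, as the answer describes; an empty/None cryptkey becomes the default."""
    if not cryptkey:
        cryptkey = DEFAULT_CRYPTKEY
    return cryptkey + user_agent + document_root + remote_addr


def derive_session_key(cryptkey, user_agent, document_root, remote_addr):
    """SHA-256 of the key material. Treating the raw 32-byte digest as the
    256-bit Rijndael key is an assumption (see lead-in)."""
    material = key_material(cryptkey, user_agent, document_root, remote_addr)
    return hashlib.sha256(material.encode("utf-8")).digest()


def key_is_request_bound(cryptkey, document_root, request_a, request_b):
    """True if two requests (user_agent, remote_addr) yield different keys.
    This is why a blob read straight out of the sessions table cannot be
    decoded without the originating request's UA and IP: change either one
    and the derived key no longer matches the one that encrypted the data."""
    key_a = derive_session_key(cryptkey, request_a[0], document_root, request_a[1])
    key_b = derive_session_key(cryptkey, request_b[0], document_root, request_b[1])
    return key_a != key_b


def relies_on_default_cryptkey(cryptkey):
    """Configuration check: with no cryptkey set, every input to the key is
    either the published default or request metadata the client supplies."""
    return not cryptkey or cryptkey == DEFAULT_CRYPTKEY


# Worked example using the sample values from the answer above (constructed input).
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2"

if __name__ == "__main__":
    print(key_material("12345", UA, "/var/www", "127.0.0.1"))
    print(derive_session_key("12345", UA, "/var/www", "127.0.0.1").hex())
    print(key_is_request_bound("12345", "/var/www", (UA, "127.0.0.1"), (UA, "10.0.0.2")))
    print(relies_on_default_cryptkey(""))
```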

屋顶上的小猫咪 2024-11-12 14:04:44

If you need to recover data that's been stored within the session, you could use the tool available here:

http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/

There is no native way to decrypt Suhosin data within PHP - the simplest way is to just turn the encryption off using session.encrypt = 0 within the php.ini file.

荭秂 2024-11-12 14:04:44

Can you just use ini_set() to turn off the encryption it's using?

You'll need to specify the exact key that you want to be used for encrypting session data (which the page indicates is possible to do through ini_set()) in order to decrypt it. That done, decrypting it should become possible with the key (I'm not sure what encryption system it is using).
