Decrypting and reading Suhosin session data
I just noticed that my host started using Suhosin Hardening. I'm not quite familiar with this and am having major issues with my application, mainly in sessions.
The session is now being stored in the following format:
_EzyqHpPJqmQbSpRmXAJTxuFq980aNQlc3XAiRkWxlZQ9B0fnV...
I don't mind that, but it's also breaking my application; I need a way to decode the encryption because it's not letting me log in to my app because of this.
I have a function to unserialize the session data, not sure where I picked it up, but here it is:
public function unserialize_session_data($data)
{
    $variables = array();
    // Split "name|serialized;name|serialized;" into [name, serialized, name, serialized, ...]
    // (the original used $serialized_string here, which is never defined; the parameter is $data)
    $a = preg_split( "/(\w+)\|/", $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );
    for( $i = 0; $i < count( $a ); $i = $i+2 )
    {
        // Input that did not split into name/value pairs (e.g. an opaque encrypted blob)
        // would otherwise trigger an undefined offset on $a[$i+1]
        if ( !isset( $a[$i+1] ) ) {
            break;
        }
        $variables[$a[$i]] = unserialize( $a[$i+1] );
    }
    return($variables);
}
It's giving offset errors with that function, because the session data is not in the format it is expecting, and that's why I was wondering if anyone knows of a method to decrypt / decode the above ugly Suhosin data to present it in its original format?
-- EDIT --
Posting the function which uses the above unserialize function
/***********************************************************************
# Get Session Data of a certain session id
# --------------------------------------
# This function will retrieve all session information related to a certain session id from
# the database, after that it unserializes the data and returns an array of data.
#
# @return array (Containing Session Data)
***********************************************************************/
public function get_session_data($session_id)
{
    if (isset($session_id) && $session_id != "")
    {
        // Escape the id before interpolating it into the query; unescaped input here is a SQL injection hole
        $session_id = mysql_real_escape_string($session_id);
        $sql = mysql_query("SELECT ses_value FROM sessions WHERE (ses_id = '$session_id');") or die ("MySQL Error : <b>" . mysql_error() . "</b><br />");
        if (mysql_num_rows($sql) > 0)
        {
            $res = mysql_fetch_assoc($sql);
            $res = $this->unserialize_session_data($res['ses_value']);
            return $res;
        }
    }
    // No id given or no matching row
    return array();
}
Thanks in advance!
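As an added example (not code from the question, and not part of Suhosin), here is a reader that uses PHP's own session_decode() instead of the regex split, refuses opaque values such as the encrypted string above with a clear message, and fetches the row with a prepared statement. It assumes a mysqli connection $db, the question's sessions(ses_id, ses_value) table, and session.serialize_handler = php (the "name|serialized;" format the question's function expects).

```php
<?php
// Added example: read a stored session row and decode it, or explain why it cannot be decoded.
// Assumptions: mysqli connection $db, table sessions(ses_id, ses_value), serialize handler "php".

function read_session_data(mysqli $db, string $session_id): array
{
    // Prepared statement: the session id never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT ses_value FROM sessions WHERE ses_id = ?');
    $stmt->bind_param('s', $session_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return [];
    }
    return decode_php_session($row['ses_value']);
}

function decode_php_session(string $raw): array
{
    // "php" serializer output starts with "name|" (e.g. user|s:3:"bob";). Anything else,
    // such as the encrypted blob in the question, cannot be parsed as session data at all.
    if ($raw !== '' && !preg_match('/^[^|]+\|/', $raw)) {
        throw new RuntimeException(
            'Session value is not in php serializer format. If Suhosin is active, '
            . 'suhosin.session.encrypt is probably on: either turn it off '
            . '(suhosin.session.encrypt = 0) and let users log in again, or read the session '
            . 'from a PHP request configured with the same Suhosin cryptkey, where decryption is transparent.'
        );
    }

    // session_decode() fills $_SESSION using PHP's own parser, so values that contain
    // "|" or newlines are handled correctly, unlike a regex split on "\w+|".
    $saved = $_SESSION ?? [];
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    $ok = session_decode($raw);
    $decoded = $_SESSION;
    $_SESSION = $saved;           // put the caller's own session back
    if (!$ok) {
        throw new RuntimeException('session_decode() rejected the stored value');
    }
    return $decoded;
}
```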
Comments (3)
I thought Suhosin's decryption and encryption was transparent?
Anyway, the way the encryption key is generated is:
So:
The variables are concatenated without a separator.
If for some reason the cryptkey string is NULL then Suhosin will default to a value of “D3F4UL7”.
Once built, the string is hashed using SHA256 and the result used to generate a 256-bit rijndael encryption key.
If you need to recover data that's been stored within the Session you could use the tool available here:
http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/
There is no native way to decrypt Suhosin data within PHP; the simplest way is to just turn the encryption off using session.encrypt = 0 within the php.ini file.
Can you just use ini_set() to turn off the encryption it's using (suhosin.session.encrypt)?
You'll need to specify the exact key that you want to be used for encrypting session data (which the page indicates is possible to do through ini_set()) in order to decrypt it. That done, decrypting it should become possible with the key (I'm not sure what encryption system it is using).