会话固定攻击复制,学期论文 (php)
我正在尝试为我的学期论文复制会话,并且我在这里找到了很多提示,但无法复制对我的本地主机的攻击。
我尝试过这里的一个例子: http://www.devshed.com/c/a/ PHP/Sessions-and-Cookies/2/
fixation.php:
<?php
session_start();
$_SESSION['username'] = 'chris';
?>
test.php
<?php
session_start();
if (isset($_SESSION['username']))
{
echo $_SESSION['username'];
}
?>
文章说我应该能够通过以下方式固定会话:
http://example.org/fixation.php?PHPSESSID=1234
但检查请求标头似乎不起作用:
Cookie PHPSESSID=0avpo8ttlmg35apkjaovj6dgd3
另外,还有一个tmp 文件夹中的“sess_0avpo8ttlmg35apkjaovj6dgd3”文件。
我有点迷失在这里,并尝试了多个类似的例子,但没有成功......
一点更新
在 php.ini 中,设置这些值:
session.use_trans_sid = 1
session.use_cookies = 0
并注释掉 session.save_handler 禁用在 cookie 中保存会话并生成 tmp 文件(我想,如果我错了,请纠正我)。现在我可以修复会话(tmp 文件夹中有一个名为 sess_1234 的文件)并劫持它(在另一个浏览器中打开,恢复状态)。再次,如果我错了,请纠正我 - 会话固定是在最近的 php 版本中完全修补的还是只是这个简单的攻击?我当前的版本是5.3.4
I'm trying to replicate session for my term paper and I've found quite a bit tips here, but can't replicate an attack on my localhost.
I've tried an example from here:
http://www.devshed.com/c/a/PHP/Sessions-and-Cookies/2/
fixation.php:
<?php
session_start();
$_SESSION['username'] = 'chris';
?>
test.php
<?php
session_start();
if (isset($_SESSION['username']))
{
echo $_SESSION['username'];
}
?>
Article says I should be able to fixate session with:
http://example.org/fixation.php?PHPSESSID=1234
But inspecting the request headers it doesn't seem to work:
Cookie PHPSESSID=0avpo8ttlmg35apkjaovj6dgd3
Also, there is an "sess_0avpo8ttlmg35apkjaovj6dgd3" file in tmp folder.
I'm kind of lost here and have tried more than a few similar examples that didn't work...
A little update
in php.ini, setting these values:
session.use_trans_sid = 1
session.use_cookies = 0
and commenting out session.save_handler disables saving session in cookie and generating tmp file (i presume, please correct me if I'm wrong). Now I'm able to fixate the session (there is a file in tmp folder named sess_1234) and hijack it too (open in another browser, resume state). Again, corrent me if I'm wrong - was session fixation completley patched in recent php versions or just this simple attack? My current version is 5.3.4
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
从这篇文章和您向我们更新的内容中,我可以得知这一点。
PHP 并没有完全修复该攻击,但它为开发人员提供了选择,不允许服务器从 URL 接受 PHPSESSID,并强制服务器仅从 cookie 接受 PHPSESSID。这样,您链接的文章中显示的示例变得更加难以提交(但这并不意味着不可能!)。在某种程度上,这是一种非常简单的攻击,并且取决于要启用的某些配置选项,但如果启用了这些选项,则攻击是非常合法的。
这让我想起了一点魔法引号。该功能本应帮助人们阻止 SQL 注入,但最终却让一些新的 PHP 开发人员编写了容易发生 SQL 注入的代码。魔术引号(直到 PHP 5.4)仍然可以启用,允许人们通过 SQL 注入编写代码,但就像 PHPSESSID 一样,开发人员可以决定是否启用这些选项。
From the article and what you have updated us with, this is what I can tell.
PHP didn't completely patch the attack, but it has given the developer the choice to not allow the server to accept PHPSESSID from the URL and force it to only accept it from the cookie. This way, examples which are shown in the article you linked become much more difficult to commit (but this doesn't mean impossible by any means!). In a way it is a very simple attack and is dependent on certain configuration options to be enabled, but if they are enabled the attack is very legitimate.
This reminds me a little bit of magic quotes. A feature which was suppose to help people thwart SQL injections, but in the end just made some new PHP developers write SQL injection prone code. Magic quotes (until PHP 5.4) can still be enabled allowing people to write code with SQL injections, but just like the PHPSESSID the developer can decide if they want these options enabled or not.
尝试更改浏览器中的 cookie。使用 Firefox,安装“Web Developer”工具栏扩展。然后从 Cookie 菜单中选择“编辑 Cookie”并更改您的域的值或创建您尝试复制的新 Cookie。
Try changing the cookie in your browser. Using firefox, install the "Web Developer" tool bar extension. Then from the Cookies menu, choose "Edit Cookie" and change the value for your domain or create the new cookie that your trying to replicate.