POST-ing a body containing_SESSION[secret]=1will log you in, but only through the secondextract.
Created
August 6, 2020 13:19
-
-
Save FrankSpierings/d219e6c0d8341bdb7a9d4195bf9300c3 to your computer and use it in GitHub Desktop.
Session overwrite in PHP through extract - PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| function isLoggedIn() { | |
| if (is_numeric($_SESSION["secret"])) { | |
| return true; | |
| } | |
| else { | |
| return false; | |
| } | |
| } | |
| function foo($post) { | |
| $retval = extract($post); | |
| return $retval; | |
| } | |
| function printSession() { | |
| print("[+] Session contains:\n"); | |
| ob_start(); | |
| $result = var_export($_SESSION); | |
| $result = ob_get_clean(); | |
| $result = preg_replace("/^/m", "[-] ", $result); | |
| print($result); | |
| print("\n"); | |
| print("-------------------\n"); | |
| } | |
| session_start(); | |
| $_SESSION["someKey"] = 'someValue'; | |
| print("[+] Session started\n"); | |
| print("-------------------\n"); | |
| printSession(); | |
| print("[+] Check(0) if user is logged in: " . var_export(isLoggedIn(), true) . "\n"); | |
| print("-------------------\n"); | |
| print("[+] Extracting variables through function: " . foo($_POST) . "\n"); | |
| print("-------------------\n"); | |
| print("[+] Recheck(1) if user is logged in: " . var_export(isLoggedIn(), true) . "\n"); | |
| print("-------------------\n"); | |
| printSession(); | |
| print("[+] Extracting variables directly: " . extract($_POST) . "\n"); | |
| print("-------------------\n"); | |
| print("[+] Recheck(2) if user is logged in: " . var_export(isLoggedIn(), true) . "\n"); | |
| print("-------------------\n"); | |
| printSession(); | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment