[PHP] Exposing DB Credentials / HttpOnly Bypass / FPD

numaN

Growth Hacker
Staff member
Administrator
Joined
Sep 11, 2019
Messages
49
Points
18
Hi world, hope you are all good. I am OK but very tired...
While I was developing my software (and pentesting it at the same time), I discovered a bug in PHP. It's a known bug, but most developers/researchers aren't aware of it. Today you will learn how to find critical (P1) vulnerabilities in just 10 seconds. Let us start.

1- Meet the System
We use sessions in the backend of software for many functions, for example user login. You have registered on a website, and if you log in, the server generates a cookie for you. This cookie means 'I have logged in, here are my membership credentials:'. Your cookies may include your hashed membership details (like e-mail, user id), and while the server is reading your cookies, it decides which user you are and loads your profile page. But what is a session and what is a cookie? What is the difference between them?

Actually, if you generate a session, a cookie is generated for you. There are some differences, but the main difference is:

  • Cookie: Its content (value) is readable by anyone.
  • Session: Its real content (value) is stored on the server.

What does 'real content stored on the server' mean? Let us create a script and call a session & cookie. Our code:
PHP:
<?php
session_start();                            // create/resume the session; sends the PHPSESSID cookie
setcookie("hackking", "content");           // plain cookie: the value "content" goes to the browser as-is
$_SESSION['hackking'] = "its real content"; // session data: stored on the server, never in the cookie
Output:
1hk.PNG

PHPSESSID is our session, hackking is our cookie. But look at line 4 of our script: $_SESSION['hackking'] = "its real content";
Why is our PHPSESSID value nh1cqub3dc7oq00maji0iahaup instead of its real content? Because in sessions the real content/value is stored on the server.
nh1cqub3dc7oq00maji0iahaup = the filename under which the session is stored
Let us check this file. Open your /tmp path (or wherever sessions are located).

2hk.PNG

The session's value is the filename on the server.

Let us check its content:

3hk.PNG

The real content is here. Visitors cannot see this.
In cookies, you need to encrypt your value, because its value is public.
But in sessions, the real content is stored on the server, so it is private and safer.

2- Muck the System 😘

The session's value is a filename, so what happens if an attacker changes it to xxx.php? Then it will be xxx.php, and is that a critical issue? Let us try. ;)

I am editing the cookie as xxx:

4hk.PNG


And the sess_xxx file is generated automatically on my server:

5hk.PNG



Try to change it to xxx.php and see what happens:

6hk.PNG

PHP blocked this action and printed an error message.
What did we get? The full path and the website's user. Why it is important:
- It's a tip for file inclusion attacks,
- It's a tip to learn the database user (for injection attacks),
- It's a tip to find the flag in CTFs.

So, we got "full path disclosure" information.

How to Expose the Database Password and Bypass HttpOnly Protection?
You can learn the full path with this bug because PHP debug mode is enabled on most servers. But it is not critical information.
We want to learn the database password and bypass HttpOnly protection. Then look for Laravel apps. Laravel (and some frameworks) disclose DB_NAME, DB_USER, DB_PASSWORD and the HttpOnly cookies.


Watch this PoC to see how to reproduce:

To exploit this bug, just change the cookie to hackking.php, or write a very long value, or put special characters inside.


Loves.
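Added example (my own code, not from numaN's post or from PHP's documentation): a session bootstrap that closes both doors the post walks through. It assumes PHP 8.0 or newer (for `match`) and the php.ini-production defaults of session.sid_bits_per_character = 5 and session.sid_length = 26, which is the shape of the nh1cqub3dc7oq00maji0iahaup ID above; the cookie values in the self-check are constructed, and the function names are mine.

```php
<?php
// Added example, not from the original post: a session bootstrap that
// (a) keeps PHP's "illegal characters" warning from revealing the full path,
// (b) stops a client-chosen ID such as "xxx" from creating sess_xxx on disk,
// (c) validates the PHPSESSID cookie ourselves before session_start().
declare(strict_types=1);

// (a) Never render errors to the visitor; log them server-side instead.
//     These belong in php.ini; they are set here so the example is self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// (b) Strict mode: an ID that PHP did not issue is discarded and a fresh one
//     is generated, so sess_xxx is never created from a client-supplied value.
ini_set('session.use_strict_mode', '1');

/**
 * Regex for IDs PHP itself generates: sid_bits_per_character selects the
 * alphabet (4 -> [0-9a-f], 5 -> [0-9a-v], 6 -> [0-9a-zA-Z,-]) and
 * sid_length is the exact number of characters.
 */
function sessionIdPattern(int $bitsPerChar, int $length): string
{
    $alphabet = match ($bitsPerChar) {
        4 => '0-9a-f',
        5 => '0-9a-v',
        default => '0-9a-zA-Z,\-',
    };
    return '/^[' . $alphabet . ']{' . $length . '}$/';
}

// Assumption: php.ini-production defaults (5 bits per character, 26 chars),
// i.e. the shape of the nh1cqub3dc7oq00maji0iahaup ID shown in the post.
function isValidSessionId(string $id, int $bitsPerChar = 5, int $length = 26): bool
{
    return preg_match(sessionIdPattern($bitsPerChar, $length), $id) === 1;
}

// (c) Drop a malformed cookie before the session module parses it. PHP reads
//     the session cookie from $_COOKIE, so unsetting it is enough: PHP then
//     issues a new ID instead of warning about "xxx.php" or touching sess_xxx.
function startSessionSafely(): void
{
    $name = session_name();   // "PHPSESSID" unless session.name was changed
    $bits = (int) ini_get('session.sid_bits_per_character');
    $len  = (int) ini_get('session.sid_length');

    $cookie = $_COOKIE[$name] ?? null;
    if ($cookie !== null && (!is_string($cookie) || !isValidSessionId($cookie, $bits, $len))) {
        // Worth alerting on: a legitimate browser never sends an ID in this shape.
        error_log(sprintf('rejected malformed %s cookie from %s',
            $name, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        unset($_COOKIE[$name]);
    }
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Self-check on constructed cookie values mirroring the post's experiments.
    $samples = [
        'nh1cqub3dc7oq00maji0iahaup' => true,   // the ID shape the post shows
        'xxx'                        => false,  // wrong length: would create sess_xxx
        'xxx.php'                    => false,  // "." is outside the alphabet
        str_repeat('A', 200)         => false,  // uppercase and wrong length
    ];
    foreach ($samples as $id => $expected) {
        if (isValidSessionId($id) !== $expected) {
            fwrite(STDERR, "unexpected result for $id\n");
            exit(1);
        }
    }
    echo "session id checks passed\n";
} else {
    startSessionSafely();
}
```

Run from the CLI it only executes the self-check; inside a web request it validates and, if needed, discards the incoming cookie before starting the session. The rejected-cookie log line is the detection hook: a spike of those entries is exactly the probing the post describes, and with display_errors off the prober gets a fresh session cookie instead of the server's filesystem path.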
 

numaN

@TheAlien and @008divyachawla, many thanks for your great comments.
You can find similar websites with Shodan, search "Laravel" or "Whoops! There was an error."
 

numaN

> Hello bro, I have tried on Shodan but this tip is not working.

It is about luck, bro. Developers may disable debug modes. (I do this too :)) So you cannot expect all websites to be vulnerable.
It has worked for me on Harvard's website and on some websites.
bumbum.PNG
 

008divyachawla

 
Registered
Joined
Jan 14, 2020
Messages
4
Points
3
So you only change the Laravel cookie value in the cookie editor to hackking.php or something else. Apart from this you never change the CSRF token or any other cookie value.
If the value is something like this, starting with 'e' and a long string, do I have to put *.php or something else there?
 

numaN

> So you only change the Laravel cookie value in the cookie editor to hackking.php or something else. Apart from this you never change the CSRF token or any other cookie value.
> If the value is something like this, starting with 'e' and a long string, do I have to put *.php or something else there?

Yes. This bug doesn't affect cookies: you can use "." in cookies, but you cannot use it in sessions.
Yes, just put a dot or write a long value like: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 

numaN

> Sir,
> How do I change the PHPSESSID value nh1c*********?
>
> What's the procedure to check the content?
>
> Sorry for being a noob,
> I want to learn.

You can do this via the EditThisCookie browser extension, or you can use your browser console, Burp Suite/Tamper Data, or curl. :) Just edit the cookie as hackking.php