开发者

Decrypting and Reading Suhosin Session Data

问答 作者:

I just noticed that my host started using Suhosin Hardening, i'm not quite familiar with this and am having major issues with my application, mainly in sessions.

The session is nowing being stored in the following format:

_EzyqHpPJqmQbSpRmXAJTxuFq980aNQlc3XAiRkWxlZQ9B0fnV...

I don't mind that but its also breaking my application, i need a way to decode the encryption because its not letting me login to my app because of this.

I have a function to unserialize the session data, not sure where i picked up but here it is:

public function unserialize_session_data($data)
{
    $variables = array();

    $a = preg_split( "/(\w+)\|/", $serialized_string, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );

    for( $i = 0; $i < count( $a ); 开发者_JAVA技巧$i = $i+2 )
    {
        $variables[$a[$i]] = unserialize( $a[$i+1] );
    }

    return($variables);
}

It's giving offset errors with that function, because the session data is not in the format it is expecting and thats why i was wondering if anyone knows of a method to decrypt / decode the above ugly suhosin data to present it in its original format?

-- EDIT --

Posting the function which uses the above unserialize function

 /***********************************************************************
 #  Get Session Data of a certain session id
 #  --------------------------------------
 #  This function will retrieve all session information related to a certain session id from
 #  the database, after that it unserializes the data and returns an array of data.
 #
 #  @return array  (Containing Session Data)
 ***********************************************************************/
    public function get_session_data($session_id)
    {
        if (isset($session_id) && $session_id != "")
        {
            $sql = mysql_query("SELECT ses_value FROM sessions WHERE (ses_id = '$session_id');") or die ("MySQL Error : <b>" . mysql_error() . "</b><br />");

            if (mysql_num_rows($sql) > 0)
            {
                $res = mysql_fetch_assoc($sql);
                $res = $this->unserialize_session_data($res['ses_value']);
                        return $res;
            }
        }
    }

Thanks in advance!

I thought Suhosin's decryption and encryption was transparent?

Parameter       Description
Encrypt         Turns on the transparent encryption

Anyway, the way the encryption key is generated is:

cryptkey + user agent + document root + IP octets

So:

12345Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2/var/www127.0.0.1

The variables are concatenated without a separator. If for some reason the cryptkey string is NULL then Suhosin will default to a value of “D3F4UL7”.
Once built the string is hashed using SHA256 and the result used to generate a 256bit rijndael encryption key.

If you need to recover data thats been stored within the Session you could use the tool avaliable here:

http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/

There is no native way to decrypt Suhosin data within PHP - the simplest way is to just turn the encryption off using session.encrypt = 0 within the php.ini file.

Can you just use ini_set() to turn off the encryption it's using?

  • suhosin.session.encrypt

You'll need to specify the exact key that you want to be used for encrypting session data (which the page indicates is possible to do through ini_set()) in order to decrypt it. That done, decrypting it should become possible with the key (I'm not sure what encryption system it is using).

继续阅读:phpsecuritysuhosin

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9