<?php
error_reporting(E_ALL | E_STRICT);
ini_set("track_errors", "On");
$INC = dirname(__FILE__) . "/../inc";
require_once(dirname(__FILE__) . "/config.php");
require_once($INC . "/init.inc.php");
require_once($INC . "/util.inc.php");
require_once("http.inc.php");
rg_log_set_file("http_login.log");
$rg_no_db = TRUE;
require_once("common.php");
rg_log("Test login operation");
// First we need to load the form so we can get the token
// We provide an old cookie to test if we generate a new pre-login one
$data = array();
$headers = array("Cookie: sid=d978671c2cd12fba05be218bb1653c1ce7bfb947");
$r = do_req($test_url . "/op/login", $data, $headers);
if ($r === FALSE) {
echo "Cannot load login form.\n";
exit(1);
}
$good_sid = $r['sid'];
$good_token = $r['token'];
rg_log("good: sid=$good_sid token=$good_token");
if (strncmp($good_sid, "X", 1) != 0) {
rg_log("Seems we did not generated a pre-login session!");
exit(1);
}
rg_log("Sending wrong token, because bad guy cannot control it");
// we need a valid token, so we do a new request
$data = array();
$headers = array();
$r = do_req($test_url . "/op/login", $data, $headers);
if ($r === FALSE) {
echo "Cannot load login form.\n";
exit(1);
}
//rg_log_ml("After loading attacker login form, r: " . print_r($r, TRUE));
$bad_sid = $r['sid'];
$bad_token = $r['token'];
rg_log("bad: sid=$bad_sid token=$bad_token");
rg_log("Now we can attack, we use attacker token but user cookie...");
$data = array(
"doit" => 1,
"token" => $bad_token,
"user" => "catab",
"pass" => "aaaa",
"lock_ip" => 1
);
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/login", $data, $headers);
if ($r === FALSE) {
rg_log_ml("Cannot do the request: " . print_r($r, TRUE));
exit(1);
}
file_put_contents("http_login_attack.log", print_r($r, TRUE));
if (!strstr($r['body'], "invalid token")) {
rg_log("We sould get an invalid token error message. Check http_login_attack.log!");
exit(1);
}
rg_log("Do the real login post request");
$data = array(
"doit" => 1,
"token" => $good_token,
"user" => "catab",
"pass" => "aaaa",
"lock_ip" => 1
);
$headers = array("Cookie: sid=" . $good_sid);
$r = do_req($test_url . "/op/login", $data, $headers);
if ($r === FALSE) {
rg_log_ml("Cannot login: " . print_r($r, TRUE));
exit(1);
}
file_put_contents("http_login_good.log", print_r($r, TRUE));
if (strstr($r['body'], "invalid user or pass")) {
rg_log("Login invalid. Check http_login_good.log!");
exit(1);
}
rg_log("Check what happens if we are logged in and want to login again");
$r = test_login($test_url, $good_sid);
if ($r === FALSE) {
rg_log("Seems we cannot login again if we are already login!");
exit(1);
}
rg_log("Done!");
?>
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://code.reversed.top/user/xaizek/rocketgit
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@code.reversed.top/user/xaizek/rocketgit
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a
pull request:
... clone the repository ...
... make some changes and some commits ...
git push origin master