 

Decrypting and Reading Suhosin Session Data

I just noticed that my host started using Suhosin Hardening. I'm not quite familiar with this and am having major issues with my application, mainly in sessions.

The session is now being stored in the following format:

_EzyqHpPJqmQbSpRmXAJTxuFq980aNQlc3XAiRkWxlZQ9B0fnV...

I don't mind that, but it's also breaking my application. I need a way to decode the encryption because it's not letting me log in to my app because of this.

I have a function to unserialize the session data, not sure where I picked it up, but here it is:

public function unserialize_session_data($data)
{
    $variables = array();

    // Split "name|serialized" pairs; captured names and values alternate in $a.
    $a = preg_split( "/(\w+)\|/", $data, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE );

    for( $i = 0; $i < count( $a ); $i = $i+2 )
    {
        $variables[$a[$i]] = unserialize( $a[$i+1] );
    }

    return($variables);
}

It's giving offset errors with that function, because the session data is not in the format it is expecting, and that's why I was wondering if anyone knows of a method to decrypt / decode the above ugly Suhosin data to present it in its original format?

-- EDIT --

Posting the function which uses the above unserialize function

 /***********************************************************************
 #  Get Session Data of a certain session id
 #  --------------------------------------
 #  This function will retrieve all session information related to a certain session id from
 #  the database, after that it unserializes the data and returns an array of data.
 #
 #  @return array  (Containing Session Data)
 ***********************************************************************/
    public function get_session_data($session_id)
    {
        if (isset($session_id) && $session_id != "")
        {
            // Escape the id before interpolating it into the SQL string.
            $session_id = mysql_real_escape_string($session_id);
            $sql = mysql_query("SELECT ses_value FROM sessions WHERE (ses_id = '$session_id');") or die ("MySQL Error : <b>" . mysql_error() . "</b><br />");

            if (mysql_num_rows($sql) > 0)
            {
                $res = mysql_fetch_assoc($sql);
                $res = $this->unserialize_session_data($res['ses_value']);
                return $res;
            }
        }
    }

Thanks in advance!

asked May 07 '11 01:05

Zubair1


2 Answers

I thought Suhosin's decryption and encryption was transparent?

Parameter       Description
Encrypt         Turns on the transparent encryption

Anyway, the way the encryption key is generated is:

cryptkey + user agent + document root + IP octets

So:

12345Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2/var/www127.0.0.1

The variables are concatenated without a separator. If for some reason the cryptkey string is NULL then Suhosin will default to a value of “D3F4UL7”.
Once built, the string is hashed using SHA256 and the result is used to generate a 256-bit Rijndael encryption key.

answered Nov 06 '22 15:11

Ben Poulson
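
The derivation as this answer describes it, written out in PHP as an added example (not Suhosin's code and not part of the original answer); `derive_session_key()`, its `$octets` parameter and the request values are hypothetical. It shows that a key built this way only matches when the reading request has the same user agent, document root and client address as the request that wrote the session.

```php
<?php
// Added illustration, not Suhosin source code. It follows the derivation
// described in the answer: cryptkey . user agent . document root . IP octets,
// concatenated without a separator, then hashed with SHA-256.

/**
 * Hypothetical helper. $octets is how many leading IPv4 octets are mixed
 * into the key (0 leaves the client address out entirely).
 */
function derive_session_key($cryptkey, $userAgent, $docRoot, $remoteAddr, $octets = 4)
{
    if ($cryptkey === null) {
        $cryptkey = 'D3F4UL7'; // fallback value named in the answer
    }
    $ipPart   = implode('.', array_slice(explode('.', $remoteAddr), 0, $octets));
    $material = $cryptkey . $userAgent . $docRoot . $ipPart;

    return hash('sha256', $material, true); // raw 32 bytes = 256-bit key
}

// Constructed sample values; the cryptkey and user agent are the ones used
// in the answer's example string.
$secret = '12345';
$ua     = 'Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2';

$contexts = array(
    'request that wrote the session' => array($ua, '/var/www', '127.0.0.1'),
    'same client, next request'      => array($ua, '/var/www', '127.0.0.1'),
    'different user agent'           => array('curl/7.21.0', '/var/www', '127.0.0.1'),
    'different document root'        => array($ua, '/var/www/admin', '127.0.0.1'),
    'different client address'       => array($ua, '/var/www', '192.0.2.10'),
);

$reference = null;
foreach ($contexts as $label => $c) {
    $key = derive_session_key($secret, $c[0], $c[1], $c[2]);
    if ($reference === null) {
        $reference = $key; // key in use when the session was written
    }
    // Print a short key prefix and whether this context derives the same key.
    printf("%-32s %s  %s\n", $label, bin2hex(substr($key, 0, 8)),
        $key === $reference ? 'same key' : 'key mismatch');
}
```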


If you need to recover data that's been stored within the Session you could use the tool available here:

http://www.idontplaydarts.com/2011/11/decrypting-suhosin-sessions-and-cookies/

There is no native way to decrypt Suhosin data within PHP - the simplest way is to just turn the encryption off using session.encrypt = 0 within the php.ini file.

answered Nov 06 '22 14:11

Simon