Author Topic: Cookies  (Read 876 times)


Offline Mmwwaaaa

  • Serf
  • Posts: 20
  • Cookies: 6
Cookies
« on: November 28, 2014, 08:49:18 pm »
Here are two cookies from two different websites, both SMF.

Code:
a3A43A7Bi3A03Bs3A XXXXXXXXXXXX Bi3A13Bs3A403A22 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 223Bi3A23Bi3A1Bi3A33Bi3A03B7D
a3A43A7Bi3A03Bs3A XXXXXXXXXXXX Bi3A13Bs3A403A22 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 223Bi3A23Bi3A1Bi3A33Bi3A33B7D

My references to [X] are the only 'RNG' and it's pretty damn similar. All these cycles we waste on attempts at cracking hashes could perhaps be used much more proficiently. My first obfuscation, I assume, will be the data chunk for the site address, the second the creds needed to figure out the user.

No need for usernames; timestamps and a "random" PHPSESSID will log you in just fine. Nothing more than a preconcept atm, just putting it out there. Would also love to see some Blowfish used for our passwords, as it is now 2014, I do recall.

Offline Mmwwaaaa

  • Serf
  • Posts: 20
  • Cookies: 6
Re: Cookies
« Reply #1 on: December 01, 2014, 10:48:58 am »
As I suspected, the first batch of [X] is indeed the 'UUID' for the domain (much smaller than I originally thought) where the cookie is needed, and it is NOT randomized. Well, it cannot be, due to the browser needing to know where that cookie really came from among the millions of SMF users (catch my drift). Now, like a good WiFi device, I will shout creds until I'm heard...

THS 'UUID' = 3845

EZ   'UUID' = 22407

How these are distributed I don't know yet. One would think it's just numerical order, or it could well be randomly assigned. This matters not, just curious. Point is: short numerical code.

Now it gets interesting. The second batch of [X] is all about the user and seems to consist of 40 chars, ONLY lower case and numbers. So that may sound safe to you, right? Gotta love RNG etc. Well, it's not RNG(ed). SMF assigns this cookie content based on the time you have chosen to stay logged in. No, not like a random timestamp, i.e.:

If you check the box "always stay signed in" it will 'generate' the same cookie over and over, same 40 chars etc. Exactly the same if you choose X amount of minutes to stay logged in. Basically it assigns you one of 2 cookies. Nothing is random; both 'static' cookies leave room for many ways to exploit this. Now I am looking at how to change the content of said cookie. See, if this were password cracking and you knew you were compromised, change your pw & BAAM! HA, you can change all the creds you want; once you obtain this 40 char 'master-key' you've got persistence, baby. $Profit

Yours sincerely,

Gwyneth

EDIT: One solution/fix seems to be to delete your cookies completely and sign in with a new allocated time. Logging out and in does not seem to change the cookie's value.
 
EDIT-2: Even this seems to be a flawed method. It all has something to do with the logout button's URL:

Code:
https://evilzone.org/logout/?d2d627p=4b613789a9ae67d9a5515878b4e1021oe3
So "d2d627p=4b613789a9ae67d9a5515878b4e1021oe3" somehow translates to "please reset/banish my cookie". If you, say, close the browser, uninstall said browser, use CCleaner, DBAN, then proceed to your storage medium with your weapon of choice, WITHOUT using the logout button, your cookie creds will remain the same and you can use them to log back in without a username or password. Thus leaving my first edit pretty false, but I'm getting there.

Now my next assumption is that "d2d627p=4b613789a9ae67d9a5515878b4e1021oe3" is a two-part obfuscation of:

1. Domain 'UUID' = d2d627p

2. PHPSESSID = 4b613789a9ae67d9a5515878b4e1021oe3

Hence when you sign in next, SMF knows to allocate you a "new cookie". In saying all that, may I remind you that SMF cares not about the PHPSESSID or timestamp at login, ONLY the 40 char string.
« Last Edit: December 01, 2014, 12:20:44 pm by Mmwwaaaa »

Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • Posts: 990
  • Cookies: 224
Re: Cookies
« Reply #2 on: December 03, 2014, 07:23:54 am »
Am following, please proceed.
If you can't explain it to a 6 year old, you don't understand it yourself.

Offline ande

  • Owner
  • Titan
  • Posts: 2664
  • Cookies: 256
Re: Cookies
« Reply #3 on: December 03, 2014, 07:34:42 am »
I don't have the time to put my head into all this at the moment, but I am pretty sure the only thing you have discovered is the SMF CSRF token system?
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline Mmwwaaaa

  • Serf
  • Posts: 20
  • Cookies: 6
Re: Cookies
« Reply #4 on: December 03, 2014, 10:10:34 am »
Said token looks like so:

##UUID EXAMPLES

6cd5ac27c88a8f9770f482bd6a81932e106c50de

33b0bba772f80c5d60b139557af685ee2166f402

cb837583db7617ead59c490ce6d9ba259dcc51f5

ce622d70bfa61718b29c58087240f25835c84306

16f0cc9ddb987c5eb706880c43f2b84ba700db7d

## Expiration Date = 2553462000 == 1/12/2050

## Complete "SMFCookie" in JSON
Code:
[
{
    "domain": "domain.com",
    "expirationDate": 2553462000,
    "hostOnly": true,
    "httpOnly": false,
    "name": "SMFCookie",
    "path": "/",
    "secure": false,
    "session": false,
    "storeId": "1",
    "value": "a3A43A7Bi3A03Bs3A43A228845223Bi3A13Bs3A403A2216f0cc9ddb987c5eb706880c43f2b84ba700db7d223Bi3A23Bi3A16066536963Bi3A33Bi3A03B7D",
    "id": 7
}
]

Now a script to generate tokens and run it against a domain of choice would be mighty fine.

Example/PoC
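Added example, not from the thread or from SMF's own code base: the SMFCookie value quoted above is a URL-encoded PHP serialize() array, and the page extraction has dropped every '%' from it (a3A43A7B is a%3A4%3A%7B, i.e. `a:4:{`). Putting the '%' back and decoding gives `a:4:{i:0;s:4:"8845";i:1;s:40:"16f0…db7d";i:2;i:1606653696;i:3;i:0;}`, which SMF 2.0 builds as [member ID, sha1(passwd . password_salt), expiry timestamp, cookie state]. So the "short numerical code" in Reply #1 is the member's ID on that board, and the 40-char field is a hash of the stored password hash plus a per-member salt; it only changes when the password or the salt changes, which is why SMF 2.0 rotates password_salt on logout (the logout URL's `d2d627p=…` pair is the session-check token, as ande says). The decoder below reconstructs that; the username, password and salt fed to `smf_cookie_hash()` are constructed sample values, not real credentials.

```python
import hashlib
import urllib.parse
from datetime import datetime, timezone

# Constructed sample: the value from the SMFCookie JSON above, with the '%'
# that the page extraction stripped from the URL-encoding reinserted.
SAMPLE_COOKIE = (
    "a%3A4%3A%7Bi%3A0%3Bs%3A4%3A%228845%22%3Bi%3A1%3Bs%3A40%3A%22"
    "16f0cc9ddb987c5eb706880c43f2b84ba700db7d%22%3Bi%3A2%3Bi%3A1606653696%3B"
    "i%3A3%3Bi%3A0%3B%7D"
)

# SMF 2.0 sets cookieTime to this many minutes (6 years) for "always stay logged in".
SMF_FOREVER_MINUTES = 3153600


def php_unserialize(data, pos=0):
    """Minimal PHP unserialize() for the types SMF puts in its cookie:
    i (int), b (bool), s (string), a (array), N (null).
    Returns (value, position_after_value)."""
    t = data[pos]
    if t == "N":
        return None, pos + 2                       # "N;"
    if t in "ib":
        end = data.index(";", pos)
        n = int(data[pos + 2:end])                 # skip "i:" / "b:"
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":
        colon = data.index(":", pos + 2)           # end of the length field
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        value = data[start:start + length]         # cookie is ASCII: chars == bytes
        if data[start + length:start + length + 2] != '";':
            raise ValueError("bad string terminator at %d" % start)
        return value, start + length + 2
    if t == "a":
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                              # skip ':{'
        out = {}
        for _ in range(count):
            key, p = php_unserialize(data, p)
            out[key], p = php_unserialize(data, p)
        if data[p] != "}":
            raise ValueError("bad array terminator at %d" % p)
        return out, p + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def parse_smf_cookie(raw):
    """urldecode + unserialize an SMF 2.0 login cookie and name its four fields."""
    arr, _ = php_unserialize(urllib.parse.unquote(raw))
    return {
        "id_member": int(arr[0]),          # the poster's "domain UUID"
        "password_hash": arr[1],           # sha1(passwd . password_salt), 40 hex chars
        "expires": arr[2],                 # unix time the cookie stops being accepted
        "cookie_state": arr[3],            # local-cookie / subdomain flags
    }


def login_time_for_forever_cookie(expires):
    """Expiry minus SMF's "forever" length gives the moment the cookie was issued."""
    return expires - SMF_FOREVER_MINUTES * 60


def smf_cookie_hash(username, password, password_salt):
    """The 40-char field the way SMF 2.0 derives it:
    passwd = sha1(lower(username) + password) is what the members table stores,
    and the cookie carries sha1(passwd + password_salt). Nothing random is mixed
    in, so the value is identical on every login until password or salt change."""
    passwd = hashlib.sha1((username.lower() + password).encode()).hexdigest()
    return hashlib.sha1((passwd + password_salt).encode()).hexdigest()


if __name__ == "__main__":
    fields = parse_smf_cookie(SAMPLE_COOKIE)
    for name, value in fields.items():
        print("%-14s %s" % (name, value))
    for label, ts in (("expires", fields["expires"]),
                      ("issued", login_time_for_forever_cookie(fields["expires"]))):
        print("%-14s %s" % (label, datetime.fromtimestamp(ts, timezone.utc)))
    # Constructed credentials: same cookie hash for the same salt, new hash after a
    # salt rotation (which is what SMF's logout does).
    print(smf_cookie_hash("alice", "hunter2", "ab12"))
    print(smf_cookie_hash("alice", "hunter2", "cd34"))
```

Running it on the quoted value shows member 8845, a cookie valid until 2020-11-29, and an issue time of 2014-12-01, which matches the 6-year "always stay logged in" window and the date of Reply #1. The practical check for a board admin is the last two lines: the cookie hash is a pure function of the stored password hash and the salt, so the only ways to invalidate a leaked cookie are a password change or a salt rotation (logout), not clearing the browser.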