Search code examples
phpsessionlogin-scriptphp-curl

Why I am getting access to the admin panel without sending username and password by using php cURL

I have made a basic login form for an experiment and tried to login by using cURL. I am working with php. I have ensured that nobody can enter the main index.php page without login (authentication). But now when I tried to get access with cURL I got it. I think there msut be a problem in my login and session handling codes. I have tried my best but did not get any solution. Please help to solve this problem.

Thanks in advance.

1. This is the session handling code resides in session.php

<?php
class session{
    public static function init(){
        session_start();
    }
    public static function set($key,$value){
        $_SESSION[$key] = $value;
    }
    public static function get($key){
        if (isset($_SESSION[$key])) {
            return $_SESSION[$key];
        }
        else{
            return false;
        }
    }
    public static function cheaksession(){
        self::init();
        if(self::get("login") == false){
            self::destroy();
            header("Location: login.php");
        }
    }
    public static function destroy(){
        session_destroy();
    }
}

?>

2. This is the login form code resides in login.php

<?php 
include "lib/session.php"; 
session::init();
?>
<?php include "lib/Database.php"; ?>
<?php include "helpers/format.php"; ?>
<?php 
  $db = new Database();
  $fm = new format();
?>
<?php  

    $err = 0;
    if ($_SERVER['REQUEST_METHOD'] == 'POST' ) {
      $username = $fm->validation($_POST['username']);
      $password = $fm->validation($_POST['password']);

      $username = mysqli_real_escape_string($db->link,$username);
      $password = mysqli_real_escape_string($db->link,$password);

            if($username == 'fahad' && $password == '1234') {
                  session::set("login",true);
          session::set("username",$username);
          session::set("userId",1);
          header("Location: index.php");
            }
      else{
            $err = 1;
      }

    }
?>

3. This is the home page code for session checking resides in index.php

<?php 
      include "lib/session.php"; 
            session::cheaksession();
?>

4. Here is the cURL code of attack

<?php

    $ch = curl_init();

    curl_setopt($ch,CURLOPT_URL,'http://localhost/Hackalgo/DummySite/index.php');

    curl_setopt($ch, CURLOPT_HEADER, 0);

    curl_exec($ch);

    curl_close($ch);
?>

By executing this script I am crawling the html page of index.php mentioned just above in (3). But in index.php (3) there is a session checker method which should compel me to go in the login page login.php mentioned in (2) . But it is not working and the index.php (3) is crawled without any authentication in login page (2).

Solution
    1. curl does not follow redirects by default.
    2. There is nothing that stops PHP from executing after the cheaksession call.

    Call exit() or so after sending the Location header.