RealEnder / dwpa

Distributed WPA PSK auditor
https://wpa-sec.stanev.org
GNU General Public License v3.0

Networks not associated with submitter #27

Closed. strasharo closed this 2 months ago.

strasharo commented 6 years ago

A few times on a freshly initialized database using the latest code from git I got this exception on submit:

```
Warning: Parameter 2 to mysqli_stmt::bind_param() expected to be a reference, value given in /var/www/wpacracker/public_html/common.php on line 263
Call Stack:
0.0001 234240 1. {main}() /var/www/wpacracker/public_html/index.php:0
0.0003 239224 2. include('/var/www/wpacracker/public_html/content/submit.php') /var/www/wpacracker/public_html/index.php:182
0.0008 240656 3. submission() /var/www/wpacracker/public_html/content/submit.php:36
0.0273 265728 4. insert_n2u() /var/www/wpacracker/public_html/common.php:406
0.0275 267920 5. call_user_func_array:{/var/www/wpacracker/public_html/common.php:263}() /var/www/wpacracker/public_html/common.php:263
Capture submitted successfully
```

And then the submitted networks are not associated with the user that I submitted them with. Looks similar to https://github.com/RealEnder/dwpa/issues/13

RealEnder commented 6 years ago

Hm, looks the same, but it's something else. Can you please put var_dump($ref); after https://github.com/RealEnder/dwpa/blob/ca8227ebf8e06ae8ceef0e2805dbb5846e77288b/web/common.php#L262 and paste the result here?

strasharo commented 6 years ago

This is the first submit on a new database:

```
/var/www/wpacracker/public_html/common.php:309:
array(10) {
  [0] => string(9) "sssssssss"
  [1] => string(16) "�k'� c/��j ��"
  [2] => string(16) "L�?UwI�*�I��4�9"
  [3] => string(16) "�0GR�5ؙ��HW��"
  [4] => string(16) "{��nF ei����"
  [5] => string(16) "�f��wd&?�l�W�l�"
  [6] => string(16) "����J3*1�z=�"
  [7] => string(16) " �^�"p���e~A�"
  [8] => string(16) "�e��d�//�� \000~"
  [9] => string(16) "�e��d�//�� \000~"
}
Warning: Parameter 2 to mysqli_stmt::bind_param() expected to be a reference, value given in /var/www/wpacracker/public_html/common.php on line 310
Call Stack:
0.0001 234240 1. {main}() /var/www/wpacracker/public_html/index.php:0
0.0002 239224 2. include('/var/www/wpacracker/public_html/content/submit.php') /var/www/wpacracker/public_html/index.php:182
0.0008 240776 3. submission() /var/www/wpacracker/public_html/content/submit.php:36
0.0252 266448 4. insert_n2u() /var/www/wpacracker/public_html/common.php:474
0.0255 268640 5. call_user_func_array:{/var/www/wpacracker/public_html/common.php:310}() /var/www/wpacracker/public_html/common.php:310
Capture submitted successfully
```

RealEnder commented 6 years ago

Just created an empty DB and can't reproduce this. Please make sure you're using PHP 5.5+ and latest HEAD. Also, there is one caveat for bosskey: you have to first create a user via Get key, then use that key for bosskey in conf.php. Of course, you can change that key to whatever 16-byte value you want, just make sure you change it both in the DB and in conf.php.

strasharo commented 6 years ago

The PHP version is 5.6.33 on CentOS 6.9 and the code is the latest one from git. So now I repeated the test by setting the bosskey right after I created the first user and got this:

```
/var/www/wpacracker/public_html/common.php:253:
array(10) {
  [0] => string(9) "sssssssss"
  [1] => string(16) "�k'� c/��j ��"
  [2] => string(16) "L�?UwI�*�I��4�9"
  [3] => string(16) "�0GR�5ؙ��HW��"
  [4] => string(16) "{��nF ei����"
  [5] => string(16) "�f��wd&?�l�W�l�"
  [6] => string(16) "����J3*1�z=�"
  [7] => string(16) " �^�"p���e~A�"
  [8] => string(16) "�e��d�//�� \000~"
  [9] => string(16) "�e��d�//�� \000~"
}
Warning: Parameter 2 to mysqli_stmt::bind_param() expected to be a reference, value given in /var/www/wpacracker/public_html/common.php on line 254
Call Stack:
0.0001 234240 1. {main}() /var/www/wpacracker/public_html/index.php:0
0.0002 239224 2. include('/var/www/wpacracker/public_html/content/submit.php') /var/www/wpacracker/public_html/index.php:182
0.0010 240776 3. submission() /var/www/wpacracker/public_html/content/submit.php:36
0.0264 266448 4. insert_n2u() /var/www/wpacracker/public_html/common.php:418
0.0272 268640 5. call_user_func_array:{/var/www/wpacracker/public_html/common.php:254}() /var/www/wpacracker/public_html/common.php:254
Capture submitted successfully
```

RealEnder commented 6 years ago

This is strange, since we pass a reference value here: https://github.com/RealEnder/dwpa/blob/master/web/common.php#L411 Can you replace the line `$ref[0] = str_repeat('s', count($ref)-1);` with:

```php
$format = str_repeat('s', count($ref)-1);
$ref[0] = & $format;
var_dump($ref);
```

strasharo commented 6 years ago

```
/var/www/wpacracker/public_html/common.php:255:
array(10) {
  [0] => string(9) "sssssssss"
  [1] => string(16) "�k'� c/��j ��"
  [2] => string(16) "L�?UwI�*�I��4�9"
  [3] => string(16) "�0GR�5ؙ��HW��"
  [4] => string(16) "{��nF ei����"
  [5] => string(16) "�f��wd&?�l�W�l�"
  [6] => string(16) "����J3*1�z=�"
  [7] => string(16) " �^�"p���e~A�"
  [8] => string(16) "�e��d�//�� \000~"
  [9] => string(16) "�e��d�//�� \000~"
}
Warning: Parameter 2 to mysqli_stmt::bind_param() expected to be a reference, value given in /var/www/wpacracker/public_html/common.php on line 256
Call Stack:
0.0001 234848 1. {main}() /var/www/wpacracker/public_html/index.php:0
0.0002 239888 2. include('/var/www/wpacracker/public_html/content/submit.php') /var/www/wpacracker/public_html/index.php:182
0.0009 241440 3. submission() /var/www/wpacracker/public_html/content/submit.php:36
0.0344 267112 4. insert_n2u() /var/www/wpacracker/public_html/common.php:420
0.0347 269304 5. call_user_func_array:{/var/www/wpacracker/public_html/common.php:256}() /var/www/wpacracker/public_html/common.php:256
Capture submitted successfully
```

RealEnder commented 6 years ago

Hm, we explicitly defined the $ref[0] value to be a reference and it isn't: `[0] => string(9) "sssssssss"`. I can't see how this can happen. Maybe it's something CentOS devs patched in PHP for hardening, but that seems unlikely. Will ask for help from some real PHP developer :)
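For context, an added example that is not code from the dwpa project or from this thread. It shows why an argument array handed to `mysqli_stmt::bind_param()` through `call_user_func_array()` has to hold references rather than copies, which is exactly the condition that produces the warning quoted above. A stand-in function with the same by-reference signature replaces the real `bind_param()` so the script runs without a database; `fake_bind_param` and the `$params` values are constructed for the example.

```php
<?php
// Added example, not dwpa code. mysqli_stmt::bind_param() declares every
// argument after the format string as by-reference. When the call goes
// through call_user_func_array(), PHP checks each array element: a plain
// value where a reference is expected triggers
// "Parameter N to ... expected to be a reference, value given"
// (PHP 5/7 wording; PHP 8 phrases it differently) and the callee gets a
// temporary copy, so later changes to the bound variables are lost.

// Stand-in with bind_param's shape: format by value, values by reference.
function fake_bind_param($format, &$a, &$b) {
    $a .= '#bound';          // mark the variables the callee actually received
    $b .= '#bound';
    return strlen($format) === 2;
}

$params = array('net-id-1', 'user-key-1');   // constructed sample values

// Wrong: the array holds copies. The warning from the issue is emitted and
// $params is left untouched because the callee bound temporaries.
$byValue = array(str_repeat('s', count($params)));
foreach ($params as $p) {
    $byValue[] = $p;
}
call_user_func_array('fake_bind_param', $byValue);
var_dump($params);   // still "net-id-1", "user-key-1"

// Right: every element after the format string is a reference into $params.
$byRef = array(str_repeat('s', count($params)));
foreach ($params as $i => $unused) {
    $byRef[] = &$params[$i];
}
call_user_func_array('fake_bind_param', $byRef);
var_dump($params);   // now "net-id-1#bound", "user-key-1#bound": no warning

// PHP 5.6+ alternative: argument unpacking passes by-reference parameters
// as references without building the array by hand:
//   fake_bind_param(str_repeat('s', count($params)), ...$params);
```

The same pattern applies when the number of bound columns is only known at runtime, as in an insert that handles one row per network in a multi-network capture.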

strasharo commented 6 years ago

It has Suhosin enabled, maybe that's the issue?

RealEnder commented 6 years ago

Yeah, maybe, can you try to disable the extension?

RealEnder commented 6 years ago

Or enable Suhosin's log to see if it blocked/filtered/altered something?

strasharo commented 6 years ago

Disabled Suhosin and still got it:

```
/var/www/wpacracker/public_html/common.php:255:
array(10) {
  [0] => string(9) "sssssssss"
  [1] => string(16) "�k'� c/��j ��"
  [2] => string(16) "L�?UwI�*�I��4�9"
  [3] => string(16) "�0GR�5ؙ��HW��"
  [4] => string(16) "{��nF ei����"
  [5] => string(16) "�f��wd&?�l�W�l�"
  [6] => string(16) "����J3*1�z=�"
  [7] => string(16) " �^�"p���e~A�"
  [8] => string(16) "�e��d�//�� \000~"
  [9] => string(16) "�e��d�//�� \000~"
}
Warning: Parameter 2 to mysqli_stmt::bind_param() expected to be a reference, value given in /var/www/wpacracker/public_html/common.php on line 256
Call Stack:
0.0001 234840 1. {main}() /var/www/wpacracker/public_html/index.php:0
0.0002 239824 2. include('/var/www/wpacracker/public_html/content/submit.php') /var/www/wpacracker/public_html/index.php:182
0.0009 241376 3. submission() /var/www/wpacracker/public_html/content/submit.php:36
0.0246 267064 4. insert_n2u() /var/www/wpacracker/public_html/common.php:420
0.0249 269256 5. call_user_func_array:{/var/www/wpacracker/public_html/common.php:256}() /var/www/wpacracker/public_html/common.php:256
Capture submitted successfully
```

```
/var/www/wpacracker/public_html/common.php:255:
array(21) {
  [0] => string(20) "ssssssssssssssssssss"
  [1] => string(16) "O_�\000�NT~>�g-�^�"
  [2] => string(16) "�p�3�a����w{Y"
  [3] => string(16) ",4U����!c3^h"
  [4] => string(16) "�}��.~4���^W�8"
  [5] => string(16) "�>.��f㗯5��k8�"
  [6] => string(16) "�Qr�P�#�Z@���"
  [7] => string(16) "�t�aD�<��1�Wl�- "
  [8] => string(16) "{O?4g��Pv�d�N�"
  [9] => string(16) "hU��/we)I5a\�L�"
  [10] => string(16) "<Σ‡}�Ιi9z�+�9"
  [11] => string(16) "�-pz�m��~� ��6""
  [12] => string(16) "��T��+@7/�=�s�p�"
  [13] => string(16) "7 b�K]d�pʟ-z9"
  [14] => string(16) "��YN�R�-�?�K�"
  [15] => string(16) "�1�8/����z��2"
  [16] => string(16) "o8.�*#���-f ���["
  [17] => string(16) "1u�v���/\�2�)�"
  [18] => string(16) "���;�э7�0��n�"
  [19] => string(16) ",�៦��<[vf�\000�"
  [20] => string(16) ",�៦��<[vf�\000�"
}
Warning: Parameter 2 to mysqli_stmt::bind_param() expected to be a reference, value given in /var/www/wpacracker/public_html/common.php on line 256
Call Stack:
0.0000 234832 1. {main}() /var/www/wpacracker/public_html/index.php:0
0.0002 239816 2. include('/var/www/wpacracker/public_html/content/submit.php') /var/www/wpacracker/public_html/index.php:182
0.0007 241368 3. submission() /var/www/wpacracker/public_html/content/submit.php:36
0.0207 287760 4. insert_n2u() /var/www/wpacracker/public_html/common.php:420
0.0209 291072 5. call_user_func_array:{/var/www/wpacracker/public_html/common.php:256}() /var/www/wpacracker/public_html/common.php:256
Capture submitted successfully
```

It appears to be specific to pcap files containing handshakes from multiple networks; so far, if I recall correctly, it hasn't happened with a pcap containing a single network handshake. I'm reproducing it with a pcap file from wlandump-ng containing handshakes from multiple networks.

RealEnder commented 2 months ago

Please reopen if you still see this.