> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/cookie-manipulation/session-hijacking/trick-0246.md).

# Session Hijacking via Dumped Database Session ID

***

You've obtained a valid session ID, potentially from a database dump via SQL injection or another vulnerability. This ID can often be used to hijack an active session and authenticate as the associated user without needing a password.

The method involves injecting the recovered session ID into the application's session handling mechanism, commonly through cookies or URL parameters. The session ID is typically propagated using a cookie, but may also be propagated as a URL parameter. PHP's session module will create and manage session files, usually stored in a temporary directory on the server. The name of the session file typically follows the pattern `sess_<session_id>`.

For instance, if a session ID `g4e01qdgk36mfdh90hvcc54umq` belonging to user `matt` was found in a database table like `pandora.tsessions_php`, you might attempt to use it in a URL parameter like this:

```
http://localhost:8000/pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq
```

Alternatively, you would replace your current session cookie with the compromised one. Once the session ID is obtained, it can be used to hijack the session. A common method is to inject it into the request. For example, using `curl` to explicitly set the session cookie (often named `PHPSESSID` in PHP applications):

```bash
curl -b "PHPSESSID=g4e01qdgk36mfdh90hvcc54umq" http://localhost:8000/pandora_console/index.php
```

Or, using `curl` to include the `session_id` in the URL and save the resulting cookie:

```bash
curl 'http://localhost:8000/pandora_console/include/chart_generator.php?session_id=g4e01qdgk36mfdh90hvcc54umq' -c cookies.txt
```

The `-c, --cookie-jar <filename>` option in `curl` is used to write cookies after the operation to the specified file. The `-b, --cookie <data>` option is used to pass the data to the HTTP server as a cookie. The session ID can be used to establish a session via cookies. The `-c` flag in `curl` can save the session cookie after a successful request using the injected ID. Then, subsequent requests can use this saved cookie file with the `-b` flag:

```bash
curl 'http://localhost:8000/pandora_console/index.php' -b cookies.txt
```

If successful, you will gain access as the user (`matt` in this example) whose session was hijacked.
