https://github.com/p0dalirius/codeigniter-session-unsign
Command line tool to fetch, decode and brute-force CodeIgniter session cookies by guessing and bruteforcing secret keys.
- Host: GitHub
- URL: https://github.com/p0dalirius/codeigniter-session-unsign
- Owner: p0dalirius
- Created: 2022-06-25T11:02:04.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2024-03-16T08:26:49.000Z (10 months ago)
- Last Synced: 2024-12-18T18:50:12.888Z (17 days ago)
- Topics: codeigniter, cookie, crack, php, session, unsign
- Language: Python
- Homepage: https://podalirius.net/
- Size: 1.12 MB
- Stars: 12
- Watchers: 2
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README
![](./.github/banner.png)
A multithreaded bruteforcer of CodeIgniter ci_session cookies.
## Features
- [x] Extract the `ci_session` cookie from a URL (with `--url`) or from a file (with `--cookie`)
- [x] Progress updated every second with the number of processed hashes per second.
- [x] Multithreaded bruteforce.

## Usage
```
$ ./CodeIgniter-session-unsign.py -h
CodeIgniter-session-unsign v1.1 - by @podalirius_

usage: CodeIgniter-session-unsign.py [-h] [-u URL | -c COOKIE] -w WORDLIST [-t THREADS] [-k] [--md5 MD5 | --sha1 SHA1 | --sha256 SHA256]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     URL of the CodeIgniter website.
  -c COOKIE, --cookie COOKIE
                        CodeIgniter session cookie.
  -w WORDLIST, --wordlist WORDLIST
                        Wordlist of keys to test.
  -t THREADS, --threads THREADS
                        Number of threads (default: 8)
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  --md5 MD5             Use MD5 algorithm.
  --sha1 SHA1           Use SHA1 algorithm.
  --sha256 SHA256       Use SHA256 algorithm.
```

## Example
```
./CodeIgniter-session-unsign.py -c ./example/cookie -w ./example/wordlist
```

![](./.github/example.png)
## Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.
## References
- https://www.websec.ca/publication/blog/insecure-session-data-CodeIgniter