
I am trying to understand how exactly the code below verifies the license key, and whether it can be bypassed in the PHP file itself by putting in my own license key and getting it verified.

<?php
session_start();

if (!function_exists('curl_init')) {
    die('cURL is not available on your server! Please enable cURL to continue the installation. You can read the documentation for more information.');
}

function currentUrl($server)
{
    $http = 'http';
    if (isset($server['HTTPS'])) {
        $http = 'https';
    }
    $host = $server['HTTP_HOST'];
    $requestUri = $server['REQUEST_URI'];
    return $http . '://' . htmlentities($host) . '/' . htmlentities($requestUri);
}

$current_url = currentUrl($_SERVER);

if (isset($_POST["btn_purchase_code"])) {

    $_SESSION["purchase_code"] = $_POST['purchase_code'];
    $response = "";

    $url = "http://jobsearchers.in/api/license?purchase_code=" . $_POST['purchase_code'] . "&domain=" . $current_url;

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $response = curl_exec($ch);
    curl_close($ch);

    if (empty($response)) {
        $url = "http://jobsearchers/api/license?purchase_code=" . $_POST['purchase_code'] . "&domain=" . $current_url;

        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        $response = curl_exec($ch);
        curl_close($ch);
    }

    $data = json_decode($response);

    if (!empty($data)) {

        if ($data->status == "300" || $data->status == "400") {
            $_SESSION["error"] = "Invalid purchase code!";
        } else {
            $_SESSION["status"] = $data->status;
            $_SESSION["license_code"] = $data->license_code;
            header("Location: folder-permissions.php");
            exit();
        }
    } else {
        $_SESSION["error"] = "Invalid purchase code!";
    }

}
?>

I tried removing the curl and placing my own key in $data's place, like $data = 123456789, and tried to validate it; it doesn't work.

  • Quite likely it can be bypassed by modifying the code responsible for validating the license key. However, this depends a lot on the actual implementation and to me appears to be illegal activity. That said, this part of the code seems to be responsible only for getting the key from a server and not for validating it internally. – Tim Nikischin Nov 08 '22 at 17:53
  • Hey, actually I am creating a site to validate the user and I want to learn how to do it. If you can explain and help, it will be appreciated. Can you please show how internal verification and external verification are done? Thanks – SRM Testimonials Nov 08 '22 at 17:58
  • Setting $_SESSION["status"] = 200; and $_SESSION["license_code"] = "some random number"; will replicate what this script is trying to do, but the random number might be verified internally in the app, and in that case the bypass won't work. – Moudi Nov 08 '22 at 17:59
  • $current_url = currentUrl($_SERVER); if (isset($_POST["btn_purchase_code"])) { $_SESSION["purchase_code"] = 1234567890; $response = ""; $data = "purchase_code" ; if ($data->status == "200") { $_SESSION["license_code"] = $data->license_code; header("Location: folder-permissions.php"); } } ?> – SRM Testimonials Nov 08 '22 at 18:08
  • I had tried; still the same @Moudi – SRM Testimonials Nov 08 '22 at 18:08
  • I included a snippet and some explanation; hopefully it will help you foolproof your applications against being cracked – Moudi Nov 09 '22 at 10:37

1 Answer


In that snippet of code, the application sends an HTTP request with the purchase_code and gets back the license_code.

This is better than hard-coding the license code on the device, to avoid users sharing license codes.

Let's assume that the license_code returned does not get verified; in that case you can just change the script to do the following:

<?php
session_start();
if (isset($_POST["btn_purchase_code"])) {
    $_SESSION["purchase_code"] = $_POST['purchase_code'];
    $_SESSION["status"] = 200;
    $_SESSION["license_code"] = "fake_license_code";
    header("Location: folder-permissions.php");
    exit();
}
?>

However, the above code only spoofs the server's response. There usually is some sort of "correlation" between your purchase_code and your license_code that only the devs know, and they use that knowledge to verify that your license code matches the purchase code.

If you are doing this for malicious reasons, big shame, but if you're doing this to foolproof your application against being cracked, then you have to figure out a way to locally verify the "license_code" and make sure it's a valid code sent by the server. This can be done by signing the code with a private key on the server, which would make it impossible to replicate.

My favorite way of creating unique verifiable tokens or license codes, is JWT.

You can use JWT to create a token that contains a timestamp, purchase_code and other information, then sign it using a private key; that makes it impossible to replicate. The client can verify the issuer through a public key.

TL;DR: The above snippet will only work if no extra steps are done to verify the license_code, which is unlikely. A good step to verify that the license_code is one shared by the server is to sign it with a private key.

Moudi
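As an added example (not part of the answer or of the original installer script), here is the signing approach the answer recommends: a minimal RS256 JWT-style license token issued by the license server with its private key and verified in the installer with only the public key, so editing the PHP file cannot produce a token that passes. The claim names, the issuer string and the in-script key generation are assumptions for the demo; in a real deployment the private key never leaves the server and the installer ships only the public key PEM.

```php
<?php
// Added example, not the project's code. Hypothetical claim names and an
// on-the-fly keypair are used so the script runs stand-alone.

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}

// Server side: bind the purchase_code to the requesting domain and sign it.
function issueLicense(string $purchaseCode, string $domain, $privateKey): string {
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode([
        'iss'           => 'license-server',   // assumed issuer name
        'purchase_code' => $purchaseCode,
        'domain'        => $domain,
        'iat'           => time(),
        'exp'           => time() + 365 * 86400,
    ]));
    openssl_sign("$header.$payload", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url($sig);
}

// Client side (installer): only the public key is needed, so a local edit
// cannot mint a valid token; the domain claim stops reuse on another site.
function verifyLicense(string $token, string $expectedDomain, string $publicKeyPem): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $hdr = json_decode(b64url_decode($h), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? '') !== 'RS256') return null;   // pin the algorithm
    if (openssl_verify("$h.$p", b64url_decode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) return null;
    if (($claims['domain'] ?? '') !== $expectedDomain) return null;        // bound to this install
    if (($claims['exp'] ?? 0) < time()) return null;                       // expired
    return $claims;
}

// Demo keypair, constructed for this example only.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$token = issueLicense('1234567890', 'example.com', $key);
var_dump(verifyLicense($token, 'example.com', $pub) !== null);   // genuine token for this domain
var_dump(verifyLicense($token, 'other.example', $pub) !== null); // same token, different domain
$tampered = substr($token, 0, -4) . 'AAAA';                      // signature bytes altered
var_dump(verifyLicense($tampered, 'example.com', $pub) !== null);
```

With this layout, the spoofing script from the answer still sets a session value, but the later pages can call verifyLicense() on the stored token and reject anything the vendor's private key did not sign.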