Weak PHP type: WordPressCookie counterfeit

Source: Internet
Author: User
Tags hmac
PHP weak type: WordPressCookie forging 1 PHP weak type PHP is a weak type language, so variables are automatically converted because of different use cases. Used in PHP and! During the equality judgment, the type conversion is automatically performed, and! The type is not automatically converted during the determination. 1 & lt ;? Php2 $ a3; 3 $ b3vic; 4var weak PHP type: WordPress Cookie forgery

1 weak PHP type

PHP is a weak type language, so variables are automatically converted based on different use cases. = And! in PHP! = When equality is determined, the type conversion is automatically performed, with ===and! = The type is not automatically converted during the determination.

1 
 

Note: In PHP, when a string is converted to an integer type, if it starts with a number, it is converted to the preceding number ('3vic '-> 3). if it is not the beginning of a number, then it is converted to 0 ('Vic '-> 0)

2 WordPress code

  • Differences between WordPress 3.8.1 and WordPress 3.8.2

1 
 

  • Cookie composition

The client backend only verifies one of the cookies, as shown below:

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly

Cookie namewordpress_bbfa5b726c6b7a9cf3cda9370be3ee91 Format:wordpress_ + Md5 (siteurl) WheresiteurlIs the WordPress URL, where the website address ishttp://www.test.ichunqiu,After md5 encryptionc47f4a97d0321c1980bb76fc00d1e78f, Other parts can also be saved.

Type username expiration time logon successful server-side hash value assigned to the client

Corresponding variable $ Username $ Expiration $ Hmac
Cookies Admin 1433403595 Cf50f3b50eed94dd0fdc3d3ea2c7bbb

  • Analyze and verify logon

Code wp-nodes des/pluggable. php line 543-modules

1
 

In the variables used by the code, the $ username and $ expiration validity period can be controlled by changing the client Cookie method. because the user name is fixed, only$expirationIs controllable, so we can change$expiration Method to change$hash.

  • WordPress analysis based on PHP Hash comparison defects

There are several possible causes$hmac == $hash True: The string is completely equal or$hmac Equal to 0 at the same time$hash Is a string starting with a character.$hmac Change the value to 0, and thenif ( $hmac != $hash ) {Write the above rowvar_dump($hmac);die();Printed$hmac The result isstring '0'Insteadint 0Is there any way to recognize a string as an integer? the code is as follows:

1
  

The0e156464513131 It is identified as 0 multiplied by the 10 power of 156464513131, or 0. Therefore, when$hash When all numbers start with 0 E$hmac When the value is '0', so we can set the Cookie of the client as similarwordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 Then, update the Expiration Time (currently at the 1433403595 position) to collide with the server.$hash The value starts with 0e and is followed by a number. If the collision succeeds, you can modify the Cookie of the browser and directly access the background address to log on to the background.

3 Test script

By changing the value of the client Cookie expiration time, we constantly try to log on to the background and find the timestamp that can enter the background, so as to counterfeit the Cookie and log on to the background.

1
       

Note: theoretically, the 32-bit MD5 value starts with 0e and is about one thousandth of the value. The probability of collision to $ expiration is very low.

5. Solution

The hash comparison function used in PHP, where = ,! = Change to = and! = Or use MD5 to encrypt the two variables.

Study notes: http://ichunqiu.com/course/167

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.