This article covers PHP weak typing and how it leads to WordPress cookie forgery.
1 PHP weak typing
PHP is a weakly typed language, so variables are converted automatically depending on how they are used. When == and != are used to test equality, PHP converts types automatically; with === and !==, no automatic conversion takes place.
Note: In PHP, when a string is converted to an integer, a string that starts with a number is converted to that leading number ('3vic' -> 3); a string that does not start with a number is converted to 0 ('vic' -> 0).
2 WordPress code
- Differences between WordPress 3.8.1 and WordPress 3.8.2
The client backend only verifies one of the cookies, as shown below:
wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|cf50f3b50eed94dd0fdc3d3ea2c7bbb; path=/wp-admin; domain=www.test.ichunqiu; HttpOnly
Cookie name: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91
Format: wordpress_ + md5(siteurl), where siteurl is the WordPress URL. Here the website address is http://www.test.ichunqiu, and its MD5 is c47f4a97d0321c1980bb76fc00d1e78f. Other parts can also be saved.
| Type | Username | Expiration time | Hash value the server assigns to the client after a successful logon |
|---|---|---|---|
| Corresponding variable | $username | $expiration | $hmac |
| Cookies | admin | 1433403595 | cf50f3b50eed94dd0fdc3d3ea2c7bbb |
Code: wp-includes/pluggable.php, starting at line 543
Of the variables used by the code, $username and $expiration can be controlled by changing the client cookie. Because the user name is fixed, only $expiration is really controllable, so we can change $hash by changing $expiration.
- Analysis of WordPress based on the PHP hash comparison defect
There are several cases in which $hmac == $hash is true: the two strings are completely equal, or $hmac equals 0 while $hash is a string that starts with a character. Change the value of $hmac in the cookie to 0, and then, on the line above if ( $hmac != $hash ) {, write var_dump($hmac);die();
The printed result for $hmac is string '0' rather than int 0.
Is there any way to get a string recognized as an integer? The code is as follows:
The string 0e156464513131 is interpreted as 0 multiplied by 10 to the power of 156464513131, which is 0. Therefore, when $hash starts with 0e and the rest consists only of digits, it compares equal to $hmac when $hmac is '0'. So we can set the client cookie to something like wordpress_c47f4a97d0321c1980bb76fc00d1e78f=admin|1433403595|0
Then keep changing the expiration time (the 1433403595 position) until the server-side $hash collides, that is, until its value starts with 0e and is followed only by digits. If the collision succeeds, you can modify the cookie in the browser and access the backend address directly to log on to the backend.
3 Test script
By changing the expiration time in the client cookie, we repeatedly try to log on to the backend and look for a timestamp that gets in, so as to forge the cookie and log on to the backend.
Note: in theory, about one thousandth of 32-digit MD5 values start with 0e, so the probability of hitting a collision by varying $expiration is very low.
5. Solution
In the hash comparison in the PHP code, change == and != to === and !==, or hash the two variables with MD5 before comparing them.
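The comparison defect from section 2 and the fix above, side by side, as an added example that is not WordPress source code. The function names and both server-side hash values are constructed for illustration, and hash_equals() (PHP 5.6 and later) is an assumption added here as a constant-time alternative the article does not mention.

```php
<?php
// Added example, not WordPress source. All cookie and hash values are constructed.

// Split a cookie value of the form username|expiration|hmac (format from the article).
function parse_auth_cookie(string $value): ?array {
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null; // malformed cookie: reject instead of guessing
    }
    return ['username' => $parts[0], 'expiration' => $parts[1], 'hmac' => $parts[2]];
}

// Comparison as the article describes it: != converts numeric strings before comparing.
function loose_match(string $hmac, string $hash): bool {
    return !($hmac != $hash);
}

// Fix from the Solution section: !== compares the strings without any conversion.
function strict_match(string $hmac, string $hash): bool {
    return !($hmac !== $hash);
}

// Assumption (not in the article): hash_equals() compares in constant time.
function constant_time_match(string $hmac, string $hash): bool {
    return hash_equals($hash, $hmac);
}

// Constructed server-side hashes: one ordinary, one that PHP reads as 0 * 10^n.
$serverHashes = [
    'ordinary'  => str_repeat('ab12', 8),
    'zero-like' => '0e' . str_repeat('1234567890', 3),
];
$cookie = parse_auth_cookie('admin|1433403595|0');

foreach ($serverHashes as $label => $hash) {
    printf("%-9s numeric=%s loose=%s strict=%s hash_equals=%s\n",
        $label,
        var_export(is_numeric($hash), true),   // numeric strings are the ones == converts
        var_export(loose_match($cookie['hmac'], $hash), true),
        var_export(strict_match($cookie['hmac'], $hash), true),
        var_export(constant_time_match($cookie['hmac'], $hash), true));
}
```

Only the zero-like hash lets the loose comparison accept an hmac of '0'; both strict comparisons reject it in every row.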
Study notes: http://ichunqiu.com/course/167