
How to Analyze the Cookie Algorithm and Rootkey Random Strength

2025-02-24 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)05/31 Report--


This article studies the cookie generation algorithm of DEDECMS and its rootkey generation algorithm, assesses the strength of the random algorithm used for the rootkey, and calculates the attack time.

1. Cookie algorithm

1. The role of cookies and common structural forms

Role: authorization and authentication without session state.

Composition:

cookie = F(x, y), where F is an irreversible function, x is a salt, and y is permission- or user-related data.

The parts we can know: F is usually a hash function such as md5 or sha256.

y is, for example, a user name, ID number, or permission abbreviation.

What we don't know: x.

2. Locating the algorithm: dynamic debugging

According to common sense, after logging in, the server will return cookies!

2.1 The requested URL /member/index_do.php was not found on this server.

2.2 Analyze index_do.php (dedecms routing is very simple: the path corresponds directly to the file) and set a breakpoint at the login interface.

2.3 Stepping through the function, I didn't find the cookie-setting operation (the native PHP function setcookie), but I did find the account-checking function. Follow it:

2.4 Key fields

Sometimes the server response or the JS-generated cookie contains many fields, but when an interface is called it may check only a few of the fields in the cookie. Finding the key fields that are used for authentication reduces interference in our testing.

Taking the cookie from the picture in 2.1 and testing by removing fields one at a time, you find that the key fields dedecms checks in the cookie are:

DedeUserID=7; DedeUserID__ckMd5=4d0db47b3ba3fef5;

DedeUserID = userID; DedeUserID__ckMd5 = substr(md5($cfg_cookie_encode . userID), 0, 16)

DedeUserID is easy to learn or follows a regular pattern (1, 2, 3, 4 and so on), so the key to forging cookies is knowing $cfg_cookie_encode (called the rootkey in this article).

2. Root Key Generation Algorithm

1. Code location

Is $cfg_cookie_encode fixed, or is it dynamically generated in memory?

1.1 A full-text search for cfg_cookie_encode finds it stored in config.cache.inc.php. The value there is the same as the one we saw at the breakpoint above, so with high probability it is a fixed value.

1.2 Search globally for where config.cache.inc.php is manipulated and see which function writes this value.

This location is off. This is where the root key is refreshed once when the server is updated.

1.3 Continue to install.php

Besides config.cache.inc.php, $cfg_cookie_encode is also recorded in config.cache.bak.php, so look for where config.cache.bak.php is operated on:

The same root key generation algorithm is found in context:

This is where the root key is actually generated for the first time.

During installation, the interface actually shows it to us:

1.4 According to 1.2 and 1.3, the Root Key algorithm is as follows:

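// Character set exactly as it appears in the source
$chars='abcdefghigklmnopqrstuvwxwyABCDEFGHIGKLMNOPQRSTUVWXWY0123456789';
$max = strlen($chars) - 1;
// The key length is itself drawn from rand()
$length = rand(28,32);
$root_key='';
for($i = 0; $i < $length; $i++) {
    // Each character is picked with mt_rand()
    $root_key .= $chars[mt_rand(0, $max)];
}

2. Strength analysis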

2.1 Applying the conclusions

The following three conclusions are based on the first part:

4.1 There are two factors that affect the generation of random numbers: 1. the seed; 2. the number of calls.

4.4 The seed interval is 0 to 0xffffffff.

4.6 rand and mt_rand, called in succession in the same process without explicit seeding, use the same random seed.

It follows that root_key has only (0xffffffff - 0) + 1 = 2^32 possibilities.

The strength the author presumably had in mind:

62^28 + 62^29 + 62^30 + 62^31 + 62^32

2.2 Time needed to traverse all rootkeys

Here md5 and substr are timed on static strings. The actual strings vary, so the real elapsed time should fluctuate around the calculated time.

Results:

3.9920189380646 // time for 10^7 md5() calls

7.0076858997345 // time for 10^7 substr(md5()) calls

8.376072883606 // time for 10^6 key generations

The time required for a single process to traverse the root keys is:

((8.376072883606/10^6) * (2^32)) / 3600 ≈ 10 hours
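The mitigation that follows from this analysis, as an added example (not DedeCMS code, and not from the original article): draw the root key from the operating system's CSPRNG so it is not a function of a 32-bit seed, and compute the cookie check value as a full-length HMAC compared in constant time. The function names are hypothetical; the sample user IDs are constructed.

```php
<?php
// Added example, not DedeCMS code. All function names are hypothetical.

// Root key from the OS CSPRNG (random_bytes, PHP >= 7.0): 32 bytes give
// 256 bits of entropy, and there is no mt_rand()/rand() seed to enumerate.
function strong_root_key(): string
{
    return bin2hex(random_bytes(32));
}

// Check value for a cookie field: HMAC-SHA256 keyed with the root key.
// Unlike substr(md5($key . $value), 0, 16), the output is not truncated
// and the key is used through a MAC construction, not string concatenation.
function cookie_check_value(string $rootKey, string $userId): string
{
    return hash_hmac('sha256', $userId, $rootKey);
}

// Verify a presented check value with a constant-time comparison, so the
// response time does not reveal how many leading characters matched.
function cookie_is_valid(string $rootKey, string $userId, string $presented): bool
{
    return hash_equals(cookie_check_value($rootKey, $userId), $presented);
}

// Constructed sample run: one key, one signed user ID, two verification attempts.
$rootKey = strong_root_key();
$check   = cookie_check_value($rootKey, '7');

// Matching user ID and check value.
var_dump(cookie_is_valid($rootKey, '7', $check));

// Same check value replayed with a different user ID.
var_dump(cookie_is_valid($rootKey, '8', $check));

// A key produced by a second call shares nothing with the first one.
var_dump(hash_equals($rootKey, strong_root_key()));
```

An existing installation would also need its stored root key regenerated this way, since a key already produced by the generator in 1.4 remains within the 2^32 space regardless of how cookies are later checked.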
